
Privacy Policy

Provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR").

Last updated: May 28, 2026

1. Data Controller

The Controller of personal data is Cladegrove · di Fabio Ariotti, sole proprietorship (impresa individuale) with registered office in Trino (VC), Italy.

  • VAT no. (P.IVA): IT02782390021
  • Tax code (Codice Fiscale): RTTFBA97T03B885G
  • REA: VC-312122
  • Certified email (PEC): FabioAriotti@Pec.It
  • Privacy contact: privacy@cladegrove.com
  • General support: support@cladegrove.com
  • Refund requests: refunds@cladegrove.com

The Controller has not appointed a Data Protection Officer (DPO), as this is not required under Art. 37 GDPR.

2. Nature of the Service: AI image generation

Cladegrove is an AI photo studio: every output produced by the platform is a synthetic image generated by a third-party AI model. The Service does not extract biometric templates from any image you upload and does not maintain a face-recognition index of users or third parties. By design:

  • Characters (re-usable models) can be created from text only (modes text_free and text_guided) or from an uploaded reference photo (mode photo_upload, available since 8 May 2026). The photo upload mode is gated by an explicit consent declaration linked to our Likeness Policy, in which you confirm that the depicted person is yourself or has given you explicit consent, that the subject is an adult, and that you take full responsibility for the uploaded material and any output derived from it. The uploaded reference is stored in our private storage bucket alongside the character and re-used to anchor identity when the card is regenerated. Deleting the character also deletes the upload.
  • Wardrobe items uploaded by you are clothing/accessory pictures used as visual references for the synthetic outfit. They are processed as product photography, not as identification material.
  • Optional scene reference photos uploaded in Single shot are processed transiently to reconstruct that specific moment as a textual description: the environment, composition, framing and lighting, and also the pose, expression and clothing of any person shown. What is deliberately not carried over is the facial identity of a depicted person: the subject's identity is either a character you separately chose or, when none is chosen, a synthetic person invented from your text prompt. The photo is never sent to the image-generation model and is deleted from our storage immediately after the textual description is produced (typically within seconds), so it is not retained with the resulting generation. A real person's likeness is reproduced only where you deliberately create a character from a photo upload and tag that character in the generation, which is a separate, consent-gated flow described below and in our Likeness Policy.
  • Every generated image is marked as artificially generated through two independent machine-readable layers: a SynthID watermark embedded in the pixels by the upstream AI model, and IPTC/XMP provenance metadata (including Iptc4xmpExt:DigitalSourceType = trainedAlgorithmicMedia and a dedicated GenAI namespace) added by Cladegrove to the file before storage (see §11 below). This is part of our commitment under Art. 50 of Regulation (EU) 2024/1689 (AI Act).

The Acceptable Use rules in our Terms of Service (§5) prohibit attempts to use the Service to impersonate, defame, sexualise or otherwise misuse the likeness of any third party, including by way of the photo-upload character flow, as well as sexually explicit or NSFW generations. Such requests are blocked automatically before any image is produced, and violations result in account termination.

3. Data processed

We process the following categories of data:

  • Registration data: email address, password (stored in hashed form), account creation date, profile fields you optionally provide (first name, last name, display name).
  • User-generated content: text prompts and character descriptions, wardrobe item images, generated synthetic outputs, outfit presets and saved "looks". Such content is processed to deliver the Service and is retained until you delete it or delete your account. Optional scene reference photos uploaded in Single shot are an exception: they are deleted from our storage immediately after the scene is transcribed into a textual description and are not retained with the resulting generation.
  • Billing data: subscription plan, top-up purchases, credit ledger, Stripe customer ID. Payment card data is never seen nor stored by us: it is handled directly by Stripe (PCI-DSS Level 1).
  • Usage and technical data: IP address, user-agent, technical access logs, strictly necessary cookies and local storage (see Cookie Policy). No third-party analytics or marketing trackers are currently active on the platform.
  • Reference photos that depict a person: should a character upload (mode photo_upload) include the user or a third party, the depicted person is treated as an identified or identifiable individual under Art. 4(1) GDPR. The image is processed for the time strictly necessary to generate the output, is not used by us to extract biometric templates, and is retained on our side (Supabase Storage) for as long as the related character exists; deleting the character or your account deletes the upload. The image is transmitted to Google (Gemini Developer API, for anatomy extraction) and to OpenAI (image-synthesis API, for the studio card image); see §6 for the data-usage terms of each sub-processor. The legal basis for processing a photo of an identified or identifiable person uploaded through the character flow is your explicit consent (Art. 6.1.a GDPR), captured at upload time and audited in the consent_log table. Optional scene reference photos uploaded in Single shot are not covered by this paragraph: as stated above, they are transcribed into a textual description of the moment, the facial identity of any person shown is not reproduced, and they are deleted immediately after processing.
  • Customer-support and feedback content: email correspondence, in-app feedback box submissions (table user_feedbacks), retained for product improvement and dispute resolution.

We do not process special categories of personal data within the meaning of Art. 9 GDPR (including biometric data for the purpose of uniquely identifying a natural person). The Service is technically designed to avoid biometric processing.

4. Purposes and legal bases

  • Service delivery (Art. 6.1.b GDPR, performance of contract): registration, authentication, generation of synthetic images, storage of wardrobe and characters, billing.
  • Security and abuse prevention (Art. 6.1.f GDPR, legitimate interest): access logs, rate-limiting, system protection, content-policy enforcement (e.g. blocks on attempts to generate prohibited content).
  • Legal obligations (Art. 6.1.c GDPR): retention of data for tax, accounting or competent authorities' requests (10 years for invoices and tax records, Art. 2220 Italian Civil Code).
  • Marketing communications (Art. 6.1.a GDPR, consent): only with explicit consent at registration, revocable at any time.
  • Newsletter / editorial communications (Art. 6.1.a GDPR, consent): when you subscribe through the newsletter form on the blog, your email address is sent to Resend Audiences (see §6) so we can deliver product updates and editorial content. Subscription is opt-in, requires you to actively submit the form, and can be revoked at any time through the unsubscribe link in every email.
  • AI Act compliance (Art. 6.1.c GDPR): marking every generated output as artificially generated is a legal obligation under Art. 50(2) of Regulation (EU) 2024/1689.

5. Provision of data

Provision of registration data and content necessary for the Service is mandatory: refusal makes use of the platform impossible. Consent to marketing communications is optional and does not affect access to the Service.

6. Recipients of data (External processors)

To deliver the Service we rely on the following data processors, each governed by a dedicated DPA pursuant to Art. 28 GDPR:

  • Supabase Inc.: authentication, database and storage. The Cladegrove Supabase project is hosted in the EU (Frankfurt, Germany — region eu-central-1). All user data (accounts, generations, characters, wardrobe items, billing ledger, consent log, reference photos in Storage) resides inside the EU/EEA. No transfer to a third country takes place for these processing operations.
  • Google LLC (USA): textual and visual extraction and prompt compilation via the Google Gemini Developer API (model gemini-3.1-flash-lite). The Gemini Developer API is used on the paid tier: pursuant to Google's Gemini API paid-tier terms, API inputs and outputs (including uploaded images) are not used to train or improve Google models and are logged only for a limited period solely for Prohibited-Use-Policy enforcement and legal or regulatory needs. Non-EU transfer governed by SCC.
  • OpenAI, L.L.C. (USA): image synthesis. Two models are used, depending on the flow: gpt-image-2 for text-to-image generations (Single shot, Friends, InstaMood and text-only character cards) and gpt-5.5 via the Responses API with the image_generation tool for face-anchored character card renders (mode photo_upload), where the persona's face is preserved from an uploaded reference. Reference images are transmitted to the model only for the time strictly necessary for processing. Pursuant to OpenAI's API data-usage policy in force, API inputs and outputs are not used to train OpenAI models and are retained by OpenAI for a maximum of 30 days for abuse-monitoring purposes only, after which they are deleted. Non-EU transfer governed by SCC.
  • Stripe Payments Europe, Ltd. (Ireland, EU): payment processing, subscriptions, billing portal. Card data is handled directly by Stripe (PCI-DSS Level 1) and never reaches our servers.
  • Vercel Inc. (USA): application hosting and CDN. Non-EU transfer governed by SCC.
  • Cloudflare, Inc. (USA): domain registrar, DNS, edge CDN proxy and anti-bot protection sitting in front of the Cladegrove origin. Non-EU transfer governed by SCC.
  • Resend, Inc. (USA): transactional email delivery (account confirmation, password reset, billing notifications) and management of the optional blog newsletter ("Resend Audiences"). Email content and recipient addresses are transmitted to Resend for the time necessary to deliver each message and to operate the subscriber list. Non-EU transfer governed by SCC; Resend adheres to the EU-US Data Privacy Framework.

The provenance marking carried by generated images uses SynthID, a content-watermarking technology developed by Google DeepMind (a division of Google LLC). SynthID is applied inside OpenAI's image model at generation time; Google DeepMind does not separately receive your prompts, uploads or generated images for this purpose. See §11 for how outputs are marked.

Data is not disseminated and is not transferred to third parties for commercial profiling purposes.

7. Non-EU transfers

User data hosted in Supabase resides in the EU (Frankfurt, Germany) and is not transferred outside the EU/EEA for that processing operation. The remaining processors listed in §6 — Google LLC, OpenAI L.L.C., Vercel Inc., Cloudflare Inc. and Resend Inc. — are based in the United States of America and process the limited data described next to each entry. The transfer to those processors takes place on the basis of the Standard Contractual Clauses (EU Decision 2021/914) and, where available, the provider's adherence to the EU-US Data Privacy Framework (adequacy decision of 10 July 2023). Copies of the safeguards can be requested from the Controller at privacy@cladegrove.com.

8. Retention period

  • Registration data: for the entire duration of the account and for 30 days following the deletion request, except where longer retention is required by law.
  • User-generated content (prompts, wardrobe items, characters, generations, outfit presets): until manual deletion by the user or deletion of the account.
  • Reference photos used in AI calls (see §2): (a) Optional scene reference photos uploaded in Single shot are sent only to the Google Gemini API for transient textual transcription and are never forwarded to the image-synthesis model; they are deleted from our storage immediately after the textual description is produced and are not retained with the resulting generation. On the Google sub-processor side they are logged only for a limited period for policy enforcement and legal needs per Google's paid-tier API terms. (b) Character reference photos (mode photo_upload) are transmitted to Google (anatomy extraction) and to OpenAI (studio card synthesis); OpenAI retains such inputs for up to 30 days for abuse-monitoring under its API data-usage policy, after which they are deleted on the sub-processor side. On our side, character reference uploads are stored on Supabase Storage until you delete the character or the account.
  • Billing records and invoices: 10 years (Art. 2220 Italian Civil Code, tax obligations).
  • Security logs and technical data: 12 months, except where longer retention is required for investigations.
  • Provenance markers in generated images: a SynthID watermark applied by the upstream model in the pixels, and IPTC/XMP metadata written by Cladegrove into the file at stamping time (see §11). They travel with the file; we do not retain a separate copy of these markers. Removing or forging them constitutes a violation of our Terms.

9. Rights of the data subject

Pursuant to Articles 15–22 GDPR, you have the right to:

  • access your personal data and obtain a copy;
  • rectify inaccurate or incomplete data;
  • obtain erasure of your data ("right to be forgotten"), subject to legal retention obligations;
  • restrict or object to processing;
  • obtain portability of your data in a structured, readable format;
  • withdraw consent at any time, without prejudice to the lawfulness of processing based on consent given before withdrawal;
  • lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or the competent supervisory authority.

To exercise your rights, write to privacy@cladegrove.com or to the Controller's PEC FabioAriotti@Pec.It. We will respond within 30 days.

Right to object: synthetic likeness. Should an output incidentally resemble you to a degree that is recognisable to a third party, you may request its erasure free of charge by writing to the privacy contact above. Provide a description of the relevant generation. We will remove it within 7 days of verification.

10. Automated decision-making (Art. 22 GDPR)

The Service uses generative AI models supplied by two sub-processors: Google LLC provides textual and visual extraction and prompt compilation via gemini-3.1-flash-lite (Gemini Developer API), and OpenAI, L.L.C. provides image synthesis via gpt-image-2 (text-to-image) and via gpt-5.5 (Responses API with the image_generation tool) for face-anchored character card renders. Together they generate synthetic images upon your explicit request. Such processes do not produce legal effects nor significantly affect you within the meaning of Art. 22 GDPR. We do not perform profiling, scoring, or automated decisions about you on the basis of model outputs.

11. AI transparency and provenance marking (AI Act, Art. 50)

Pursuant to Article 50(2) of Regulation (EU) 2024/1689 (AI Act), generated outputs are marked in a machine-readable format detectable as artificially generated. Marking is performed through two independent layers:

  • a SynthID watermark embedded into the pixels of the image by the upstream OpenAI image model at generation time. SynthID is imperceptible to the human eye and robust to common re-compression and screenshotting; it is applied by the model, not by Cladegrove.
  • IPTC/XMP provenance metadata written by Cladegrove into the file before storage. The metadata uses the IPTC controlled vocabulary that the AI Act guidance points to (Iptc4xmpExt:DigitalSourceType = trainedAlgorithmicMedia), plus a dedicated GenAI namespace recording the upstream model identifier, the generation ID, the creation timestamp and links to these legal pages. Standard EXIF fields (Software, Artist, Copyright, ImageDescription) consistently declare the file as AI-generated.

Caveat: some third-party social platforms, messaging apps and download tools strip file metadata when re-encoding images, which can remove the IPTC/XMP layer; the SynthID pixel watermark is more resilient but is not indestructible. Loss of a marker does not relieve you of any user-side disclosure obligation under Art. 50(4) AI Act when you publish the output to third parties.

For end-user information about how this Service marks AI-generated content and how to verify it, see the public AI Disclosure page.

12. Security

Data is processed using automated tools and stored on cloud infrastructure of third-party providers (listed above) with appropriate technical and organisational measures (Art. 32 GDPR): encryption in transit (TLS), encryption at rest as provided by our processors, role-based access, password hashing managed by Supabase Auth, application-level authorisation gates on every API route, and per-tenant isolation enforced both at the application layer (every business API route validates auth.uid() = row.user_id) and at the database layer (Postgres Row-Level Security policies on the public schema, restricting select/insert/update/delete to auth.uid() = user_id).

13. Notice for U.S. residents (State Privacy Laws)

The Service is operated from Italy. If you access it from the United States, the following rights and disclosures apply in addition to (and not in place of) the rest of this notice.

No sale or share of personal information. We do not sell personal information for monetary or other valuable consideration, and we do not share personal information for cross-context behavioural advertising. We do not use personal information for targeted advertising, profiling in furtherance of decisions producing legal or similarly significant effects, or training of third-party AI models. We do not process sensitive personal information (as defined by Cal. Civ. Code §1798.140(ae)) for purposes that would require an opt-out under §1798.121.

Global Privacy Control (GPC). Where your browser transmits a Global Privacy Control signal (Sec-GPC: 1), we treat it as a valid opt-out request and automatically disable the Analytics and Marketing cookie categories. You do not need to interact with the cookie banner. See the Cookie Policy for the technical implementation.

California (CCPA/CPRA, Cal. Civ. Code §§1798.100–1798.199). If you are a California resident, you have the right to: (a) know what personal information we collect, the sources, the purposes, and the categories of recipients; (b) access a copy of your personal information in a portable format; (c) delete your personal information, subject to statutory exceptions; (d) correct inaccurate personal information; (e) opt out of sale or share (see disclosure above: we do neither, so no opt-out is necessary, but a dedicated request mechanism is provided); (f) limit the use of sensitive personal information (not applicable: we do not process such data for opt-out purposes); (g) be free from discrimination for exercising any of the foregoing. Categories of personal information collected in the past 12 months map to the categories listed in §3 of this notice: identifiers, customer records, commercial information, internet/network activity, geolocation (coarse, derived from IP), and user-generated content. Retention periods are listed in §8.

Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), New Hampshire, New Jersey, Nebraska, Minnesota, Maryland, Rhode Island. If you are a resident of any of the above states, you have substantially the same rights as listed for California (access, correction, deletion, portability, opt-out of targeted advertising/sale/profiling). To exercise any state right, write to privacy@cladegrove.com with the subject line “U.S. State Privacy Request” and state your residency. We will verify your identity through the email address associated with your account and respond within 45 days (extendable once by 45 days for complex requests). Authorised agents may submit requests with written permission and proof of identity of the principal.

Appeals. Residents of Colorado, Connecticut, Virginia and other states that grant an appeal right may, if we decline a request, submit an appeal to the same address with the subject line “U.S. Privacy Appeal”; we will respond within 60 days. Colorado residents may also contact the Colorado Attorney General; Texas residents may contact the Office of the Texas Attorney General Consumer Protection Division; California residents may contact the California Privacy Protection Agency (cppa.ca.gov).

“Shine the Light” (Cal. Civ. Code §1798.83). We do not disclose personal information to third parties for their direct marketing purposes.

Notice of Financial Incentive. We do not offer financial incentives in exchange for personal information.

14. Notice for users outside the EU/EEA

The rights described in §9 are granted under the GDPR. Comparable rights under other jurisdictions' laws are honoured to the extent applicable.

  • United Kingdom (UK GDPR + Data Protection Act 2018). The same rights as §9 apply. UK residents may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
  • Switzerland (revFADP, in force since 1 September 2023). Swiss residents may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.
  • Brazil (LGPD, Lei nº 13.709/2018). Brazilian data subjects have the rights set out in Art. 18 LGPD (confirmation, access, correction, anonymisation, portability, deletion, information about sharing, revocation of consent). The point of contact for data-protection requests (Encarregado pelo Tratamento de Dados Pessoais) is reachable at privacy@cladegrove.com. Complaints may be lodged with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
  • Canada (PIPEDA + Quebec Law 25). Canadian users may exercise the rights of access, correction and withdrawal of consent under PIPEDA, and the right to data portability under Quebec Law 25 (in force since 22 September 2024). The Privacy Officer is reachable at privacy@cladegrove.com. Complaints: Office of the Privacy Commissioner of Canada (priv.gc.ca) or, for Quebec residents, the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca.
  • Australia (Privacy Act 1988 + Australian Privacy Principles). Australian users may exercise the rights of access and correction. We do not disclose personal information overseas for any purpose other than service delivery as described in §6. Complaints may be lodged with the Office of the Australian Information Commissioner (oaic.gov.au). Eligible data breaches will be notified to affected individuals and the OAIC in accordance with Part IIIC of the Privacy Act.
  • Other jurisdictions. Users in other jurisdictions may contact us at privacy@cladegrove.com to exercise any right granted to them by local law that is not already covered above. We will respond in good faith within the timeframe required by the applicable statute.

15. Changes to this notice

We reserve the right to update this notice. Material changes will be notified to you by email or in-app with reasonable advance notice.

© 2026 Cladegrove · di Fabio Ariotti. All rights reserved.