PixelFlair

    Privacy Policy

    Last updated: March 1, 2026

    PixelFlair ("PixelFlair", "we", "us", or "our") operates the website pixelflair.co and the image upscaling service (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, with whom we share it, and what rights you have regarding your data.

    This Policy applies to all users of the Service worldwide. Where applicable, it reflects the requirements of the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA). If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, PixelFlair acts as the Data Controller for your personal data.

    By using the Service, you acknowledge you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.

    1. Data Controller

    The data controller responsible for your personal data is:

    Illia Khomenko (trading as PixelFlair)

    ul. Wrocławska 53B/77, 30-011 Kraków, Poland

    NIP: 6793311010  ·  REGON: 529793459

    Email: [email protected]

    Website: pixelflair.co

    For all data protection enquiries, including exercising your rights, please contact us at the email address above.

    2. Personal Data We Collect

    We collect personal data in the following categories:

    2.1 Account Data

    • Email address (used as your login identifier)
    • First and last name
    • Profile picture URL (if provided via OAuth)
    • Password (stored as a cryptographic hash — we never store plaintext passwords)
    • Language / locale preference
    • Account creation date and timestamp
    • OAuth provider identifier and provider user ID (when signing in via Google)

    2.2 Billing and Payment Data

    • Subscription plan and status (active, cancelled, past-due)
    • Subscription start and renewal dates
    • Payment method details: card brand, last 4 digits, expiry month/year (stored by Stripe — we never store full card numbers)
    • Stripe Customer ID and Stripe Subscription ID (references to your records in Stripe)
    • Invoice history and payment amounts
    • Usage quota (number of images processed per billing period)

    2.3 Image and Processing Data

    • Images you upload for upscaling (stored in our cloud infrastructure)
    • Processed (upscaled) output images
    • Processing metadata: upscaling scale factor, AI model used, processing status, timestamps
    • References to the location of your stored images

    Note on image content: Images you upload may contain personal data about third parties, including photographs of people. We process images solely to provide the upscaling Service. We do not perform facial recognition, biometric identification, or any other automated analysis of image content beyond what is necessary for image upscaling. You are responsible for ensuring you have the necessary rights and consents for the images you upload (see Section 8 of the Terms of Service).

    2.4 Usage and Technical Data

    • IP address and approximate geographic location (country / city level)
    • Browser type, version, and operating system
    • Pages visited, features used, and session duration
    • Referring URL
    • Error and diagnostic information (stack traces, application logs)

    2.5 Communications Data

    • Messages and enquiries submitted via the contact form (name, email, subject, message)
    • Transactional email records (account verification, password reset, billing notifications)

    3. Legal Bases for Processing (GDPR)

    For users in the EEA, UK, and Switzerland, we process personal data on the following legal bases under Article 6 of the GDPR:

    Performance of a Contract (Art. 6(1)(b))

    Processing necessary to create and manage your account, authenticate you, process image upscaling requests, manage subscriptions, and send transactional communications (e.g. email verification, password resets, billing receipts).

    Legitimate Interests (Art. 6(1)(f))

    Error monitoring, security and fraud prevention, service performance analytics, and improving the Service. Our legitimate interests do not override your fundamental rights.

    Legal Obligation (Art. 6(1)(c))

    Retaining financial records and invoices to comply with applicable tax and accounting laws (typically 7 years).

    Consent (Art. 6(1)(a))

    Analytics and non-essential cookies, where you have given consent via our cookie banner. Marketing communications (promotional emails and product updates), where you have explicitly opted in. You may withdraw consent at any time without affecting processing already carried out.

    4. How We Use Your Data

    • To create and manage your user account
    • To authenticate you and keep your session secure
    • To process image upscaling requests using AI models
    • To manage your subscription and billing via Stripe
    • To send transactional emails (account verification, password reset, billing receipts, service updates)
    • To respond to your contact form submissions and support requests
    • To monitor application errors, diagnose bugs, and maintain service reliability
    • To analyse aggregate usage trends and improve the Service
    • To detect and prevent fraud, abuse, and security incidents
    • To comply with legal obligations, including financial record-keeping

    We do not sell your personal data to third parties. We do not use your images for training AI models.

    Marketing communications: We may send you promotional emails and product updates only with your explicit prior consent. You can withdraw consent and unsubscribe at any time by clicking the unsubscribe link in any marketing email or by contacting us at [email protected]. Withdrawing consent does not affect transactional emails related to your account or subscription.

    Automated decision-making: We do not make any automated decisions about you that produce legal effects or similarly significantly affect you (GDPR Art. 22). Subscription management and usage tracking are automated processes, but they do not involve profiling or decisions with significant legal consequences — they simply apply the plan limits you selected.

    5. Data Retention

    We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by law.

    Data Category | Retention Period
    Account data | Until account deletion, then up to 30 days for backup expiry
    Uploaded and processed images | Until deleted by the user, or upon account deletion
    Payment records and invoices | 7 years (legal/tax obligation)
    Subscription history | 7 years (legal/tax obligation)
    Application logs and error reports | 90 days
    Analytics data (Google Analytics) | 26 months (per Google Analytics default)
    Contact form submissions | 3 years

    Additional retention
    Marketing consent records | Until consent is withdrawn + 3 years (to demonstrate compliance)

    Required data: Account data (email address, password or OAuth identifier) is necessary to provide the Service. Without it, we cannot create or maintain your account. Billing data is required to process payments for paid subscriptions.

    When you delete your account, we initiate deletion of your personal data from our systems within 30 days, except where we are required by law to retain certain records.

    6. Image Storage and Processing

    Images you upload are stored in Amazon S3 (region: eu-central-1, Frankfurt, Germany). They are processed by AI models via the Replicate platform and, where available, partially processed on our servers or your device. Processed output images are stored in the same S3 bucket.

    Access to your images is controlled via time-limited secure access links (valid for 10 minutes). No unauthorised third party has access to your images stored on our infrastructure.

    Your images are retained until you delete them or until your account is deleted. You can delete individual images at any time from your My Images dashboard. To delete your account and all associated data, go to Account Settings → Danger Zone, or contact us at [email protected].

    7. Third-Party Service Providers

    We share personal data with the following sub-processors and service providers, solely to operate and deliver the Service. Each provider is contractually bound to protect your data and process it only as instructed.

    Stripe — Payment Processing

    We use Stripe, Inc. to handle all payments and subscription billing. Your payment card details are collected and stored directly by Stripe and are never transmitted to or stored on our servers. Stripe is PCI-DSS Level 1 certified.

    stripe.com/privacy

    Amazon Web Services (AWS) — Cloud Infrastructure

    Our image storage and processing queues run on Amazon Web Services (AWS) in the eu-central-1 (Frankfurt, Germany) region, meaning your images remain within the EU. AWS is GDPR-compliant and covered by Standard Contractual Clauses.

    aws.amazon.com/privacy

    Google — Authentication (OAuth) and Analytics

    If you sign in using Google, Google authenticates you and shares your name, email, and profile picture with us. We also use Google Analytics 4 to understand how users interact with the Service (page views, sessions, feature usage). Google Analytics pseudonymizes data by truncating IP addresses before storage; no raw IP addresses are retained by Google.

    policies.google.com/privacy

    Mailgun — Transactional Email

    We use Mailgun to send transactional emails (account verification, password reset, billing notifications). Mailgun processes your email address to deliver these messages.

    mailgun.com/privacy-policy

    Replicate — AI Model Inference

    Upscaling jobs are processed by AI models hosted on Replicate's infrastructure (Replicate, Inc., United States). Your images are transmitted to Replicate solely for the purpose of AI inference. Replicate may retain prediction inputs and outputs for a limited period in accordance with their own data retention and security practices. This transfer is covered by Standard Contractual Clauses. We recommend reviewing Replicate's privacy policy for full details.

    replicate.com/privacy

    OVHcloud — Backend Server Infrastructure

    Our backend application servers (API, worker services, database) run on dedicated or virtual servers provided by OVHcloud SAS, a French company headquartered in Roubaix, France. OVHcloud data centers used for this Service are located within the European Union. Personal data processed by the backend — including account data, subscription data, and image metadata — resides on OVHcloud infrastructure. OVHcloud is GDPR-compliant and acts as a data processor under a Data Processing Agreement.

    ovhcloud.com/en/personal-data-protection

    Calendly — Meeting Scheduling

    We use Calendly to allow you to book meetings with us. When you book a meeting, Calendly collects your name, email address, and any additional information you provide. Calendly is a US-based service; transfers are covered by Standard Contractual Clauses incorporated into their Terms of Use.

    calendly.com/privacy

    PostHog — Product Analytics

    We use PostHog to understand how users interact with the Service (page views, feature usage, conversion funnels). PostHog is hosted on EU Cloud servers (Frankfurt, Germany), meaning your analytics data stays within the EU. PostHog collects pseudonymous identifiers (device ID, session ID) and event data. No analytics data is collected without your consent. You may opt out via our cookie consent banner.

    posthog.com/privacy

    Cloudflare — DNS and Network Security

    We use Cloudflare for DNS resolution and network routing. Cloudflare may process IP addresses and request metadata as part of DNS resolution. Cloudflare does not have access to the content of your requests or personal data stored on our servers.

    cloudflare.com/privacypolicy

    8. International Data Transfers

    Our primary infrastructure is located in the European Union (AWS eu-central-1, Frankfurt, Germany). Analytics data processed by PostHog also remains within the EU (PostHog EU Cloud, Frankfurt). Some of our third-party service providers are based in the United States (Stripe, Google, Mailgun, Replicate). Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

    • Standard Contractual Clauses (SCCs) approved by the European Commission
    • Adequacy decisions where applicable
    • Transfers to service providers that self-certify under applicable data transfer frameworks

    You may request a copy of the safeguards we have in place for international transfers by contacting us at [email protected].

    9. Cookies and Tracking Technologies

    We use cookies and similar technologies. Cookies are small text files stored on your device.

    Essential Cookies

    Required for the Service to function. These include session authentication tokens, security cookies, and user preference cookies (e.g. dark mode, language). Cannot be disabled without breaking the Service.

    Analytics Cookies

    Set by Google Analytics 4 (_ga, _gid) and PostHog (ph_*) to collect aggregated information about how visitors use the Service (pages viewed, session duration, feature usage). These cookies use pseudonymous identifiers and do not identify you personally. Enabled only with your explicit consent. Both services can be opted out via our cookie consent banner; existing cookies are deleted upon opt-out.

    Third-Party Cookies

    Stripe may set cookies during the payment flow to prevent fraud. Google may set cookies if you use Sign in with Google. These are governed by the respective providers' privacy policies.

    You can manage cookies through our cookie consent banner, your browser settings, or opt-out tools provided by third parties (e.g. Google Analytics Opt-out). Disabling analytics cookies does not affect your ability to use the Service.

    Browser local storage: We use your browser's local storage to save interface preferences such as your chosen theme (light/dark mode) and language. This data is stored only on your device and is not transmitted to our servers.

    Do Not Track (DNT): We do not currently respond to browser Do Not Track signals, as no industry-wide standard for DNT has been adopted. Analytics cookies are enabled only with your explicit consent via our cookie banner.

    10. Your Privacy Rights

    Rights Under GDPR (EEA, UK, Switzerland)

    If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights under the GDPR (or equivalent UK/Swiss law):

    • Right of Access (Art. 15): Request a copy of all personal data we hold about you.
    • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
    • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
    • Right to Restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
    • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (e.g. JSON/CSV).
    • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing.
    • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
    • Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority. The lead supervisory authority for PixelFlair is the Polish data protection authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland. You may also contact the supervisory authority in your own EU member state of residence.

    Rights Under CCPA / CPRA (California Residents)

    If you are a California resident, you have the following rights under the CCPA/CPRA:

    • Right to Know: Request disclosure of the categories and specific pieces of personal information collected about you, the sources, the purposes, and the third parties with whom it is shared.
    • Right to Delete: Request deletion of personal information we collected from you, subject to certain exceptions.
    • Right to Correct: Request correction of inaccurate personal information.
    • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information with third parties for their own marketing purposes. No opt-out is necessary.
    • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

    To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA), with a possible extension of up to 30 additional days where necessary. We may need to verify your identity before fulfilling your request.

    11. Data Security

    We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

    • Encrypted data transmission over HTTPS/TLS
    • Passwords stored using PBKDF2 (industry-standard cryptographic hash) — plaintext passwords are never stored
    • Payment data processed exclusively by Stripe (PCI-DSS Level 1)
    • Cloud image storage with access control and time-limited secure access links
    • Role-based access control limiting staff access to user data
    • Self-hosted application error monitoring — error reports stay on our own infrastructure and are not shared with third parties

    Despite our efforts, no security measure is 100% infallible. In the unlikely event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

    12. Children's Privacy

    The Service is not directed to children under the age of 13 (or 16 in certain EU member states). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected] and we will delete it promptly.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on this page with a new "Last updated" date, and where required by law, by sending an email notification to the address associated with your account. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

    14. Contact Us

    For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

    Illia Khomenko (trading as PixelFlair)

    ul. Wrocławska 53B/77, 30-011 Kraków, Poland

    NIP: 6793311010  ·  REGON: 529793459

    Email: [email protected]

    Website: pixelflair.co

    © 2026 PixelFlair. All rights reserved.