Privacy Policy

Last updated — April 2026

This Privacy Policy describes how Umbrai ("we", "us") collects, uses and protects personal information when you use our Service.

1 · Information we collect

Account information: name, email address, hashed password, role and status.
Payment information: handled by our payment processor (Stripe). We store only a customer ID and a transaction ledger — not card numbers.
Content you upload: reference images, product photos, face photos, prompts. Processed to fulfil your generation requests.
Generated content: stored in your account history and linked to your user ID.
Usage data: generation counts, timestamps, model used, credits spent. Needed for billing and audit.
Shopify credentials: only if you explicitly connect your store. Used to publish content to your storefront.

2 · How we use it

We use the information to operate the Service, process your generations, charge credits, provide support, prevent fraud, and comply with legal obligations. We do not sell personal data.

3 · Third parties

Your uploads are transmitted to AI model providers to generate content. We partner with:

AI engines from major providers for image, video and text generation.
Stripe for payments.
Railway / our cloud hosting provider for server infrastructure.
Shopify, when you connect your store.

Each has its own privacy practices. We only share the data strictly required to deliver the Service.

4 · Data retention

Generated history: kept until you delete it or your account is closed.
Audit log (credit transactions): retained for seven years for accounting and legal compliance.
Account data: deleted within 30 days of account closure, except where we must retain it by law.

5 · Your rights

You may request access to, correction of, or deletion of your personal data at any time. Write to privacy@umbrai.studio. We respond within 30 days.

6 · Security

Passwords are hashed with PBKDF2-HMAC-SHA256. Sessions use secure HttpOnly cookies. Communication is encrypted in transit (HTTPS). Database snapshots are encrypted at rest.

7 · Cookies

We use a single session cookie to keep you logged in. No advertising or tracking cookies.

8 · International transfers

The Service runs on servers in the EU. When data is sent to AI providers, it may be processed in the US or elsewhere subject to their privacy terms.

9 · Children

The Service is not for users under 18. We do not knowingly collect data from minors.

10 · Contact

Questions or data requests: privacy@umbrai.studio.

This is a template. Before opening to paying customers, have this reviewed by a lawyer and adapted to your specific data processing, especially if you target EU or Turkish customers (GDPR / KVKK).