Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy explains how Picturel.ai, operated by Supercommercial Oy, processes your personal data when you use our website and services. We are committed to protecting your privacy and handling your data transparently and securely in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

2. Data Controller

The data controller responsible for processing your personal data is:

Supercommercial Oy
Majavankatu 7
55420 Imatra, Finland
Business ID (Y-tunnus): 3536814-7
Email: support@supercommercial.ai

3. Personal Data We Collect

We may collect and process the following categories of data:

  • Account data such as your name, email address, and authentication data when you create an account or sign in.
  • Usage data such as actions you take in the product, generated marketing assets, prompts, and interaction logs used to improve the service.
  • User-uploaded content such as reference images, product photos, and brand assets you upload for use in AI-assisted image generation. You are solely responsible for ensuring that you have the necessary rights and consents (including any required consents under data protection law) for any images you upload, particularly images depicting identifiable individuals.
  • Support data such as information you provide when you contact our support team.
  • Technical data such as IP address, device information, and browser information used to keep the service secure and reliable.

4. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve our services.
  • Process uploaded images and prompts to generate AI-assisted marketing assets.
  • Authenticate users and secure accounts.
  • Communicate with you about your account and updates.
  • Comply with legal obligations and enforce our Terms of Service.

5. Legal Bases for Processing

We process your personal data on the following legal bases under the GDPR:

  • Performance of a contract (providing the service).
  • Compliance with legal obligations.
  • Legitimate interests (e.g., service security and improvement), balanced against your rights and freedoms.
  • Your consent, where required by law (for example, for certain cookies or marketing communications).

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. When data is no longer needed, it is deleted or anonymised. The following specific retention periods apply:

  • Account data (name, email, authentication): retained for the duration of your account and up to 12 months after account deletion.
  • Generated images and prompts: retained for the duration of your account. You may delete individual assets at any time through the Asset Library. Upon account deletion, all generated assets are deleted within 90 days.
  • Uploaded images (including reference images, product photos, and edit-source images): retained as part of your chat history so you can reopen past chats. These files are deleted when you delete the related chat. Any remaining uploaded images are deleted within 90 days after account deletion.
  • Billing and transaction records: retained for 6 years after the transaction date in accordance with Finnish accounting legislation.
  • Technical logs and analytics: retained for up to 12 months.

7. Sub-Processors and Third Parties

We use the following categories of third-party service providers (sub-processors) to operate the service. Each provider processes data only as necessary to deliver their specific function:

  • Cloud hosting and infrastructure (Google Cloud Platform, Vercel) — host our application, store user data, and serve content.
  • Authentication services (Firebase Authentication) — manage user sign-in and identity verification.
  • AI model providers (Google Gemini, Replicate) — process prompts and uploaded images to generate marketing assets. Data is processed according to each provider's API terms and is not used to train their models.
  • Payment processing (Stripe) — process subscription payments and manage billing. Stripe acts as an independent data controller for payment data.
  • Analytics providers — collect anonymised usage statistics to help us improve the service.

8. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs) or the provider's participation in an approved transfer mechanism. You can request more details about the specific safeguards applied to your data by contacting us.

9. AI Model Training

We do not use your uploaded images, generated assets, or prompts to train, fine-tune, or improve any AI or machine learning models. Your content is processed solely to fulfil your generation requests. Third-party AI providers we use (Google Gemini, Replicate) process data via their API services, which operate under terms that exclude the use of API inputs and outputs for model training.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, in accordance with Article 34 of the GDPR.

11. Your Rights Under the GDPR

Subject to conditions and limitations set out in applicable law, you have the right to:

  • Access your personal data.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of your personal data.
  • Restrict or object to the processing of your personal data.
  • Request data portability, where technically feasible.
  • Withdraw consent at any time where processing is based on consent.

To exercise these rights, please contact us at support@supercommercial.ai.

12. Cookies and Similar Technologies

We use cookies and similar technologies to provide and secure the service, and to remember your preferences. For more information about how we use cookies and how you can manage your choices, please see our Cookie Policy.

13. Contact and Complaints

If you have questions about this Privacy Policy or how we process your personal data, please contact us at support@supercommercial.ai.

You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.