Privacy Policy

Last updated: January 22, 2026

This Privacy Policy explains how ShotsFlowAI ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our AI-powered product photography service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

  • Entity: Kamil Kwapisz Consulting
  • NIP/TAX ID: 7010988206
  • Location: Poland, European Union
  • Contact Email: privacy@shotsflowai.com

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address: Used for account identification, login, and communication
  • Password: Stored in hashed form (we never store plain-text passwords)
  • Display name: Derived from your email address

2.2 Session and Security Data

For security and service functionality, we collect:

  • IP address: Used for security monitoring and fraud prevention
  • User agent: Browser and device information for session management
  • Session tokens: To maintain your logged-in state

2.3 User-Generated Content

When you use our service, we store:

  • Uploaded images: Product photos you upload for editing
  • Generated images: AI-created variations of your products
  • Prompts: Text descriptions you provide for image generation
  • Photoshoot metadata: Organization data such as project names and settings

2.4 Payment Information

Payment processing is handled by our third-party payment processor, Polar. We do not store your credit card details. We receive and store:

  • Subscription status and plan type
  • Transaction identifiers
  • Billing period information
  • Credit balance

2.5 Analytics Data

We use Umami, a privacy-focused analytics platform, to understand how our service is used. Umami is configured to:

  • Not use cookies for tracking
  • Not collect personally identifiable information
  • Only gather aggregated, anonymous usage statistics

3. Legal Basis for Processing

Under GDPR Article 6, we process your data based on the following legal grounds:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide you with our service, including account management, image generation, and subscription handling.
  • Legitimate Interest (Art. 6(1)(f)): Processing for security purposes, fraud prevention, service improvement, and ensuring platform integrity.
  • Legal Obligation (Art. 6(1)(c)): Processing required to comply with tax and accounting regulations.
  • Consent (Art. 6(1)(a)): Where applicable, for marketing communications (you may withdraw consent at any time).

4. How We Use Your Information

We use your personal data to:

  • Provide and maintain our AI product photography service
  • Process your image generation requests
  • Manage your account and subscription
  • Process payments and maintain billing records
  • Send transactional emails (account verification, password reset, order confirmations)
  • Ensure security and prevent fraud
  • Improve our service based on aggregated usage patterns
  • Comply with legal obligations

5. Data Sharing and Third-Party Services

We share your data with the following categories of service providers who act as data processors on our behalf:

5.1 Infrastructure and Hosting

Provider | Purpose | Location
Hetzner | Web hosting | Germany (EU)
Neon | Database hosting | United States*
Backblaze B2 | Image storage (CDN) | United States*

5.2 Service Providers

Provider | Purpose | Location
Polar | Payment processing | Payment processor
Resend | Transactional emails | United States*
OpenRouter | AI image generation | API provider
Fal | AI image generation | API provider
Umami | Privacy-focused analytics | Self-hosted (EU)

*For US-based providers, data transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission.

6. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). When transferring personal data to countries without an EU adequacy decision, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved contractual terms with our US-based processors.
  • Data Processing Agreements: All processors have signed DPAs committing to GDPR-equivalent protections.

7. Data Retention

We retain your personal data for the following periods:

  • Account data: Until you delete your account, plus any legally required retention period
  • Uploaded and generated images: Until you delete them or your account is terminated
  • Payment and transaction records: 5 years after the transaction (required by Polish tax law)
  • Session data: Automatically deleted upon session expiration or logout
  • Security logs: Up to 12 months for fraud prevention purposes

8. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of Access (Art. 15): Request a copy of your personal data we hold
  • Right to Rectification (Art. 16): Request correction of inaccurate data
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Art. 18): Request limitation of processing in certain circumstances
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interest
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, please contact us at privacy@shotsflow.ai. We will respond to your request within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO).

9. Cookies and Tracking

We use minimal cookies necessary for the operation of our service:

  • Session cookies: Essential for maintaining your logged-in state. These are strictly necessary and do not require consent.

Our analytics provider (Umami) operates without cookies and does not track individual users across sessions.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (HTTPS/TLS)
  • Secure password hashing algorithms
  • Access controls and authentication requirements
  • Regular security assessments
  • Secure data centers with physical security measures

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security but will notify you and relevant authorities of any data breach as required by law.

11. Children's Privacy

Our service is intended for users who are at least 18 years old. We do not knowingly collect personal information from children under 18. If you believe we have collected data from a minor, please contact us immediately at privacy@shotsflowai.com.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending an email notification for significant changes

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

  • Business Name: Kamil Kwapisz Consulting
  • NIP/TAX ID: 7010988206
  • Email: privacy@shotsflowai.com
  • General inquiries: Contact form

For data protection inquiries, we aim to respond within 30 days.