Privacy Policy

1. Introduction

This Privacy Policy explains how personal information is collected, used, disclosed, and protected when you use the Lashify Studio web application and related services (the "Service").

The Service is offered to authorized business users on an invite-only basis. It provides AI-assisted product visualization and room-scene editing for furniture and lighting workflows.

This policy describes our practices under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Accountability

The Service is operated under the trade name Lashify Studio from Ontario, Canada ("we," "us," "our"). Lashify Studio is accountable for personal information handled through the Service.

A designated Privacy Officer is responsible for our compliance with this policy and for handling privacy questions, correction requests, deletion requests, and complaints. You may reach our Privacy Officer using the contact information in Section 16.

We do not publish the personal legal name of the operator on this website.

When a business customer contracts with us to use the Service and directs how their employees' or contractors' data is processed, that customer is the data controller for that data and we act as a data processor, subject to the terms of our agreement with that customer. This policy applies to our practices as a data controller for information we collect directly.

3. Scope

This policy applies to:

• Visitors to our public marketing pages (limited data, such as cookies and analytics).
• Authenticated users of the Service — employees or contractors of customer organizations.
• Administrators who manage accounts, usage, and billing within the Service.

4. Information we collect

We collect only the information necessary for the purposes identified in this policy.

• Account information: email address, display name, authentication identifiers, role, organization assignment, and password-related flags (for example, whether a password change is required on next sign-in). Passwords are managed by Firebase Authentication; we do not store your password in our application database.
• Usage and billing metadata: user identifier, email, organization identifier, event type (such as image generation or scene export), timestamps, token counts, estimated costs, resolution, image file names you provide, success/failure status, and URLs to generated outputs stored for history features. For Image Modification history and recall, we also store the text instructions you enter, your generation settings (such as aspect ratio, background mode, and color tone selections), reference image counts, and downscaled thumbnail previews of uploaded input images — not full-resolution uploads. We do not store the internal AI system prompts used by the Service.
• User content: images you upload (product photos, room scenes, reference images) and text instructions you submit for generation. This content is transmitted to our servers and to Google's Gemini API to fulfill your request.
• Technical data: IP address, browser type, operating system, device identifiers, App Check or security signals, and similar data in server or Firebase logs.
• Daily usage counters: per-user counts of AI operations for quota enforcement.
• Website analytics: Google Analytics collects online identifiers, page views, and general usage data on our public and authenticated pages.

5. Consent

We identify the purposes for collecting personal information at or before the time of collection, as described in Section 6.

Because the Service is invite-only, your organization's administrator creates your account and acknowledges our data practices when provisioning access. Your use of the Service constitutes your understanding that personal information is collected and used as described in this policy.

You may withdraw consent by requesting account deactivation through your administrator. Withdrawing consent may mean you can no longer use the Service.

Where we rely on implied consent — for example, for analytics cookies on public pages — we provide an opportunity to opt out as described in Section 13.

6. How we use information

We use personal information only for the purposes identified at or before collection:

• Provide, operate, and secure the Service (authentication, authorization, image generation, scene export, history, and quotas).
• Administer accounts created by your organization's administrators.
• Measure and report usage, including organization-level analytics and client invoicing where applicable.
• Maintain product configuration (accessible to administrators only).
• Troubleshoot errors, prevent abuse, and improve reliability.
• Comply with law and respond to lawful requests.

7. AI processing

Image generation and analysis are performed using Google's Gemini API. Your images and instructions are sent to that service to fulfill your request. We call the Gemini API from our backend only; your content is not exposed in the browser.

Google's handling of data submitted to its API is governed by Google's Cloud Data Processing Addendum and Gemini API terms. By default, Google does not use API-submitted data to train its general AI models. We do not use your content to train our own models. For details, see Google's AI terms at ai.google.dev/gemini-api/terms.

You should not submit content you are not authorized to share, including images that contain personal information about identifiable individuals, unless you have a lawful basis to do so. If you believe personal information about identifiable individuals has been inadvertently processed through the Service, contact our Privacy Officer using the details in Section 16.

8. When we share information

We do not sell personal information. We may share information in these circumstances:

• Service providers (subprocessors): Google LLC provides the core infrastructure we rely on, including Firebase Authentication, Firestore (database), Cloud Storage, Cloud Functions, App Check, the Gemini API, and Google Analytics. Google processes data in Canada and other countries, including the United States, under its own terms, data processing agreements, and privacy policies.
• Your organization's administrators, who can view usage analytics and manage users assigned to their billing organization.
• Professional advisers, regulators, or authorities when required by law, court order, or to protect rights, safety, and security.
• In connection with a business transition (such as an asset sale or merger). Where reasonably practicable, we will notify affected users or their organization's administrators before such a transfer occurs, and appropriate protections will be in place.

9. Storage, location, and retention

Our backend services are primarily hosted in Canada using Google Cloud. Google Analytics and some supporting Firebase services may also process data in the United States. Data transferred outside Canada is subject to the laws of the country where it is processed, including any lawful access by authorities in that country.

Generated images may be stored in Firebase Cloud Storage under your user account path so you can access history and recent work. For Image Modification history, we also store downscaled thumbnail previews of your uploaded base and reference images (not full-resolution originals). Temporary Scene Builder upload files are deleted from our servers after a successful export.

We retain personal information only as long as reasonably necessary for the purposes described in this policy, or as required by contract. We are establishing formal retention schedules and will update this policy when they are defined. You may request deletion as described in Section 12.

10. Accuracy

We take reasonable steps to keep personal information accurate, complete, and up-to-date for the purposes for which it is used.

You may update your display name through your account profile settings. To request correction of other personal information, contact our Privacy Officer using the details in Section 16.

11. Security safeguards

We use administrative, technical, and organizational measures appropriate to the sensitivity of the information, including role-based access controls, server-side authorization checks, restricted database and storage access rules, protected API keys, and optional Firebase App Check.

No method of transmission or storage is completely secure. You are responsible for safeguarding your account credentials and for the content you choose to upload.

12. Your rights and choices

Subject to applicable law, you may request access to, correction of, or deletion of personal information we control about you, or ask questions about how it has been used or disclosed.

Because access is provisioned by your organization, many requests — such as account deactivation or role changes — should be directed to your administrator first.

To exercise rights directly with us, contact our Privacy Officer using the details in Section 16. We may need to verify your identity before responding and will respond within a reasonable timeframe.

If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

13. Cookies and analytics

We use essential cookies and similar technologies required for authentication and security.

We use Google Analytics (GA4) on our public and authenticated pages to understand general usage. Google Analytics sets cookies and collects online identifiers. This tracking is active by default. You may opt out using Google's Analytics opt-out browser add-on (tools.google.com/dlpage/gaoptout) or by disabling cookies in your browser settings.

We intend to implement a cookie consent mechanism for visitors in jurisdictions where explicit consent is required. Until that is in place, the opt-out methods above are available.

Blocking essential cookies may prevent the Service from working correctly.

14. Children

The Service is intended for business use and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children.

15. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will change when we do.

For material changes, we will make reasonable efforts to notify you or your organization's administrator in advance, through the Service or by email.

16. Contact — Privacy Officer

For privacy questions, correction or deletion requests, or complaints about how Lashify Studio handles personal information, contact our Privacy Officer using the secure form on this page.

The form collects your email address, optional name, request type, and message so we can respond. We do not use this form for marketing.