Privacy Policy
Last updated: May 20, 2026
This Privacy Policy describes what information Runpik ("we", "us", "our") collects about you, how we use it, who we share it with, and what rights you have over it. Runpik is operated by an individual sole proprietor based in the Republic of Armenia.
This policy applies to the Runpik website (runpik.com), the Runpik mobile applications, and any related services (collectively, the "Service"). If you do not agree with this policy, please do not use the Service.
1. Information we collect
1.1. Information you provide directly
- Account information: email address, password (stored as a salted hash, never in clear text), and an optional display name and avatar.
- Uploaded photos: images of products you upload to be processed into AI-generated photographs ("Input Images").
- Free-text input: any additional text you provide to guide a generation (e.g. shot-type preferences, optional notes).
- Communications: messages you send us by email or other channels.
- Payment information: when paid plans become available, payment data is processed by a third-party payment processor (e.g. Stripe, Apple, or Google). We receive a record of the transaction but not your full card details.
1.2. Information generated through your use
- Generated outputs: AI-generated photographs produced from your Input Images.
- Analysis data: structured metadata produced by the AI when analyzing your Input Image (product category, recommended shot type, etc.), used to assemble the generation request.
- Credit ledger: an append-only log of credits granted, charged, refunded, and (in future) purchased.
- Usage data: timestamps, generation parameters, success/failure status, and similar operational information.
1.3. Information collected automatically
- Technical data: IP address, device type, operating system, browser, and similar technical identifiers necessary to operate the Service and protect against abuse.
- Authentication cookies / tokens: short-lived session tokens (JWTs) that keep you signed in. See Section 10 (Cookies).
2. How we use your information
- To provide the Service: process your Input Images through our AI pipeline, deliver Generated Outputs to you, and manage your account and credits.
- To improve the Service: compile aggregated, non-identifying analytics about feature usage, generation success rates, and similar operational metrics. We do not use Your Content to train AI models.
- To communicate with you: respond to support requests, notify you of important changes to the Service, and (with your consent) send occasional product updates.
- To prevent abuse and ensure security: detect and respond to fraud, abuse, or violations of our Terms of Service.
- To comply with legal obligations: respond to lawful requests by public authorities, including for tax or law enforcement reasons.
3. Legal basis for processing (GDPR)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, we rely on the following legal bases under the GDPR:
- Performance of a contract — to provide the Service you have signed up for (most account and generation processing).
- Consent — for optional features such as marketing communications. You can withdraw consent at any time.
- Legitimate interest — to operate, secure, and improve the Service, where this does not override your fundamental rights and freedoms.
- Legal obligation — to comply with applicable law.
4. Third parties who process your data
To provide the Service, we share certain data with the following categories of third-party providers. We share only what is necessary, and these providers are bound by their own privacy policies and (where applicable) data processing agreements.
- Supabase (hosting infrastructure): our database, authentication, and storage are hosted on Supabase Cloud. Account data and Your Content are stored on Supabase servers located in the European Union (Frankfurt, Germany). See Supabase's Privacy Policy.
- Google Gemini API (AI processing): when you trigger an analysis or generation, your Input Image and structured prompts are sent to Google's Gemini API for processing. Google may retain submitted content for a short period for abuse-prevention purposes, per its own policies. See Google's Gemini API Terms.
- Payment processors (future): when paid plans launch, your payment data will be handled by reputable third-party processors such as Stripe, Apple, or Google. We will update this policy with specifics before such features are enabled.
- Cloudflare (web infrastructure): our website (runpik.com) is delivered through Cloudflare. Cloudflare may collect technical request metadata (IP, user agent) for security and CDN purposes. See Cloudflare's Privacy Policy.
We do not sell your personal information to any third party. We do not share your information for third-party advertising purposes.
5. International data transfers
Because our infrastructure providers operate globally, your data may be transferred to, stored in, and processed in countries other than the one in which you reside, including the European Union (where Supabase is hosted) and the United States (where Google operates the Gemini API). Where required by law, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission to protect cross-border transfers.
6. Data retention
- Account data: retained for as long as your account is active.
- Input Images and Generated Outputs: retained until you delete them or your account, subject to short technical caching by upstream AI providers (see Section 4).
- Analysis cache: structured analysis metadata is cached to avoid redundant AI calls; cleared when you delete your account.
- Credit ledger: retained for as long as your account is active and, where applicable, for the period required for tax and accounting purposes after closure.
- Account deletion: when you request account deletion through the in-app flow, your account enters a 7-day grace period during which you may cancel. After the grace period, your profile, your Input Images, your Generated Outputs, and your generation history are permanently deleted. The credit-ledger entries may be retained in anonymized form for accounting compliance.
7. Your rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): request deletion of your data. Most of this is available directly via the in-app account deletion flow.
- Restriction: ask us to limit how we process your data in certain situations.
- Portability: request your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: withdraw consent for processing based on consent, at any time, without affecting the lawfulness of processing performed before withdrawal.
- Lodge a complaint: if you are in the EEA or UK, you may lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner where required by law).
8. Security
We take reasonable technical and organizational measures to protect your information, including:
- All traffic between your device and our infrastructure is encrypted via HTTPS/TLS.
- Passwords are stored as salted hashes, never in clear text.
- Row-Level Security (RLS) policies in our database ensure that each user can only access their own data.
- Server-side storage of uploaded images and generated outputs is private by default, with access mediated by short-lived signed URLs.
- API access requires a valid authentication token (JWT) that expires within a short window.
No system is perfectly secure, however, and we cannot guarantee absolute security. If we become aware of a personal data breach that affects you, we will notify you and the relevant authorities as required by law.
9. Children's privacy
The Service is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at [email protected] and we will take prompt steps to delete that information.
If you are between 13 and the age of majority in your country of residence, you may use the Service only with the involvement of a parent or guardian, as described in our Terms of Service.
10. Cookies and similar technologies
We use only the minimum cookies and similar technologies necessary to operate the Service. Specifically:
- Authentication tokens (JWTs): short-lived tokens stored on your device that keep you signed in between sessions. These are strictly necessary and cannot be disabled if you wish to use authenticated features.
- No third-party advertising or tracking: we do not use Google Analytics, Facebook Pixel, or similar third-party tracking services on the Service.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. If we make material changes, we will update the "Last updated" date at the top of this page and may notify registered users by email or in-app notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact
If you have questions about this Privacy Policy or how we handle your personal data, contact us at [email protected].