Privacy Policy

Last Updated: May 1, 2026

Data Controller

The data controller responsible for your personal data is:

  • YAYA STUDIO AI AB
  • Walter Bengtssons Gata 18
  • 414 50 Göteborg
  • Sweden
  • Registration number: 559544-4315
  • Email: help@yposer.ai

We have not appointed a Data Protection Officer as our processing activities do not require one under Art. 37 GDPR. For all privacy inquiries, please contact us at the email address above.

Introduction

YPOSER (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our AI-powered image manipulation platform, in accordance with the General Data Protection Regulation (GDPR).

Please read this policy carefully before using our services.

Information We Collect

Account Data:

  • Email address (via Google Sign-In or email OTP)
  • Display name and profile picture

Payment Data:

  • Billing information processed by Stripe (we never see or store your card numbers)
  • Subscription tier and credit balance
  • Invoice and transaction records

Image Data:

  • Images you upload for AI processing
  • AI-generated images and outputs

Usage Data:

  • Job records (type, status, timestamps)
  • Anonymous usage analytics (page views, session duration, device type) — collected only with your consent via Google Analytics

Technical Data:

  • Session cookies for authentication
  • Cookie consent preferences

Lawful Basis for Processing

We process your personal data on the following legal bases under GDPR Art. 6(1):

Processing ActivityLawful Basis
Account creation (email, name)Contract — Art. 6(1)(b)
AI image generationContract — Art. 6(1)(b)
Payment processing (Stripe)Contract — Art. 6(1)(b)
Email OTP authentication (Stytch)Contract — Art. 6(1)(b)
Essential cookies (session)Legitimate interest — Art. 6(1)(f)
Analytics cookies (Google Analytics)Consent — Art. 6(1)(a)

Necessity of Providing Data

Providing your personal data is a contractual requirement necessary to use our service. Specifically:

  • Account data (email address) is required to create an account and access the platform. Without it, you cannot use YPOSER.
  • Payment data is required to subscribe to a paid plan. Without it, you are limited to the free tier.
  • Image data is required to use our AI generation tools. Without uploading images, the service cannot process your request.

How We Use Your Data

We use your personal data to:

  • Provide and maintain our AI image generation services
  • Process your images and deliver results
  • Manage your account, credits, and subscriptions
  • Process payments through Stripe
  • Authenticate your identity via Google Sign-In or email OTP
  • Send service-related communications
  • Prevent abuse through rate-limiting

We do not use your uploaded images or generated content to train our AI models. Your data is processed solely to provide the requested service.

Data Retention

We retain your data for the following periods:

Data TypeRetention PeriodMechanism
Account dataUntil account deletionUser request or account delete
Job records30 daysAutomatic purge (TTL policy)
Gallery imagesUntil you delete themUser-initiated deletion
Temporary processing imagesProcessing duration onlyOverwritten/expired
Payment dataPer Stripe retention policyManaged by Stripe
Analytics data2 months (user data) / 14 months (event data)Google Analytics default retention
CookiesSession or per cookie typeBrowser-managed

You may request deletion of your account and all associated data at any time by contacting us.

Third-Party Processors

We share your data with the following third-party processors to deliver our service:

  • Google Firebase — User accounts, profiles, job records, and real-time data. Processes email, display name, and authentication state.
  • Google Analytics (Firebase Analytics) — Collects anonymous usage data (page views, session duration, device type) to help us understand how the site is used. Only activated with your consent. Data is aggregated and does not personally identify you.
  • Google Cloud Storage — Stores uploaded images and AI-generated outputs. Images are accessed via time-limited signed URLs.
  • Vertex AI — Processes images through AI models for generation. Images are sent to Google's AI infrastructure for processing only.
  • Stripe — Payment processing, subscription management, and invoicing. Stripe is PCI-DSS compliant; we never see or store your card numbers.
  • Stytch — Email one-time password (OTP) authentication. Only receives your email address to deliver login codes. Tokens expire after 2 minutes.
  • OpenAI — Processes images through GPT-Image AI models for image editing and generation. Only receives images and prompts necessary for the requested operation. OpenAI does not use API inputs or outputs to train their models.

Each processor operates under its own data processing agreement and privacy policy.

Cross-Border Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

  • Google Cloud, Firebase, Google Analytics, and Vertex AI — May process data in the US and EU. Covered by the EU-U.S. Data Privacy Framework (DPF) and Google's Standard Contractual Clauses (SCCs).
  • Stripe — US-headquartered. Covered by the EU-U.S. Data Privacy Framework (DPF) and Stripe's Standard Contractual Clauses (SCCs).
  • OpenAI — US-headquartered. Covered by the EU-U.S. Data Privacy Framework (DPF) and OpenAI's Data Processing Agreement (DPA).
  • Stytch — US-headquartered. Covered by Standard Contractual Clauses (SCCs).

Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — Request a copy of your personal data
  • Right to rectification (Art. 16) — Correct inaccurate personal data
  • Right to erasure (Art. 17) — Request deletion of your personal data
  • Right to restriction (Art. 18) — Restrict processing of your data
  • Right to data portability (Art. 20) — Receive your data in a machine-readable format
  • Right to object (Art. 21) — Object to processing based on legitimate interest
  • Right to withdraw consent — Withdraw consent at any time for consent-based processing

Automated decision-making (Art. 22): Our AI image generation is entirely user-initiated and does not produce decisions with legal or similarly significant effects on you. You control what images to upload and when to generate.

To exercise any of these rights, contact us at help@yposer.ai. We will respond within 30 days. We may extend this by up to 60 additional days for complex requests, and will notify you in writing if we do.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

  • Integritetsskyddsmyndigheten (IMY)
  • Swedish Authority for Privacy Protection
  • Box 8114, 104 20 Stockholm, Sweden
  • imy.se

Cookies

We use cookies and similar tracking technologies. For detailed information about our cookie practices, please see our Cookie Policy.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the “Last Updated” date at the top of this page. We encourage you to review this policy periodically.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at help@yposer.ai.

Back to Home