Notice
Privacy Policy
Provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR").
Last updated: April 27, 2026
1. Data Controller
The Controller of personal data is CladeGrove · di Fabio Ariotti, sole proprietorship (impresa individuale) with registered office in Trino (VC), Italy.
- VAT no. (P.IVA): IT02782390021
- Tax code (Codice Fiscale): RTTFBA97T03B885G
- REA: VC-312122
- Certified email (PEC): FabioAriotti@Pec.It
- Privacy contact: privacy@cladegrove.com
- General support: support@cladegrove.com
The Controller has not appointed a Data Protection Officer (DPO), as this is not required under Art. 37 GDPR.
2. Nature of the Service: "synthetic only" design
CladeGrove is an AI photo studio: every face and every body produced by the platform is fully synthetic. The Service does not perform face cloning, identity replication, or any other form of biometric mapping of real people. By design:
- Characters (re-usable models) created on or after 27 April 2026 are built exclusively from text descriptions (modes text_free and text_guided in the API). Photo-based character creation modes were removed on that date and the platform no longer accepts face photos as character source material.
  Caveat: legacy characters. Characters created before 27 April 2026 may have an associated stored reference face photo (source_photo_path field on the characters table). When you tag such a legacy character in a new generation, that stored photo is sent to the AI image model as an identity reference, alongside any wardrobe items. You can remove the photo at any time by deleting the legacy character from the "Characters" section. New characters cannot be created in this way.
- Wardrobe items uploaded by you are clothing/accessory pictures used as visual references for the synthetic outfit. They are processed as product photography, not as identification material.
- Optional scene reference photos uploaded in the generator influence framing, lighting and composition only. The identity of any person depicted in such photos is not reproduced in the output. The output identity comes from the textual persona specification, not from pixel-faithful reproduction of any uploaded subject.
- Every generated image is marked, before storage, with machine-readable provenance metadata declaring it is AI-generated (see §11 below). This is part of our commitment under Art. 50 of Regulation (EU) 2024/1689 (AI Act).
The Acceptable Use rules in our Terms of Service (§5) prohibit attempts to use the Service to depict real, identifiable people without consent, to impersonate, or to produce non-consensual intimate imagery. Violations result in account termination.
3. Data processed
We process the following categories of data:
- Registration data: email address, password (stored in hashed form), account creation date, profile fields you optionally provide (first name, last name, display name).
- User-generated content: text prompts and character descriptions, wardrobe item images, optional scene reference photos, generated synthetic outputs, outfit presets and saved "looks". Such content is processed to deliver the Service and is retained until you delete it or delete your account.
- Billing data: subscription plan, top-up purchases, credit ledger, Stripe customer ID. Payment card data is never seen nor stored by us: it is handled directly by Stripe (PCI-DSS Level 1).
- Usage and technical data: IP address, user-agent, technical access logs, strictly necessary cookies and local storage (see Cookie Policy). No third-party analytics or marketing trackers are currently active on the platform.
- Optional reference photos that incidentally include a person: should an uploaded scene reference happen to include the user or a third party (e.g. a selfie used to suggest a mood or setting), the depicted person is treated as an identified or identifiable individual under Art. 4(1) GDPR. The image is processed only for the time strictly necessary to generate the output, is not used by us to extract biometric templates, and is retained on our side (Supabase Storage) until you delete the corresponding generation or your account. The image is also transmitted to OpenAI as an input for the image-generation API call, where it is retained by OpenAI for up to 30 days for abuse-monitoring purposes only and is then deleted (see §6, OpenAI). For runs that do not tag a legacy character with a stored face photo (see §2), the synthetic output is generated from the textual persona specification rather than from pixel-level reproduction of the uploaded subject.
- Customer-support and feedback content: email correspondence, in-app feedback box submissions (table user_feedbacks), retained for product improvement and dispute resolution.
We do not process special categories of personal data within the meaning of Art. 9 GDPR (including biometric data for the purpose of uniquely identifying a natural person). The Service is technically designed to avoid biometric processing.
4. Purposes and legal bases
- Service delivery (Art. 6.1.b GDPR, performance of contract): registration, authentication, generation of synthetic images, storage of wardrobe and characters, billing.
- Security and abuse prevention (Art. 6.1.f GDPR, legitimate interest): access logs, rate-limiting, system protection, content-policy enforcement (e.g. blocks on attempts to generate prohibited content).
- Legal obligations (Art. 6.1.c GDPR): retention of data for tax, accounting or competent authorities' requests (10 years for invoices and tax records, Art. 2220 Italian Civil Code).
- Marketing communications (Art. 6.1.a GDPR, consent): only with explicit consent at registration, revocable at any time.
- AI Act compliance (Art. 6.1.c GDPR): embedding of provenance metadata in every generated output is a legal obligation under Art. 50(2) of Regulation (EU) 2024/1689.
5. Provision of data
Provision of registration data and content necessary for the Service is mandatory: refusal makes use of the platform impossible. Consent to marketing communications is optional and does not affect access to the Service.
6. Recipients of data (External processors)
To deliver the Service we rely on the following data processors, each governed by a dedicated DPA pursuant to Art. 28 GDPR:
- Supabase Inc. (USA): authentication, database and storage. Non-EU transfer governed by the European Commission's Standard Contractual Clauses (SCC, EU Decision 2021/914).
- OpenAI, L.L.C. (USA): generative AI models for textual extraction (gpt-5.4-mini) and image synthesis (gpt-image-2). Inputs (text prompts and reference images) are transmitted to the model only for the time strictly necessary for processing. Pursuant to OpenAI's API data-usage policy in force, API inputs and outputs are not used to train OpenAI models and are retained by OpenAI for a maximum of 30 days for abuse-monitoring purposes only, after which they are deleted. Non-EU transfer governed by SCC.
- Stripe Payments Europe, Ltd. (Ireland, EU): payment processing, subscriptions, billing portal. Card data is handled directly by Stripe (PCI-DSS Level 1) and never reaches our servers.
- Vercel Inc. (USA): application hosting and CDN. Non-EU transfer governed by SCC.
- Cloudflare, Inc. (USA): domain registrar, DNS and anti-bot protection. Non-EU transfer governed by SCC.
Data is not disseminated and is not transferred to third parties for commercial profiling purposes.
7. Non-EU transfers
Some of the providers listed above are based in the United States of America. The transfer takes place on the basis of the Standard Contractual Clauses (EU Decision 2021/914) and, where available, the provider's adherence to the EU-US Data Privacy Framework (adequacy decision of 10 July 2023). Copies of the safeguards can be requested from the Controller at privacy@cladegrove.com.
8. Retention period
- Registration data: for the entire duration of the account and for 30 days following the deletion request, except where longer retention is required by law.
- User-generated content (prompts, wardrobe items, characters, generations, outfit presets): until manual deletion by the user or deletion of the account.
- Reference photos transmitted to the OpenAI API (scene references and, for legacy characters, the stored face reference photo, see §2): retained by OpenAI for up to 30 days for abuse-monitoring under OpenAI's default API data-usage policy, after which they are deleted on the sub-processor side. On our side, original reference uploads tied to a generation are stored on Supabase Storage until you delete the generation, the legacy character, or the account.
- Billing records and invoices: 10 years (Art. 2220 Italian Civil Code, tax obligations).
- Security logs and technical data: 12 months, except where longer retention is required for investigations.
- Provenance metadata embedded in generated images: written into the file itself before persistence (see §11). It travels with the file as long as no third party strips or re-encodes it; we do not retain a separate copy of these markers. Removing or forging the markers constitutes a violation of our Terms.
9. Rights of the data subject
Pursuant to Articles 15–22 GDPR, you have the right to:
- access your personal data and obtain a copy;
- rectify inaccurate or incomplete data;
- obtain erasure of your data ("right to be forgotten"), subject to legal retention obligations;
- restrict or object to processing;
- obtain portability of your data in a structured, readable format;
- withdraw consent at any time, without prejudice to the lawfulness of processing based on consent given before withdrawal;
- lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) or the competent supervisory authority.
To exercise your rights, write to privacy@cladegrove.com or to the Controller's PEC FabioAriotti@Pec.It. We will respond within 30 days.
Right to object: synthetic likeness. Should an output incidentally resemble you to a degree that is recognisable to a third party, you may request its erasure free of charge by writing to the privacy contact above. Provide a description of the relevant generation. We will remove it within 7 days of verification.
10. Automated decision-making (Art. 22 GDPR)
The Service uses generative AI models supplied by OpenAI, L.L.C., specifically gpt-5.4-mini for the textual extraction of persona attributes and gpt-image-2 for image synthesis, to generate synthetic images upon your explicit request. Such processes do not produce legal effects nor significantly affect you within the meaning of Art. 22 GDPR. We do not perform profiling, scoring, or automated decisions about you on the basis of model outputs.
11. AI transparency and provenance metadata (AI Act, Art. 50)
Pursuant to Article 50(2) of Regulation (EU) 2024/1689 (AI Act), generated outputs are marked in a machine-readable format detectable as artificially generated. Specifically, before persistence each output is stamped with:
- EXIF IFD0 tags (Software, Artist, Copyright, ImageDescription) declaring AI-generated origin;
- an XMP packet carrying the IPTC controlled-vocabulary value Iptc4xmpExt:DigitalSourceType = http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia (the standard endorsed by the European Commission AI Office and IPTC for synthetic-media labelling), together with our custom GenAI: namespace recording provider (OpenAI gpt-image-2 via CladeGrove), generation ID, timestamp, the URL of these Terms and a public AI disclosure URL.
Caveat: some third-party social platforms, messaging apps and download tools strip EXIF and XMP metadata when re-encoding images. Where this happens, machine-readable markers may be lost. This does not relieve you of any user-side disclosure obligation under Art. 50(4) AI Act when you publish the output to third parties.
We are committed to upgrading provenance to a cryptographically signed C2PA Content Credentials manifest before the date of applicability of Art. 50 (2 August 2026), so that the AI-generated marking remains verifiable across platforms even where EXIF/XMP is stripped.
For end-user information about how this Service marks AI-generated content, see the public AI Disclosure page (also linked from the metadata embedded in every output file).
12. Security
Data is processed using automated tools and stored on cloud infrastructure of third-party providers (listed above) with appropriate technical and organisational measures (Art. 32 GDPR): encryption in transit (TLS), encryption at rest as provided by our processors, role-based access, password hashing managed by Supabase Auth, application-level authorisation gates on every API route, and per-tenant isolation enforced both at the application layer (every business API route validates auth.uid() = row.user_id) and at the database layer (Postgres Row-Level Security policies on the public schema, restricting select/insert/update/delete to auth.uid() = user_id).
13. Changes to this notice
We reserve the right to update this notice. Material changes will be notified to you by email or in-app with reasonable advance notice.