Privacy Policy

1. Introduction

GenPrinting ("we", "us", or "our") values your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI-powered poster generation and printing service.

PD DIGITAL LTD (trading as GenPrinting), company number 17097644, registered in England and Wales, is the data controller for your personal data.

By using GenPrinting, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect different types of information to provide and improve our service:

2.1 Account Information

• Email address
• Automatically generated account ID
• Google account details if you sign in with Google (name, email, profile picture)

2.2 AI-Generated Content

• Text prompts you provide to generate images
• Generated images stored in your account

2.3 Order Information

• Shipping address and contact details
• Order history and product preferences

2.4 Payment Information

Payment card details are processed securely by Stripe. We do not store your payment card information on our servers.

2.5 Technical and Analytics Data

• IP address (used for security and rate limiting)
• Browser type, device information, and session data
• Anonymous page views and performance metrics via Vercel Analytics
• Credit usage data

3. How We Use Your Information

We use your data to:

• Generate AI images: Send your prompts and any reference images to our AI provider (fal.ai) for processing into generated images
• Process payments: Complete transactions securely through Stripe
• Fulfill orders: Send your design to our print partner (Gelato) for production and shipping
• Send notifications: Order confirmations, shipping updates, and service-related emails
• Prevent abuse: Enforce wallet credits and anti-abuse throttles to maintain service quality
• Improve our service: Analyse aggregated, non-identifying usage patterns to enhance user experience
• Provide customer support: Respond to inquiries and resolve issues
• Comply with legal obligations: Maintain records as required by law

We may also use de-identified, aggregate data to improve our service. This data cannot identify individual users, and we never use your specific prompts or images for marketing without your consent.

3.1 Lawful Basis for Processing

Under UK GDPR, we rely on the following lawful bases:

• Contract (Article 6(1)(b)): creating and managing your account, generating AI images you request, operating the AI credit wallet (deducting credits on request, adding purchased credits, displaying your balance), processing payments, fulfilling orders through our print partner, and sending transactional notifications (order, shipping, account)
• Legitimate interests (Article 6(1)(f)): preventing abuse, detecting and blocking attempts to circumvent credit limits (including multi-accounting), rate-limiting requests, investigating suspicious activity, anonymous analytics to improve the Service, and responding to customer support enquiries. We have assessed that these interests do not override your rights and freedoms.
• Legal obligation (Article 6(1)(c)): retaining order and payment records for tax and accounting purposes, and responding to lawful requests from regulators or law enforcement
• Consent (Article 6(1)(a)): only where we ask for it expressly. You can withdraw consent at any time.

4. Third-Party Services

We use trusted third-party services to operate GenPrinting. Each processes data according to their own privacy policies:

• Supabase– Authentication, database, and file storage. Supabase Privacy Policy
• Stripe– Payment processing (card details never touch our servers). Stripe Privacy Policy
• Gelato– Print fulfillment and shipping (receives your address and image after payment). Gelato Privacy Policy
• fal.ai – AI image generation and upscaling. fal.ai Privacy Policy
• Resend– Transactional emails (magic links, order confirmations, shipping updates). Resend Privacy Policy
• Cloudflare– Turnstile bot protection on the sign-in page. Cloudflare Privacy Policy
• Vercel – Hosting and anonymous analytics. Vercel Privacy Policy
• Upstash– Temporary rate-limiting counters for abuse prevention. Upstash Privacy Policy

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We only share data as necessary to provide our services:

• Service providers: Shared with third-party services listed above to operate our platform
• Legal requirements: Disclosed if required by law, court order, or government request
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new owner
• With your consent: Any other sharing requires your explicit permission

6. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest
• Access controls: Row-level security policies ensure you can only access your own data
• Authentication: Secure authentication via Supabase Auth with magic links or Google OAuth
• Regular monitoring: Automated systems monitor for suspicious activity
• Limited access: Only authorized personnel can access systems containing personal data

While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

7. Cookies and Tracking

We use the following cookies and local storage:

• Authentication and security cookies to maintain your login session (essential)
• Vercel Analytics and Speed Insights for anonymous performance monitoring (no personal data)

We do not use advertising cookies or third-party tracking pixels. On this basis we do not currently display a cookie consent banner under the UK Privacy and Electronic Communications Regulations (PECR), because all cookies and similar technologies we use are either strictly necessary or limited to privacy-focused analytics that do not build advertising profiles or track you across other websites.

8. Data Retention

We retain your data as follows:

• Account data: Retained for as long as your account is active or as necessary to provide the Service. Contact us at support@genprinting.com to request account deletion. After deletion, residual copies in encrypted backups are purged on the normal backup rotation cycle.
• Generated images: Retained for as long as your account is active. You can delete individual images at any time from your account.
• Order history: Retained for 7 years for legal and accounting purposes
• Payment records: Maintained by Stripe according to their retention policy
• Credit and anti-abuse counters: Retained according to operational and fraud-prevention needs
• Credit ledger entries: Retained for as long as your account is active for accounting and fraud-prevention purposes, then anonymised or deleted in line with the 7-year transaction record retention period above.
• Analytics data: Anonymous data retained indefinitely for service improvement
• Dispute, fraud and legal-claim retention: We may retain limited personal information beyond the periods above where reasonably necessary to comply with legal obligations, resolve disputes, enforce our Terms of Service, or prevent fraud and abuse.

9. Your Privacy Rights

Under UK GDPR, you have the right to:

• Access a copy of your personal data
• Correct incorrect or incomplete data
• Request deletion of your account and data (subject to legal retention requirements)
• Receive your data in a portable format
• Object to or restrict certain processing of your data
• Withdraw consent at any time
• Lodge a complaint with the ICO (Information Commissioner's Office)

To exercise your rights, contact us at support@genprinting.com. We aim to respond within 7 business days. Under UK GDPR we must respond without undue delay and in any event within one calendar month of your request (we may extend this by up to two further months in complex cases, and we will tell you if that applies).

California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA:

• Right to know: what personal information we collect, use, and share about you
• Right to delete: request deletion of your personal information, subject to legal exceptions
• Right to correct: request correction of inaccurate personal information
• Right to opt-out of sale or sharing: we do not sell or share your personal information for cross-context behavioural advertising
• Right to non-discrimination: we will not deny you service or charge you a different price for exercising your privacy rights

To exercise any of these rights, email support@genprinting.com. Residents of other US states with comprehensive consumer privacy laws (for example, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, New Jersey, New Hampshire, Maryland, Minnesota, and Rhode Island) may exercise broadly equivalent rights using the same contact.

10. Children's Privacy

The GenPrinting Service is intended for users who are at least 18 years old, or the age of majority in their jurisdiction, and who can enter into a legally binding contract. By creating an account or placing an order, you represent that you meet this requirement.

We do not knowingly collect personal information from children under 13 (or under 16 in the European Economic Area) without verifiable parental consent. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@genprinting.com and we will promptly delete it.

11. International Data Transfers

We sell to customers in the United Kingdom and the United States, and some of our processors (listed in Section 4) are based in or process data outside the UK:

• United States: fal.ai, Vercel, Stripe, Resend, Cloudflare, Upstash
• European Economic Area: Supabase (EU regions), Gelato

Transfers to the EEA rely on the UK's adequacy regulations for the EU/EEA. Transfers to the US rely on one or more of the following mechanisms, depending on the recipient: (a) the UK Extension to the EU-US Data Privacy Framework, where the recipient is self-certified under that framework (the "UK Data Bridge", in force since 12 October 2023); (b) the UK International Data Transfer Agreement (IDTA); or (c) the UK Addendum to the EU Standard Contractual Clauses. You can request a copy of the relevant safeguards by emailing us.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:

• Posting the updated policy on this page
• Updating the "Last Updated" date at the top

Your continued use of GenPrinting after changes become effective constitutes acceptance of the updated policy.

13. ICO registration

PD DIGITAL LTD is registered with the UK Information Commissioner's Office (ICO) as a data controller and pays the data protection fee. Registration reference: ZC108289. View our entry on the ICO register

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us: