Privacy Policy
Effective date: 2026-04-17 · Last updated: 2026-04-17
MercaPic ("we", "us") respects your privacy. This policy explains what we collect, why, how we protect it, and your rights under GDPR, CCPA, and China's Personal Information Protection Law (PIPL).
1. What we collect
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account identification, magic-link login, billing receipts, service announcements | Until account deletion |
| Product reference photos (uploads) | Input to AI analysis; generating your campaign | Deleted within 24 hours of generation |
| Generated image thumbnails (256 px) | Display on your Projects page | Until you delete the project or close your account |
| Prompts and generation parameters | Troubleshooting failures, improving quality, your history | Up to 90 days after account closure |
| Usage logs (IP, user-agent, timestamps, error codes) | Abuse prevention, rate limiting, debugging | 30 days |
| Billing info (via payment processor only) | Subscription management | As required by tax law, typically 7 years |
We do not collect: birthdate, physical address, phone number, government ID, biometrics, or browsing history outside our Service.
2. How we use your data
Lawful bases under GDPR:
- Contract (Art. 6(1)(b)): Providing the Service you signed up for
- Legitimate interest (Art. 6(1)(f)): Security, abuse prevention, product improvement
- Legal obligation (Art. 6(1)(c)): Tax records, compliance requests
We do not sell your data. We do not use your uploaded photos or prompts to train public AI models.
3. Third parties we share data with
- Supabase Inc. (USA/EU) — our authentication and database provider. Privacy policy: supabase.com/privacy
- Google LLC (USA) — the Gemini API is the AI engine that generates images. Uploaded photos and prompts are sent to Google's Vertex AI via a relay. See the Google Privacy Policy.
- apiyi.com (China) — relay proxy for Gemini API. Traffic is encrypted in transit.
- Payment processor (Stripe or Alipay, depending on region) — handles card details; we never see full card numbers.
No data is shared with advertisers, data brokers, or analytics vendors that build user profiles.
4. International transfers
Your data may be processed in the United States (Google, Stripe), the European Union (Supabase EU region), and China (apiyi relay). We rely on Standard Contractual Clauses (SCCs) and PIPL-approved transfer mechanisms where applicable.
5. Security
Measures we take:
- HTTPS on all connections; no plaintext transit
- Passwordless magic-link authentication — no password storage to breach
- Database encryption at rest (Supabase default)
- Row-level security (RLS) policies — your data is invisible to other users at the database level
- Uploaded photos stored in memory only during processing; never written to persistent disk
No system is perfect. If we discover a breach affecting your personal data, we notify you within 72 hours per GDPR Art. 33.
6. Your rights
Under GDPR, CCPA, and PIPL you may:
- Access — request a copy of your data
- Rectify — correct inaccurate data
- Erase — delete your account and associated data ("right to be forgotten")
- Port — receive your data in a machine-readable format
- Object / restrict — limit how we process your data
- Withdraw consent — where processing is based on consent
- Lodge a complaint with your data protection authority (e.g. Spanish AEPD, California AG, Chinese CAC)
Email fangzihao8831@gmail.com with your request. We respond within 30 days (sooner where the law requires).
7. Children
MercaPic is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has registered, email us and we will delete the account.
8. Cookies
We use only the minimum essential cookies for authentication (storing your Supabase session). We set no third-party tracking cookies and no advertising cookies. No cookie banner is required because we do not set non-essential cookies.
9. Changes
Material changes to this policy will be announced by email at least 14 days in advance. The "Last updated" date at the top reflects the most recent revision.
10. Contact
Data controller: MercaPic (Barcelona, Spain)
Privacy inquiries: fangzihao8831@gmail.com
General: fangzihao8831@gmail.com