Privacy Policy

Last Updated: April 23, 2026


1. Controller Information

Shoodio.ai is operated by:

Puristo GmbH
Waldbach 51
4816 Gschwandt bei Gmunden
Austria

Registration: FN 346897v, Landesgericht Wels
Managing Director: Kornelia Steiner
Contact: info@shoodio.ai

Data Protection Officer: Not required (team size < 20 persons under GDPR Article 37)


2. Overview

Shoodio is an AI-powered platform for creating fashion model photoshoots using synthetic AI-generated models. We process personal data only to the extent necessary to provide our services.

Important: All AI-generated models are synthetic and do not represent real persons. No biometric data is processed.


3. Personal Data We Collect

3.1 Account Data

When you register, we collect:

  • Email address (required)
  • Password (hashed, not readable)
  • Display name (required)
  • Profile avatar (optional)
  • Language preference

3.2 OAuth Sign-In (Google)

If you sign in via Google:

  • Email address
  • Display name
  • Profile picture (optional)

3.3 Generated Content

  • Text prompts for AI generation
  • AI-generated images and videos
  • Campaign configurations and workspace data

3.4 Payment Data

Processed exclusively by Paddle (our payment provider):

  • Transaction ID
  • Amount and currency
  • Payment status
  • Paddle Customer ID

We do NOT store credit card numbers or payment details.

3.5 Technical Data

  • Session cookies (Supabase Auth)
  • Access tokens (1 hour expiration)
  • Authentication logs
  • Language and UI preferences

4. Legal Basis and Purposes

| Purpose | Legal Basis | GDPR Reference |
| --- | --- | --- |
| Account management and authentication | Contract performance | Art. 6(1)b GDPR |
| AI content generation | Contract performance | Art. 6(1)b GDPR |
| Payment processing | Contract performance | Art. 6(1)b GDPR |
| Aggregated platform analytics (no user content) | Legitimate interest | Art. 6(1)f GDPR |
| Marketing emails (with consent) | Consent | Art. 6(1)a GDPR |

You can withdraw consent for marketing emails at any time via the unsubscribe link in each email or in your account settings.


5. Data Recipients and Third-Party Services

We share your personal data only with the following service providers:

5.1 Supabase (Cloud Hosting & Database)

  • Purpose: Account management, authentication, database hosting
  • Location: EU (Frankfurt region available)
  • Data processed: Account data, session data, generated content metadata
  • Security: AES-256 encryption at rest, Row Level Security
  • Data Processing Agreement: Available

5.2 Paddle (Payment Processing)

  • Purpose: Subscription and credit purchase processing (Merchant of Record)
  • Location: UK (Paddle.com Market Limited)
  • Data shared with Paddle:
    • Your email address
    • Billing address (if provided)
    • Transaction ID and amount
    • Selected plan and billing period
  • Data stored in our database from Paddle:
    • Paddle Customer ID (links your Shoodio account to Paddle)
    • Paddle Subscription ID (for subscription management)
    • Transaction status and timestamps
  • Payment card data: Processed ONLY by Paddle, NEVER stored by us
  • International transfers: Paddle processes data in UK/EU, with some operations in USA under Standard Contractual Clauses (SCCs)
  • Paddle Privacy Policy: https://www.paddle.com/legal/privacy
  • Data Processing Agreement: https://www.paddle.com/legal/gdpr
  • Note: Paddle acts as Merchant of Record, meaning they handle all payment processing, tax compliance, and subscription billing on our behalf

5.3 Resend (Email Delivery)

  • Purpose: Transactional emails and newsletters (with consent)
  • Location: USA
  • International transfer: Standard Contractual Clauses (SCCs)
  • Data processed: Email addresses, email content
  • Retention: Email logs stored for 30 days
  • Data Processing Agreement: Available

5.4 AI Rendering Providers

To generate the images and videos you request, your uploads and prompts are passed through the following AI providers. Data is transmitted only at the moment of generation and is not retained by the providers beyond what is necessary to complete your request.

Fal.ai (AI Image Generation)

  • Purpose: Executing your image-generation requests (model + background + apparel composition)
  • Location: USA
  • International transfer: Standard Contractual Clauses (SCCs)
  • Data processed: Your uploaded reference images (product photos, apparel, backgrounds), text prompts, generation parameters
  • Retention by Fal.ai: Only for the duration of the generation job; not used for training
  • Data Processing Agreement: Available

OpenAI (Vision Analysis & Prompt Optimisation)

  • Purpose: Analysing uploaded apparel for category / color / material detection, and optimising prompts for generation
  • Location: USA
  • International transfer: Standard Contractual Clauses (SCCs)
  • Data processed: Thumbnail-resolution versions of uploaded apparel photos, text prompts
  • Retention by OpenAI: Processed via API with zero-retention agreement (OpenAI does not retain API content beyond 30 days for abuse monitoring, and does not train on API content)
  • Data Processing Agreement: Available

Bunny CDN (Media Storage & Delivery)

  • Purpose: Storing your uploaded assets and generated images, delivering them to your browser
  • Location: Global CDN edge nodes; primary storage in USA (New York)
  • International transfer: Standard Contractual Clauses (SCCs)
  • Data processed: Uploaded product photos, generated images and videos
  • Retention: Per your plan's content-retention policy (Basic: 90 days, Pro+: 365 days or manual deletion)
  • Data Processing Agreement: Available

5.5 No AI Training on Your Content

We do not use your uploaded product photos, apparel images, prompts, or generated content to train or fine-tune AI models — neither our own models nor any third-party provider's models. Any "platform improvements" we perform use only aggregated, anonymised usage metrics (e.g. generation counts, latency statistics, error rates) and never include your content.

All service providers are contractually bound to GDPR compliance.


6. Data Retention Periods

| Data Type | Retention Period |
| --- | --- |
| Account data | Until account deletion by user |
| Session data | 30 days |
| Authentication logs | 90 days |
| Generated content (Basic Plan) | 90 days (automatic deletion) |
| Generated content (Pro+ Plans) | 365 days max, or until deleted by user |
| Payment records | 10 years (legal requirement in Austria) |
| Email logs | 30 days |

Note: Generated content on Basic plans is automatically deleted after 90 days. Pro+ users can keep content up to 365 days or delete it manually earlier.


7. Cookies and Tracking

We use a cookie consent banner that allows you to manage your preferences. You can change your settings at any time via "Cookie Settings" in your account settings.

7.1 Essential Cookies (always active)

| Cookie | Provider | Purpose | Duration |
| --- | --- | --- | --- |
| sb-*-auth-token | Supabase | Authentication and session management | 1 year |
| shoodio-consent | Shoodio | Stores your cookie preferences | 1 year |
| shoodio-lang | Shoodio | Stores your language preference | 1 year |

7.2 Functional Cookies (optional)

These cookies can be disabled via the cookie banner.

| Cookie | Provider | Purpose | Duration |
| --- | --- | --- | --- |
| paddle_* | Paddle | Payment processing (checkout, fraud prevention) | Session |

7.3 Analytics and Marketing Cookies

Currently, we do not use analytics or marketing cookies. If this changes, we will update this policy and request your consent via the cookie banner.


8. International Data Transfers

  • Supabase: EU hosting (Frankfurt) - no international transfer
  • Paddle: Primary location UK/EU, some payment processing operations in USA - protected by Standard Contractual Clauses (SCCs) approved by the European Commission
  • Resend: USA - protected by Standard Contractual Clauses (SCCs) approved by the European Commission

All transfers comply with GDPR Chapter V requirements. For UK transfers post-Brexit, we rely on the European Commission's adequacy decision for the UK (valid until June 2025, expected to be renewed).


9. Referral & Affiliate Program

9.1 Data We Process

When you participate in the Shoodio referral or affiliate program, we process:

  • Referral codes and attribution (who referred whom)
  • IP address at registration (fraud prevention only, deleted after 90 days)
  • Commission amounts and timestamps
  • For partners: name, company details, tax ID, bank/PayPal details, social media links

9.2 Legal Basis

  • Contract performance (Art. 6(1)(b) GDPR) for partner agreements
  • Legitimate interest (Art. 6(1)(f) GDPR) for user referral tracking

9.3 Retention

  • Financial records (commissions, payouts): 10 years (Section 132 BAO, Austrian Federal Tax Code)
  • Referral attribution: until account deletion (then anonymized)
  • IP addresses: 90 days

9.4 Account Deletion

  • Referral records are anonymized (not deleted) to comply with tax retention obligations
  • Financial records are retained for the statutory period
  • Partner payout details are deleted immediately

10. Your Rights Under GDPR

You have the following rights regarding your personal data:

10.1 Right of Access (Art. 15 GDPR)

Request a copy of all personal data we store about you.

10.2 Right to Rectification (Art. 16 GDPR)

Correct inaccurate data in your profile settings.

10.3 Right to Erasure (Art. 17 GDPR)

Request deletion of your account and personal data. Note: 30-day cooling period applies for account recovery.

10.4 Right to Data Portability (Art. 20 GDPR)

Receive your data in JSON or CSV format, including:

  • Account information: Email, display name, preferences
  • Subscription history: Plan changes, billing periods, status changes
  • Payment transactions: Purchase amounts, dates, transaction IDs (credit card details excluded)
  • Generated content metadata: Prompts, campaign configurations, asset references
  • User-uploaded content: Models, apparel, backgrounds metadata

The export does NOT include AI-generated images/videos themselves (file size limits), but provides download links that remain valid for 30 days after export.

10.5 Right to Object (Art. 21 GDPR)

Object to data processing based on legitimate interest or for marketing purposes.

10.6 Right to Restrict Processing (Art. 18 GDPR)

Request limitation of data processing under certain conditions.

Implementation Status: Data export and account deletion features are currently in development (planned release: Q1 2025). Until then, please contact info@shoodio.ai to exercise these rights.


11. Security Measures

We implement state-of-the-art security measures:

  • Encryption in transit: HTTPS/TLS for all data transfers
  • Encryption at rest: AES-256 encryption (Supabase)
  • Password security: Industry-standard hashing (Supabase Auth)
  • Access control: Row Level Security (RLS) policies
  • Secure processing: Edge Functions for AI generation with isolated environments

12. Age Restriction

Shoodio is only available to users aged 16 years or older in compliance with GDPR Article 8.

We do not knowingly collect data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately at info@shoodio.ai.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • New features or services
  • Legal or regulatory changes
  • Security improvements

You will be notified of material changes via:

  • Email notification
  • Login notification banner
  • Changelog available at /privacy

Continued use of Shoodio after changes constitutes acceptance of the updated policy.


14. Contact and Complaints

Questions or Concerns?

Contact us at: info@shoodio.ai

File a Complaint

You have the right to lodge a complaint with your local data protection authority.

Austrian Data Protection Authority:
Barichgasse 40-42
1030 Vienna, Austria
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/


15. Legal Basis Summary

This Privacy Policy is based on:

  • GDPR (General Data Protection Regulation) - Regulation (EU) 2016/679
  • Austrian Data Protection Act (DSG)
  • ePrivacy Directive - Directive 2002/58/EC

Thank you for trusting Shoodio with your data. We are committed to protecting your privacy.


For the German, Spanish, Italian, or French version of this Privacy Policy, please select your language in the footer.