Privacy Policy
Effective Date: March 15, 2026
Last Updated: March 15, 2026
Summary (Non-Binding)
This Privacy Policy explains what information we collect, how we use and share it, and your privacy rights. It is designed to comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and relevant GDPR obligations where they apply. It also explains how to contact us or make a complaint.
1. Introduction & Who We Are
ProductBooth.AI Pty Ltd (we, us, or our) operates the website at https://productbooth.ai and provides software tools for AI-assisted product image generation (Services).
We are committed to managing personal information openly and transparently in accordance with APP 1.
Contact details: support@productbooth.ai, registered address 20 Goyder St Erindale, Australia.
2. Information We Collect
We may collect the following categories of information:
- Identity and account data: name, email address, login details, account settings, and profile metadata.
- Service data: uploaded source images, prompts, generation settings, generated images, collections, and usage history.
- Billing data: subscription status, plan selection, invoices, transaction metadata, Stripe customer and subscription identifiers.
- Technical and usage data: IP address, device/browser data, logs, timestamps, approximate location from IP, and interaction events.
- Cookies and similar technologies: authentication/session cookies and functional cookies used to operate preferences and security features.
- Support communications: messages and attachments you send us.
We do not intentionally collect sensitive information (such as health information or government IDs) unless it is provided to us by you. Do not upload sensitive information unless strictly necessary.
Consistent with APP 3, we collect personal information only where reasonably necessary for our functions and activities, or otherwise as permitted or required by law.
3. How We Collect Information
We collect information in three main ways:
- Directly from you: when you create an account, upload content, purchase a subscription or top-up, contact support, or update profile settings.
- Automatically: through logs, cookies, and technical monitoring when you interact with the Services.
- From third parties: from payment, infrastructure, identity, and service providers supporting our operations.
If we receive unsolicited personal information (APP 4), we will determine whether we could have lawfully collected it. If not, we will de-identify or delete it where lawful and practicable.
4. Why We Collect Information (Purposes & Lawful Bases)
We collect and process personal information to:
- provide and operate the Services and your account;
- process payments and manage subscriptions/top-ups;
- generate requested outputs and maintain service quality and security;
- communicate with you about your account, support, updates, and billing;
- detect misuse, fraud, and legal or policy violations;
- comply with legal obligations and enforce our terms.
For GDPR purposes, our lawful bases may include:
- performance of a contract with you;
- legitimate interests (service security, improvement, fraud prevention);
- consent (for optional communications or cookies where required);
- compliance with legal obligations.
5. How We Use Your Information
We use personal information in accordance with APP 6 and applicable GDPR rules, including to:
- authenticate users and secure accounts;
- store and process uploaded and generated content;
- calculate usage and credit balances;
- deliver customer support and account administration;
- improve reliability, performance, and user experience;
- maintain audit trails and investigate incidents.
We do not use government-related identifiers (APP 9), such as Medicare or tax file numbers, as our own identifiers.
Consistent with APP 10, we take reasonable steps to ensure personal information we use or disclose is accurate, up to date, complete, and relevant.
6. How We Share / Disclose Your Information
We may disclose personal information to:
- Service providers/processors: Supabase (authentication, database, storage), Stripe (payments and billing), Google (Gemini model APIs), and hosting/cloud infrastructure providers such as Vercel.
- Professional advisers: legal, accounting, audit, or security providers where necessary.
- Authorities: regulators, law enforcement, courts, or government bodies where required or authorised by law.
- Corporate transactions: in connection with mergers, acquisitions, restructures, financing, or asset sales.
We take reasonable steps to ensure recipients use personal information consistently with this Privacy Policy, APP 8 obligations, and contractual safeguards.
7. International Data Transfers
We may transfer or allow access to personal information outside Australia, including to countries where our providers operate, such as the United States and other jurisdictions.
For cross-border disclosures, we implement safeguards such as contractual data protection obligations, security controls, and access restrictions. For GDPR transfers, we rely on lawful transfer mechanisms such as Standard Contractual Clauses, equivalent protections, or other lawful bases (including consent where appropriate).
8. Data Retention
We keep personal information only as long as reasonably necessary for the purposes described in this Policy, legal compliance, dispute resolution, and enforcement.
- Account and profile data: retained while your account is active and for a reasonable period after.
- Uploaded and generated content: retained until deletion by you or account closure, then removed or anonymised where practicable.
- Billing and transaction records: generally retained for up to 7 years for accounting and legal obligations.
- Security and audit logs: retained for operational, fraud prevention, and compliance periods.
- Support records: retained as needed to manage support history and legal obligations.
On valid deletion requests, we will delete or de-identify personal information unless retention is required or authorised by law.
9. Data Security
In line with APP 11, we implement reasonable technical and organisational safeguards designed to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These include access controls, encrypted transport, role-based permissions, logging, and secure infrastructure providers.
No system is completely secure. If an eligible data breach occurs, we will comply with the Notifiable Data Breaches (NDB) scheme, including notification to the OAIC and affected individuals as required. Where GDPR applies, we aim to notify relevant supervisory authorities within 72 hours where required.
10. Your Rights
Under Australian privacy law, you may request access to personal information we hold about you (APP 12) and request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information (APP 13).
You may also request information about whether we allow anonymous or pseudonymous interactions (APP 2). For core account-based features, anonymity is generally not practicable.
For EU/UK individuals where GDPR/UK GDPR applies, you may have rights to:
- access your personal data;
- rectify inaccurate data;
- erase data (right to be forgotten), subject to legal limits;
- restrict processing;
- data portability;
- object to processing based on legitimate interests or direct marketing;
- not be subject to certain solely automated decision-making with legal/similar effects.
To exercise rights, contact us at support@productbooth.ai. We may need to verify identity before processing requests.
We have not appointed a formal Data Protection Officer because we are not currently required to do so based on our scale and processing profile. Privacy responsibility remains with our management team via support@productbooth.ai.
11. Cookies & Tracking Technologies
We use cookies and similar technologies for essential functionality, security, authentication, and user preferences. We may also use technical diagnostics and service logs.
We do not currently rely on third-party advertising trackers in the core product experience. If this changes, we will update this Policy and seek consent where required by law.
You can manage cookies through browser settings, but disabling essential cookies may affect service functionality.
12. Direct Marketing & Communications
We may send service and account messages that are necessary to provide the Services (for example billing, security, and support notices).
We may also send marketing communications where permitted by law, including the Spam Act 2003 (Cth). You can opt out at any time using unsubscribe links or by contacting support@productbooth.ai.
13. Children's Privacy
Our Services are not directed to children under 16 and we do not knowingly collect personal information from children under 16 without appropriate consent.
If you believe a child has provided personal information without proper consent, contact us and we will take reasonable steps to delete or de-identify that information.
We monitor legal developments, including Australia's Children's Online Privacy Code expected from December 2026, and will update our practices as required.
14. Third-Party Links
Our website or Services may link to third-party websites or services. We are not responsible for their privacy practices, and you should review their policies before sharing personal information.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the Last Updated date. Material changes may also be notified by email or in-product notice.
Your continued use of the Services after changes take effect indicates acceptance.
16. How to Contact Us / Make a Complaint
For privacy requests, access/correction requests, or complaints, contact us at support@productbooth.ai.
Postal contact: ProductBooth.AI Pty Ltd, 20 Goyder St Erindale, Australia.
We will investigate complaints and respond within a reasonable period. If you are not satisfied, you may contact the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/privacy/privacy-complaints.
If you are in the EU/EEA or UK, you may lodge a complaint with your local data protection authority (or the UK Information Commissioner's Office, as applicable).
Under Australian law, individuals may also have statutory rights regarding serious invasions of privacy, including rights introduced from June 2025.
We are preparing for expanded automated decision-making transparency obligations expected from December 2026 and will provide additional disclosures where required.