LEGAL

Privacy Policy

Last updated: 1 May 2026

Purrtraits ("we", "us", "our") is a UK-based service that turns photographs of pets into AI-generated portraits, available as digital downloads or as physical prints fulfilled by our print partner. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using purrtraits.shop (the "Site") you agree to the practices described below. If you do not agree, please do not use the Site.

1. Who we are

Purrtraits is the data controller for the personal data described in this policy. You can reach us at privacy@purrtraits.shop for any privacy questions, requests, or complaints.

2. The data we collect

We collect the following categories of personal data:

  • Account & contact data. Email address, display name, and (where you create an account) a hashed password or a third-party identifier used for sign-in.
  • Pet photographs you upload. The image files you submit so we can generate portraits, plus any pet name or short description you provide.
  • Generated portraits. The AI-generated images we produce on your behalf and any selections you make (style, framing, size).
  • Order & shipping data. If you buy a physical print, your delivery address, recipient name, and order details. Payment card details are handled directly by our payment processor — we do not see or store full card numbers.
  • Quiz responses. Answers you give in our on-site quiz (e.g. about your pet's personality and your style preferences) so we can recommend portrait styles.
  • Session & usage data. A session identifier we set in your browser, basic device and browser information, pages visited, referring URL, approximate location derived from IP, and event timestamps.
  • Communications. Messages you send us by email or through any contact form.

3. How we use your data & legal bases

Under UK GDPR we only process personal data when we have a lawful basis to do so. Our uses and bases are:

  • To provide the service — generating portraits from your photos, fulfilling orders, providing customer support. Legal basis: performance of a contract.
  • To process payments — sharing the minimum transaction information needed with our payment processor. Legal basis: performance of a contract.
  • To run and secure the Site — preventing fraud and abuse, debugging, securing accounts. Legal basis: legitimate interests in operating a safe service.
  • To improve the service — measuring how features are used so we can fix problems and improve the product. Legal basis: legitimate interests.
  • To show advertising — including personalised advertising via Google AdSense where you have consented to advertising cookies. Legal basis: consent.
  • To comply with our legal obligations — for example tax, accounting, and responding to lawful requests from authorities. Legal basis: legal obligation.

4. AI image generation & your photos

The photos you upload are sent to our AI image-generation partner (fal.ai) so they can produce a portrait. We send only what is needed to generate your image and we do not use your uploaded photos to train any general-purpose AI model. We retain uploaded photos and generated portraits in our backend (Convex) so you can return to your gallery and re-order prints; you can ask us to delete them at any time (see section 9).

5. Third-party processors we share data with

We use the following service providers ("processors") to run Purrtraits. They process personal data on our instructions under written agreements that include UK-GDPR-compliant safeguards. Where data is transferred outside the UK we rely on the UK Addendum to the EU Standard Contractual Clauses or on UK adequacy decisions.

  • Stripe — payment processing. Receives transaction details and the card information you enter at checkout. See stripe.com/privacy.
  • fal.ai — AI image generation. Receives the pet photos you upload and the prompt parameters needed to produce your portrait. See fal.ai/privacy-policy.
  • Gelato — print-on-demand fulfilment. Receives the final portrait file, your shipping address, and order details so it can print and ship your order. See gelato.com/legal/privacy-policy.
  • Convex — our backend database and application platform. Hosts your account, gallery, orders, and session data. See convex.dev/legal/privacy.
  • Google AdSense — serves advertising on the Site. Where you consent to advertising cookies, Google may collect device, browsing, and approximate-location signals to personalise ads. See policies.google.com/privacy and policies.google.com/technologies/ads.

We do not sell your personal data. We do not share your pet photos or generated portraits with anyone other than the processors above, except where we are legally required to do so.

6. Cookies and similar technologies

We use a small number of cookies and similar storage mechanisms to keep you signed in, remember your cart, and (with your consent) to serve advertising. For full details and to manage your choices, see our Cookie Policy.

7. International transfers

Some of our processors are based outside the UK (for example in the United States). When personal data is transferred outside the UK we rely on transfer mechanisms recognised under UK GDPR — typically the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or transfers to jurisdictions covered by a UK adequacy decision.

8. How long we keep your data

  • Account data & gallery — kept while your account is active. If you delete your account or ask us to delete your data, we remove it within 30 days unless we are required to keep it longer for legal or accounting reasons.
  • Uploaded photos & generated portraits — kept while your account is active so you can re-download and re-order, then deleted on account deletion or on request.
  • Order & payment records — kept for up to 7 years to comply with UK tax and accounting law.
  • Session & analytics data — kept for up to 26 months, then deleted or aggregated.
  • Support emails — kept for up to 3 years after the last contact.

9. Your rights under UK GDPR

You have the right to:

  • request access to the personal data we hold about you;
  • ask us to correct inaccurate or incomplete data;
  • ask us to delete your personal data ("right to be forgotten");
  • ask us to restrict or object to certain processing;
  • request a portable copy of the data you provided to us;
  • withdraw consent at any time, where we rely on consent (e.g. advertising cookies); and
  • complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email privacy@purrtraits.shop. We will respond within one month. We may need to verify your identity before acting on a request.

10. Security

We use industry-standard technical and organisational measures to protect your data — including encryption in transit (TLS), access controls, and reputable hosting providers. No system is perfectly secure, but we work to keep your data safe and will notify you and the ICO of any personal-data breach where required by law.

11. Children

Purrtraits is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date above and, where appropriate, notify you by email or via a notice on the Site.

13. Contact us

For any questions about this Privacy Policy or how we handle your data, email privacy@purrtraits.shop.