Privacy Policy

Effective date: July 28, 2025

Who we are: Plotiz, Inc. ("Plotiz," "we," "us," or "our")
Contact: hello@plotiz.com

Plotiz is a generative-commerce platform that turns prompts (text, voice, images) into real, shippable products. This Privacy Policy explains what personal data we collect, how we use and share it, and the choices you have. Capitalized terms not defined here have the meanings in our Terms of Service.

1. Scope

This policy applies to visitors to plotiz.com, registered users of our Services, order recipients, and business customers using our SDK or integrations. For enterprise customers, Plotiz generally acts as a processor/service provider for the end-user data processed on their behalf, and the customer's contract controls. For direct-to-consumer use, Plotiz acts as the controller.

2. Information we collect

Account & contact data. Name, email, password, country/region, shipping addresses, and preferences.

Transactions & payments. Order details, prices, taxes, currency, last 4 digits of card, card type, expiration month/year, payment status, refunds/chargebacks. We do not store full card numbers; our payment processor (e.g., Stripe) handles them.

Prompts & content. Prompts, uploads (e.g., photos), voice transcripts, Generations, print-ready files, and related metadata (timestamps, model parameters).

Usage & device data. IP address, device identifiers, browser/OS, referring/exit pages, page views, clicks, session duration, crash logs, and diagnostics.

Cookies & similar tech. Cookies, local storage, and analytics beacons used for core functionality, fraud prevention, performance, and—where permitted—marketing attribution/measurement. You can control cookies via browser settings and our on-site controls.

Support & research. Messages you send us, survey responses, and user-research feedback.

3. Children's privacy

Plotiz is not directed to children under 13. Adults may create content for or on behalf of children. We do not knowingly allow children under 13 to create accounts. If we learn that a user under 13 has created an account, we will delete it or obtain verifiable parental consent. Parents/guardians who believe this has occurred should contact us.

4. How we use personal data

We use personal data to:

  • Provide, operate, and maintain the Services and Products.
  • Generate content from prompts and compile print-ready files.
  • Process payments and taxes; fulfill, ship, and deliver orders.
  • Provide previews, quality checks, defect remediation, and customer support.
  • Communicate about accounts, orders, security, and policy updates.
  • Detect, investigate, and prevent fraud, abuse, and security incidents.
  • Analyze performance and develop new features and product lines.
  • Personalize experiences and, where permitted, send marketing communications (you may opt out).
  • Comply with legal obligations and enforce our agreements.
  • Improve model and system performance where permitted by law and your settings (see Section 6).

These purposes map to recognized legal bases under GDPR and to legitimate business purposes under U.S. privacy laws.

5. Legal bases (EEA/UK/Switzerland)

Where the GDPR or similar laws apply, we rely on:

Contract (Art. 6(1)(b)) – to provide the Services, fulfill orders, and support your account.

Legitimate interests (Art. 6(1)(f)) – to secure and improve the Services; prevent fraud; personalize experiences; and market to existing customers (you can opt out).

Consent (Art. 6(1)(a)) – for certain cookies/analytics, promotional emails where required, and model-improvement uses. You may withdraw consent at any time.

Legal obligation (Art. 6(1)(c)) – tax, accounting, sanctions/export compliance, and regulatory requests.

We facilitate data subject rights and respond within required timelines.

6. Model and system improvement

To keep Plotiz safe and high quality, we may use prompts, uploads, and Generations to improve content safety, reduce abuse, and enhance output quality and system reliability—only where permitted by law and your settings. You can opt out of model-improvement uses at any time via account settings or by contacting us; this will not affect processing necessary to provide the Services (e.g., hosting, printing, shipping).

7. How we share information

We share personal data with:

Service providers/processors. Hosting and storage, payment processing, manufacturing/fulfillment partners, shipping carriers, communications, analytics, security, and customer support. AWS provides cloud infrastructure, and Stripe processes payments.

Integration partners (at your direction). Platforms or marketplaces where you use our SDK.

Professional advisors and authorities. Auditors, legal counsel, regulators, and law enforcement when required or permitted by law.

Corporate transactions. In connection with a merger, financing, acquisition, or sale of assets, subject to appropriate safeguards.

We do not sell personal information. Where U.S. state laws treat certain advertising/analytics as a "sale" or "sharing," you may opt out (see Section 10). We honor Global Privacy Control (GPC) signals where legally required.

8. International data transfers

We may transfer personal data to the United States and other countries that may not provide the same level of data protection as your home country. When we transfer personal data from the EEA/UK/Switzerland, we use appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and transfers to providers that participate in the EU-U.S. Data Privacy Framework (DPF) where applicable (for example, Stripe, Inc.).

9. Data retention

We retain personal data for as long as necessary to provide the Services and Products, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods:

Account data: retained while your account is active and up to 6 years after closure for tax/audit/legal purposes.

Prompts & Generations: retained while your account is active; you may delete items at any time.

Raw uploads (e.g., photos): automatically deleted within 30 days after generation or account closure, unless we must retain them for legal or security reasons.

Logs & diagnostics: typically 12–24 months, unless needed longer for security or legal purposes.

Retention periods are based on legal requirements and industry norms for security, tax, and dispute handling.

10. Your rights and choices

10.1 Email and marketing

Opt out of marketing emails at any time via the unsubscribe link or by contacting us. We may still send transactional or security messages.

10.2 Cookies and analytics

Use browser controls and our on-site banner to manage cookies. In regions that require consent, we will present a consent banner. We honor GPC signals where required.

10.3 GDPR (EEA/UK/Switzerland) rights

You have the rights to access, rectify, erase, restrict, object, and port your personal data, and to lodge a complaint with your supervisory authority. We will respond within statutory timelines.

10.4 U.S. state privacy rights (e.g., California)

Residents of certain U.S. states can access, correct, delete, and opt out of sale/sharing and targeted advertising. We will not discriminate against you for exercising these rights. You may submit requests via hello@plotiz.com or through in-product controls and may use an authorized agent as permitted by law. We recognize Global Privacy Control signals for opt-out where required.

11. Security

We employ administrative, technical, and physical safeguards appropriate to the nature of the data, including encryption in transit, access controls, network isolation, monitoring, and regular vendor reviews. No system is 100% secure; use strong, unique passwords and keep them confidential. Our major vendors publish details of their security and privacy programs.

12. Do Not Track

Some browsers offer Do Not Track (DNT) signals. Our Services currently respond to GPC signals where required by law; we otherwise treat DNT signals as a preference and continue to offer granular opt-outs via our controls.

13. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with an effective date and, for material changes, provide prominent notice (e.g., email or in-product). Your continued use of the Services after changes take effect signifies acceptance.

14. Contact us

Questions or requests about privacy or your rights: hello@plotiz.com

Jurisdiction-specific notices

EEA/UK. Plotiz, Inc. is the controller for personal data described in this Policy. You may lodge a complaint with your local supervisory authority. If we appoint an EU or UK representative, we will update this section with contact details.

California. See Sections 7 and 10.4 for your rights, including the right to opt out of sale/sharing and the use of GPC.

Children (US). We comply with the Children's Online Privacy Protection Act (COPPA).

Last updated: July 28, 2025
