Effective from 25 May 2026

Privacy Policy

This Policy explains what personal information GAFFER.AI (the “Service”), operated by GAFFER.AI, Israeli Authorised Dealer (Osek Murshe) 322714833 (“we”, “our”), collects, how we use it, who we share it with, and what your rights are. We act in accordance with the Israeli Privacy Protection Law, 5741-1981 and its regulations; for EU/EEA residents, in accordance with the EU GDPR (Regulation (EU) 2016/679); for UK residents, the UK GDPR.

1. Data Controller & Contact

The Data Controller is GAFFER.AI, Israeli Authorised Dealer 322714833, Tel Aviv, Israel.

Privacy queries / data-subject requests: hello@gafferai.io · +972 50 693 0076.

2. Information We Collect

  • Account information: email address, display name, profile photo (if signed in with Google).
  • Content you upload: photos of products, garments, models, and text prompts.
  • Generated content: the images / videos the Service produces for you.
  • Usage data: system performance logs, request timing, which model handled which call.
  • Billing data: subscription status, token balance, purchase history. Credit-card details are NEVER stored by us — they are entered directly inside a secure iframe operated by our payment processor (Hyp).
  • Cookies + Web Storage: for session identification, language preferences, and Firebase authentication.

3. Purposes of Processing

  • To provide the Service (image generation, garment catalogue, subscription management).
  • To bill and meet contractual obligations.
  • To improve the Service (aggregate usage analysis; not personally identifying).
  • To meet legal obligations (tax reporting, statutory record retention).
  • To send service and support communications (no marketing email without explicit opt-in).

4. Legal Basis (GDPR)

For EU/EEA residents, the lawful basis for processing is:

  • Contract (Art. 6(1)(b)): delivering the Service you purchased.
  • Legal obligation (Art. 6(1)(c)): tax / billing record retention.
  • Consent (Art. 6(1)(a)): for marketing email only (opt-in).
  • Legitimate interest (Art. 6(1)(f)): securing the Service and preventing fraud.

5. Sharing with Third Parties

We do not sell your personal information. We use the following sub-processors strictly as needed to deliver the Service:

  • Google Firebase (auth, database, file storage) — Google LLC.
  • Vercel (website + API hosting) — Vercel Inc.
  • Hyp (payment gateway) — handles card data and PCI scope.
  • Isracard (card acquirer).
  • Replicate, fal.ai, Google AI Studio, OpenAI — AI providers that process the images and prompts you upload. They commit, under their commercial terms, not to use our data to train their models.

All sub-processors maintain industry-standard security certifications (SOC 2, ISO 27001, PCI-DSS where applicable). We do not share your data with advertising networks, data brokers, or any party not required to deliver the Service.

6. Security

  • HTTPS / TLS 1.2+ across all traffic.
  • HSTS with a two-year max-age.
  • Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP).
  • Firebase signed-token authentication.
  • Strict separation of API keys and backend services.
  • Backups of user content in Firebase Storage with restricted access rules.
  • Credit-card details — never touch our servers; entered inside Hyp's PCI-DSS Level 1 iframe.

7. Data Retention

  • Account data: while the account is active + up to 7 years after closure (tax record requirement).
  • User-uploaded content: removable on demand at any time; otherwise deleted 90 days after account closure.
  • Billing records: 7 years (statutory).
  • Logs: 12 months.

8. Your Rights

Subject to Israeli law and GDPR, you have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure (“right to be forgotten”): ask us to delete your data, subject to legal obligations.
  • Restriction: ask us to pause processing.
  • Portability: receive your data in a structured format.
  • Objection: object to processing based on legitimate interest.
  • Withdraw consent: at any time (applies to marketing email).

To exercise any right, email hello@gafferai.io. We will respond within 30 days.

EU/EEA residents may lodge a complaint with their national supervisory authority; Israeli residents with the Privacy Protection Authority's database registrar.

9. International Transfers

Our sub-processors (Google, Vercel, AI providers) are hosted outside Israel and the EU. Transfers are made under Standard Contractual Clauses of the European Commission or equivalent transfer frameworks (e.g., the EU-U.S. Data Privacy Framework).

10. Children

The Service is not intended for individuals under 18. We do not knowingly collect data from minors. If a minor account is identified, it will be closed and the data deleted.

11. Cookies

We use cookies strictly necessary for the operation of the site (session, authentication, language). We do not use third-party advertising / tracking cookies. You can block cookies in your browser settings; some features may stop working as a result.

12. Changes to this Policy

This Policy may be updated. Updates will be published on this page with a refreshed effective date in the header. Material changes will also be emailed to active account holders.

13. Contact

Any privacy question: hello@gafferai.io · Tel Aviv, Israel.

GAFFER.AI · עוסק מורשה / Israeli Authorised Dealer 322714833
hello@gafferai.io · Tel Aviv, Israel