Siirry pääsisältöön

— Legal —

Privacy Policy

Effective 12 July 2026 · EU General Data Protection Regulation (GDPR) 2016/679 · Finnish Data Protection Act (1050/2018)

1.Data controller

Zansen Studio Oy
Business ID: 3630838-1
Sompasaarenlaituri 10, 00540 Helsinki, Finland
Email: info@zansenstudio.com
Website: zansenstudio.com

The data controller decides on the purposes and means of processing personal data. All privacy-related contacts, requests and exercising of rights take place through the contact details above.

2.What data we process

We process the following data, which the user provides or which accumulates through use of the service:

Account data

  • Email address
  • Password hash (never the plain-text password)
  • Username, full name (optional)
  • Avatar image (optional)
  • Account creation time and last sign-in

Company data (optional, for B2B customers)

  • Company name
  • Business ID or equivalent company identifier
  • Postal address, postcode, city, country
  • Phone number

Service usage data

  • Original photographs uploaded by the user
  • AI-finished images (the output of the service)
  • Gallery names and creation times
  • Image processing event logs
  • Monthly usage and quotas
  • Watermark settings (logo, position, opacity)

Subscription and payment data

  • Subscription status (trial / active / cancelled)
  • Subscription period end date
  • Stripe customer ID and subscription ID
  • We do not process payment card details ourselves — Stripe processes them as a separate data controller

Technical data

  • IP address (logs, abuse prevention)
  • Browser type and operating system
  • Session cookie (maintaining sign-in)

3.Purposes and legal bases of processing

We process personal data for the following purposes and on the following GDPR legal bases:

Providing the service (user account, image processing, gallery management)Contract (GDPR 6.1.b)
Billing and paymentsContract (GDPR 6.1.b) + legal obligation, Finnish Accounting Act (6.1.c)
Customer service, email communication about the serviceContract (GDPR 6.1.b) + legitimate interest (6.1.f)
Service development and error detection (anonymised usage metrics)Legitimate interest (GDPR 6.1.f)
Marketing messages (if the user has given consent)Consent (GDPR 6.1.a) — revocable at any time
Preventing unlawful activity, investigating abuseLegitimate interest (GDPR 6.1.f)
Meeting legal obligations (accounting, authority requests)Legal obligation (GDPR 6.1.c)

4.Where the data comes from

Most data is received directly from the user during registration and use of the service. In addition:

  • Payment-related confirmations are received from Stripe (for example payment success, subscription status).
  • Technical log data accumulates automatically through server usage.

5.Who the data is disclosed to

We do not sell or rent personal data to third parties. We use carefully selected service providers who process data on our behalf under a data processing agreement (DPA):

Supabase Inc.

Database and image storage

Location: EU (Frankfurt) · Data is not transferred outside the EU

Vercel Inc.

Application hosting and content delivery

Location: EU + United States · Transfers outside the EU are based on Standard Contractual Clauses (SCC)

Stripe Payments Europe Ltd.

Payments and subscription management

Location: Ireland (EU) + United States · SCC + safeguards under Stripe's adequacy arrangements

OpenAI Ireland Ltd.

AI-based image processing

Location: Ireland (EU) — processing in the United States · SCC. OpenAI does not use images sent via the API to train its models, but may retain them for up to 30 days for abuse monitoring.

Inngest Inc.

Background job orchestration (does not process image content)

Location: United States · SCC, processes only metadata (identifiers, states)

Resend, Inc.

Transactional emails

Location: United States · SCC, processes only the email address and message content

Cloudflare, Inc.

DNS and network infrastructure (zansenstudio.com)

Location: Global network · SCC + Data Processing Addendum

Functional Software, Inc. (Sentry)

Error monitoring — receives information about software errors in the service (stack trace, path, browser type, user identifier). Does not collect images or other service content.

Location: EU + United States · SCC. Data is retained for 30 days and deleted automatically.

In addition, data may be disclosed to authorities where required by law.

6.Transfers outside the EU

Some of our processors are located in the United States. In those cases transfers are based on the Standard Contractual Clauses (SCC, 2021/914) approved by the European Commission, as well as the processors’ technical and organisational safeguards (including encryption at rest and in transit, access control and breach notification obligations).

We actively aim to keep user-uploaded photographs within the EU (Supabase Frankfurt). OpenAI calls, however, take place in the contractual partner’s infrastructure, where an individual image is processed temporarily — we do not store images permanently on OpenAI’s servers.

7.Retention periods

Main principle: the user’s images and galleries are retained for as long as the user has access to the service. When the user account is deleted or access ends, the user’s material is removed from our systems.

User account and account dataLifetime of the account + 30 days after deletion or termination (safety margin against accidental deletions)
Original uploaded imagesSame as the user's access to the gallery — retained as long as the user account exists
Processed (finished) imagesSame as the user's access to the gallery — retained as long as the user account exists
Subscription and payment data6 years from the end of the accounting period (Finnish Accounting Act, Chapter 2, Section 10) — billing records are retained even if the account is deleted earlier
Technical logs, IP addressesAt most 12 months
Customer service messages2 years from the last contact

The user may delete an individual gallery or their entire account at any time from the settings of the service. After account deletion, data is removed within 30 days with the exception of subscription and payment history, whose retention is based on the Finnish Accounting Act.

8.Rights of the data subject

Under the EU General Data Protection Regulation you have the following rights:

Right of access (GDPR 15)

The right to know what personal data about you is processed and to receive a copy of it.

Right to rectification (GDPR 16)

The right to request correction of inaccurate or incomplete data. In practice you can edit most data yourself in your profile settings.

Right to erasure (GDPR 17)

The right to request deletion of your data when there is no longer a basis for processing. You can delete your account yourself from your profile settings — the request is processed within 30 days.

Right to restriction of processing (GDPR 18)

The right to request restriction of processing, for example while the accuracy of data is being verified.

Right to data portability (GDPR 20)

The right to receive the data you have provided in a machine-readable format and transfer it to another controller, when processing is based on a contract or consent.

Right to object (GDPR 21)

The right to object to processing based on legitimate interest on grounds relating to your particular situation.

Withdrawal of consent (GDPR 7)

You can withdraw consent-based processing (for example marketing) at any time. Withdrawal does not affect processing carried out before it.

Right to lodge a complaint (GDPR 77)

You have the right to lodge a complaint with the Office of the Finnish Data Protection Ombudsman if you consider our processing to violate data protection law.

Exercising your rights: send a request to info@zansenstudio.com. We respond to your request within 30 days at the latest. We may ask for additional information to verify your identity.

Office of the Data Protection Ombudsman (Finland): tietosuoja.fi/en

9.Cookies and email tracking

Cookies in the browser

We use only cookies that are strictly necessary for the service to function:

  • Session cookie — maintaining sign-in. Persists for the duration of the session.
  • Supabase auth cookie — authentication token. Persists for at most 7 days from the last sign-in.
  • CSRF protection — secure handling of forms.

We do not use analytics or marketing cookies without your separate consent. If this changes, we will update the privacy policy and request new consents.

Email tracking

Our email service (Resend) uses the following statistical metrics:

  • Open tracking — a small transparent image in the message body notifies us when the message is opened. Apple Mail Privacy Protection and similar features may show opens that did not actually happen.
  • Click tracking— links in messages pass through Resend’s redirect, which counts the number of clicks.

The data is used to develop the service’s communication (for example which subjects and content are read the most). Tracking data about individual persons is not disclosed to third parties for advertising.

Legal basis: legitimate interest (GDPR 6.1.f) for transactional emails; consent (6.1.a) for marketing messages — consent is given when the user registers for the service or joins the waiting list.

10.Data security

We implement appropriate technical and organisational safeguards to protect personal data:

  • Traffic between the browser and the server is encrypted (TLS 1.2+).
  • Row-level access control in the database (Row Level Security) — a user only sees their own data.
  • Passwords are stored as cryptographic hashes, never in plain text.
  • Payment card details are not stored on our own servers.
  • Administrative access is restricted to personnel who need it to perform their duties.
  • In the event of a data breach we notify the supervisory authority within 72 hours and the affected data subjects if the breach poses a high risk.

11.Automated decision-making and profiling

We use OpenAI’s AI-based image processing model to process images, which is an action expressly requested by the user. We do not make automated decisions based on personal data that would have significant legal or similar effects on the user (GDPR 22).

12.Changes to this privacy policy

We update this policy as needed in connection with changes in legislation, changes to the service offering or the introduction of new processors. We notify users of material changes by email at least 30 days before the change takes effect. The date of the latest update is shown at the top of this page.

This is the first draft of the privacy policy. The final version will be reviewed by a lawyer specialised in data protection before the wider launch of the service. In case of any discrepancy between language versions, the Finnish version prevails. If you have questions or comments, please contact info@zansenstudio.com.