Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller for your personal data is Polishly (contact: support@polishly.com). For any privacy-related request, you may contact us at the email address above.
2. What Data We Collect
We collect the following categories of personal data:
(a) Account data — your email address and Google account identifier, collected when you sign in via Google OAuth;
(b) Usage data — a random Device ID assigned by our server via an HttpOnly cookie on your first visit, used together with a pseudonymous network identifier derived from your IP address using HMAC-SHA256 hashing (we never store your raw IP address) to enforce rate limits and free tier quotas and to securely grant you access to your photos without an account; enhancement job metadata (service type, settings, timestamps, processing status); and credit transaction records;
(c) Payment data — Stripe processes your payment card details directly. We receive only a Stripe session identifier and the number of credits purchased. We never see or store your card number, CVV, or billing address;
(d) Preference data — your last-used enhancement preferences (category, aspect ratio, resolution) stored in a cookie.
3. Legal Basis for Processing
We process your data under the following legal bases as defined in GDPR Art. 6:
(a) Performance of a contract (Art. 6.1.b) — processing your enhancement jobs and managing your credit balance is necessary to deliver the service you requested;
(b) Legitimate interests (Art. 6.1.f) — device-based and network-based abuse prevention, including rate limiting, free tier enforcement, error monitoring via Sentry, and session-based fraud detection. Network-based abuse prevention uses a pseudonymous identifier derived from your IP address using HMAC-SHA256 hashing; we never store your raw IP address;
(c) Legal obligation (Art. 6.1.c) — credit transaction records linked to Stripe session identifiers are retained for 10 years after account deletion to comply with Italian fiscal law. These records are pseudonymized (your user_id is removed on deletion) but are not anonymous under GDPR because they can be linked to your identity via Stripe's records.
4. How We Use Your Data
Your data is used exclusively to: provide and improve the enhancement service; process payments and maintain credit balances; enforce rate limits and free tier quotas using pseudonymous device and network-level identifiers to ensure fair access; securely grant you access to your anonymous uploads; send transactional communications (e.g., if you contact support); comply with legal obligations. We do not sell your data, use it for advertising, or share it with third parties except the processors listed in Section 5. Your uploaded photos are never used to train AI models.
5. Third-Party Data Processors
We engage the following sub-processors to operate the service:
Supabase Inc. (USA) — database, authentication, and file storage, hosted in EU regions where available;
Stripe Inc. (USA) — payment processing, governed by Stripe’s own privacy policy and PCI DSS compliance;
Google LLC (USA) — AI image enhancement via the Gemini API. Your uploaded image and related prompt data are transmitted to Google’s servers for processing. Under Google’s Gemini API policies, API inputs and outputs are not used to train or fine-tune Gemini models for general model improvement, but Google may retain prompts, contextual information, and outputs for a limited period for abuse monitoring and policy enforcement;
Functional Software Inc. / Sentry (USA) — error monitoring, which may capture limited technical diagnostics and request metadata;
Upstash Inc. (USA) — Redis-based rate limiting, which processes pseudonymous identifiers such as Device IDs, hashed network identifiers derived from IP addresses, and user IDs for abuse prevention;
Cloudflare, Inc. (USA) — Turnstile bot protection used to verify that interactions are made by humans rather than automated abuse systems.
All processors have been selected for appropriate data protection measures and, where applicable, Standard Contractual Clauses or equivalent safeguards are used for transfers outside the EU/EEA.
6. Data Retention
We apply strict retention limits:
uploaded images (input and output) are permanently deleted 48 hours after processing;
when an account deletion request is processed after the applicable grace period, account data (email, Google ID, credit balance) is deleted without undue delay;
Device ID cookies expire after 1 year or can be cleared by the user at any time via browser settings;
Terms of Service acceptance records are deleted with your account;
credit transaction records are pseudonymized (user_id set to NULL where applicable) on account deletion and retained for 10 years to satisfy legal and fiscal obligations.
You may request a full export of your data at any time from your account page.
7. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
Right of access (Art. 15) — download a complete export of your personal data from your account page;
Right to rectification (Art. 16) — contact us to correct inaccurate data;
Right to erasure (Art. 17) — request account deletion from your account page. Your account and associated data will be permanently deleted within 30 days. Fiscal transaction records are exempt from erasure under Art. 17.3(b);
Right to data portability (Art. 20) — your data export is provided in machine-readable JSON format;
Right to object (Art. 21) — you may object to processing based on legitimate interests by contacting us;
Right to restriction (Art. 18) — you may request that we restrict processing of your data while a dispute is resolved;
Right to lodge a complaint — you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it.
8. Cookies and Local Storage
We use two first-party cookies:
(1) "polishly-device" is an HttpOnly cookie containing a random identifier (UUID) assigned by our server on your first visit. It is used together with a pseudonymous network-level identifier derived server-side from your IP address using HMAC-SHA256 hashing (we never store the raw IP address) to enforce rate limits and free tier quotas and to grant anonymous access to your enhanced photos. Because the cookie is HttpOnly, it cannot be read or modified by JavaScript in your browser. It expires after 1 year or can be cleared via your browser settings at any time.
(2) "polishly-prefs" stores your UI preferences (category, aspect ratio, resolution) for 12 months. It is not used for cross-site tracking, profiling, or advertising.
We also use Cloudflare Turnstile as a security measure to distinguish human users from automated abuse. For authenticated users, Supabase sets HttpOnly session cookies strictly necessary for account functionality. We do not use advertising cookies or third-party marketing trackers.
9. Contact and Updates
For any privacy questions or to exercise your rights, contact us at support@polishly.com. We will respond within 30 days. This policy may be updated to reflect changes in our practices or legal requirements. Material changes will be communicated via the Terms of Service acceptance flow on your next login.