PikstageSign in

Privacy Policy

Effective June 4, 2026

This Privacy Policy explains what personal data Pikstage collects, why we collect it, who we share it with, and what choices you have. It applies to your use of pikstage.com and related Services.

Pikstage is operated by Dev Patel, a sole proprietor based in Vancouver, British Columbia, Canada. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), the BC Personal Information Protection Act (PIPA), and the EU General Data Protection Regulation (GDPR) for users in the European Economic Area.

1. Data We Collect

1.1 Account data

  • Email address (for authentication and communication)
  • Stripe customer ID and subscription status (for billing)
  • Plan tier and usage counts (to enforce quotas)

1.2 Content you upload

  • Reference product photos you upload to your account
  • Product names, descriptions, and metadata you provide
  • Custom scene descriptions you enter in Prompt Studio

1.3 Content we generate for you

  • AI-generated images produced from your reference photos
  • Metadata about each generation (model used, prompt, timestamps)

1.4 Operational data

  • Server logs (IP address, user agent, request path)
  • Error reports when something fails

1.5 Optional integrations

  • Shopify: If you connect a Shopify store, we store the store domain, the OAuth access token, and the scopes granted. We never access customer data or order data from Shopify.

2. How We Use Your Data

  • Provide, maintain, and improve the Service
  • Authenticate your account and prevent fraud
  • Process payments and manage subscriptions
  • Send transactional emails (welcome, batch complete, account)
  • Enforce plan quotas and rate limits
  • Debug and resolve technical issues

We do not sell your data. We do not use your reference photos or generated images to train any AI model. We do not show ads.

3. Third Parties We Share Data With

We share the minimum data necessary with these processors:

  • Supabase (database, auth, storage) — stores account, products, and generated images. Privacy.
  • Stripe (payments) — handles billing and stores your payment method. We never see full card numbers. Privacy.
  • Replicate (image generation) — receives a signed URL of your reference image and a text prompt; returns the generated image. Privacy.
  • Anthropic (prompt enhancement) — receives a base64-encoded copy of your reference image and your scene description when you use Prompt Studio. Privacy.
  • Resend (email delivery) — receives your email address and email contents when we send you transactional email. Privacy.
  • Cloudflare (CDN + DNS) — sees IP addresses and request metadata when you load Pikstage. Privacy.
  • Shopify (optional) — only if you connect a store.

We do not share your data with any other third party except as required by law or to enforce our rights.

4. International Data Transfers

Our providers are headquartered primarily in the United States. By using Pikstage, you consent to your data being processed in the United States and Canada. Where required by GDPR, we rely on Standard Contractual Clauses and similar safeguards.

5. Data Retention

  • Account data: kept while your account is active.
  • Reference photos and generated images: kept while your account is active. Deleting a product also deletes its images from storage within 24 hours.
  • After you delete your account: all personal data is deleted within 30 days, except billing records we are legally required to retain (typically 7 years).
  • Server logs: retained for 30 days for debugging, then automatically purged.

6. Your Rights

Regardless of where you live, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your account and personal data
  • Export your data in a portable format
  • Object to certain processing
  • Withdraw consent at any time

To exercise these rights, sign in to Pikstage and use the Dashboard → Settings → Delete account flow, or email [email protected]. We respond within 30 days.

7. Security

We use industry-standard security practices:

  • TLS encryption for all traffic to and from pikstage.com
  • Magic-link authentication (no passwords stored on our servers)
  • Row-level security on all database tables (PostgreSQL RLS)
  • Private storage buckets — your reference photos and generated images are not publicly accessible
  • Secrets stored in environment variables, never in source code

No system is perfectly secure. If we discover a data breach, we will notify affected users within 72 hours where required by law.

8. Cookies

We use a small number of cookies:

  • Supabase auth cookies — keep you signed in. Set when you log in, expire at session end.
  • Shopify OAuth state cookies — temporary CSRF protection during Shopify install (10-minute expiry).

We do not use third-party tracking cookies, advertising cookies, or analytics scripts that profile you across sites.

9. Children

Pikstage is not intended for use by anyone under 16. If you become aware that a child has provided us with personal data, please contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email and by posting the updated policy on this page with a new effective date.

11. Contact

Privacy questions or requests: [email protected]
General support: [email protected]

Mailing address (for postal correspondence):
Pikstage, Vancouver, British Columbia, Canada