Phora AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our e-commerce platform for AI-powered image transformation. We support Shopify, WooCommerce, BigCommerce, and other platforms.
By creating an account and using Phora AI, you agree to the collection and use of information in accordance with this policy.
Data Controller / Service Provider Identification
Mandatory disclosure under Hungarian Act CVIII of 2001 on E-Commerce Services §4 and GDPR Article 13:
Company name: BITNEX GROUP Korlátolt Felelősségű Társaság (BITNEX GROUP Ltd.)
Registered seat: H-4400 Nyíregyháza, Dózsa György utca 9. 3. em., Hungary
Company registration number: 15-09-069325 (Registry Court of Nyíregyháza)
Hungarian tax ID: 13311908-2-15 · EU VAT: HU13311908
Represented by: Tamás Sándor Nánási, Managing Director
Under GDPR Article 37, Phora AI is not required to appoint a DPO and has not appointed one at this time. For any privacy-related question, email [email protected] with subject 'GDPR Request'.
2. Information We Collect
2.1 Merchant Information
When you create a Phora AI account, we collect:
Account Information: Email address, name (for email/password signups)
Store Domain: Your store URL for authentication when connecting a store
Access Token: OAuth token for accessing your store data
Store Information: Basic store details provided by your e-commerce platform
2.2 Product Data
To provide image transformation services, we access:
Product IDs: Identifiers for products you choose to transform
Product Images: Media files you select for AI transformation
Product Metadata: Variant IDs and image URLs
2.3 Usage Data
We automatically collect:
Job Information: Transformation jobs, prompts, presets, and status
Billing Data: Credit pack tier, credit usage, and transaction records
Technical Logs: Error logs, performance metrics for service improvement
Technical Data: IP address, browser type and version, device information for debugging, abuse prevention, and maintaining service security (collected via Sentry error tracking)
Administrator access (impersonate): For troubleshooting purposes, a designated administrator may sign in to your account to investigate issues. Every such sign-in is recorded in an audit log with the admin ID, timestamp and reason. Legal basis: GDPR Art. 6(1)(f) legitimate interest (service operation, incident resolution).
2.4 What We DO NOT Collect
Important: We do NOT collect or store:
Customer personal information (names, emails, addresses)
Payment card information
Order details or transaction history
Any personally identifiable information (PII) of your customers
3. How We Use Your Information
3.1 Service Delivery
Processing AI image transformations using Google Gemini AI
Uploading transformed images to your product catalog
Managing job queues and processing status
3.2 Billing and Credit Management
Tracking credit usage and pack purchases
Managing credit balances and feature tiers
Generating usage reports for transparency
3.3 Service Improvement
Analyzing aggregate usage patterns to improve features
Monitoring performance metrics and error rates
Conducting internal analytics for operational efficiency
3.4 Security and Compliance
Maintaining audit logs for security purposes
Detecting and preventing fraud or abuse
Complying with legal obligations and enforcing our Terms of Service
4. Data Sharing and Disclosure
4.1 Third-Party Service Providers (Subprocessors)
We share data with the following service providers (subprocessors). We have a GDPR-compliant Data Processing Agreement (DPA) in place with each. The full, up-to-date subprocessor list is maintained in legal-subprocessors.md:
Google Gemini AI (Google Cloud, US): AI image transformation. Covered by the EU-US Data Privacy Framework. Google Cloud DPA applies: https://policies.google.com/privacy
Amazon Web Services S3 (EU, eu-central-1): Temporary image storage for presigned upload (deleted within 48 hours).
Google OAuth (US): Sign in with Google (optional). Only email, name, and profile picture URL.
4.2 E-commerce Platforms
We interact with your e-commerce platform's APIs (Shopify, WooCommerce, BigCommerce) to:
Read product and media data
Upload transformed images
Sync product information
4.3 Legal Requirements
We may disclose your information if required by law or to:
Comply with legal processes or government requests
Enforce our Terms of Service
Protect the rights, property, or safety of Phora AI, our users, or the public
We DO NOT:
Sell your data to third parties
Use your data for advertising purposes
Share your data with competitors
5. Data Retention
5.1 Active Merchants
While you actively use Phora AI, we retain data for the following concrete periods:
Job history: For the lifetime of your active account — you can access results at any time
Credit ledger: Lifetime of active account + 8 years after account closure, per the Hungarian Accounting Act (Act C of 2000)
Invoices and billing records: 8 years, required by Hungarian accounting obligations
Session tokens: Auto-expire after 30 days of inactivity; rotated regularly
Audit logs (sign-in, critical actions): 12 months
Error logs (Sentry): 90 days (automatic deletion)
5.2 After Account Deletion
When you delete your account or disconnect your store:
Immediate: Store connection and access tokens are revoked
Within 48 hours: We delete most of your personal data, including:
Job records and job items
Account information (email, name)
Session tokens
Store connection data
Data retained due to legal obligations (8 years): Credit ledger entries, billing records, and payment metadata — the Hungarian Accounting Act (Act C of 2000 §169) mandates retention of these records. These are used solely for accounting and tax purposes.
Aggregated, anonymized data: May be retained indefinitely for service improvement, as it no longer contains personal data.
5.3 Image Data
We do NOT permanently store your product images. Images are:
Downloaded temporarily during transformation processing
Deleted from memory and all temporary storage within 48 hours
Not stored in any database or long-term storage
Not used by us or by Google Gemini for model training
6. GDPR Compliance (European Users)
If you are located in the European Economic Area (EEA), you have the following rights under GDPR:
6.1 Your Rights
Right of Access (Article 15): Request a copy of your data
Right to Rectification (Article 16): Correct inaccurate data
Right to Erasure (Article 17): Request deletion of your data
Right to Data Portability (Article 20): Receive your data in machine-readable format
Right to Object (Article 21): Object to data processing
6.2 Data Deletion and Portability Requests
We support platform data protection requirements (Shopify, WooCommerce, BigCommerce):
customers/data_request: Respond within 30 days with data export
customers/redact: Delete or anonymize relevant data within 30 days upon request (Note
shop/redact: Delete all store data within 48 hours of app uninstall or store disconnection
6.3 Legal Basis for Processing (per purpose)
We process your personal data on the following legal bases under GDPR Article 6(1):
Performance of a contract [Art. 6(1)(b)]: Account creation, image transformation service, credit purchases and balance management, customer support.
Legal obligation [Art. 6(1)(c)]: 8-year retention of accounting records (Hungarian Act C of 2000 §169), tax filing, responding to lawful authority requests.
Legitimate interest [Art. 6(1)(f)]: Fraud and abuse prevention, service security, product development, internal analytics, administrator troubleshooting (impersonate). The balancing test is available on request.
Consent [Art. 6(1)(a)]: Optional marketing emails, optional Google OAuth sign-in, analytics/advertising cookies. You may withdraw consent at any time; this does not affect the lawfulness of processing before withdrawal.
Vital / public interest [Art. 6(1)(d–e)]: Not relied upon.
6.4 Personal Data Breach Notification
Pursuant to GDPR Articles 33–34, in the event of a personal data breach we will notify the NAIH without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly (email + in-app notification).
7. Data Security
We implement industry-standard security measures:
7.1 Technical Safeguards
Encryption in Transit: All data transmitted via HTTPS/TLS
Encryption at Rest: Database encrypted with PostgreSQL SSL
Access Controls: Role-based access with JWT authentication
API Security: Rate limiting and OAuth 2.0 / API key authentication for platform integrations
7.2 Operational Safeguards
Audit Logs: All critical actions logged with immutable records
Environment Isolation: Production and development environments separated
Secret Management: API keys stored in environment variables, never in code
Vulnerability Monitoring: Error tracking with Sentry, regular security updates
7.3 Memory Management
Images processed in-memory with aggressive cleanup
No persistent storage of image data
Forced garbage collection after processing
Security Notice:
While we implement strong security measures, no system is 100% secure. We continuously monitor and improve our security practices to protect your data.
8. International Data Transfers
Phora AI is operated from Hungary (European Union). Your data may be transferred to and processed in:
European Union: Primary data storage and processing
United States: Google Gemini AI API (Google complies with the EU-US Data Privacy Framework)
We ensure that all international data transfers comply with GDPR requirements through appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions.
9. Children's Privacy
Phora AI is a business-to-business (B2B) platform for e-commerce merchants. Under GDPR Article 8 and the Hungarian Info Act (Act CXII of 2011), the age of digital consent in Hungary is 16 years. We do not knowingly collect data from individuals under 16 years of age, and the service is not directed at them. If we become aware that a child under 16 has provided personal data, we will delete it promptly; please contact us at [email protected].
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be communicated via:
In-app notification when you log in
Email notification to your account email (for significant changes)
Continued use of Phora AI after changes indicates acceptance of the updated Privacy Policy.
11. Your Choices and Controls
11.1 Data Access
You can access your data by:
Viewing job history in the Phora AI dashboard
Requesting a data export via the contact information below
11.2 Data Deletion
You can delete your data by:
Deleting your account from the settings page (automatic deletion within 48 hours)
Contacting us to request immediate deletion
11.3 Opt-Out
You can stop data collection at any time by uninstalling the app. However, some data processing is necessary to provide the service (e.g., sending images to Gemini AI for transformation).
12. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:
Response Time: We aim to respond within 5 business days
For GDPR-related requests, please include "GDPR Request" in your email subject line.
13. Supervisory Authority
If you are located in the EEA and have concerns about our data practices, you have the right to lodge a complaint with your local data protection authority. For Hungary:
National Authority for Data Protection and Freedom of Information (NAIH)