Privacy Policy

1. Who We Are (Data Controller)

This Privacy Policy explains how your personal data is collected, used, and protected when you use the Popsicle AI platform ("Service") accessible at usepopsicle.com and its subdomains.

The data controller responsible for your personal data is:

• Company: Popsicle Technologies Private Limited
• Registered Address: Rajahmundry, Andhra Pradesh, India
• Contact Email: support@usepopsicle.com

The Service is operated from India. If you are located in the European Economic Area (EEA), United Kingdom, or any other jurisdiction with data protection laws, this policy describes how we handle your data in compliance with applicable regulations, including the General Data Protection Regulation (GDPR) where applicable.

2. What Data We Collect

2.1 Information You Provide Directly

• Account & Authentication Data: Email address, name, and profile information. Authentication is handled by Clerk, our third-party identity provider. We do not store passwords directly.
• Payment Information: Billing details and payment method information processed securely by Razorpay. We do not store complete payment card numbers on our servers.
• User Content: Design descriptions, text prompts, uploaded images, and any other content you input into the Service to generate designs.
• AI-Generated Designs: The design outputs created by the Service based on your prompts and inputs.
• Communications: Information you provide when contacting our support team or communicating with us via email.

2.2 Information Collected Automatically

• Usage Data: Number of designs generated, feature usage, session duration, and interaction patterns with the Service.
• Infrastructure-Level Data: Our infrastructure provider (Cloudflare) automatically collects technical data such as IP addresses, browser type, operating system, and request timestamps for security and performance purposes (e.g., DDoS protection, bot mitigation). This data is stored by Cloudflare and is accessible to us as the domain owner through Cloudflare's dashboard and logs. Cloudflare's retention periods apply to this data as per their own privacy policy.

Note: Your prompts and generated designs may constitute personal data if they can directly or indirectly identify you. We treat all user content with the same level of protection.

3. Why We Collect Your Data (Purpose of Processing)

We use your personal data for the following specific purposes:

• Account Creation & Login: To create and manage your account and authenticate your identity via Clerk.
• Delivering the Service: To process your prompts, generate designs using AI models via OpenRouter, and store your designs.
• Payment Processing: To process subscription payments and manage billing via Razorpay.
• Storing Your Designs: To save and make your generated designs accessible to you within the Service.
• Customer Support: To respond to your inquiries and provide assistance.
• Service Improvement: To analyze usage patterns, debug issues, and develop new features.
• Security & Fraud Prevention: To detect, prevent, and address security breaches, fraudulent activity, and abuse.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.
• Communications: To send service-related notifications, security alerts, and important updates about the Service.

We do not use your data for purposes unrelated to those listed above without providing you notice.

4. Legal Basis for Processing

If you are located in the EEA or a jurisdiction that requires a legal basis for processing personal data, we rely on the following grounds:

• Contract Necessity (Article 6(1)(b) GDPR): Processing your account data, prompts, and designs is necessary to provide the Service you signed up for. Without this data, we cannot deliver the Service.
• Legitimate Interest (Article 6(1)(f) GDPR): We process usage data, technical logs, and analytics for security, fraud prevention, service improvement, and debugging. These interests do not override your fundamental rights.
• Consent (Article 6(1)(a) GDPR): We rely on your consent for non-essential cookies, if and when introduced. You may withdraw consent at any time.
• Legal Obligation (Article 6(1)(c) GDPR): We may process data to comply with applicable legal requirements, such as tax and accounting obligations.

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy. Specifically:

• Account & Authentication Data: Retained while your account is active and for up to 2 years after account closure for legal and business purposes.
• User Content & Designs: Retained as long as your account is active. Upon account deletion, we remove user content from active systems within 30 days. Copies may remain in backups for up to 90 days before being purged.
• Prompts: Retained as long as your account is active. Deleted alongside your account data upon request.
• Usage Data: Retained for up to 12 months for service improvement and security purposes, then aggregated or anonymized.
• Payment Records: Payment transaction data is processed and retained by Razorpay in accordance with their own retention policies and applicable tax/accounting obligations. We store only subscription status and transaction reference IDs necessary to manage your account.

We do not retain data indefinitely without justification. When data is no longer needed, it is securely deleted or anonymized.

6. Third-Party Processors

We do not sell your personal data. We share data with the following categories of third-party service providers who process data on our behalf:

Each of these providers maintains their own privacy policies and security practices. Key compliance notes:

• Clerk is SOC 2 Type II certified and GDPR compliant.
• OpenRouter routes requests to various AI model providers depending on performance and availability. We have strict data collection deny settings enabled on OpenRouter, meaning AI providers do not retain or train on your prompts.
• Razorpay is PCI DSS Level 1 certified. We never store complete card numbers.
• Oracle Cloud (India region) hosts our primary database and servers within India.

6.1 Legal Requirements

We may disclose your data if required by law, court order, or governmental authority, or if we believe such action is necessary to: (a) comply with legal obligations; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing; (d) protect the personal safety of users or the public; or (e) protect against legal liability.

6.2 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

7. International Data Transfers

Our primary servers and database are hosted on Oracle Cloud in the India region. However, some of our third-party processors (Clerk, OpenRouter) operate servers in other countries, including the United States. This means your data may be transferred to and processed in countries outside India as part of normal service operation.

We do not independently implement cross-border transfer mechanisms such as Standard Contractual Clauses (SCCs). However, our key processors maintain their own GDPR compliance programs:

• Clerk is GDPR compliant and maintains appropriate data transfer safeguards
• OpenRouter processes prompts through AI providers with strict data collection deny settings — prompts are not retained or used for training
• Razorpay processes payments within India (PCI DSS Level 1 certified)

By using the Service, you acknowledge and consent to the transfer and processing of your data in India and other countries where our service providers operate. If you are located in the EEA or UK, please be aware that these transfers occur implicitly through our use of third-party processors, and each processor is responsible for their own compliance with applicable data protection laws.

8. Your Rights

Depending on your location, you have certain rights regarding your personal data. We respect these rights for all users regardless of jurisdiction:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request that we correct inaccurate or incomplete data.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to our legal obligations (see Section 9 for the deletion process).
• Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
• Right to Data Portability: Request a copy of your data in a structured, commonly used, machine-readable format.
• Right to Object: Object to processing based on legitimate interests, including for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent (e.g., marketing), you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: If you are in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, please contact us at support@usepopsicle.com. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

9. How to Request Deletion

You can request deletion of your account and personal data by:

• Emailing support@usepopsicle.com with the subject line "Account Deletion Request"

Upon receiving a verified deletion request:

• Your account will be deactivated within 7 business days
• Your personal data, designs, and prompts will be removed from active systems within 30 days
• Residual copies in backups will be purged within 90 days
• Payment transaction data held by Razorpay will be subject to Razorpay's own retention policies
• Data already shared with third-party processors (Clerk, OpenRouter, Razorpay) will be subject to their respective retention and deletion policies

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data. Our security posture benefits from the use of industry-leading third-party providers:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS).
• Encryption at rest: Data stored in our database is encrypted at rest via Oracle Cloud's infrastructure.
• Authentication security: User authentication is handled by Clerk, which provides SOC 2 Type II certified security, including multi-factor authentication support.
• Payment security: Payment processing is handled by Razorpay (PCI DSS Level 1 certified). We never store or have access to complete card numbers.
• Access controls: Internal access to user data is restricted to authorized personnel only.
• Infrastructure security: Our servers are hosted on Oracle Cloud (India region) with enterprise-grade security controls.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. If you become aware of any security issue, please notify us immediately at support@usepopsicle.com.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service. Below is a summary of the types of cookies we use:

11.1 Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled. They include:

• Authentication cookies (set by Clerk) to keep you logged in
• Session cookies to maintain your session state
• Security cookies to prevent cross-site request forgery and other attacks

11.2 Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to:

• View what cookies are set
• Delete individual or all cookies
• Block cookies from specific or all sites
• Block third-party cookies

Please note that disabling strictly necessary cookies may prevent the Service from functioning properly (e.g., you may be unable to stay logged in).

We do not currently use analytics or advertising cookies. If we introduce them in the future, we will update this policy and, where required, obtain your consent before setting them.

12. Children's Privacy

Our Service is not intended for children under 16 years of age (or the minimum age required in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a child, please contact us immediately at support@usepopsicle.com, and we will promptly delete such information.

13. Third-Party Links and Services

Our Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices, data handling, or content of third-party sites. We encourage you to review the privacy policies of any third-party services you interact with.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, service providers, or applicable law. When we make changes:

We will update the "Last Updated" date at the top of this page whenever changes are made. We encourage you to review this page periodically to stay informed about how we protect your data.

Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Service and request account deletion.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, your personal data, or wish to exercise any of your rights, please contact us:

• Email: support@usepopsicle.com
• Company: Popsicle Technologies Private Limited
• Address: Rajahmundry, Andhra Pradesh, India

We aim to respond to all privacy-related inquiries within 30 days.