This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use Auto AI Studio's websites and services, including our consumer web application, dealership management platform, mobile application, related APIs, and support channels (collectively, the "Service").

By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1) What we collect

We collect information that you provide directly, information collected automatically, and information from third parties.

1.1 Information you provide

Account & Profile. Name (or display name), email address, password (hashed), phone number (for dealership users), organization/dealership name (optional), and any profile details you choose to add. By creating an account, your email address is automatically added to our database and marketing communications list.

Authentication. If you sign in with Google, we receive basic account info (e.g., name, email, Google user ID) from Google OAuth to authenticate you.

Content you upload or create. Images, prompts, edits, and generated outputs you store in your account. For dealership users, this includes vehicle photos, VIN numbers, vehicle information (year, make, model, trim), and project metadata.

Vehicle Information (Dealership Users). When using our dealership services, you may provide or we may collect Vehicle Identification Numbers (VINs), which we decode using third-party services to obtain vehicle specifications (year, make, model, trim). VINs and associated vehicle data are stored in your dealership account.

Team & Organization Data (Dealership Users). For dealership accounts, we collect information about team members including names, email addresses, roles (admin, manager, photographer, viewer), and invite status. This information is used to manage access and permissions within your dealership.

Support & communications. Any messages, email content, or attachments you send to support.

Billing & subscription info. We do not store your full payment card numbers. Stripe processes payments and provides us with limited billing details (e.g., last4, brand, expiration month/year, billing name, and status). For dealership accounts, we also store subscription plan details, usage metrics (points consumed, images processed), and billing history.

1.2 Information collected automatically

Usage data. Features you use, actions you take, pages visited, timestamps, and performance metrics. For dealership users, this includes project creation, photo uploads, processing requests, team invitations, and subscription management activities.

Device & network data. IP address, browser type/version, device identifiers, operating system, language, referring/exit pages. For mobile app users, this may also include device model, screen size, and app version.

Mobile app data. When using our mobile application, we may collect device motion sensor data (accelerometer, gyroscope) for camera angle detection during guided photo capture. This data is processed locally on your device and is not transmitted to our servers. We also collect camera permissions status, photo library access permissions, and notification preferences.

Location data. We do not collect precise GPS location data. However, we may derive approximate location from IP address for analytics and fraud prevention purposes.

Cookies & similar tech. Cookies, local storage, AsyncStorage (mobile app), and similar technologies to keep you signed in, store preferences, protect your account, remember your active dealership selection, and understand usage. See Cookies below.

1.3 Information from third parties

Identity providers. Google OAuth provides your basic account information when you connect.

Payment processor. Stripe provides non-sensitive billing metadata and payment status.

VIN decoding service (Dealership Users). We use Auto.dev API to decode Vehicle Identification Numbers. When you scan or enter a VIN, we send it to Auto.dev to retrieve vehicle specifications. Auto.dev's data collection and use is governed by their own privacy policy.

AI service providers. We use Google Gemini for image analysis and categorization, SAM3 (Segment Anything Model) for image segmentation, and Roboflow for vehicle detection. These services process your images to provide the core functionality of our service. We configure these services to minimize data retention where controls are available.

Service providers. Analytics, error monitoring, fraud prevention, hosting/CDN, database, and email providers may supply operational signals or identifiers (e.g., request IDs, error traces). These include Supabase (database and authentication), Cloudflare (CDN, Workers, R2 storage), Railway (image processing), and Resend (transactional emails).

We do not knowingly collect or request information from children under 13 (or under the minimum age in your jurisdiction). If you believe a child has provided personal information, contact us and we will delete it.

2) How we use information

We use personal information to:

Provide and improve the Service. Operate core features; run AI edits and image processing; store history and downloads; provide authentication; enable routing and caching; perform maintenance and debugging. For dealership users, this includes VIN decoding, vehicle photo processing, background removal, image categorization, team management, and subscription management.

Mobile application functionality. Enable camera features, photo capture, offline storage, background upload queue management, real-time sync, and push notifications for processing completion.

Team collaboration (Dealership Users). Facilitate multi-user access, role-based permissions, team invitations, and project sharing within dealership organizations.

Account and subscription management. Manage plans, usage quotas (points/credits), billing cycles, overage charges, and payments via Stripe. For dealership accounts, track points consumed per image processed and provide usage analytics.

Security & abuse prevention. Detect fraud, abuse, spam, and malicious activity; protect accounts and our infrastructure; enforce usage limits and prevent unauthorized access.

Communications & Marketing. When you create an account, your email address is automatically added to our database and marketing communications list. We will send you transactional notices (receipts, security alerts, service updates, processing notifications, team invitations) as well as marketing communications (product tips, announcements, promotions, new feature announcements). You can opt out of marketing emails anytime via the unsubscribe link, but you cannot opt out of essential transactional emails while your account is active.

Analytics & product research. Aggregate usage patterns to improve performance, reliability, and features. For dealership accounts, we generate analytics reports showing project volumes, processing metrics, team activity, and ROI calculations.

Legal compliance. Comply with laws; respond to lawful requests; enforce our Terms of Service; handle DMCA requests.

3) Legal bases for processing (EEA/UK only)

If you are in the EEA/UK, we process your information under these legal bases:

Contract necessity: To provide the Service and fulfill our agreement with you.

Legitimate interests: To secure and improve the Service, prevent abuse, and understand usage (balanced with your rights).

Consent: For optional cookies/marketing where required.

Legal obligation: To comply with applicable laws (tax, accounting, regulatory requests).

4) How we share information

We do not sell personal information. We share information with:

Service providers / processors. We use trusted vendors who process data on our behalf and per our instructions, including:

• Supabase (authentication, database, storage, real-time data sync)
• Cloudflare (CDN, Workers serverless functions, R2 object storage, security, Workers KV)
• Railway (image processing services, AI pipeline execution)
• Stripe (payments—card data handled by Stripe, we receive limited billing metadata)
• Resend (transactional emails, team invitations, password resets, processing notifications)
• Auto.dev (VIN decoding for dealership users—VINs sent to their API for vehicle specification lookup)
• Google Gemini (AI image analysis, categorization, and description generation)
• Roboflow (vehicle detection and segmentation in images)
• Analytics / error monitoring (aggregate usage, reliability metrics)

Within your dealership organization (Dealership Users). When you are part of a dealership organization, your projects, uploaded images, and activity may be visible to other members of your dealership according to their role permissions. Admins and Managers can see all projects and team activity; Photographers can see projects they created and have access to; Viewers can only see completed projects.

Change of control. If we undergo a merger, acquisition, or asset sale, your information may be transferred subject to this Privacy Policy. We will notify you via email and/or prominent notice on our service of any change in ownership or uses of your personal information.

Legal reasons. To comply with law or valid legal process; to protect rights, property, security, or enforce our Terms; to respond to DMCA notices and counter-notices; to investigate fraud or security issues.

We require processors to use appropriate security and only process data as needed to deliver the contracted services. We do not authorize third parties to use your personal information for their own purposes.

5) Cookies and similar technologies

We use:

Essential cookies to keep you signed in, route traffic, and secure your session.

Functional/analytics to measure aggregate usage and improve our service. Specifically:

• Plausible Analytics: A privacy-friendly, GDPR-compliant analytics tool that does not use cookies, does not collect personal data, and does not track users across websites. Plausible is hosted in the EU and complies with GDPR, CCPA, and PECR. All data is aggregated and anonymous. Learn more at plausible.io/privacy-focused-web-analytics
• Google Analytics: Used for detailed traffic analysis and conversion tracking. Google Analytics may use cookies and collects data as described in Google's Privacy Policy. You can opt out using the Google Analytics Opt-out Browser Add-on

Where required by law, we implement consent controls for non-essential cookies. You can adjust browser settings to block cookies, but the Service may not work properly. Note that Plausible Analytics does not require cookie consent as it doesn't use cookies or collect personal information.

6) Data retention

Account & profile data are retained while your account is active and for a reasonable period afterward to meet legal/operational needs (e.g., billing, dispute resolution, tax compliance).

Images, prompts, and outputs you store remain in your account according to your subscription plan:

• Consumer accounts: Retention period varies by plan (e.g., 10 days for free tier, longer for paid plans). Images are automatically deleted after the retention period expires unless you download them.
• Dealership accounts: Unlimited retention—your projects and processed images remain available indefinitely while your subscription is active.

Mobile app local storage. Photos captured in the mobile app are stored locally on your device in SQLite database and app document directory until successfully uploaded to our servers. Local copies are automatically deleted 48 hours after server confirmation. If you uninstall the app, all local data is removed immediately.

Processing queue data. Temporary data created during image processing (intermediate files, analysis results, segmentation masks) is automatically deleted after processing completes or after 7 days, whichever comes first.

Logs and security data are kept for a limited time necessary for security, diagnostics, fraud prevention, legal compliance, and service integrity (typically 30-90 days).

Payment records are retained as required by tax and accounting laws (typically 7 years).

Team and organization data (Dealership Users). When a team member is removed from a dealership, their membership record is retained for audit purposes but marked as inactive. Projects and images they created remain accessible to the dealership organization.

We will delete or anonymize data when it is no longer needed for the purposes above, subject to legal holds.

7) Data security

We use administrative, technical, and physical safeguards to protect personal information, including encryption in transit (TLS), access controls, least-privilege practices, auditing, and network protections. No method of transmission or storage is 100% secure; if we learn of a breach affecting your personal data, we will notify you and regulators as required by law.

8) International data transfers

We are based in the United States. Your information may be transferred to and processed in the U.S. and other countries that may have different data-protection laws than your home jurisdiction. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) for transfers.

9) Your rights & choices

9.1 All users

Access, update, delete. You can access or update certain profile details in your account. You may request deletion of your account and associated content by contacting pepper@autoaistudio.com.

Email preferences. Opt out of non-essential emails via the unsubscribe link.

Cookies. Manage cookies in your browser. Where required, use our in-product controls.

9.2 EEA/UK residents

You may have rights to request access, rectification, erasure, portability, restriction, or objection to certain processing. You also have the right to lodge a complaint with your local supervisory authority. We will respond to verified requests as required by law.

9.3 California (CPRA) and U.S. state privacy laws

We do not sell personal information or share it for cross-context behavioral advertising as defined by CPRA. You may request:

• Access/know, correction, deletion, and information about disclosures.
• Submit requests at pepper@autoaistudio.com. We will not discriminate against you for exercising your rights.

10) Payments

Payments are processed by Stripe. Stripe collects and processes your payment information under its own privacy policy. We receive limited billing metadata and status from Stripe and do not store full card numbers.

11) User content, AI processing & training

Your content. You retain all ownership rights to the images, prompts, and outputs in your account. For dealership users, your organization retains ownership of all vehicle photos and processed images.

Processing. We process your content to run edits, perform background removal, categorize images, store history, and deliver downloads. When required for a requested feature, content (or derivative signals) may be sent to an AI provider only to perform your requested transformation. Specifically:

• SAM3 (Segment Anything Model): Used for vehicle segmentation and background removal
• Google Gemini: Used for image analysis, categorization (exterior, interior, detail, VIN), angle detection (front ¾, side, rear, etc.), and vehicle validation
• Roboflow: Used for vehicle detection and detail photo analysis

VIN data processing. When you scan or enter a VIN number, we send it to Auto.dev API to retrieve vehicle specifications (year, make, model, trim). The VIN and decoded information are stored in your dealership account and used to automatically name projects.

Model training. We do not use your content to train our own models. Where we rely on third-party AI tools, we configure and/or contract to prevent provider training on your content where such controls are available. However, providers may retain limited logs for abuse detection or legal compliance—see their policies:

• Google AI Privacy Policy
• Roboflow Privacy Policy
• Auto.dev Privacy Policy

Public sharing. If you choose to share content publicly (consumer accounts only—not available for dealership users), that content may be visible to others and indexable by search engines. Dealership users cannot publish projects publicly; all content remains private to your dealership organization.

Team visibility (Dealership Users). Within your dealership organization, projects and images you create may be visible to other team members according to their role. All team members with appropriate permissions can view, process, and download images from shared projects.

12) Third-party links & services

The Service may link to or integrate with third-party websites and services (e.g., Google, Stripe, Auto.dev). We are not responsible for their practices. Review their privacy policies before providing information.

13) Mobile application specific practices

Our mobile application (available for iOS and Android) collects and uses information as follows:

Camera and photos. The app requests permission to access your device camera and photo library to capture and upload vehicle photos. Camera access is required for VIN scanning and guided photo capture. We do not access your photo library except for images you explicitly select to upload.

Device sensors. The app uses device motion sensors (accelerometer, gyroscope) to detect camera angle and provide real-time guidance during photo capture. Sensor data is processed locally on your device and is not transmitted to our servers.

Local storage. The app stores data locally on your device including:

• Authentication session (AsyncStorage)
• Active dealership selection (AsyncStorage)
• Captured photos awaiting upload (SQLite database + document directory)
• Project metadata and upload queue status (SQLite database)

Background processing. The app may continue uploading photos in the background when you minimize the app or switch to another app. This ensures reliable photo delivery. Background processing is limited to 30 seconds on iOS (per platform restrictions) and uses background tasks to complete uploads.

Push notifications. With your permission, we send push notifications to alert you when image processing completes, when projects are ready for review, or for team-related activities. You can disable notifications in your device settings at any time.

Offline mode. The app supports offline photo capture. Photos captured offline are stored locally (up to 10 vehicles, approximately 2-3GB) and automatically uploaded when connectivity returns. VIN numbers captured offline are decoded automatically when you reconnect.

App analytics. We collect anonymous usage analytics including screen views, feature usage, crashes, and performance metrics to improve the app. This data does not include your photos or personal content.

14) Dealership-specific practices

If you use Auto AI Studio as part of a dealership organization, additional terms apply:

Multi-user access. Your dealership administrator controls who has access to your organization's account and what role they have (Admin, Manager, Photographer, Viewer). All projects and images belong to the dealership organization, not individual users.

Role-based permissions. What you can see and do depends on your role:

• Admin: Full access to all projects, billing, team management, and settings
• Manager: Can create projects, process images, manage team (except other Admins/Managers), and view analytics
• Photographer: Can create projects, upload photos, and process images
• Viewer: Can only view completed projects—no upload, editing, or creation permissions

Team invitations. When an Admin or Manager invites you to join a dealership, they provide your email address. We send an invitation email and create a pending invite record. You can accept or decline the invitation.

Usage tracking. We track points/credits consumed per dealership for billing purposes. Each processed image (AI mode) consumes points from your dealership's allocation. Images processed in "enhance only" mode do not consume points but are tracked separately for analytics.

Analytics dashboard. Admins and Managers can view analytics showing project volumes, photos processed, team activity, processing time, and ROI calculations. This data is aggregated and does not reveal individual user actions beyond project authorship.

Data retention after leaving. If you leave a dealership (voluntarily or removed by an admin), you lose access to that dealership's projects and images. However, projects you created remain accessible to the dealership organization. Your membership record is retained for audit purposes.

Multi-dealership users. If you belong to multiple dealerships (e.g., as a freelance photographer), each dealership's data is kept separate. You can switch between dealerships, and projects/images are filtered by your active dealership selection.

15) Children's privacy

The Service is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If we learn a child has provided personal information, we will delete it.

14) Changes to this policy

We may update this Privacy Policy from time to time. We will post the new effective date at the top. Material changes will be highlighted in-product or via email where appropriate. Your continued use of the Service after changes means you accept the updated policy.

16) Region-specific disclosures (summary)

United States. We comply with applicable U.S. federal and state privacy laws. For California/CPRA, see Section 9.3 above.

EEA/UK. We act as a controller for account/profile data and as a controller or processor for in-product content depending on the workflow. Transfers rely on appropriate safeguards (e.g., SCCs).

Other regions. Local rights may vary. Contact us to exercise rights available in your jurisdiction.