Privacy policy
Effective date: 29 March 2026
This Privacy Policy explains how ListPic ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website and service at listpic.app ("the Service"). We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data controller
ListPic is the data controller responsible for your personal data. If you have any questions about this policy or our data practices, you can contact us at hello@listpic.app.
2. What data we collect
We collect and process the following categories of personal data:
2.1. Account information
- Email address — collected during registration, used for account authentication, service communications, and billing notifications.
- Name and profile picture — collected from your Google account if you sign in via Google authentication. Used to personalise your ListPic experience.
- Account identifiers — a unique user ID assigned to your account within our system.
2.2. Photos and images
- Original photos — the product photos you upload for transformation.
- Transformed photos — the AI-generated output images produced by the Service.
2.3. Payment information
- Billing details — processed securely by Stripe. We do not store your full card number, CVV, or other sensitive payment credentials on our servers. We may store a Stripe customer ID, subscription status, and the last four digits of your payment card for display purposes.
2.4. Usage data
- Transformation history — records of photos processed, including timestamps and transformation styles selected.
- Quota usage — the number of photo transformations used within your current billing period.
- Technical data — IP address, browser type, device type, and operating system, collected automatically when you access the Service.
3. How we use your data
We use your personal data for the following purposes:
- Providing the Service — to process your photos using AI, store your original and transformed images, and deliver them to you.
- Account management — to create and maintain your account, authenticate your identity, and manage your subscription.
- Billing and payments — to process subscription payments, manage plan changes, and handle cancellations and refunds via Stripe.
- Service improvement — to monitor usage patterns, diagnose technical issues, and improve the quality and reliability of the Service.
- Communication — to send you essential service notifications such as billing confirmations, usage alerts, and important updates about the Service or these terms.
- Security and fraud prevention — to detect and prevent abuse, enforce our Terms of Service, and protect the security of the Service.
4. Legal basis for processing
Under the UK GDPR, we process your personal data on the following legal bases:
- Performance of a contract — processing necessary to provide the Service to you under our Terms of Service (e.g., transforming your photos, managing your account and subscription).
- Legitimate interests — processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where these interests are not overridden by your rights.
- Legal obligation — processing necessary to comply with our legal obligations, such as maintaining billing records.
5. How we use your photos
Your photos are used exclusively to provide the ListPic transformation service. We do not:
- Share your photos with third parties for their own purposes
- Use your photos to train, fine-tune, or improve AI models
- Sell, license, or commercially exploit your photos
- Access or review your photos for any purpose other than providing the Service, unless required by law
Your photos are sent to the Google Gemini API solely for the purpose of generating transformed images. Google's API data processing terms apply to this transmission. According to Google's API terms, data submitted via their paid API services is not used to train their models. We recommend reviewing Google's Privacy Policy for further details on how API data is handled.
6. Third-party services
We use the following third-party services to operate ListPic. Each processes data in accordance with its own privacy policy:
- Supabase — database hosting, user authentication, and photo storage. Data is hosted on AWS infrastructure. Supabase Privacy Policy
- Google Gemini API — AI-powered photo transformation. Your photos are sent to Google's servers for processing and the transformed result is returned to us. Google Privacy Policy
- Stripe — payment processing for paid subscriptions. Stripe handles all payment card data directly. Stripe Privacy Policy
- Vercel — website hosting and deployment. Vercel may process technical data such as IP addresses and request logs. Vercel Privacy Policy
7. Data storage and security
Your data is stored securely using Supabase, hosted on AWS infrastructure. We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of all data in transit using TLS (Transport Layer Security)
- Encryption of stored data at rest
- Row-level security policies ensuring that your photos and account data are accessible only to your authenticated account
- Secure authentication via Supabase Auth with support for Google OAuth
- No storage of sensitive payment credentials on our infrastructure (handled entirely by Stripe)
8. Data retention
- Photos — your original and transformed photos are retained until you delete them individually or delete your account, whichever occurs first.
- Account data — your account information is retained for as long as your account is active. Upon account deletion, your personal data is deleted within 30 days, except where we are required by law to retain certain records (e.g., billing records for tax purposes).
- Billing records — transaction records may be retained for up to 7 years to comply with UK tax and accounting obligations.
- Technical logs — server logs containing IP addresses and request data are retained for up to 90 days for security and diagnostic purposes.
9. Your rights under UK GDPR
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can request that we correct any inaccurate or incomplete personal data.
- Right to erasure — you can request deletion of your personal data. You can delete your account and all associated data at any time through your account settings page.
- Right to restriction of processing — you can request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability — you can request your personal data in a structured, commonly used, and machine-readable format. You can download your photos directly from your dashboard at any time.
- Right to object — you can object to the processing of your personal data where we rely on legitimate interests as the legal basis.
- Right to withdraw consent — where processing is based on consent, you may withdraw your consent at any time.
To exercise any of these rights, please contact us at hello@listpic.app. We will respond to your request within one month, as required by law.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, if you believe your data protection rights have been violated. You can contact the ICO at ico.org.uk.
10. Cookies
ListPic uses only essential cookies that are strictly necessary for the operation of the Service. These include:
- Authentication cookies — used to maintain your login session and keep you signed in across pages.
- Security cookies — used to support authentication security measures such as CSRF protection.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Because we use only strictly necessary cookies, consent is not required under UK cookie regulations.
11. International data transfers
Some of our third-party service providers (including Google, Stripe, and Vercel) may process data outside the United Kingdom. Where data is transferred internationally, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, to protect your personal data in accordance with UK GDPR requirements.
12. Children's privacy
ListPic is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that information promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or by posting a prominent notice on the Service prior to the changes taking effect. The "Effective date" at the top of this page indicates when this policy was last revised.
14. Contact us
If you have any questions about this Privacy Policy or our data practices, please contact us at hello@listpic.app.