GDPR

Privacy Policy

Last updated: 2026-06-07

This policy describes how MannequinIA ("we") collects, uses and protects your personal data when you use our AI image-generation service, in accordance with Regulation (EU) 2016/679 (the "GDPR") and applicable French data-protection law.

01

Data controller

The data controller is the operator of the service, [TO BE COMPLETED: legal name], [TO BE COMPLETED: legal form and share capital], registered under number [TO BE COMPLETED: company registration number], with its registered office at [TO BE COMPLETED: registered address].

For any question about your data or to exercise your rights, you may contact our data-protection point of contact: [TO BE COMPLETED: GDPR contact email, e.g. privacy@…]. A Data Protection Officer (DPO) is not mandatory for our activity; where one is appointed, their details will appear here: [TO BE COMPLETED: DPO if appointed].

02

Data we collect

Account data
Email address, display name, password (hashed) or authentication-provider identifier, language and preferences.
Images and content you upload
The product, garment or reference photos you upload to generate visuals, together with the related instructions (prompts) and settings.
Generated visuals
The images produced by the service from your content and instructions, stored in your gallery.
Billing data
Purchase history, credits, invoices and customer identifier. Payment-card details are handled directly by our payment provider (Stripe) and do not pass through our servers.
Technical and usage data
Connection logs, IP address, browser type, and events strictly necessary for operation, security and abuse prevention.

You remain responsible for the content you upload. You agree to upload a photograph depicting a real person only if you have their written consent (see our Terms). By default the service is built around products and 100% synthetic models.

03

Purposes and legal bases

We process your data for the following purposes, each relying on a legal basis under Article 6 of the GDPR:

  • Providing the service (account creation, visual generation, gallery) — performance of the contract (Art. 6(1)(b)).
  • Billing and credit management — performance of the contract and legal obligation (accounting, Art. 6(1)(b) and 6(1)(c)).
  • Security, fraud and abuse prevention — legitimate interest (Art. 6(1)(f)).
  • Improvement and support (incident diagnosis, assistance) — legitimate interest (Art. 6(1)(f)).
  • Service-related communications (transactional emails) — performance of the contract. Any marketing communication would rely on your consent (Art. 6(1)(a)), which you can withdraw at any time.

We do not use your uploaded images or generated visuals to train AI models. They are processed solely to produce the result you request.

04

Processors and recipients

To deliver the service we rely on processors that act on our instructions and with whom a Data Processing Agreement (DPA) is in place. The main ones are:

Fal.ai (AI image generation)
Runs the generation models from your content and instructions. Images may be transmitted to this provider for the duration of processing.
Stripe (payments)
Processes payments and billing. Stripe acts as a separate controller for payment data.
Brevo (email)
Delivers transactional emails and, where applicable, communications you have consented to.
Hosting provider
Hosting of the application and data. [TO BE COMPLETED: hosting provider name and location].

Some of these providers may process data outside the European Union. Where this is the case, such transfers are governed by appropriate safeguards (the European Commission's Standard Contractual Clauses or an equivalent mechanism), in accordance with Articles 44 et seq. of the GDPR.

05

Retention periods

  • Account data: for the lifetime of the account, then deleted or anonymised within a reasonable period after closure.
  • Uploaded images and generated visuals: for as long as your account is active; you can delete them at any time from your gallery.
  • Billing data: kept for the period required by applicable accounting and tax obligations (in France, up to 10 years).
  • Technical logs: kept for a limited period for security purposes, generally a few months.

06

Your rights

Under the GDPR you have the following rights over your data:

  • Right of access and information (Art. 15);
  • Right to rectification (Art. 16);
  • Right to erasure / the "right to be forgotten" (Art. 17);
  • Right to restriction of processing (Art. 18);
  • Right to data portability (Art. 20);
  • Right to object, in particular to processing based on legitimate interest (Art. 21);
  • Right to withdraw consent at any time, without retroactive effect (Art. 7(3)).

To exercise these rights, write to [TO BE COMPLETED: GDPR contact email]. We respond within one month. You also have the right to lodge a complaint with the French data-protection authority (CNIL, www.cnil.fr) or your local supervisory authority.

07

Cookies

Our service uses only cookies and technologies strictly necessary for its operation (authentication, security, language preference). These essential cookies do not require your prior consent.

We do not use advertising cookies or third-party profiling trackers. Should we ever introduce analytics or marketing cookies, a consent banner would be put in place and this policy updated accordingly.

08

Security

We implement appropriate technical and organisational measures to protect your data against loss, unauthorised access or disclosure (encryption in transit, access control, logging). As no system is infallible, we cannot guarantee absolute security, but we commit to notifying any data breach as required by the GDPR.

09

Changes

We may update this policy to reflect legal or technical developments. The last-updated date appears at the top of this page. In the event of a material change, we will inform you by appropriate means.