HomeSmokePıc
Open as PDF

Privacy Policy

Effective: 2026-06-06

1. About us

This Policy is from PGZ AI Solutions, a sole proprietorship of Pugazhenthi N. Our principal place of business is 715-A, 7th Floor, Spencer Plaza, Suite #1544, Mount Road, Anna Salai, Chennai, Tamil Nadu, India.

This Policy explains what data we collect, why we collect it, how long we keep it, and your rights under Indian law.

2. What data we collect

  • Photos: the photos you upload, the images we generate from them, and intermediate processing artifacts.
  • Account: your email address, and a display name if you sign in with Google.
  • Payments: transaction metadata only. We do NOT store your card numbers — Razorpay does.
  • Technical: IP address, user-agent string, request timestamps. We use these for security and abuse prevention.
  • Security audit log: we record key security and account events — sign-ins, photo downloads, account deletion, payments, and administrative actions — together with the associated IP address and device, as our security and compliance trail (retention in §6).
  • Generation context: the mode you picked, sub-mode, and styling choices for each generation.
  • Usage analytics: anonymized event metadata about which features and modes you use (never your photos or text inputs).

3. Why we collect it

  • To generate your photos and deliver the service
  • To provide customer support when you ask
  • To bill correctly and meet Indian tax-record requirements
  • To prevent fraud, abuse, and infrastructure attacks
  • To comply with legal obligations under Indian law
  • To understand product usage and improve the service

4. Photos and AI training

We do not use your photos to train AI models. Period.

Photos you upload are sent to our AI/ML providers solely to generate and analyse your image — never to train any AI model, ours or theirs. We require every provider we use to operate under no-training terms for API traffic.

We retain your photos in our storage for 30 days, then delete them automatically (see §6).

5. Third-party processors

We use the following processors. Each has its own privacy policy governing how it handles data we send.

  • AI/ML providers — photo generation & analysis: we may route images through providers including Google (Vertex AI) and OpenAI (engaged under contractual no-training terms — your photos are never used to train any AI model, ours or theirs).
  • Supabase — authentication, database, storage: privacy policy
  • Vercel — hosting and analytics (page views, performance): privacy policy
  • PostHog — product analytics (usage events): privacy policy
  • Resend — transactional email: privacy policy
  • Razorpay — payments: privacy policy
  • Sentry — error tracking: privacy policy

6. Retention

  • Photos and generations: 30 days, then auto-deleted by our retention schedule.
  • User-deleted photos: storage purged immediately on delete. The database row remains until its natural 30-day expiry, then disappears completely.
  • Transaction & payment records: about 7–8 years, as Indian tax law requires. These are kept even if you delete your account, but with personal identifiers removed (anonymized).
  • Security audit log: about 13 months — at least the 180-day minimum required for access logs under Indian cybersecurity (CERT-In) rules — then automatically purged.
  • Account-deletion fraud record: when you delete your account we keep a one-way cryptographic hash of your email — not the email itself, and not reversible — to prevent repeated abuse of free sign-up credits. It contains no readable personal data and is retained indefinitely for fraud prevention.
  • Sentry error reports: per Sentry's default retention (currently 90 days).

7. Your DPDP rights

Under the Digital Personal Data Protection Act 2023, you have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Erase your data — go to Settings → Danger Zone to delete your account
  • Grievance redressal — contact our Grievance Officer (see §10)

When you delete your account we remove your photos, profile, and personal data. For legal compliance and fraud prevention we retain only two minimal things, neither of which identifies you: (i) your transaction and tax records with personal identifiers stripped out, and (ii) a one-way hash of your email address. See §6 for details.

8. Cookies and local storage

  • Auth session cookie: set by Supabase to keep you signed in
  • TweakRoom edit history: stored in your browser's localStorage so your edits persist across sessions
  • Wizard guide dismissals: localStorage flags (key prefix wizard-guide-dismissed:) remember which guide panels you have closed so they don't reopen. Persist until you clear browser storage.
  • Product analytics: PostHog stores an anonymous analytics ID in your browser's localStorage (key prefix ph_) — not a cookie. Vercel Analytics is cookieless.

We do NOT use third-party tracking cookies or advertising pixels.

9. Children

SmokePic is not intended for users under 18. We do not knowingly collect data from minors. If you become aware that a minor has used the service, contact us at support@smokepic.com and we will delete their data.

10. Grievance Officer

Under the DPDP Act, you may raise grievances about how we handle your personal data.

  • Grievance Officer: Pugazhenthi N
  • Email: grievance@smokepic.com
  • Address: 715-A, 7th Floor, Spencer Plaza, Suite #1544, Mount Road, Anna Salai, Chennai, Tamil Nadu, India

We commit to acknowledging your grievance within 7 days and resolving it within 30 days of receipt.

If you are not satisfied with our response, you may escalate to the Data Protection Board of India per the DPDP Act.