Privacy Policy

The data controller responsible for your personal data is:

We collect the following categories of personal data:

Account & Identity Data

• Email address (required to create an account)
• Name and profile picture (when signing in via Google OAuth)
• Authentication tokens and session identifiers
• Referral code (if you were referred by another user)

Usage & Generation Data

• Product images you upload (stored while your plan is active; deleted when your plan lapses or account is closed)
• AI-generated descriptions, price suggestions, and hashtags
• Item category, brand, and metadata associated with your generations
• Generation history and credit balance

Payment Data

• Transaction identifiers and purchase history
• Subscription status and plan information
• We do not store credit card numbers. Payments are processed by Polar.sh, our Merchant of Record, who handles all payment data under their own privacy policy and PCI-DSS compliance.

Technical & Analytics Data

• IP address and browser/device type
• Pages visited, features used, and interaction events
• Error reports and performance diagnostics

• Providing the service: Authenticating your account, processing images through our AI pipeline, and delivering generated descriptions.
• Managing credits & subscriptions: Tracking your credit balance, processing purchases, and managing subscription status.
• Referral program: Attributing referrals and awarding credits to eligible users.
• Transactional emails: Sending account confirmation, generation results, and billing notifications via Resend.
• Analytics & improvement: Understanding how features are used to improve the product (PostHog, aggregated and anonymized where possible).
• Error monitoring: Diagnosing and fixing technical issues (Sentry).
• Legal compliance: Meeting our obligations under applicable law.

We process your data under the following legal bases (Article 6 GDPR):

We use the following third-party processors. Each has its own privacy policy and data processing agreements in place with us where required by GDPR:

• Supabase – Database, authentication, and file storage. Data is stored in the EU (AWS eu-central-1). Privacy policy
• Polar.sh – Payment processing (Merchant of Record). Handles credit card data, VAT/GST compliance. Privacy policy
• Google Gemini API – AI model that processes product images to generate descriptions. Images are sent to Google’s API and not retained by Google for training without consent. Privacy policy
• Google OAuth – Optional sign-in method. Privacy policy
• PostHog – Product analytics. Data is stored on PostHog’s EU servers (eu.i.posthog.com). Privacy policy
• Sentry – Error monitoring and performance tracking. Privacy policy
• Resend – Transactional email delivery. Privacy policy
• Vercel – Hosting and edge network. Privacy policy

We do not sell your personal data to third parties.

• Uploaded images: Stored while your plan is active. Deleted when your subscription lapses or your account is closed.
• Account data: Retained for as long as your account is active. Upon account deletion, we delete your personal data within 30 days, except where retention is required by law.
• Generation history: Retained while your account is active. You can delete individual generations from your history at any time.
• Payment records: Retained for 5 years to meet tax and accounting obligations under Polish law.
• Analytics data: Retained in aggregated/anonymized form for up to 24 months.

As a data subject under GDPR, you have the following rights:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Correct inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
• Right to restriction (Art. 18): Ask us to limit how we process your data.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interest (e.g., analytics).
• Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting prior lawfulness.

To exercise any of these rights, email us at contact@descbox.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Polish supervisory authority:

We use the following types of cookies and similar technologies:

• Essential cookies: Required for authentication (Supabase session tokens) and core functionality. These cannot be disabled.
• Analytics cookies: PostHog uses cookies to track product usage and improve the service. PostHog data is stored on EU servers. You may opt out by contacting us or using browser privacy settings.
• Error tracking: Sentry may set cookies or collect browser identifiers for error correlation.

You can manage cookies through your browser settings. Disabling non-essential cookies will not affect your ability to use core features.

We store your data primarily within the European Union. Where data is transferred outside the EU (for example, to Google’s API infrastructure or Vercel’s global CDN), such transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.

We implement appropriate technical and organizational measures to protect your personal data, including:

• Row-Level Security (RLS) on all database tables — your data is only accessible to you
• Encrypted connections (HTTPS/TLS) for all data in transit
• Deletion of uploaded images when your plan lapses or account is closed
• No storage of payment card details
• Regular monitoring via Sentry for security incidents

No system is perfectly secure. If you discover a security vulnerability, please report it to contact@descbox.com.

DescBox is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at contact@descbox.com and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make significant changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email. Continued use of DescBox after changes constitutes acceptance of the updated policy.

For any privacy-related questions, data subject requests, or concerns, contact us at: