Legal

Privacy Policy

Last updated: June 17, 2026

The Short Version

  • We collect your name & email via Google sign-in
  • Your photos are processed by AI (Google Gemini) to identify products — then deleted from AI memory
  • Images are stored on Bunny.net CDN (your content, your control)
  • We never sell your data. Period.
  • You can delete everything anytime from your account settings

1. Who We Are

My Creative Stash is operated by lic. Andreea-Iulia Bănțoiu, M., Gattergasse 2B, Tür 11, 1110 Vienna, Austria (“we”, “us”, “our”). We are the data controller for your personal data under the EU General Data Protection Regulation (GDPR).

Contact: info@mycreativestash.com

2. What We Collect

| Data | Source | Purpose |
|---|---|---|
| Name, email, profile photo | Google OAuth | Account creation & authentication |
| Product photos | You (camera/upload) | AI recognition & product catalog |
| Product metadata | AI-generated + your edits | Catalog organization |
| Session cookie | NextAuth.js | Keeping you signed in |

3. Why We Collect It (Legal Basis)

  • Contract performance (Art. 6(1)(b) GDPR): We need your account data to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR): Session cookies to keep you signed in; basic security measures; and verifying your email address to prevent abuse of our AI features.
  • Consent (Art. 6(1)(a) GDPR): Sending you marketing emails (product updates and offers), only if you explicitly opt in. You can withdraw this consent at any time.

We do not rely on consent for core functionality — because you should be able to withdraw consent without losing your account.

4. Third-Party Services

We share data with these processors to provide the service:

Google — Mountain View, USA

We use Google services for two purposes: (1) Google OAuth for sign-in (provides your name, email, and profile picture — we do not access your Google Drive, contacts, or other data), and (2) Google's Gemini API for AI product recognition (your photos are sent for identification; Google does not use API data to train their models per their API Terms of Service). Our servers also run on Google Cloud Platform (US region). All data transfer is covered by Google's Standard Contractual Clauses and Data Processing Addendum.

Bunny.net — European Union

Product images are stored and delivered through Bunny.net's CDN (operated by BunnyWay d.o.o., Slovenia, EU) for fast delivery. Images are stored until you delete the product or your account. Bunny.net acts as a data processor under their DPA.

SerpAPI — USA

Product names may be searched via SerpAPI for brand verification and price lookup. No personal data (only product names) is sent to this service.

Resend — USA

We use Resend to deliver transactional emails (such as email verification) and, if you opt in, marketing emails. Only your email address and name are shared, solely to send these messages. Resend acts as a data processor under their DPA.

Stripe — Ireland / USA

If you subscribe to a paid plan, payments are processed by Stripe Payments Europe, Ltd. (Dublin, Ireland). Stripe receives your name, email, and payment details to process the transaction and prevent fraud. We never see or store your full card number — Stripe handles card data directly as an independent controller and, for the data it processes on our behalf, under their DPA. See stripe.com/privacy.

4a. Email Communications

We send two kinds of email: (1) essential account emails — for example, verifying your address — which are required to operate your account; and (2) marketing emails — product updates and occasional offers — which we send only if you opted in. Every marketing email includes a one-click unsubscribe link, and you can change your preference anytime in Settings → Email preferences. Unsubscribing stops marketing emails but not essential account emails.

5. Data Retention

  • Account data: Kept until you delete your account
  • Product data & images: Kept until you delete the product or your account
  • Session cookies: Expire after 30 days of inactivity
  • AI processing: Images are processed in real-time and not stored by Google beyond processing
  • Database backups: Automatically deleted after 30 days

6. Your Rights (GDPR Articles 15–22)

You have the right to:

  • Access — Request a copy of all data we hold about you
  • Rectification — Correct inaccurate data (edit your products anytime)
  • Erasure — Delete your account and all associated data
  • Data portability — Export your catalog data in a machine-readable format
  • Restriction — Request we stop processing your data
  • Objection — Object to processing based on legitimate interest

To exercise any right, email us at info@mycreativestash.com or use the “Delete Account” button in your account settings. We will respond within 30 days.

You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, www.dsb.gv.at).

7. Cookies

We use only essential cookies:

| Cookie | Purpose | Duration |
|---|---|---|
| next-auth.session-token | Keeps you signed in | 30 days |
| next-auth.csrf-token | Security (prevents CSRF attacks) | Session |

We do not use analytics cookies, advertising cookies, or any third-party tracking.

8. Security

We protect your data with: HTTPS encryption in transit, encrypted database at rest, access restricted to authenticated users only, regular automated backups, no plain-text password storage (OAuth only).

9. Children

This service is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by displaying a notice in the app. The “Last updated” date at the top will always reflect the latest revision.

11. Contact

lic. Andreea-Iulia Bănțoiu, M.
Gattergasse 2B, Tür 11, 1110 Vienna, Austria
info@mycreativestash.com