Privacy Policy

Last updated: April 4, 2026

1. Data Controller

The data controller for the processing of your personal data is Fabio Ariotti (sole trader), Via Vercelli 18, 13039 Trino (VC), Italy — P.IVA IT02782390021 — C.F. RTTFBA97T03B885G — REA VC-312122. Reachable at FabioAriotti@CookedBanana.Com or PEC FabioAriotti@PEC.It.

This Privacy Policy explains how CookedBanana ("we", "us", "our") collects, uses, and protects your personal data when you use our service at cookedbanana.com (the "Service"), in accordance with Regulation (EU) 2016/679 (GDPR).

2. Data We Collect

We collect the following categories of personal data:

  • Account data: email address, full name, and hashed password provided at registration.
  • Profile data: profile picture (avatar) uploaded voluntarily.
  • Usage data: images and text descriptions you submit to generate prompts, AI-generated outputs, and your generation history.
  • Billing data: subscription plan, credit balance, and transaction history. Payment details (card numbers, etc.) are processed exclusively by Stripe and are never stored on our servers.
  • Technical data: IP address, browser type, and session tokens collected automatically by our infrastructure provider (Supabase).

3. Purposes and Legal Basis

We process your data for the following purposes:

  • Service delivery – account creation, authentication, prompt generation, saving and displaying your history. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
  • Payments and billing – processing subscriptions, managing credits and invoices. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
  • Analytics – understanding how users interact with the Service through aggregated, anonymised usage statistics (Google Analytics, Google Tag Manager). These tools are loaded only after you explicitly consent via the cookie banner. Legal basis: consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by clearing your browser's local storage or by selecting "Only necessary" in the cookie banner.
  • Security and fraud prevention – protecting accounts and detecting abuse. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Legal compliance – meeting fiscal and regulatory obligations. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

4. Third-Party Processors

We share your data only with the following sub-processors, each bound by GDPR-compliant Data Processing Agreements:

  • Supabase, Inc. (USA) – database, authentication, and file storage. Data may be transferred to the US under Standard Contractual Clauses.
  • Stripe, Inc. (USA) – payment processing and subscription management.
  • Google LLC (USA) – AI prompt generation via the Gemini API. Images and text you submit are sent to Google for processing. Refer to Google's data processing terms for details.

We do not sell, rent, or otherwise disclose your personal data to any other third party for marketing purposes.

5. Data Retention

  • Account data and generation history are retained for as long as your account is active.
  • Uploaded images are stored in our cloud storage and associated with your account. They are deleted when you delete your account.
  • Upon account deletion, all personal data is permanently erased within 30 days, except where retention is required by law (e.g., fiscal records retained for 10 years under Italian law).
  • Billing and transaction records may be retained for up to 10 years to comply with fiscal obligations.

6. Cookies

We use two categories of cookies and similar technologies:

  • Strictly necessary – session tokens managed by Supabase, required for authentication and secure access to the Service. These are always active and do not require consent.
  • Analytics – Google Analytics (GA4) and Google Tag Manager, used to collect anonymised statistics about how visitors interact with the Service (pages visited, session duration, etc.). These are loaded only if you click "Accept all" in the cookie banner. You may withdraw consent at any time by clearing your browser's local storage or reopening the banner.

We do not use profiling, advertising, or third-party tracking cookies. You can manage or delete cookies at any time through your browser settings; deleting session cookies will sign you out of the Service.

7. Your Rights

Under the GDPR you have the right to:

  • Access – request a copy of the personal data we hold about you.
  • Rectification – correct inaccurate or incomplete data (available directly in Settings).
  • Erasure ("right to be forgotten") – delete your account and all associated data from Settings → Delete account.
  • Portability – receive your data in a structured, machine-readable format.
  • Restriction – request that we restrict processing of your data in certain circumstances.
  • Objection – object to processing based on legitimate interest.
  • Withdraw consent – where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at FabioAriotti@CookedBanana.Com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in Italy: the Garante per la Protezione dei Dati Personali).

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encrypted connections (HTTPS/TLS), hashed passwords, access controls, and row-level security on our database. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

9. Children's Privacy

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes at least 15 days before they take effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

11. Contact

For any privacy-related requests or questions, contact: FabioAriotti@CookedBanana.Com