Privacy Policy
Last updated: 13 June 2026
1. Introduction
FOTOOL LTD ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Fotool.ai platform.
Data Controller: FOTOOL LTD, 1053 London Road, Leigh-On-Sea, Essex, SS9 3JP, United Kingdom. Company No. 11046581. Registered with the Information Commissioner’s Office (ICO), registration reference: ZC121613.
2. Information We Collect
2.1 Information You Provide
| Category | Data Collected | Purpose |
|---|---|---|
| Account Data | Name, email address, password (hashed), company name | Account creation, authentication, communication |
| Billing Data | Payment card details (processed by Stripe), billing address, VAT number | Payment processing, invoicing, tax compliance |
| Content Data | Product images, custom model images | AI image generation, project management |
| Communication Data | Support tickets, feedback, survey responses | Customer support, product improvement |
2.2 Information Collected Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, session duration, click patterns | Analytics, product improvement |
| Device Data | Browser type, operating system, screen resolution, device type | Compatibility, debugging |
| Network Data | IP address, approximate location (country/city level) | Security, fraud prevention, localisation |
| Cookie Data | Session cookies, preference cookies, analytics cookies | Session management, personalisation, analytics |
2.3 Information from Third Parties
We may receive information from third-party services you choose to connect (e.g., marketplace integrations), identity verification providers, and payment processors.
3. Legal Bases for Processing (GDPR)
| Legal Basis | Processing Activity |
|---|---|
| Contract Performance | Account management, service delivery, payment processing |
| Legitimate Interest | Analytics, fraud prevention, product improvement, security |
| Consent | Marketing communications, non-essential cookies, optional data sharing |
| Legal Obligation | Tax records, law enforcement requests, regulatory compliance |
4. How We Use Your Information
- Service Delivery: Process your images, generate AI content, manage your projects and account
- Communication: Send transactional emails (verification, password reset, project notifications), and marketing communications if you have opted in
- Improvement: Analyse usage patterns to improve features, fix bugs, and optimise performance
- Security: Detect and prevent fraud, abuse, and unauthorized access
- Compliance: Meet legal and regulatory obligations
5. Data Sharing and Disclosure
We do not sell your personal data. We share data with the following recipients, subject to appropriate safeguards. Recipients marked "(consent)" only receive data after you explicitly opt in via the cookie consent banner.
| Recipient / Category | Purpose | Safeguards |
|---|---|---|
| Google Cloud Platform & Firebase | Hosting, Firestore database, Cloud Functions, authentication, backend infrastructure | Google DPA, EU SCCs, SOC 2 Type II |
| Cloudflare | CDN, R2 image and media storage, DDoS protection, Web Analytics | Cloudflare DPA, EU SCCs, ISO 27001 |
| Google (Gemini API) | AI image generation and processing | Google Cloud DPA (enterprise terms, no training on user data) |
| Stripe | Payment processing and subscription management | Stripe DPA, PCI DSS Level 1 |
| Google (Analytics 4 & Tag Manager) (consent) | Website traffic analysis and tag management | Google Ads DPA, EU SCCs |
| Microsoft (Clarity) (consent) | User session analysis and UX improvements | Microsoft DPA, EU SCCs |
| Meta (Facebook Pixel) & TikTok (Pixel) (consent) | Marketing attribution and ad measurement | Platform DPAs, EU SCCs |
| Email service providers | Transactional and marketing emails | Vendor DPAs, EU SCCs |
6. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. For transfers outside the UK/EEA, we rely on:
- EU Standard Contractual Clauses (SCCs)
- UK International Data Transfer Agreement (IDTA)
- Adequacy decisions where available
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account Data | Duration of account + 30 days after deletion |
| Billing Records | 7 years (UK tax requirements) |
| Generated Images | Duration of account + 30 days after deletion |
| Uploaded Images | Duration of account + 30 days after deletion |
| Analytics Data | 26 months (aggregated after 13 months) |
| Support Tickets | 3 years after resolution |
| Server Logs | 90 days |
8. Your Rights (UK GDPR / EU GDPR)
You have the following rights regarding your personal data:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data (“right to be forgotten”). Please note that this right is subject to exceptions under Article 17(3) UK GDPR, including where retention is necessary for compliance with a legal obligation (such as tax and accounting requirements) or for the establishment, exercise, or defence of legal claims. See Section 11.1 for specific retention periods that apply after account deletion.
- Right to Restrict Processing: Limit how we process your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise your rights, contact us at support@fotool.ai. We will respond within 30 days (extendable by 60 days for complex requests).
9. Cookies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your cookie preferences through your browser settings or our cookie consent banner.
10. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete it.
11. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Firebase Authentication with bcrypt password hashing
- Firestore security rules for access control
- Regular security audits and vulnerability assessments
- Principle of least privilege for system access
For more details, see our Security & Trust page.
11.1 Payment Data Retention Upon Account Deletion
When you delete your account or request erasure of your personal data under Section 12, please be aware that:
(a) Billing and payment records (including transaction history, invoice details, VAT records, and partial payment method information) will be retained for 7 years from the date of the last transaction, as required by:
- Section 388 of the Companies Act 2006 and HMRC Corporation Tax record-keeping requirements (6 years from end of accounting period);
- The Limitation Act 1980 (6-year limitation period for contractual claims);
- UK VAT regulations (6 years).
The 7-year retention period reflects our conservative compliance approach, ensuring coverage of the longest applicable statutory period plus current accounting year.
(b) Stripe as independent Data Controller. Our payment processor, Stripe, independently retains certain transaction data in accordance with its own legal obligations, including anti-money laundering regulations (the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017) and payment services regulations. This retention is outside Fotool’s control and is governed by Stripe’s Privacy Policy. Fotool cannot delete data held by Stripe in its capacity as an independent Data Controller.
(c) What is retained: Transaction amounts, dates, invoice numbers, billing address, VAT numbers, partial card details (last 4 digits), and subscription history. What is NOT retained: Full card numbers (never stored by Fotool), CVV codes, or authentication data.
(d) Minimisation: Retained payment data is restricted to the minimum necessary for legal compliance and is not used for marketing or any purpose beyond statutory record-keeping, fraud prevention, and dispute resolution.
After the retention period expires, data is securely deleted or anonymised. You may request earlier deletion of your data by contacting us at support@fotool.ai, subject to our legal obligations.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.
13. Contact & Supervisory Authority
For privacy inquiries:
- Email: support@fotool.ai
- Address: FOTOOL LTD, 1053 London Road, Leigh-On-Sea, Essex, SS9 3JP, United Kingdom
If you wish to make a data protection complaint or exercise any of your rights, you can do so directly through our Data Protection Complaints form. We acknowledge every request and respond within 30 calendar days.
You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
Last updated: 13 June 2026
If you have questions, contact us at support@fotool.ai