Privacy Policy
This Privacy Policy describes how Studio by Bichachi (a sole proprietorship operating in California, USA — "we," "us," or "our") collects, uses, and shares your personal information when you use our service (the "Service").
1. Information We Collect
1.1 Information you provide directly
- Account information. Email address, password (stored hashed), display name, optional business name, timezone.
- Photos you upload. Photographs of products you upload, and — for VIP customers using the custom model feature — photographs of human likenesses.
- Communications. Messages you send to us via email or in-product feedback.
- Payment information. Handled directly by Stripe, Inc. We do not store full payment card numbers on our servers.
1.2 Information collected automatically
- Usage data. Pages visited, features used, generations performed, credits consumed.
- Device and connection. IP address, browser type, operating system, referring URL, timestamps.
- Authentication metadata. IP address and user-agent string at the time of signup, login, and signature events. These are retained as part of our security and audit trail.
2. Biometric Data — Special Notice
For likeness photos submitted under the VIP custom model program:
- The depicted person must sign a separate Likeness Release Agreement before their photos can be used.
- The account holder must sign an Indemnification Addendum confirming they have full rights to upload the photos.
- Likeness photos are stored encrypted at rest. They are used solely to generate AI composite imagery, plus for security, audit, and dispute-resolution purposes.
- The depicted person may revoke their consent at any time by emailing support@bichachi.com. We will disable the custom model and use commercially reasonable efforts to honor takedown requests.
- We do not sell, license, or share likeness photos with any third party beyond the AI processing service (currently Google Gemini) that performs the image generation.
3. How We Use Your Information
- To provide, maintain, and improve the Service.
- To process payments and manage your account.
- To send transactional emails (verification, password resets, decision notifications, etc.).
- To detect, prevent, and respond to fraud, abuse, and security issues.
- To comply with legal obligations and respond to lawful requests.
We do not use your photos or generated images to train AI models without your explicit, separate consent.
Storage of, and your rights in, your images. Your uploaded reference photographs and the AI Generated Images you create are stored on our secure cloud storage (Cloudflare R2) so that your generated images remain available to you in your account Gallery for viewing and re-download. You hold all proprietary rights in your AI Generated Images, and we act only as a custodian of this content. We will never sell, rent, license, publish, display, distribute, or otherwise commercially exploit your uploaded photographs or your AI Generated Images, and we will never use them to train, fine-tune, or improve any artificial-intelligence model. We will not use your images for our own marketing, promotion, or any other purpose without your prior, explicit, written permission, and we access your stored content only as necessary to operate, secure, troubleshoot, or support the Service, or where required by law. This mirrors Section 5 of our Terms of Service.
4. Third-Party Service Providers
We rely on the following service providers to operate the Service. Each is bound by their own terms and privacy policy. Use of the Service is subject to their handling of data:
| Provider | Purpose | Data handled |
|---|---|---|
| Google (Gemini API) | AI image generation | Reference photos at generation time; not stored long-term by Google for this product tier |
| Cloudflare (R2) | Encrypted object storage | Reference photos, generated images, signed PDF documents |
| Railway | Database hosting (PostgreSQL) | Account info, usage records, ledger, audit logs |
| Stripe, Inc. | Payment processing | Payment card information (handled directly by Stripe, not by us) |
| Resend | Transactional email delivery | Email addresses, message content |
| Cloudflare (Turnstile) | Bot/CAPTCHA protection at signup and login | Anonymous browser challenge data |
5. How We Share Your Information
We do not sell or rent your personal information. We share information only:
- With the third-party service providers listed above, as necessary to operate the Service.
- To comply with valid legal process, court orders, or government requests, after notifying you where legally permitted.
- To protect our rights, property, or safety, or that of our users and the public.
- In connection with a business transfer (merger, acquisition, sale of assets), in which case we will notify you and the new owner will be bound by this Privacy Policy.
6. Cookies and Tracking
We use a single first-party session cookie to keep you signed in. We do not use third-party advertising trackers, behavioral analytics, or cross-site tracking pixels. Browser challenge tokens may be set by Cloudflare Turnstile during signup/login to verify you are not a bot.
7. Data Retention
- Account data: retained for the lifetime of your account. You may request deletion at any time.
- Reference photos and generated images: retained for the lifetime of your account or until you delete them.
- Signed VIP waivers: retained for a minimum of seven (7) years after the custom model is disabled, to comply with potential audit and dispute-resolution requirements.
- Audit logs and security records: retained for up to seven (7) years for fraud detection and legal compliance.
- Payment records: retained per Stripe's policies and applicable tax law.
8. Your Rights
Depending on your location, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate personal information.
- Delete your account and associated personal information (subject to legal retention requirements).
- Export your account data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent at any time (this does not affect prior lawful processing).
- Lodge a complaint with a supervisory authority in your country.
To exercise any of these rights, email support@bichachi.com from the email address on file. We will respond within thirty (30) days.
9. California Residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect, the right to delete personal information we hold (with exceptions), the right to correct inaccurate information, and the right not to be discriminated against for exercising your privacy rights. Email support@bichachi.com to make a request. We do not sell or share personal information for cross-context behavioral advertising.
10. Children's Privacy
The Service is not intended for, and may not be used by, anyone under the age of 18. We do not knowingly collect personal information from minors. If we learn we have collected personal information from a minor, we will delete it.
11. International Data Transfers
Our servers and primary service providers are located in the United States. By using the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your country.
12. Security
We use industry-standard encryption (TLS in transit, encryption at rest via our storage providers), hashed passwords (bcrypt), and access controls to protect your information. No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or via in-product notice prior to taking effect. We encourage you to review this page periodically.
14. Contact Us
Questions or concerns about your privacy? Reach out to support@bichachi.com.
© 2026 Studio by Bichachi · Los Angeles, California