Privacy Policy
1. Data Controller
The data controller responsible for processing your personal data is:
Diamond Pytech
Gronaustr. 12
65205 Wiesbaden, Germany
Email: contact@adobabyai.com
Full contact details can be found in our Imprint.
2. Overview of Data Processing
2.1 Data We Collect
| Data Category | Examples | Purpose |
|---|---|---|
| Account Data | Email address, password (encrypted), name (optional) | Account creation and management |
| Usage Data | IP address, browser, operating system, access times | Security, troubleshooting |
| Photo Data | Uploaded baby photos, AI-generated images | AI image generation |
| Payment Data | Transaction ID, purchase date, package (NO credit card data!) | Processing purchases via Lemon Squeezy |
| Location Data | Country (based on IP address) | Regional server selection, compliance |
2.2 Legal Basis for Processing
We process your data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b) GDPR): For providing our AI image generation service and account management
- Legitimate Interests (Art. 6(1)(f) GDPR): For security measures, fraud prevention, and service improvement
- Legal Obligation (Art. 6(1)(c) GDPR): For tax-related record-keeping requirements
3. Processing of Baby Photos
3.1 Uploaded Original Photos
- Storage Location: Temporarily on Azure servers (region depends on your location)
- Retention Period: Maximum 24 hours after processing, then automatic deletion
- Purpose: Exclusively for AI image generation
- Legal Basis: Consent
3.2 Generated AI Images
- Storage Location: Azure Blob Storage in your region
- Retention Period: Until you delete them or delete your account
- Your Rights: You retain all rights to the generated images
3.3 AI Image Generation via Azure AI Foundry (FLUX.2-pro)
We use the FLUX.2-pro AI model (Dec 2025 release), provided via Microsoft Azure AI Foundry as a serverless API deployment.
- EU Users: Processing and storage occur exclusively within the EU Data Zone (e.g., France Central region).
- US Users: Processing and storage occur within the US Data Zone (e.g., East US region).
- Global Users: We utilize Global Standard deployment to optimize performance for other regions.
a) Processed Data Categories
- Uploads: Your uploaded baby photo (inference base)
- Prompts/Parameters: The chosen style and technical parameters
- Outputs: The generated result image
b) No Training with Your Data
- Microsoft is the Processor for prompts and outputs
- Your data is not shared with the model provider (Black Forest Labs)
- Your data is not used for training Microsoft or third-party models
- There is no human review of your images by Microsoft personnel
c) Immediate Deletion
Original photos are deleted immediately after inference (generation) from the graphics processor (GPU/RAM) and temporary storage of the Azure AI infrastructure. No permanent storage of original uploads occurs via the AI interface.
Legal Basis: Contract Performance (Art. 6(1)(b) GDPR).
More information: Microsoft Trust Center | Azure AI Model Catalog Details
4. International Data Transfers
4.1 International Data Transfers
For customers using our service outside the EU/USA (Global Standard Routing), data may be processed in third countries. These transfers are secured by:
- EU-US Data Privacy Framework (DPF)
- Standard Contractual Clauses (SCCs)
- Microsoft DPA (Data Processing Addendum)
5.1 Regional Data Storage
We operate 10 regional Azure data centers worldwide to store your data as close to your location as possible:
| Region | Data Center Location | Applicable for Users From |
|---|---|---|
| EU/EEA | Azure France Central (Paris) | All EU/EEA member states, Switzerland, UK |
| North America | Azure East US, Azure Canada Central | USA, Canada, Mexico |
| South America | Azure Brazil South | Brazil, Argentina, Chile, etc. |
| Asia-Pacific | Azure Japan East, Azure Korea Central, Azure Australia East | Japan, South Korea, Australia, New Zealand |
| Middle East | Azure UAE North | UAE, Saudi Arabia, Qatar, etc. |
| India | Azure South India | India |
| Africa | Azure South Africa North | South Africa, Kenya, Nigeria, etc. |
5.2 Transfer Mechanisms for Third Countries
When personal data is transferred outside the EU/EEA, we rely on the following legal mechanisms as per GDPR Articles 44-49:
a) EU Adequacy Decisions (Art. 45 GDPR)
For certain countries, the European Commission has determined that they provide an adequate level of data protection. This includes:
- United Kingdom – Adequacy decision (June 2021)
- Canada – Adequacy for commercial organizations (PIPEDA)
- Japan – Adequacy decision (January 2019)
- South Korea – Adequacy decision (December 2021)
- Switzerland – Adequate level of protection
- Argentina – Adequacy decision
- Israel – Adequacy decision
- New Zealand – Adequacy decision
b) EU-US Data Privacy Framework (Art. 45 GDPR)
For transfers to the United States, our primary infrastructure provider Microsoft Corporation is certified under the EU-US Data Privacy Framework (DPF), adopted by the European Commission on July 10, 2023.
c) Standard Contractual Clauses (Art. 46(2)(c) GDPR)
For transfers to countries without an adequacy decision and not covered by the DPF, we implement Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).
Applicable Transfers with SCCs:
- Microsoft Azure – Microsoft's Data Protection Addendum (DPA) incorporates EU SCCs for all Azure services. View Microsoft DPA
- Supabase – Supabase includes EU SCCs in their Data Processing Agreement for customers. View Supabase Terms
- Lemon Squeezy – As a US-based payment processor, Lemon Squeezy operates under SCCs for EU customer data.
d) Supplementary Measures
In addition to SCCs, we implement the following supplementary measures as recommended by the EDPB (European Data Protection Board):
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Strict role-based access; no third-party access to raw image data
- Data Minimization: Original photos deleted within 24 hours of processing
- Pseudonymization: User IDs are UUIDs; no real names required for service use
5.3 No Data Transfer to Blocked Countries
We do not transfer any data to or process data in the following countries due to legal restrictions or lack of adequate protections:
- China (data localization requirements)
- Russia (service suspended)
- Belarus, Cuba, Iran, North Korea, Syria (international sanctions)
6. Payment Processing
For payment processing, we use Lemon Squeezy LLC as our payment service provider (Merchant of Record).
- Transmitted Data: Email address, billing country
- Not Transmitted: Credit card data (entered directly at Lemon Squeezy)
- Storage: Lemon Squeezy stores payment data according to statutory retention obligations
- Legal Basis: Contract Performance
More information: Lemon Squeezy Privacy Policy
7. Hosting and Infrastructure
7.1 Microsoft Azure
Our application is hosted on Microsoft Azure. Azure is certified according to ISO 27001, SOC 2, and other standards and is GDPR compliant.
7.2 Supabase (Authentication & Database)
For authentication and database services, we use Supabase Inc.
- Stored Data: Account information, credits, generation history
- Server Location: EU (for EU users)
- Encryption: Data is stored encrypted
8. Retention Period
| Data Category | Retention Period | Reason |
|---|---|---|
| Original Photos | Max. 24 hours | Necessary only for processing |
| Generated Images | Until deletion by user | Contract Performance |
| Account Data | Until account deletion | Contract Performance |
| Payment Data | 10 years | Tax retention obligation |
| Server Logs | 30 days | Security, Troubleshooting |
9. Your Rights under GDPR
You have the following rights regarding your personal data:
- Access (Art. 15): Find out what data we store about you
- Rectification (Art. 16): Correct incorrect data
- Deletion (Art. 17): Have your data deleted ("Right to be Forgotten")
- Restriction (Art. 18): Restrict processing
- Data Portability (Art. 20): Receive your data in machine-readable format
- Object (Art. 21): Object to certain processing
- Withdraw Consent (Art. 7(3)): Withdraw given consent at any time
How to exercise your rights:
Email: contact@adobabyai.com
We will reply within 30 days.
9.1 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:
The Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Germany
https://datenschutz.hessen.de
10. Cookies and Tracking
We use exclusively technically necessary cookies for:
- Authentication and Session Management
- Security functions (CSRF protection)
- Language settings
We do NOT use:
- Advertising or Marketing Cookies
- Tracking Cookies from third parties
- Google Analytics or similar analysis services
10.1 Server-Side Conversion Tracking
When you make a purchase, we send anonymized conversion data to our advertising partners to measure the effectiveness of our advertising campaigns. This data is processed server-side and does not contain directly identifying information.
Meta Conversions API
We use the Meta Conversions API to transmit purchase events to Meta (Facebook, Instagram).
Your email address is hashed using the SHA-256 algorithm before transmission.
Meta may match this hashed data with anonymized user profiles to optimize advertisements.
Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Privacy Policy: https://www.facebook.com/privacy/policy/
TikTok Events API
We use the TikTok Events API for conversion tracking. Your email address is hashed with SHA-256 before transmission.
Provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland
Privacy Policy: https://www.tiktok.com/legal/privacy-policy
Google Analytics 4 Measurement Protocol
We use the Google Analytics 4 Measurement Protocol for server-side conversion tracking.
This data is used to analyze the performance of our Google Ads campaigns.
Your email address is hashed before transmission.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy Policy: https://policies.google.com/privacy
Legal Basis
Processing is based on your consent (Art. 6(1)(a) GDPR), which you provided during registration. You can withdraw this consent at any time in the app settings under "Privacy".
11. Data Security
We employ technical and organizational measures such as TLS 1.3 encryption, Bcrypt password hashing, and Role-Based Access Control.
12. Minors
Our service is intended for adults who want to create photos of their children. We do not knowingly collect data from children under 16. Use of our service requires that the user is at least 18 years old or has the consent of a legal guardian.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will inform you of significant changes. The current version is always available on this page.
14. Contact
For questions about data protection, please contact us at:
Email: contact@adobabyai.com
Last updated: December 2025
Version: 2.1 (International Transfers & SCCs added)