Privacy Policy

A plain-English summary of the rest of this page. The defined terms below still govern legally, but this paragraph is what most people want to know:

• We collect the data we need to run your account, deliver your shoots, take payment, and prevent abuse. Nothing else.
• We do not use your uploaded product images, brand inputs, or generated outputs to train any AI model — ours or anyone else's. Your assets are yours.
• We share data only with the named sub-processors listed at /sub-processors (hosting, database, payments, AI generation). Never sold.
• You can export or delete your data from inside your account, at any time. EU/UK/California users have additional statutory rights set out in §8.
• Questions, deletion requests, or complaints: privacy@objekt-ai.com.

OBJEKT (“OBJEKT”, “we”, “us”) is a product of MAS Digital Labs FZ-LLC, a free-zone company registered in the Ras Al Khaimah Economic Zone (RAKEZ), United Arab Emirates. MAS Digital Labs FZ-LLC is the data controller responsible for personal data processed through the OBJEKT service.

We only collect what we need to run the service. There are four categories.

Under the EU/UK GDPR we are required to tell you our lawful basis for each processing purpose. Here they are.

These are commitments, not aspirations. They are written into our internal policies and reflected in the terms we sign with our sub-processors.

• We do not train, fine-tune, or evaluate any AI model on your uploaded product images, brand inputs, prompts, or generated outputs.
• We do not sell your personal data. We have not sold or shared personal data for cross-context behavioural advertising in the preceding twelve months and we do not intend to.
• We do not use your generated images as marketing material or social-proof samples without your explicit, written opt-in.
• We do not allow third-party advertisers to track you across the OBJEKT product.

OBJEKT is a small operation that runs on top of well-known infrastructure. The current sub-processor list lives on its own page so we can update it without re-issuing this policy: /sub-processors.

At a high level, your data may be processed by:

• Our hosting and database providers (currently Vercel and Supabase), to actually run the application.
• Our payment processor (Stripe), to charge you and to comply with anti-fraud and tax obligations.
• Our AI generation providers, to produce the images you request. Generation providers operate under zero-data-retention or no-training contractual terms wherever offered, and your inputs are transmitted only for the duration of the generation.
• Our email provider, for transactional and (with consent) marketing mail.
• Professional advisors (lawyers, accountants, auditors), under confidentiality, where strictly necessary.
• Government authorities or courts, where legally compelled to disclose. Where lawful, we will notify you first.

We will subscribe a new sub-processor only after we have a written contract with terms at least as protective as those in this policy and our DPA at /dpa.

MAS Digital Labs FZ-LLC is established in the United Arab Emirates. The UAE is not, at the time of writing, the subject of an EU Commission adequacy decision. Where we process personal data of users located in the European Economic Area, the United Kingdom, or Switzerland, we transfer that data to the UAE (and to sub-processors located elsewhere — primarily the United States and the European Union) on the basis of:

• The European Commission’s Standard Contractual Clauses (2021 modules, as updated), incorporated by reference into every contract with every sub-processor that handles EU/EEA personal data;
• The UK International Data Transfer Addendum, where the UK GDPR applies;
• Supplementary measures including encryption in transit (TLS 1.2+), encryption at rest, access controls, and contractual restrictions on government-access requests.

You can request a redacted copy of the SCCs we rely on by writing to privacy@objekt-ai.com.

We keep personal data only for as long as we need it for the purposes set out in §3, after which it is deleted or anonymised.

You have rights over the personal data we hold about you. The specific rights depend on where you are.

To exercise any right, email privacy@objekt-ai.com or use the self-service controls inside Settings → Account. We will respond within 30 days. We may ask you to verify your identity before we act on a request.

We take reasonable technical and organisational measures to protect your data. These include:

• TLS 1.2+ in transit; AES-256 encryption at rest for stored content.
• Database row-level security so users can only access their own rows.
• Principle of least privilege for staff access; secrets stored only in our secrets manager and rotated on a defined schedule.
• Sub-processor contracts requiring SOC 2 / ISO 27001-aligned controls.
• Pre-release security review of new features that touch personal data, and periodic third-party penetration testing as we scale.

If we ever experience a security incident affecting your personal data, we will notify you and any relevant supervisory authority within the timeframes required by law (72 hours under the GDPR), and we will publish a plain-language summary of what happened.

A few specifics, because this is where the questions usually land:

• Inputs. Product images, prompts, and brand inputs you submit are transmitted to the AI provider used to fulfil the generation, and to nobody else. We require zero-data-retention terms from providers wherever offered.
• Outputs. The images we generate for you are yours. You own them, subject to your underlying right to depict the product (see §11). We claim no licence over your outputs beyond what is strictly necessary to deliver them to you and to keep them in your account until you delete them.
• No training. We do not train models on your inputs or outputs. We do not let our sub-processors train on them either. This is a contractual term, not just a stated intent.
• No likeness. OBJEKT is a product-photography tool. We do not generate identifiable images of real people. If a generation accidentally produces something recognisable, you are responsible for not publishing it; we are responsible for improving our guardrails.

When you upload a product image to OBJEKT, you warrant that you have the right to do so — that the product is yours, your client’s, or that you have a licence to depict it. Full content rules live in our Acceptable Use Policy and the IP terms live in our Terms of Service.

We use a small number of cookies. Most of them are strictly necessary for the service to function (keeping you signed in, remembering your theme). Non-essential cookies — primarily product analytics — are set only with your consent, which you can give, refuse, or withdraw via the banner shown on your first visit and via Settings → Privacy. Full detail is in our Cookie Policy.

OBJEKT is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact privacy@objekt-ai.com and we will delete it.

When we change this policy, we update the effective date at the top of the page. If we make a change that materially affects your rights or the data we collect, we will tell you by email and in-app at least 14 days before the change takes effect, so you have time to object or close your account before it applies.

For privacy questions, data-rights requests, or to lodge a complaint: privacy@objekt-ai.com.

You also have the right to complain to your local data-protection authority. We would ask you to email us first so we have a chance to resolve it directly, but it is your right and we will not penalise you for exercising it.