Privacy policy

ART-IF Privacy Policy

Last updated: April 29, 2026

ART-IF ("we," "us," or "our") operates art-if.com and provides AI-powered photo transformation and print fulfillment services (the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, how long we keep it, and what choices you have.

If there is a conflict between this Privacy Policy and our Terms of Service, this Privacy Policy controls with respect to the collection, processing, and disclosure of personal information.

By using the Service, you acknowledge that you have read this Privacy Policy and understand how we handle your information.

Quick summary

  • We collect what we need to run the Service: your account information, the photos you upload, the artwork we generate for you, your orders, and limited technical data we use to prevent abuse.
  • The biggest non-obvious thing: when you upload a photo, it is sent to Google's AI service for transformation. Google retains those prompts and outputs for up to 55 days for its own abuse detection.
  • We do not sell your personal information. We do not share it for cross-context behavioral advertising.
  • You can request deletion of your account, your photos, or your artwork at any time. Email studio@art-if.com.
  • Depending on where you live, you have specific legal rights described in Sections 12–14.

1. Scope

This Privacy Policy applies to personal information we collect through the Service — including the website, theme extensions running on Shopify-hosted stores, customer accounts, and order processing. It does not apply to third-party websites or services that we link to but do not operate.

When we say "personal information," we mean information that identifies, relates to, or could reasonably be linked to you or another identifiable person. It does not include information that has been anonymized or aggregated in a way that cannot reasonably be linked back to a person.

2. Information We Collect

2.1 Account information

  • Email address.
  • Customer profile information from Shopify (name, billing address, shipping address) when you create an account or place an order.
  • Account preferences and settings.
  • Authentication tokens and session identifiers.

2.2 Content you upload and generate

  • Photos you upload to the Service ("Source Content"). These photos may include images of faces, household interiors, and other personal details that you have chosen to include.
  • Style selections you make.
  • AI-generated artwork produced from your uploads.
  • Moderation results, including outputs from automated content-safety scans (described in Section 6).
  • Any prompts or annotations you add (currently limited to preset style selections — the Service does not accept free-form text prompts).

2.3 Order and payment information

  • Items you view, add to cart, and purchase.
  • Order history, including print size, quantity, fulfillment status, and tracking information.
  • Billing and shipping addresses.
  • Payment confirmation details (we do not store full credit card numbers — payment processing is handled by Shopify and its payment processors).

2.4 Communications with us

  • The contents of any email, support request, or other communication you send us.
  • Customer feedback and reviews you submit.

2.5 Operational and abuse-defense information

To run the Service securely and prevent abuse, we automatically collect:

  • IP address and approximate location derived from it.
  • Device, browser, and operating system identifiers (user agent string, screen size, time zone).
  • Browser session identifier stored in your browser's localStorage (used to associate guest generations with your session).
  • Tokens from invisible bot-defense systems we use to distinguish automated traffic from real users.
  • Rate-limit counters tied to your account, IP, and session.
  • Error and performance data (described in Section 5.2 under our error monitoring service).
  • Records of generation attempts, refusals, content-moderation events, and abuse signals.

2.6 Information from cookies and similar technologies

We and our service providers use cookies, localStorage entries, and similar technologies to operate the Service. See Section 15 for details.

3. Sources of Information

We collect personal information from the following sources:

  • Directly from you, when you create an account, upload content, place an order, contact support, or otherwise interact with the Service.
  • Automatically, from your device when you visit or interact with the Service.
  • From service providers acting on our behalf — including our commerce platform (Shopify), Google's AI services (generation and moderation), our print fulfillment partner, our email service provider, our error monitoring service, and our CDN and bot defense provider.
  • From you, on behalf of others, when you upload a photo of another person. By uploading you affirm that you have the necessary rights and consents (see our Content Policy).

4. How We Use Information

We use personal information for the following purposes:

4.1 To provide the Service

To create and maintain your account, accept and process your uploads, generate AI artwork, display your gallery, accept and fulfill orders, and provide customer support.

4.2 To process orders and fulfill prints

To accept payment, transmit the artwork file and shipping address to our print fulfillment partner, track shipments, and notify you of order status.

4.3 To prevent abuse and protect security

To detect and prevent fraud, content-policy violations, scripted abuse, and account takeover. This includes running automated content-moderation scans on uploads (Section 6), enforcing rate limits, deduplicating free-credit grants across normalized email addresses, and using invisible bot-defense services.

4.4 To communicate with you

To send transactional notifications about your account, generations, and orders. These messages are not promotional and you cannot opt out of them while you have an active account.

4.5 To send marketing — only with your consent

If you consent (typically by checking a marketing-opt-in box at signup or checkout, or by signing up for our newsletter), we use your email to send promotional content through our email service provider. You can unsubscribe at any time using the link in any marketing email.

4.6 To improve the Service

To analyze how the Service is used, debug errors, evaluate the quality of AI-generated outputs in aggregate, and decide what features to build. We do this using anonymized or aggregated data wherever feasible. We do not use your generated artwork to train AI models, and we do not allow our service providers to use your generated artwork to train their models, except as required for safety/abuse-detection by the AI provider (see Section 6).

4.7 To comply with law and protect rights

To respond to legal process (subpoenas, court orders, valid government requests), to enforce our Terms of Service and Content Policy, to protect the rights, safety, and property of ART-IF, our users, and the public, and to investigate suspected violations.

5. Who We Share Information With

5.1 Service providers

We share personal information with vendors and service providers that perform functions on our behalf — payment processing, hosting, AI generation, content moderation, print fulfillment, email delivery, error monitoring, and customer support. These service providers are bound by contract to use your information only for the purposes we direct and to protect it appropriately.

5.2 Specific third parties

The following service providers process meaningful amounts of personal information on our behalf:

  • Shopify — commerce platform that hosts the Service. Processes account data, orders, payment information, and analytics. See Shopify's Privacy Policy and Shopify's Consumer Privacy Policy.

  • Google AI services — used to generate artwork from your uploads and to scan uploads for prohibited content before generation. Receives the photo you upload and the style instructions, and returns the generated artwork or moderation results. Google retains prompts and outputs for up to 55 days for its own abuse detection and policy enforcement before deleting them. See Google's Generative AI Prohibited Use Policy and the Google AI for Developers Privacy and Security page.

  • Our print fulfillment partner — produces and ships your print orders. When you place a print order, our fulfillment partner receives the final artwork file, your shipping address, the print specifications, and order metadata.

  • Our email service provider — handles transactional and (with your consent) marketing emails. Receives your email address, name, order history, generation events, and engagement data.

  • Our error monitoring service — receives technical error data, which may include limited identifiers (user IDs, IP addresses) needed to debug specific failures. We configure this service to redact obvious personal information from error payloads where feasible.

  • Our CDN and bot defense provider — receives connection metadata (IP address, request headers, user agent) and bot-defense challenge tokens for any request routed through its network.

We may add, remove, or change service providers from time to time. Material changes will be reflected in updates to this Privacy Policy.

5.3 Shopify and Shopify enhanced features

The Service is hosted by Shopify, which collects and processes personal information about your access to and use of the Service in order to provide and improve the underlying platform. Information you submit to the Service is transmitted to and shared with Shopify and Shopify's own service providers, who may be located in countries other than where you reside.

To help protect, grow, and improve our business, we may use certain Shopify enhanced features that incorporate data and information obtained from your interactions with our store, along with other merchants and with Shopify. To provide these enhanced features, Shopify may make use of personal information collected about your interactions with our store, along with other merchants and with Shopify. In these circumstances, Shopify is responsible for the processing of your personal information for those purposes, including for responding to your requests to exercise your rights.

To learn more about how Shopify uses your personal information and any rights you may have, see the Shopify Consumer Privacy Policy and the Shopify Privacy Portal.

5.4 Legal compliance and protection

We may disclose personal information when we believe in good faith that disclosure is necessary to (a) comply with a legal obligation, subpoena, court order, or valid government request; (b) enforce our Terms of Service, Content Policy, or other agreements; (c) protect the rights, safety, or property of ART-IF, our users, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.

5.5 Business transfers

If ART-IF is involved in a merger, acquisition, financing, sale of assets, or bankruptcy, personal information may be transferred as part of that transaction, subject to standard confidentiality protections. We will notify you of any change in ownership of personal information.

5.6 What we do not do

  • We do not sell your personal information for money.
  • We do not "share" your personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.
  • We do not use your generated artwork in ART-IF's marketing without your separate, explicit consent.
  • We do not allow our service providers to use your content to train their public AI models, except for the safety/abuse-detection retention by the AI provider described in Section 6.
  • We do not knowingly process personal information of children under 13 (see Section 10).

6. AI Processing and Content Moderation

Because the Service uses AI in ways that may not be obvious, we want to describe this processing specifically.

6.1 What happens when you upload a photo

  1. Pre-generation moderation scan. Your photo is sent to Google's content-moderation service for an automated content-safety scan. The service returns scores for explicit content, presence of faces, and presence of third-party logos. We cache these results by a hash of your file so identical re-uploads are not re-scanned.

  2. Generation. Your photo and the style you selected are sent to Google's AI service to generate the styled artwork. Google retains the prompt and output for up to 55 days for its own abuse-detection and policy-enforcement systems, after which it is deleted from Google's systems.

  3. Output handling. The generated artwork is stored in your account. If the AI provider refuses to generate (because the content violates Google's policies), we automatically refund the credit and show a generic error message.

  4. Human review. If you place a print order, our team reviews the artwork before it is sent to the printer (described in our Content Policy).

6.2 Automated decision-making

Some decisions about your uploads — for example, whether to block a photo as explicit content, whether to flag it for human review, and whether the AI provider can generate artwork from it — are made by automated systems. These decisions can affect your ability to use the Service for a specific photo.

If you believe an automated decision was wrong, you can request human review by emailing studio@art-if.com. We will review the decision manually within a reasonable time. EEA, UK, and Swiss residents have additional rights related to automated decision-making (see Section 13).

6.3 Biometric information

Your uploaded photos may include images of faces. We use these images solely to provide the Service — that is, to transform them into artwork, to scan for safety, and to print them. We do not extract face templates, "faceprints," or other biometric identifiers from your photos. We do not use face data to identify individuals or build face-recognition databases. We do not sell or share face data.

7. Retention

We keep personal information for as long as we need it for the purposes described in this Privacy Policy, and then we delete or anonymize it.

  • Account information — kept while your account is active. If you close your account, we delete it within a reasonable time, except where we must retain certain records (for example, tax records, fraud investigations) to comply with law.
  • Source Content (uploaded photos) — kept for as long as your account is active, as part of your gallery. You can delete individual photos at any time, or request deletion of all your content via studio@art-if.com.
  • Generated artwork — kept for as long as your account is active, as part of your gallery. You can delete individual artworks or request bulk deletion at any time.
  • Order data — retained as long as required by tax, accounting, and consumer-protection law (typically up to 7 years in the United States).
  • Moderation results and abuse signals — retained for up to 12 months for pattern analysis, then deleted or aggregated.
  • IP addresses, fingerprint signals, and rate-limit data — retained for up to 90 days for active abuse defense, then aggregated for statistical purposes.
  • Email marketing data — retained until you unsubscribe, after which it is retained per our email service provider's retention policies.
  • Error and performance data — retained per our error monitoring service's standard retention (typically 30–90 days).
  • AI provider retention — Google retains prompts/outputs for up to 55 days regardless of our retention; we do not control this.

We may keep limited backup copies for a reasonable period after deletion to ensure system integrity and recovery from accidental loss. These backups are not used for any other purpose and are eventually deleted on a rolling basis.

8. Security

We use reasonable technical and organizational measures to protect personal information, including encryption in transit (TLS), encryption at rest through our underlying infrastructure providers, access controls, and audit logging. Our service providers are held to their own commitments (typically SOC 2 Type II or equivalent).

No system is perfectly secure. We cannot guarantee that personal information will never be accessed, used, or disclosed in a manner that is inconsistent with this Privacy Policy. If we discover a security incident affecting your personal information, we will notify you and applicable authorities as required by law.

You are responsible for keeping your account credentials safe. We strongly recommend using a strong, unique password and not sharing your account with anyone.

9. International Data Transfers

ART-IF operates in the United States. Our service providers are located in the United States, the European Union, and other countries. By using the Service, your personal information may be transferred to, processed in, and stored in countries other than where you reside, including the United States, where data protection laws may differ from those of your home country.

For transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States or another country that has not been determined to provide an adequate level of protection, we rely on recognized transfer mechanisms — primarily the European Commission's Standard Contractual Clauses and (for UK transfers) the UK Addendum. Our service providers are signatories to these mechanisms or equivalents.

10. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact studio@art-if.com and we will delete it.

If you are between 13 and the age of majority in your jurisdiction (typically 18 in the United States), you may use the Service only with the involvement of a parent or legal guardian who has agreed to our Terms of Service on your behalf for any purchase. Photos depicting minors may only be uploaded by the minor's parent or legal guardian (see our Content Policy).

As of the effective date of this Privacy Policy, we do not have actual knowledge that we "share" or "sell" (as those terms are defined in applicable privacy law) personal information of individuals under 16 years of age.

11. Your Rights and Choices (General)

Depending on where you live, you may have some or all of the following rights. Sections 12–14 describe additional rights specific to California, the EEA/UK/Switzerland, and Quebec.

  • Access. You may request a copy of the personal information we hold about you.
  • Deletion. You may request that we delete personal information we hold about you. We may decline to delete certain information where retention is required by law (for example, tax records) or necessary to defend legal claims.
  • Correction. You may request that we correct inaccurate personal information.
  • Portability. You may request a copy of your personal information in a portable format.
  • Marketing opt-out. You can unsubscribe from marketing emails at any time using the link in any marketing email.
  • Account closure. You can request closure of your account at any time, and we will delete it within a reasonable time, subject to the retention rules in Section 7.

To exercise any of these rights, email studio@art-if.com. We may need to verify your identity before processing your request, and we may decline requests that are unfounded, excessive, or that we are unable to verify. We will not discriminate against you for exercising any of your privacy rights.

You may designate an authorized agent to exercise rights on your behalf. We will require the agent to provide proof of authorization and may also verify your identity directly with you.

12. California Privacy Rights (CCPA / CPRA)

This section applies to California residents and supplements the rights described above. It is provided to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA").

12.1 Categories of personal information collected

In the past 12 months, we have collected the following categories of personal information from California residents:

CCPA Category Examples Source Purpose
Identifiers Name, email, IP address, account ID, session ID, device identifiers You; automatically; service providers Provide the Service, security, communications
Customer records Billing/shipping address, phone number, payment confirmation You; Shopify Order fulfillment, customer support
Commercial information Order history, items purchased, transaction details You; Shopify Order fulfillment, support, analytics
Internet/network activity Browsing data on the Service, interaction with features, error logs Automatically Service operation, abuse defense, debugging
Geolocation Approximate location derived from IP address Automatically Tax calculation, fraud prevention
Sensory information Photographs you upload, including images that may depict faces You Provide the Service (AI transformation, moderation, printing)
Inferences Style preferences and engagement patterns derived from your use Automatically Personalize the Service

12.2 Sensitive personal information

The CCPA defines "sensitive personal information" to include certain biometric information. As described in Section 6.3, the photographs you upload may include face imagery. We use this imagery only to operate the Service. We do not extract biometric identifiers (such as faceprints or face templates), do not use face data to identify individuals, and do not use sensitive personal information for purposes beyond those described in California Civil Code §1798.121(a) (for example, providing the Service you requested, preventing fraud, and ensuring security).

12.3 Sources, business purposes, and disclosures

The sources of personal information are described in Section 3, the business and commercial purposes for which we use personal information are described in Section 4, and the categories of recipients are described in Section 5.

In the past 12 months, we have disclosed each of the categories of personal information listed above to service providers and to authorized recipients for the business purposes described in this Privacy Policy.

12.4 No sale and no sharing for cross-context behavioral advertising

We do not "sell" personal information and do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA. If you would like to submit a formal opt-out request anyway, you may do so at our Do Not Sell or Share My Personal Information page.

12.5 Your CCPA rights

As a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and (if applicable) sell or share about you.
  • Delete personal information we have collected from you, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Limit the use of sensitive personal information to the purposes described in Section 12.2 (we already limit it to those purposes by default).
  • Opt out of the sale or sharing of personal information (we do not sell or share, so this right is automatically satisfied).
  • Non-discrimination for exercising your rights.

To exercise these rights, email studio@art-if.com. We will respond to verifiable requests within the timeframes required by the CCPA (typically 45 days, extendable by an additional 45 days). You may also use an authorized agent (Section 11).

12.6 Global Privacy Control

If you visit the Service with the Global Privacy Control opt-out preference signal enabled, we will treat that signal as a request to opt out of any "sale" or "share" for the device and browser you are using. To learn more, visit https://globalprivacycontrol.org/. You can also submit a manual opt-out request via our Do Not Sell or Share My Personal Information page.

12.7 Shine the Light

California Civil Code §1798.83 ("Shine the Light") permits California residents to request information regarding our disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.

12.8 Notice of financial incentive

We do not currently offer financial incentives in exchange for personal information.

12.9 California metrics

We are not currently required to publish California metrics under §999.317(g) of the CCPA regulations. If that changes, we will publish them on this page.

13. EEA, UK, and Switzerland Privacy Rights (GDPR)

This section applies to residents of the European Economic Area, the United Kingdom, and Switzerland and supplements the rights described above. It is provided to comply with the General Data Protection Regulation, the UK GDPR, and the Swiss Federal Act on Data Protection.

13.1 Controller

For personal information processed in connection with the Service, ART-IF is the controller. Contact details are in Section 17.

13.2 Legal bases for processing

We process personal information on the following legal bases:

  • Performance of a contract (Article 6(1)(b)). Account creation, processing your generations, accepting orders, fulfilling prints, and providing customer support.
  • Legitimate interests (Article 6(1)(f)). Preventing abuse, securing the Service, debugging, fraud detection, and limited service-improvement analytics. We have assessed that these interests are not overridden by your rights.
  • Consent (Article 6(1)(a)). Marketing emails sent through our email service provider, and any optional features that explicitly request your consent. You can withdraw consent at any time.
  • Compliance with legal obligation (Article 6(1)(c)). Tax records, accounting records, and responses to legitimate legal process.

13.3 Recipients and international transfers

Recipients of personal information are described in Section 5. Many of our service providers are located in the United States. Where we transfer personal information outside the EEA, UK, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we rely on the European Commission's Standard Contractual Clauses, the UK Addendum, or equivalent transfer mechanisms.

13.4 Your GDPR rights

You have the right to:

  • Access your personal information.
  • Rectification of inaccurate personal information.
  • Erasure ("right to be forgotten"), subject to legal exceptions.
  • Restriction of processing in certain circumstances.
  • Data portability for personal information you have provided.
  • Object to processing based on legitimate interests, including for direct marketing.
  • Withdraw consent at any time, where processing is based on consent.
  • Not be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you, except in limited circumstances. As described in Section 6.2, you can request human review of any automated content-moderation decision.

To exercise these rights, email studio@art-if.com.

13.5 Right to lodge a complaint

You have the right to lodge a complaint with your local data protection authority. A list of EEA authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents can contact the Information Commissioner's Office. Swiss residents can contact the Federal Data Protection and Information Commissioner.

13.6 EU/UK representative

ART-IF is a small US-based business that does not currently have an EU or UK representative under Article 27 GDPR. If your jurisdiction requires us to designate one as we grow, we will update this Privacy Policy.

14. Quebec Privacy Rights (Law 25)

This section applies to residents of Quebec and supplements the rights described above. It is provided to comply with Quebec's Act Respecting the Protection of Personal Information in the Private Sector ("Law 25").

14.1 Person in Charge of the Protection of Personal Information

The Person in Charge of the Protection of Personal Information for ART-IF is the operator of the business. You can reach the Person in Charge by emailing studio@art-if.com (subject line: "Quebec Privacy Inquiry") or by writing to the mailing address in Section 17.

14.2 Categories collected and purposes

The categories of personal information we collect, the purposes of collection, and the categories of recipients are described in Sections 2, 4, and 5.

14.3 Your Law 25 rights

As a Quebec resident, you have the right to:

  • Access the personal information we hold about you.
  • Rectification of inaccurate, incomplete, or out-of-date personal information.
  • De-indexing or anonymization of personal information that contravenes the law or your wishes, subject to legal exceptions.
  • Data portability for personal information collected from you, in a structured, commonly used technological format.
  • Be informed about, and request human review of, any decision based exclusively on automated processing of your personal information that produces legal effects or significantly affects you. See Section 6.2.
  • Withdraw consent at any time, where processing is based on consent.

To exercise these rights, email studio@art-if.com. We will respond within 30 days as required by Law 25.

14.4 Cross-border transfers

Some of your personal information will be transferred outside Quebec, primarily to service providers located in the United States and the European Union. Before each such transfer, we have assessed whether the personal information will receive adequate protection in light of, among other factors, the sensitivity of the information, the purpose of its use, and the legal framework applicable in the destination jurisdiction. We rely on contractual safeguards (including Standard Contractual Clauses) with the service providers listed in Section 5.

14.5 Right to lodge a complaint

You have the right to lodge a complaint with the Commission d'accès à l'information du Québec at https://www.cai.gouv.qc.ca/.

15. Cookies and Similar Technologies

We and our service providers use cookies, localStorage entries, pixel tags, and similar technologies for the following purposes:

  • Strictly necessary. To operate the Service — for example, keeping you signed in, remembering your cart, generating and displaying artwork, and securing the Service against abuse. These are required for the Service to function and cannot be disabled through the Service.
  • Functional. To remember your preferences and settings.
  • Analytics. To understand how the Service is used in aggregate.
  • Marketing. Where we have your consent, to send you relevant promotional content and measure the effectiveness of marketing.

Where required by law, we will request your consent for non-essential cookies and tracking technologies through a cookie banner before activating them. You can also control cookies through your browser settings; however, disabling strictly necessary cookies will break essential parts of the Service.

We currently honor the Global Privacy Control signal (Section 12.6). We do not currently honor browser "Do Not Track" signals, which are not standardized.

A more detailed cookie disclosure may be added to this page as the Service evolves.

16. Changes to This Policy

We may update this Privacy Policy from time to time, including to reflect changes in our practices, our service providers, or applicable law. We will post the updated Privacy Policy on this page and update the "Last updated" date. If we make a material change, we will provide additional notice as required by law (for example, by email or by a prominent notice in the Service) before the change takes effect. Your continued use of the Service after the change takes effect means you accept the updated Privacy Policy.

17. How to Contact Us

For privacy questions, requests, or complaints:

ART-IF Attn: Privacy 1631 NE Broadway St #423 Portland, OR 97232 studio@art-if.com

For copyright takedown notices, see our IP Complaints.