Privacy policy

Last updated: June 13, 2026

This notice describes how we process your personal data when you use the CBOS studio (studio.clothingbrandowners.com), the website clothingbrandowners.com and the shop shop.clothingbrandowners.com.

1. Data controller

The data controller is ClothingBrandOwners (“CBOS”, “we”). For any request regarding your data, write to clothingbrandownersapp@gmail.com.

2. What data we process

a) Account data. Sign-in happens exclusively through Google or Apple (OAuth): we receive your email, display name and an identifier from them. We do not collect or store passwords. We record the account creation date, last sign-in and the provider used.

b) Projects and creative content. Your 2D/3D designs, the images you upload and your moodboards are stored primarily locally, in your browser (IndexedDB on your device). On our servers we keep: project metadata (name, type, thumbnail), the 3D files and textures needed to generate renders (on Cloudflare R2 storage) and completed renders.

c) AI feature data. When you use an AI feature (image generation/editing, 3D model generation, HD renders), the images and prompts you provide are transmitted to the providers that perform the processing (fal.ai, Google Gemini, RunPod). We keep the outcome of the operation and the related token accounting; the intermediate image output of Gemini processing is kept on our systems for a maximum of 48 hours.

d) Purchase and billing data. Purchases (subscription and token top-ups) happen on Shopify. From Shopify we receive: customer identifier, email, subscription status, paid period and amounts. Payment data (cards) is handled exclusively by Shopify and never passes through our systems.

e) Usage and security data. Logs of AI operations (service, outcome, token cost), service usage events, logs of administrative actions and technical data for request rate limiting (including IP address).

f) Marketing and attribution data. To measure the effectiveness of our campaigns we collect: landing page, referrer, UTM parameters, advertising click identifiers (e.g. fbclid), IP address, user agent, estimated country/region/city, browser language, time zone, device type, visitor and session identifiers, and a hash (SHA-256) of your email.

g) WhatsApp contacts. If you contact us on WhatsApp through the buttons on the site (for example for production requests), the conversation takes place on the WhatsApp platform (Meta) under its own privacy notice. We may record your phone number and an identifying label in our system to manage the business relationship.

h) Service emails. We send transactional and account lifecycle emails: welcome, purchase and renewal confirmation, low token balance alert, cancellation confirmation, reminders after prolonged inactivity. They are sent through the provider Resend and contain your email and the strictly necessary data (amounts, dates, token balance).

i) Product analytics and session replay (paying customers only). If you have an active subscription, we collect usage events and recordings of your work session — including the contents of the design canvas — to improve the product (PostHog, on servers in the European Union). Sensitive fields (email, password, phone) are automatically masked in the recordings.

3. Why we process your data and on what legal basis

Purpose | Data | Legal basis
Creating and managing the account, providing the studio, the token wallet, AI features and purchases | a, b, c, d, e | Performance of the contract (Art. 6(1)(b) GDPR)
Security, abuse prevention, internal audit | a, e | Legitimate interest (Art. 6(1)(f))
Transactional emails (welcome, purchases, balance, cancellation) | a, d, h | Performance of the contract
Inactivity reminders | a, h | Legitimate interest, with the right to object
Measuring advertising campaigns and sending conversion events to Meta | f | Consent (Art. 6(1)(a))
Product analytics and session replay | i | Consent (Art. 6(1)(a))
Tax and accounting obligations | d | Legal obligation (Art. 6(1)(c))

Providing account data is necessary to use the studio; processing based on consent is optional and can be withdrawn at any time.

4. Cookies and similar technologies

Essential (always active):

Name | Type | Duration | Purpose
sb-*-auth-token | localStorage | session (max 72 hours) | Keeping you signed in
i18nextLng | cookie/localStorage | persistent | Interface language
cbos_geo_gate_v1 | sessionStorage | 24 hours | Determining the country to limit marketing tracking
IndexedDB databases (GraphicsStudio*, pixi_model_cache) | IndexedDB | until you delete them | Local storage of projects, assets and caches
Functional keys pixi_* / cbos* / atelier-* | localStorage | persistent | Editor preferences, work recovery, onboarding

Statistics and attribution:

Name | Duration | Purpose
visitor_id, session_id, session_count, session_started_at, attribution | persistent/session | Recognizing visits and attributing conversions to campaigns
PostHog cookies and localStorage | persistent | Product analytics and session replay (paying customers only)

Marketing:

Name | Duration | Purpose
_fbp, _fbc | 90 days (domain .clothingbrandowners.com) | Measuring and optimizing Meta campaigns

You can manage non-essential cookies through the consent banner and, at any time, from your browser settings.

5. Who we share data with

We rely on the following providers, which process data on our behalf or as independent controllers:

Provider | Role | Data involved
Supabase | Authentication and database | Account data, billing, wallet, project metadata
Vercel | Website and API hosting | All traffic (incl. IP)
Google | OAuth sign-in; AI image processing (Gemini) | Account identity; images and prompts of AI operations
Apple | OAuth sign-in | Account identity
fal.ai | AI image generation/editing, 3D generation | Images and prompts of AI operations
RunPod | High-definition 3D rendering | 3D files, textures and render settings
Cloudflare (R2/Workers) | Asset and render storage | 3D files, textures, completed renders
Shopify | Payments, subscriptions, top-ups | Customer and order data
Meta (Facebook/Instagram, WhatsApp) | Advertising and conversion measurement; WhatsApp messaging | Conversion events with email/phone/name/address in hashed form (SHA-256), plus IP and user agent; WhatsApp conversations
PostHog | Product analytics and session replay (EU servers) | Usage events, session recordings (paying customers only)
Resend | Sending service emails | Email and message content

We do not sell your personal data. We may disclose it to authorities when required by law.

6. Transfers outside the European Union

Some providers (Meta, Google, fal.ai, RunPod, Cloudflare, Vercel, Resend, Shopify) may process data in the United States or other third countries. In these cases the transfers are based on adequacy decisions (including the EU-US Data Privacy Framework, where the provider adheres to it) or on the Standard Contractual Clauses of the European Commission. PostHog is configured on servers in the European Union.

7. How long we keep your data

Data | Retention
Account data, wallet, projects on our servers | While the account is active; deleted when the account is closed
Intermediate outputs of AI processing (Gemini) | 48 hours
Checkout link tokens | 7 days
Email/event dispatch queues | 14 days
Technical rate-limiting data | 24 hours
Completed renders | Until you delete them or the account is closed
Marketing and attribution data | Maximum 24 months from collection
Tax and accounting documents (with Shopify and our accounting) | Statutory terms (up to 10 years)
Projects stored locally (IndexedDB) | They remain on your device until you delete them; we do not control them

8. Your rights

You have the right to request: access to your data, rectification, erasure, restriction of processing, portability, objection to processing based on legitimate interest and withdrawal of any consent given. To exercise them, write to clothingbrandownersapp@gmail.com: we reply within 30 days. Deleting the account results in the erasure of the data listed in section 7, subject to statutory retention obligations.

If you believe the processing violates the law, you can lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it) or with the authority of your country of residence.

9. Security

We adopt appropriate technical and organizational measures: encryption in transit (TLS), row-level access control on the database, mandatory two-factor authentication for administrative access, short-lived signed tokens for access to project files, hashing of the identifying data sent for advertising measurement, masking of sensitive fields in session recordings.

10. Minors

The service is reserved for adults (18+). We do not knowingly collect data from minors; if you believe a minor has provided us with personal data, contact us and we will delete it.

11. Changes to this notice

We may update this notice; in case of substantial changes we will inform you through the site or by email. The current version is always available on this page, with the date of last update at the top.

12. Contact

ClothingBrandOwners — Email: clothingbrandownersapp@gmail.com