Privacy Policy

1. Who we are

My Food Studio is an AI-powered food photography enhancement service operated in Australia. Our platform allows food-service businesses to transform smartphone photos into professional studio-quality images using artificial intelligence.

For the purposes of this Privacy Policy, the data controller is My Food Studio. Enquiries about your personal information should be directed to us at the contact details in Section 14.

2. Information we collect

Account information

• First and last name
• Email address
• Phone number
• Business name (café / restaurant)
• Business address (street, suburb, state, postcode)
• Hashed password (we never store your password in plain text)

Usage and transactional information

• Credit balance, purchases, and usage history
• Generation settings chosen (background, resolution, aspect ratio)
• Timestamps and approximate IP addresses of requests
• Account activity logs (sign-in, generation events)

Content you upload

• Food photographs you submit for AI enhancement
• AI-generated output images stored in your library

We do not collect payment card details directly — payments are processed by our third-party payment provider (Stripe) which holds its own PCI-DSS certification.

3. How we collect information

We collect information in the following ways:

• Directly from you — when you create an account, fill in your profile, upload images, or contact us.
• Automatically — when you use the Service, our servers log IP addresses, request timestamps, and feature usage to support security and debugging.
• From third parties — authentication events and session tokens are managed by our authentication provider (Supabase / AWS).

4. Why we collect information

We collect and use your personal information only for purposes that are permitted by law and for which you would reasonably expect it to be used, including:

• Creating and managing your account
• Providing the AI photo-enhancement service
• Processing credit purchases and maintaining your credit balance
• Communicating service-related notices (account verification, password resets, low-credit warnings)
• Detecting and preventing fraud, abuse, or unauthorised access
• Complying with legal obligations under Australian law
• Improving the quality and reliability of our Service

We will not use your personal information for a secondary purpose unless you have consented, the secondary purpose is directly related to the primary purpose, or we are required or authorised by law to do so (APP 6).

5. Disclosure of your information

We do not sell, rent, or trade your personal information. We may disclose your information to:

• Service providers — Supabase (authentication and database), Cloudflare (image storage via R2), and Stripe (payment processing), each bound by data processing agreements.
• AI processing services — Google (Gemini API) processes your food images to generate enhanced versions. Images are submitted as API requests and are not used to train Google's models under our enterprise terms.
• Law enforcement and regulators — if required by Australian law, court order, or to protect our legal rights.
• Business successors — in the event of a merger, acquisition, or sale of assets, subject to the same privacy obligations.

6. Overseas disclosure

Some of our third-party service providers store or process data outside Australia:

• Supabase — hosted on AWS infrastructure (regions may include the United States and Singapore)
• Cloudflare R2 — global edge network; data may be stored in data centres outside Australia
• Google Gemini API — processed on Google's infrastructure (United States)

Before disclosing your personal information overseas, we take reasonable steps to ensure the recipient does not breach the APPs in relation to that information (APP 8.1). Where practicable, we use contractual protections with overseas recipients.

7. Storage and security

We take reasonable steps to protect your personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure (APP 11). Measures include:

• Passwords are hashed using industry-standard algorithms (bcrypt via Supabase Auth)
• All data transmitted between your browser and our server uses TLS encryption (HTTPS)
• Access to user data is restricted to authenticated sessions using short-lived JWT tokens
• Images are stored in private, access-controlled cloud storage (Cloudflare R2) accessible only via time-limited signed URLs
• Database access is protected by Row Level Security (RLS) policies
• Administrative access requires a separate privileged account

No internet transmission or electronic storage is 100% secure. If you believe your account security has been compromised, please contact us immediately.

8. Your generated images

Food photographs you upload and AI-generated images created by the Service are stored in your private library. They are accessible only to you via your authenticated account. We do not use your food images for advertising, model training (under our current third-party agreements), or any purpose other than delivering the Service to you.

You may delete images from your library at any time. Upon deletion, images are permanently removed from our storage. We do not retain deleted images in backups beyond our standard backup rotation period (typically 30 days).

9. Cookies and analytics

My Food Studio uses session cookies to maintain your logged-in state. These are essential for the Service to function and cannot be disabled while using the platform.

We do not currently use third-party advertising cookies or cross-site tracking technologies. If this changes, we will update this policy and, where required, obtain your consent.

10. Your rights

Under the Privacy Act 1988 (Cth), you have the right to:

• Access the personal information we hold about you (APP 12)
• Correct personal information that is inaccurate, out of date, incomplete, or misleading (APP 13)
• Request deletion of your personal information, subject to our legal obligations to retain certain records
• Opt out of direct marketing communications (see Section 12)
• Lodge a complaint about how we handle your personal information (see Section 14)

To exercise these rights, contact us using the details in Section 14. We will respond within 30 days. We will not charge a fee for access requests unless they are clearly excessive or repetitive.

11. Retention and deletion

We retain your personal information only for as long as necessary to fulfil the purposes described in this policy, or as required by law. When you close your account:

• Your profile and account information is soft-deleted and excluded from active processing
• Library images are deleted from cloud storage
• Transaction records may be retained for up to 7 years to meet Australian financial record-keeping obligations under the Corporations Act 2001 (Cth) and taxation laws

12. Direct marketing

We may send you service-related emails (e.g., account verification, credit balance alerts, receipts). These are not marketing communications and cannot be opted out of while your account is active.

If we send promotional communications, we will do so in accordance with the Spam Act 2003 (Cth). Every promotional email will include a clearly visible unsubscribe mechanism. You may also contact us directly to opt out of marketing at any time.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. We will notify you of material changes by posting the updated policy on our website with a revised “Last updated” date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

14. Complaints and contact

If you have questions, concerns, or a complaint about how we handle your personal information, please contact us:

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Post: GPO Box 5218, Sydney NSW 2001