Legal · Effective 2026-05-07
Privacy Policy
This Privacy Policy explains how IMAGIN PRODUCTS LTD (“Curio”, “we”, “us”) collects, processes, stores and shares your personal data when you use imaginproducts.com. We are the data controller. We comply with the UK GDPR, the EU GDPR and the California Consumer Privacy Act (CCPA / CPRA).
IMAGIN PRODUCTS LTD (Company No. SC337583), registered at 9 Midfield Drive, Dunnikier Business Park, Kirkcaldy, Fife, KY1 3LW, United Kingdom, operates Curio.
Privacy questions, data subject access requests, deletion requests and CCPA opt-out requests should be sent to support@imaginproducts.com. You can also write to our registered office above.
We collect the minimum data required to provide the service:
- Account data — email, hashed password, display name, profile preferences, consent records (which version of which policy you accepted, when, from which IP).
- Uploaded content — photos of collectibles you upload, prompts and refinements, and the rendered showcase reels and archive cards we produce for you.
- Billing data — Stripe customer id, last four digits of card, billing country, invoice history. We do not see or store your full card number, CVV or expiry; that data lives only with Stripe.
- Usage data — pages visited, features used, render queue events, credit consumption logs, error reports. Tied to your account id.
- Device data — browser, OS, IP, approximate city. Used for fraud signals, abuse detection, and basic analytics.
- Contract — to provide the service you signed up for, including rendering reels you requested and processing your subscription.
- Legal obligation — to keep tax records, comply with anti-fraud requirements, and respond to lawful requests from regulators or courts.
- Legitimate interests — service security, fraud prevention, abuse detection, product improvement, and to defend ourselves in payment disputes.
- Consent — analytics and marketing cookies, and any optional features that require it. You can withdraw consent at any time inside the Cookie Banner or in Account → Privacy.
- To render the showcase reels, archive cards and exports you request.
- To run your subscription and credits ledger and surface usage.
- To send transactional email (renewals, receipts, security, deletion notices).
- To detect, investigate and prevent fraud, abuse and violations of our Acceptable Use Policy.
- To produce de-identified, aggregated analytics that help us improve quality. We do not sell your personal data.
- To assemble Stripe dispute evidence in the event of a chargeback. See Refund Policy for the evidence we retain.
We do not use your uploaded photos, prompts or rendered reels to train, fine-tune or evaluate machine-learning models. Renders are produced by third-party AI providers under contracts that prohibit them from training on your inputs. Model providers process your inputs only to generate the requested output and delete inputs after the API window closes (see "Sub-processors").
We rely on a small set of carefully vetted vendors. Each acts under a written data processing agreement (UK GDPR Art. 28 / EU GDPR Art. 28) and lawful international transfer mechanisms (UK IDTA, EU Standard Contractual Clauses, or recognised adequacy decisions).
- Stripe Payments Europe, Ltd. — payment processing, fraud signals, dispute evidence handling. PCI-DSS Level 1.
- Supabase, Inc. — authentication, database, file storage. Region: EU.
- Vercel Inc. — site hosting and edge delivery.
- AI rendering providers — to produce reels and archive cards. Contracts prohibit training on your content. Inputs and outputs are purged from their systems within 30 days unless required for abuse review.
- Cloudflare R2 / equivalent object storage — encrypted media storage at rest.
- Postmark / equivalent email provider — transactional email only.
An up-to-date list is available on request from support@imaginproducts.com.
Some processors are based outside the UK / EEA (notably the United States). For each transfer we rely on the UK International Data Transfer Addendum, EU Standard Contractual Clauses, or an applicable adequacy decision. Stripe transfers further rely on Stripe's published cross-border framework. Copies of the safeguards are available on request.
- Account data — for the life of the account plus 30 days after deletion, after which it is purged from primary systems, and from backups within 90 days.
- Uploaded photos — until you delete them or your account, then purged from primary storage immediately and from backups within 30 days.
- Rendered reels and archive cards — kept indefinitely if you choose, or deleted on request.
- Billing records and consent records — retained for at least 7 years to meet UK accounting and tax obligations.
- Dispute evidence packs — retained for at least 13 months to cover the longest card-network chargeback windows.
- Server / security logs — retained 90 days for incident response.
- Access a copy of your personal data.
- Correct inaccurate data.
- Erase your data (subject to legal retention obligations such as tax records and dispute evidence).
- Restrict or object to processing.
- Port your data to another provider in a structured, machine-readable format.
- Withdraw consent at any time without affecting prior lawful processing.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
California residents may request to know what personal information we have collected, delete it, correct it, limit the use of sensitive personal information, or opt out of "sharing" / "selling" of personal information. We do not sell personal information, and we do not "share" personal information for cross-context behavioural advertising. Email support@imaginproducts.com with the subject line "CCPA Request" to exercise these rights. We will not discriminate against you for exercising them.
Curio is not directed at, and we do not knowingly collect personal data from, children under 16 (UK / EU) or under 13 (US). If you believe a minor has created an account, please contact us so we can delete it.
We use TLS in transit, encryption at rest for stored media, hashed password storage (bcrypt with per-user salts), least-privilege access controls, full audit logging on admin actions, and offsite encrypted backups. No service is perfectly secure; if we suffer a personal data breach affecting you, we will notify you and the relevant regulator within the timeframes required by law.
We will notify you of material changes by email and on-site banner at least 14 days before they take effect. The current version's effective date is 2026-05-07.