Privacy Policy

Last updated: February 12, 2026

1. Introduction

This Privacy Policy aims to inform users of the DesignDads platform (hereinafter the "Platform") about how their personal data is collected, processed, stored and protected by ECOMTIME AGENCY SARL (hereinafter "we", "our" or "ECOMTIME AGENCY").

ECOMTIME AGENCY is committed to complying with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) as well as the amended French Data Protection Act.

Data Controller

ECOMTIME AGENCY SARL

SIRET: 892 022 773 00014

Registered office: 21 Avenue de Fondeyre, 31200 Toulouse, France

DPO Contact: contact@designdads.io

2. Personal Data Collected

In the course of using our Platform, we collect and process the following categories of personal data:

2.1 Identification and Account Data

  • Email address : used for account creation, authentication and communications
  • First and last name : displayed in your profile and used for service personalization
  • Password : stored in hashed (encrypted) form to secure access to your account
  • Account creation date
  • Subscription type (Discovery, Creator, Pro, Agency)

2.2 Payment Data

Payment data (credit card number, expiration date, CVV) is collected and processed exclusively by our secure payment provider Stripe Payments Europe, Ltd.

ECOMTIME AGENCY never directly stores your complete banking data. We only retain:

  • The last 4 digits of your credit card
  • The card brand (Visa, Mastercard, etc.)
  • The expiration date
  • The Stripe Customer ID (secure token)
  • Transaction and invoice history

2.3 Creation and Usage Data

  • Creation history : all images and videos generated via the Platform
  • Uploaded images : photos and visuals you upload for transformation
  • Prompts and instructions : text descriptions used to generate content
  • Creation metadata : date, time, generation parameters, formats, credits consumed
  • Credit consumption history

2.4 Connection and Technical Data

  • Connection logs : IP address, connection date and time
  • Navigation data : pages visited, session time, interactions with the Platform
  • Technical data : browser, operating system, device type, screen resolution
  • Cookies : see our Cookie Policy

2.5 Customer Support Data

When you contact our support, we retain the history of your exchanges (emails, messages) to process your requests and improve our service.

3. Purposes and Legal Bases for Processing

We process your personal data for the following purposes, each based on a legal basis compliant with the GDPR:

Service provision (legal basis: contract performance)

  • Creation and management of your user account
  • Authentication and secure access to the Platform
  • Visual content generation via artificial intelligence
  • Storage and availability of your creations
  • Management of your credit balance and subscription

Billing and payment (legal basis: contract performance + legal obligations)

  • Processing of payments and subscriptions
  • Issuance and retention of invoices (legal obligation: 10 years)
  • Management of refunds and withdrawal rights
  • Fraud prevention

Customer support (legal basis: legitimate interest)

  • Response to your requests and questions
  • Technical assistance
  • Complaint management

Service improvement (legal basis: legitimate interest)

  • Analysis of Platform usage and performance
  • Training and improvement of artificial intelligence models
  • Bug fixes and technical optimization
  • Development of new features

Marketing communications (legal basis: consent or legitimate interest)

  • Sending transactional emails (confirmations, credit expiration notifications, etc.) - legitimate interest
  • Sending newsletters and promotional communications - consent (you can unsubscribe at any time)

Security and compliance (legal basis: legal obligations + legitimate interest)

  • Prevention of fraud and abuse
  • Detection of illegal content
  • Retention of connection logs (legal obligation: 12 months)
  • Compliance with accounting and tax obligations

4. Data Recipients

Your personal data is processed by ECOMTIME AGENCY and may be transmitted to the following categories of recipients:

4.1 Authorized Personnel

ECOMTIME AGENCY employees who need access to your data as part of their duties (development, customer support, administration).

4.2 Subcontractors and Technical Service Providers

We use the following service providers, all subject to confidentiality and security obligations:

  • Vercel Inc. (United States) - Platform hosting
    Guarantees: European Commission standard contractual clauses
  • Supabase Inc. (United States) - Database and file storage
    Guarantees: European Commission standard contractual clauses
  • Replicate Inc. (United States) - Artificial intelligence processing
    Guarantees: European Commission standard contractual clauses
  • Stripe Payments Europe, Ltd (Ireland - EU) - Secure payments
    PCI-DSS and GDPR compliant
  • Resend Inc. (United States) - Transactional email delivery
    Guarantees: European Commission standard contractual clauses
  • Meta Platforms (Facebook Pixel) (United States) - Analytics and audience measurement (coming soon)
    Only with your consent
  • Google Analytics (United States) - Analytics and audience measurement (coming soon)
    Only with your consent

4.3 Public Authorities

In case of legal obligation, we may be required to communicate your data to competent authorities (police, justice, tax administration, CNIL, etc.).

5. Data Retention Periods

Your personal data is retained for different periods depending on its nature and legal obligations:

Account and Identification Data

As long as your account is active + 3 years after the last login (legal limitation period)

Creation History (images and videos)

According to your subscription plan:

  • Discovery (free) : 7 days
  • Creator : 90 days
  • Pro : 1 year
  • Agency : Unlimited retention as long as the account is active

Important: If you delete your account, all your creations are immediately and permanently deleted from our servers.

Billing and Payment Data

10 years after your account deletion (legal obligation - French Commercial Code, articles L123-22 and following)

This obligation applies to invoices, transaction history, subscriptions and credit purchases. This data is securely archived and is no longer accessible for operational use.

Connection Logs

12 months (legal obligation - article 6-II of LCEN)

Customer Support Data

3 years after ticket closure

Analytics Cookies

13 months maximum (CNIL recommendation)

Account Deletion and Right to Erasure

You can request permanent deletion of your account at any time from your personal space or by contacting us at contact@designdads.io.

Data deleted immediately:

  • All your creations (generated images and videos)
  • Your personal information (name, email, profile)
  • Your usage history and logs
  • Your remaining credits
  • Your authentication account

Data archived for 10 years (legal obligation):

  • Invoices and payment history (Commercial Code, art. L123-22)
  • Subscription and credit purchase history

This exception to the right to erasure is provided for by Article 17(3)(b) of the GDPR: compliance with a legal obligation. Archived data is anonymized and stored securely solely for accounting and tax purposes.

6. Your Rights Over Your Personal Data

In accordance with the GDPR and the French Data Protection Act, you have the following rights over your personal data:

Right of Access (Article 15 GDPR)

You can obtain a copy of all personal data we hold about you, as well as information about their processing.

Right to Rectification (Article 16 GDPR)

You can request correction of inaccurate or incomplete data. You can also directly modify your information from your personal space.

Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You can request deletion of your personal data in certain cases (for example, if the data is no longer necessary or if you withdraw your consent). Deleting your account results in the immediate deletion of all your personal data.

Exception: Billing Data (Article 17.3.b GDPR)

Invoices and accounting data are retained for 10 years to comply with our legal obligations (Commercial Code). This exception to the right to erasure is expressly provided for by the GDPR. This data is securely archived and is no longer used for operational purposes.

Right to Data Portability (Article 20 GDPR)

You can retrieve your data in a structured and commonly used format (JSON, CSV) to transfer it to another service. This right applies to data you have provided to us and which is processed automatically.

Right to Object (Article 21 GDPR)

You can object to certain processing of your data, particularly for direct marketing purposes (newsletter unsubscription) or when processing is based on our legitimate interest.

Right to Restriction of Processing (Article 18 GDPR)

In certain cases, you can request restriction of processing of your data (for example, while verifying the accuracy of your data or while examining an objection).

Right to Withdraw Consent

When processing is based on your consent (analytics cookies, newsletters), you can withdraw this consent at any time.

Right to Define Post-Mortem Instructions (Article 85 LIL)

You can define instructions regarding the retention, erasure and communication of your data after your death.

How to Exercise Your Rights?

To exercise any of these rights, contact us at the following address:

Email: contact@designdads.io

Subject: "Exercise of my GDPR rights"

Documents to attach: Copy of ID to verify your identity

We will respond within a maximum of 1 month from receipt of your request. This period may be extended by 2 additional months in case of complex requests (you will be informed).

Right to Complain to the CNIL

If you believe we are not respecting your rights, you can file a complaint with the French Data Protection Authority (CNIL):

CNIL

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07

Phone: 01 53 73 22 22

Website: www.cnil.fr

7. Data Security

ECOMTIME AGENCY implements all appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

Security measures in place:

  • Password encryption : secure hashing with bcrypt algorithm
  • HTTPS connections : all communications are encrypted (SSL/TLS certificate)
  • Secure hosting : Vercel and Supabase servers with security certifications (ISO 27001, SOC 2)
  • Strong authentication : protection against brute force attacks
  • Access control : data access limited to authorized personnel only
  • Regular backups : to prevent any data loss
  • Monitoring : monitoring of suspicious activities and security alerts
  • PCI-DSS payments : compliance with banking security standards via Stripe

Data Breach Notification

In case of a breach of your personal data likely to result in a high risk to your rights and freedoms, we will inform you as soon as possible in accordance with Article 34 of the GDPR, and notify the CNIL within 72 hours.

8. Data Transfers Outside the EU

Some of our technical service providers (Vercel, Supabase, Replicate, Resend) are located in the United States. Your data may therefore be transferred outside the European Union.

These transfers are governed by the European Commission's standard contractual clauses, which provide sufficient guarantees in accordance with Articles 46 and 47 of the GDPR.

We ensure that all our subcontractors comply with the same level of data protection as required in the European Union.

9. Cookies and Similar Technologies

The Platform uses cookies for its proper functioning and to improve your experience.

For more information on cookies used and how to manage them, see our Cookie Policy.

10. Data of Minors

The DesignDads Platform is intended for a professional audience and is not designed for minors under 15 years of age.

If you become aware that a minor under 15 has created an account on our Platform, please contact us immediately at contact@designdads.io so that we can delete their account.

11. Privacy Policy Modifications

ECOMTIME AGENCY reserves the right to modify this Privacy Policy at any time, particularly to comply with any legislative, regulatory, case law or technological changes.

In case of substantial modification, we will inform you by email or via a notification on the Platform. The last update date is indicated at the top of this document.

12. Contact

For any questions regarding the protection of your personal data or this Privacy Policy, you can contact our Data Protection Officer (DPO):

DPO Email: contact@designdads.io

Subject: "Personal data protection"

Postal address: ECOMTIME AGENCY, 21 Avenue de Fondeyre, 31200 Toulouse, France

Terms of ServiceLegal NoticeCookie Policy
Privacy Policy - DesignDads