Privacy Policy

1. Data Controller

The data controller responsible for your personal data is İlk Adım Elektronik Tic. ve Aksesuar San. Ltd. Şti., a company incorporated under the laws of the Republic of Turkey, with its registered office in Istanbul, Turkey ("PrismUp," "we," "us," or "our").

We operate the PrismUp platform, a business-to-business software-as-a-service solution that provides AI-powered product image generation for e-commerce brands and retailers.

2. Data We Collect

We collect and process the following categories of personal data in connection with your use of the PrismUp platform:

• Account Information — Your full name, business email address, company name, and any other details you provide during registration or account management.
• Usage Data — Server logs, feature-usage analytics, session identifiers, IP addresses, browser type, operating system, and referring URLs collected automatically when you interact with our platform.
• Uploaded Content — Product images, swatch photographs, brand assets, and any other files you upload for AI-powered image generation. This content may include metadata embedded in the files.
• Payment Data — Billing name, billing address, subscription tier, and transaction history. All payment processing is handled by our payment processor, Lemon Squeezy. We do not store credit card numbers, CVVs, or full payment card details on our servers.

3. How We Use Your Data

We process your personal data for the following purposes:

• Service Delivery — To create and maintain your account, authenticate your sessions, and provide the core functionality of the PrismUp platform.
• AI Image Processing — To transmit your uploaded product images and related assets to third-party AI models for the purpose of generating, editing, and enhancing product visuals on your behalf.
• Billing and Invoicing — To manage your subscription, process payments through Lemon Squeezy, and maintain accurate financial records.
• Communications — To send transactional emails (account confirmations, password resets, billing receipts), service announcements, and, where you have opted in, marketing communications about new features or offers.
• Security and Fraud Prevention — To monitor for suspicious activity, enforce our Terms of Service, prevent abuse, and protect the integrity and availability of the platform.
• Analytics and Improvement — To understand how our platform is used, identify errors, and improve features, performance, and user experience.

The legal bases for these processing activities include performance of a contract, legitimate interests, compliance with legal obligations, and, where applicable, your consent.

4. Third-Party Processors

We engage the following third-party service providers ("sub-processors") to help deliver the PrismUp platform. Each processor is contractually obligated to handle your data in accordance with applicable data protection laws:

• Google (Gemini AI) — AI image generation and content analysis. Data may be processed in the United States and the European Union.
• OpenAI — AI text generation and vision analysis for product content and image processing. Data may be processed in the United States.
• Cloudflare (R2 Storage)— Object storage for uploaded images and generated assets. Data is stored across Cloudflare's global network.
• Upstash (Redis) — In-memory data store used for job queuing, rate limiting, and caching. Data is processed in regions selected by our infrastructure configuration.
• Vercel — Application hosting, edge functions, and content delivery. Data may be processed in the United States and other regions.
• Shopify— E-commerce platform integration for publishing generated images and product data to your online store. Processing occurs according to Shopify's data processing terms.
• Lemon Squeezy — Payment processing, subscription management, and invoicing. Payment data is handled in accordance with PCI DSS standards.

We maintain an up-to-date register of sub-processors. If we add a new sub-processor that materially changes how your data is handled, we will notify you in advance.

5. International Data Transfers

PrismUp is operated from Turkey. Your personal data may be transferred to, and processed in, countries outside of Turkey, including the United States and the European Union. These countries may have data protection laws that differ from those in your jurisdiction.

Where personal data is transferred outside of Turkey or the European Economic Area, we rely on appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) — We execute EU-approved Standard Contractual Clauses with our sub-processors to ensure an adequate level of data protection for international transfers.
• Adequacy Decisions — Where available, we rely on adequacy decisions issued by the European Commission or the Turkish Personal Data Protection Authority (KVKK Board).
• Additional Safeguards — We implement supplementary technical and organizational measures, including encryption and access controls, to protect data during and after transfer.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

• Account Data — Retained for the duration of your active account. If you request account deletion, your account data will be removed within 30 days of the request, subject to any legal retention obligations.
• Uploaded Content and Generated Images — Retained while your account is active. Upon account closure, all uploaded product images, generated assets, and associated files are permanently deleted within 90 days.
• Server Logs and Analytics — Retained for a maximum of 12 months from the date of collection, after which they are automatically purged or anonymized.
• Billing Records — Retained for the period required by applicable tax and commercial law (typically 10 years under Turkish commercial legislation).

7. Your Rights Under GDPR

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent local legislation:

• Right of Access — You may request a copy of the personal data we hold about you.
• Right to Rectification — You may request correction of inaccurate or incomplete personal data.
• Right to Erasure — You may request deletion of your personal data where there is no compelling reason for its continued processing.
• Right to Restriction — You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest its accuracy.
• Right to Data Portability — You may request to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
• Right to Object — You may object to processing based on legitimate interests or direct marketing at any time.
• Right to Withdraw Consent — Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any of these rights, please contact us at privacy@prismup.ai. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

8. Your Rights Under CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights:

• Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete — You may request that we delete the personal information we have collected from you, subject to certain exceptions permitted by law.
• Right to Opt-Out— You may opt out of the "sale" or "sharing" of your personal information. PrismUp does not sell personal information. If we engage in activities that constitute "sharing" under the CCPA, we will provide a clear opt-out mechanism.
• Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality of service, or access as a result of your privacy choices.

To submit a CCPA request, please email privacy@prismup.ai. We will verify your identity before processing your request and respond within 45 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption in Transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. API communications with third-party processors are similarly encrypted.
• Encryption at Rest — Uploaded images, generated assets, and database contents are encrypted at rest using AES-256 or equivalent encryption standards provided by our infrastructure providers.
• Access Controls — Access to personal data is restricted to authorized personnel on a need-to-know basis. Authentication is enforced for all administrative and API access.
• Regular Reviews — We conduct periodic reviews of our security practices, access permissions, and sub-processor compliance to identify and address potential vulnerabilities.

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly notifying affected users and relevant authorities in the event of a data breach, as required by applicable law.

10. Children's Privacy

PrismUp is a business-to-business platform designed for use by companies and professionals. Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16.

If we become aware that we have inadvertently collected personal data from a child under 16, we will take prompt steps to delete that information. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@prismup.ai.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will provide at least 30 days' prior notice by email to the address associated with your account and by posting a prominent notice on the PrismUp platform.

Your continued use of the platform after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. We encourage you to review this page periodically for the latest information on our privacy practices.

12. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, you may contact us through the following channels:

• Privacy Inquiries — privacy@prismup.ai
• Data Protection Officer (DPO) — dpo@prismup.ai
• Postal Address — İlk Adım Elektronik Tic. ve Aksesuar San. Ltd. Şti. Ticaret A.S., Istanbul, Turkey

We will acknowledge receipt of your inquiry within 5 business days and aim to provide a substantive response within 30 days.