Privacy Policy
Last updated · May 24, 2026
This Privacy Policy explains what personal information WarmlyKept (“we,” “us”) collects when you visit warmlykept.com, upload a photo, or place an order — and what we do with it. We’ve tried to write it in plain English; where legal terms appear, we’ve explained what they mean for you.
1. Who we are
WarmlyKept is operated from Brisbane, Queensland, Australia and is the “data controller” for personal data processed through warmlykept.com.
Privacy questions, requests, and complaints: privacy@warmlykept.com.
2. What we collect
We collect different kinds of data depending on what you do on the site:
Photos and AI artwork
- Photos you upload for AI styling — kept in encrypted Cloudflare R2 storage, with originals locked from public access until you complete a paid order.
- AI-generated artwork produced from your photos. The watermarked preview is stored on our CDN; the full-resolution original stays private until purchase.
- Style descriptions you type in the “Describe your own” box — sent to OpenAI’s chat API where the model expands your idea into a structured prompt for the image generator (see Section 4).
Account & order data (handled by Shopify)
- Email address, name, shipping address, phone number.
- Order history, fulfillment status, design IDs.
- Payment information — collected and processed by Shopify Payments. We never see or store full card numbers.
Technical & usage data
- A random anonymous session id stored in your browser (“wk_session”) — used to count free generations per device and prevent abuse.
- Browser type, IP address, country (detected via Cloudflare), and standard server logs (kept up to 90 days).
- Strictly necessary cookies for cart, sign-in, and session state.
3. How we use it (and our legal basis under GDPR)
- Run the Studio & deliver orders — performance of a contract you start when you upload a photo or check out.
- Process your photo through AI — your explicit consent (the “Upload a photo” button is your consent, paired with this notice).
- Detect quota abuse, prevent fraud — our legitimate interest in running a sustainable service.
- Tax records, accounting, refunds — legal obligation (typically 7 years).
- Marketing emails — only if you opt in, and you can opt out from every email or by updating your account.
4. Who we share data with
We use the following third-party processors to run the site. Each one only receives the data needed for its job:
- OpenAI (United States) — handles two things for us, using the same project API key: (a) the image generation itself (we send your uploaded photo plus a style prompt to gpt-image-2), and (b) the prompt rewriting on the “Describe your own” path (we send the short text you typed to gpt-4o-mini, never your photo). Per OpenAI’s API policy, your inputs and outputs are not used to train any OpenAI model. OpenAI is certified under the EU–US Data Privacy Framework.
- Dynamic Mockups (location: see their privacy policy) — receives the URL of your watermarked design image so it can composite a product preview (mug, canvas, tee, etc.).
- Replicate (United States) — receives the AI-generated artwork after you pay so it can upscale it from the model’s native 1024 px to a 4096 px print-ready PNG via the nightmareai/real-esrgan model. Your original photo is not sent. Per Replicate’s privacy policy, inputs and outputs are not used to train their models. Inputs are retained for up to 1 hour for debugging then deleted.
- Gelato (Norway) — when you order a printed product, we send the print-ready upscaled design plus your shipping address so they can print and ship it.
- Shopify (Canada) — runs the cart, checkout, payments, and customer accounts (sign-in via shop.app).
- Cloudflare (United States) — provides the underlying compute (Workers), storage (R2 for images, KV for quota), and CDN that the site runs on.
- Google Analytics 4 (United States) — sends aggregate page-view and event data (which pages you visit, how long, what country you visited from at country-level resolution) so we can see which parts of the site work and which don’t. We use anonymize_ip so your full IP is never stored. EU/UK/EEA/Swiss visitors see a consent banner and we block analytics until they accept; everywhere else, tracking is on by default and you can opt out by emailing us. We do not run Google Ads, retargeting, or advertising personalisation — only page-view + interaction analytics.
We do not sell your data, share it with advertisers, or use your photos to train any AI.
5. International transfers
Several of our processors are outside the country you may live in. For transfers from the EU, UK, or Switzerland to processors in countries without an adequacy decision, we rely on:
- The EU–US Data Privacy Framework (OpenAI, Shopify, Cloudflare).
- European Commission Standard Contractual Clauses (SCCs) plus supplementary technical and organizational measures with processors outside the DPF (Replicate, Dynamic Mockups, Gelato).
6. How long we keep your data
- Photos uploaded by anonymous visitors: deleted after 30 days of inactivity.
- Photos uploaded by signed-in customers: kept while your account is active. Removed within 30 days of account deletion.
- AI-generated artwork tied to a paid order: kept for 7 years to support reprints, refunds, and tax records.
- Anonymous session id (cookie + KV): auto-expires after 1 year of inactivity.
- Server logs: 90 days.
7. Your rights
Depending on where you live (EU/UK GDPR, Australian Privacy Act, NZ Privacy Act 2020, California CCPA/CPRA, Canadian PIPEDA), you have some or all of these rights:
- Access — request a copy of everything we hold about you.
- Delete — erase your account and all uploaded photos (“right to be forgotten”).
- Correct — update inaccurate information.
- Port — get your data in a machine-readable format.
- Object — to specific processing, such as marketing.
- Withdraw consent — at any time, for anything you previously consented to.
To exercise any of these, email privacy@warmlykept.com. We respond within 30 days.
8. Cookies & similar tech
Cookies + browser storage we use:
Strictly necessary (no consent prompt — the site can’t function without these):
- wk_session — random UUID in your browser’s localStorage for quota tracking and saved design history.
- Shopify session and cart cookies — required for checkout to work.
- Customer Account API cookies — required for signed-in features (orders, profile, addresses).
- wk_consent_v2 — remembers your analytics consent choice (so we don’t re-ask on every visit).
Analytics (consent-gated for EU/UK/EEA/CH; on-by-default elsewhere with opt-out):
- _ga, _ga_DQEDKTB47F — Google Analytics 4 first-party cookies, expire after 2 years. Anonymised IP, no cross-site retargeting.
We don’t use advertising trackers, third-party retargeting pixels, or marketing cookies of any kind. To change your analytics consent at any time, clear the wk_consent_v2 key from your browser’s localStorage (or use your browser’s site-data clear function), then reload — the consent banner will re-appear.
9. Children
WarmlyKept is intended for users aged 16 and up. If you’re a parent or legal guardian uploading photos of your child for a family keepsake, you confirm you have the authority to do so on their behalf.
We do not knowingly collect data from anyone under 16. If you believe we may have inadvertently received such data, contact us and we’ll delete it.
10. Security
We take reasonable steps to protect your data, including:
- HTTPS everywhere — your photos and account data travel encrypted.
- Original (un-watermarked) images stored in private Cloudflare R2, unreadable to the public web — they only unlock for fulfilment after a paid order references them.
- Payment processing is handled by Shopify (PCI-DSS compliant) — we never see or store card numbers.
- API keys for third-party processors stored as encrypted Cloudflare Worker secrets, never exposed to your browser.
No system is 100% secure. If we discover a breach affecting your data, we’ll notify you and the relevant regulator within the legally required window (72 hours under GDPR).
11. Updates to this policy
We may update this Privacy Policy when we add features or change processors. If the change is material (e.g. a new processor, a broader purpose), we’ll notify registered customers by email before it takes effect. The “Last updated” date at the top always reflects the current version.
12. Complaints
If you’re unhappy with how we’ve handled your data and we can’t resolve it directly, you can complain to a supervisory authority:
- Australia: Office of the Australian Information Commissioner (OAIC)
- New Zealand: Office of the Privacy Commissioner
- United Kingdom: Information Commissioner’s Office (ICO)
- EU residents: your local Data Protection Authority.
- California: the California Attorney General’s Office.
- Canada: Office of the Privacy Commissioner of Canada.