Privacy Policy — ThriftyAI — Profit Identifier

1. Data controller & contact

The data controller for the App is Xcoder.

Contact email: blayasoft@gmail.com

If you wish to contact our Data Protection Officer (DPO) or make a GDPR request (access, rectification, erasure, restriction, portability, objection), please use the email above.

2. What data we process

Primary data: images (photos) that you voluntarily upload to the App for object detection and price/ profit estimation.

Derived data: detected object labels, bounding boxes, estimated price/profit values, anonymized logs and aggregate metrics.

What we do NOT collect or store: we do not store or log uploaded images on our own servers by default, and we do not attach personal identifiers to processed images.

3. Legal basis for processing (GDPR)

We process images under the following legal bases:

• Consent — You explicitly consent to upload and process an image when you use the App. This is the primary lawful basis when images may contain personal data (for example, faces or identifiable documents).
• Legitimate interests — We rely on legitimate interests for operational activities such as abuse detection, debugging, and improving service reliability (see section 5). We perform a balancing test to ensure your rights and freedoms are not overridden.

You can withdraw consent at any time by contacting us (see section 1). Withdrawal of consent will not affect processing that occurred prior to withdrawal when we had a lawful basis to process data.

4. Use of third‑party AI image analysis services

To provide core functionality (object detection and price estimation) we send uploaded images to trusted third‑party AI image analysis service providers ("Processors").

• Training: These third‑party services do not use your images to train their public models.
• Retention by third parties: Third‑party processors may retain images for up to 30 days solely for abuse and misuse detection, performance monitoring, and debugging platform issues. Such retained data is used only for operational/security purposes and is not linked to specific users.
• Data processor agreements: We enter into appropriate data processing agreements (DPAs) with processors and require them to implement technical and organizational measures to protect data.

5. Retention & logging

Our retention: ThriftyAI itself does not save or log uploaded images. We only store derived outputs (labels, bboxes, estimated prices) and an image hash (e.g. SHA‑256) for auditability if needed. These derived records are retained according to our internal retention policy and may be deleted on request.

Third‑party retention: As noted above, processors may retain images for up to 30 days for operational reasons. These logged images are not linked to user identities by the processors.

Important: It is your responsibility not to upload images that contain sensitive personal information or identifiable third parties unless you have their consent.

6. Security

We use industry standard measures to protect data: HTTPS/TLS for data in transit, access controls, and encryption at rest for any stored artifacts. Access to derived results and any temporary storage is restricted to authorized personnel only.

While we strive to protect data, no system can be guaranteed fully secure. Avoid uploading images that contain sensitive or special category personal data (racial, health, political opinions, etc.).

7. Your rights under the GDPR

If you are in the EU you have the following rights regarding your personal data:

• Right of access — request confirmation of whether we process your personal data and obtain a copy.
• Right to rectification — request correction of inaccurate data.
• Right to erasure ("right to be forgotten") — request deletion of your personal data where legal basis allows.
• Right to restriction of processing — request limitation of processing in certain circumstances.
• Right to data portability — receive your data in a commonly used machine‑readable format.
• Right to object — object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent — where processing is based on consent, you can withdraw it at any time.

To exercise any right, contact us at blayasoft@gmail.com. We will respond in accordance with applicable law (generally within one month).

If you believe we have not handled your request properly, you may lodge a complaint with your local supervisory authority. For Croatia, the supervisory authority is the Agency for Personal Data Protection (AZOP): https://azop.hr.

8. International transfers

Some processors we use may process or store data outside the European Economic Area (EEA). Where transfers occur, we ensure there are appropriate safeguards in place (standard contractual clauses, adequacy decisions, or other GDPR‑approved mechanisms).

9. Children

The App is not intended for children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will take steps to delete such data.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will post changes on this page with an updated "Last updated" date. Substantive changes affecting how we process personal data will be communicated where appropriate.

11. Additional information & recommendations

• Remove EXIF metadata (such as GPS, timestamp, device info) from photos before uploading if you want to minimise the chance that the image contains personal data.
• Do not upload images that contain sensitive personal data or other peoples' identifiable private information unless you have their permission.
• If you require a formal data processing agreement (DPA) or have specific compliance needs (e.g. enterprise zero‑retention), contact us at blayasoft@gmail.com.