Privacy Policy
Effective Date: January 27, 2026
Version: 2.0
Data Controller
TeamDev Management OÜ (Registry Code: 14114492) is the data controller responsible for your personal information under GDPR.
Registered Address: Narva mnt 7-559, Kesklinna linnaosa, Tallinn, 10117, Estonia
Contact: support@leya.studio
Introduction
This Privacy Policy describes how TeamDev Management OÜ ("TeamDev Management OÜ," "we," "us," or "our") collects, uses, shares, and protects personal information when you use our website, platform, and services (collectively, the "Services").
Our Services: TeamDev Management OÜ provides an AI-powered platform for creating Instagram carousels, posts, and stories using advanced design tools and artificial intelligence.
Your Privacy Matters: We are committed to protecting your privacy and being transparent about our data practices. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights and choices.
Scope: This Privacy Policy applies to:
- Our website at https://leya.studio
- Our web-based platform and applications
- Related services, features, and communications
Additional Policies: This Privacy Policy should be read together with:
- Our Terms of Service
- Our Cookie Notice
- Any additional privacy notices provided for specific features
Business vs. Personal Use: This Privacy Policy applies to individuals using the Services. If you are using the Services on behalf of an organization under a separate agreement, that agreement may contain different terms regarding data processing.
Table of Contents
- Information We Collect
- How We Collect Information
- How We Use Your Information
- How We Share Your Information
- Third-Party Services
- Data Retention
- Your Rights and Choices
- International Data Transfers
- Data Security
- Cookies and Tracking Technologies
- Children's Privacy
- AI and Automated Processing
- Changes to This Privacy Policy
- Contact Us
- Additional Information for European Users
- Additional Information for California Users
1. Information We Collect
We collect several types of information from and about users of our Services.
1.1 Information You Provide Directly
Account Information:
- Name or username
- Email address
- Password (encrypted)
- Profile picture (optional)
- Account preferences and settings
Payment Information:
- Billing name and address
- Payment card information (processed by our third-party payment processor)
- Transaction history and purchase records
Content You Create:
- Design projects (carousels, posts, stories)
- Images and graphics you upload
- Text content and templates
- AI-generated content (templates, images)
- Project metadata (names, descriptions, tags)
Communications:
- Messages you send us (support requests, feedback)
- Survey responses
- Email correspondence
- Chat messages with support
Optional Information:
- Demographic information (if you choose to provide it)
- Professional information (company, role)
- Social media profiles (if you link them)
1.2 Information We Collect Automatically
Device and Technical Information:
- IP address
- Device type, model, and operating system
- Browser type and version
- Screen resolution and device settings
- Device identifiers (e.g., advertising ID)
- Language preferences
- Time zone
Usage Information:
- Pages and features you access
- Actions you take (clicks, views, edits)
- Time spent on pages and features
- Navigation paths and sequences
- Search queries within the Services
- Projects created and modified
- AI operations performed (prompts, generations)
- Features and tools used
- Error logs and diagnostic data
Location Information:
- General location based on IP address (city, region, country)
- Time zone
Cookies and Similar Technologies:
- Cookies, web beacons, and similar tracking technologies
- See our Cookie Notice for details
1.3 Information from Third-Party Sources
Authentication Providers:
- If you sign in with Google or another third-party account:
  - Email address
  - Name
  - Profile picture
  - Account ID
  - Any other information you authorize us to access
Payment Processors:
- Payment status and transaction data from payment processors
- Subscription status updates
Analytics Services:
- Usage analytics from Plausible Analytics and similar privacy-focused services
- Aggregated usage and attribution data
2. How We Collect Information
2.1 Direct Collection
We collect information directly from you when you:
- Create an account or sign in
- Use the Services and create content
- Make purchases or manage subscriptions
- Contact customer support
- Subscribe to our emails or newsletters
- Participate in surveys or promotions
- Provide feedback or communicate with us
2.2 Automatic Collection
We automatically collect information through:
- Cookies and Tracking Technologies: See our Cookie Notice
- Log Files: Server logs that record requests to our servers
- Analytics Tools: Plausible Analytics and similar privacy-focused services
- Error Tracking: Tools that monitor errors and performance
2.3 Third-Party Sources
We receive information from:
- Authentication Providers: Google Sign-In
- Payment Processors: Stripe
- Analytics Providers: Plausible Analytics
- Public Sources: Publicly available information (if relevant)
3. How We Use Your Information
We use your information for the following purposes:
3.1 Provide and Operate the Services
Service Delivery:
- Create and manage your account
- Authenticate your identity and provide secure access
- Process your payments and manage subscriptions
- Provide the visual editor, templates, and design tools
- Generate AI-powered templates and images
- Store and manage your projects and content
- Enable file uploads and exports
- Provide customer support and respond to inquiries
Legal Basis (GDPR): Contractual necessity, legitimate interests
3.2 Improve and Develop the Services
Service Enhancement:
- Analyze usage patterns and trends
- Test new features and functionality
- Troubleshoot errors and technical issues
- Monitor service performance and uptime
- Conduct research and development
- Improve AI models and algorithms (with appropriate consent)
Legal Basis (GDPR): Legitimate interests, consent (for AI training)
3.3 Personalize Your Experience
Customization:
- Remember your preferences and settings
- Customize content and recommendations
- Provide relevant features and suggestions
- Remember your device and login history
Legal Basis (GDPR): Legitimate interests, consent
3.4 Communicate with You
Service Communications:
- Send service-related announcements and updates
- Notify you of account activity and security alerts
- Respond to your requests and inquiries
- Send technical notices and policy updates
Marketing Communications (with consent):
- Send newsletters and promotional emails
- Inform you of new features and offerings
- Provide tips and educational content
Legal Basis (GDPR): Contractual necessity, legitimate interests, consent (for marketing)
3.5 Process Payments and Manage Subscriptions
Financial Operations:
- Process subscription payments
- Manage credit purchases and allocations
- Track credit usage and balances
- Handle refunds (when applicable)
- Prevent fraud and unauthorized transactions
- Maintain transaction records
Legal Basis (GDPR): Contractual necessity, legal obligations
3.6 Ensure Security and Prevent Fraud
Security Measures:
- Detect and prevent fraud, abuse, and security incidents
- Verify identities and prevent unauthorized access
- Monitor for suspicious activity
- Investigate violations of our Terms of Service
- Protect our rights, property, and safety
- Protect users' rights and safety
Legal Basis (GDPR): Legitimate interests, legal obligations
3.7 Comply with Legal Obligations
Legal Compliance:
- Respond to legal requests and court orders
- Comply with applicable laws and regulations
- Enforce our Terms of Service
- Protect against legal liability
- Maintain records as required by law
- Comply with tax and accounting requirements
Legal Basis (GDPR): Legal obligations, legitimate interests
3.8 AI Model Training (With Appropriate Consent)
AI Development:
- Free Plan Users: We may use your content (in anonymized and aggregated form) to train and improve our AI models
- Paid Plan Users: We do not train on your content unless you explicitly opt in
You can control AI training preferences in your account settings.
Legal Basis (GDPR): Consent, legitimate interests (for aggregated analytics)
3.9 Business Operations
General Business Purposes:
- Conduct analytics and market research
- Create aggregated, anonymized data for business insights
- Manage business transfers (mergers, acquisitions)
- Maintain business records
Legal Basis (GDPR): Legitimate interests
4. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
4.1 Service Providers
We share information with third-party service providers who perform services on our behalf:
Categories of Service Providers:
- Cloud Hosting: Google Cloud Platform (infrastructure and storage)
- Authentication: Firebase Authentication (account management)
- Database: Firebase Firestore (data storage)
- AI Services: Google Generative AI (Gemini, Imagen models)
- Payment Processing: Third-party payment processors (payment and subscription management)
- Analytics: Plausible Analytics (aggregate usage analytics)
- Customer Support: Support and communication tools
- Email Services: Email delivery providers
Safeguards: Service providers are contractually obligated to:
- Use your information only for specified purposes
- Protect your information with appropriate security measures
- Comply with applicable data protection laws
4.2 Business Transfers
If we are involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have.
4.3 Legal Requirements and Protection
We may disclose your information when required or permitted by law:
- To comply with legal obligations (subpoenas, court orders, legal processes)
- To respond to government or law enforcement requests
- To protect our rights, property, or safety
- To protect users' rights, property, or safety
- To prevent fraud, security threats, or illegal activity
- To enforce our Terms of Service or other agreements
- To investigate violations or suspicious activity
4.4 With Your Consent
We may share information for other purposes with your explicit consent or at your direction.
4.5 Public Information
If you choose to make your projects or profile public:
- Other users and the public may view that information
- Search engines may index public content
- Other users may copy or use public content according to the permissions you grant
4.6 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you:
- For research and analysis
- For business purposes
- With partners and the public
5. Third-Party Services
5.1 Third-Party Service Providers
The Services integrate with and rely on the following third-party services:
Google Services
- Google Cloud Platform: Cloud infrastructure and hosting
- Firebase Authentication: User authentication and account management
- Firebase Firestore: Database and data storage
- Google Cloud Storage: File and asset storage
- Google Generative AI (Gemini, Imagen): AI models for content generation
Google's Privacy Practices:
- Governed by Google's Privacy Policy
- Subject to Google's data processing terms
- May involve data transfers to the United States
Plausible Analytics
- Service: Aggregate website and product usage analytics
- Information Shared: Page URLs, referrers, browser and device information, approximate geography, and campaign attribution data
- Privacy Practices: Designed for privacy-focused analytics without analytics cookies in our current web integration
- Privacy Policy: Plausible Data Policy
Payment Processors
- Services: Payment processing, subscription management, billing, and merchant services
- Information Shared: Billing name and address, payment card information, transaction data, purchase records
- Data Processing: Our payment processor(s) may act as merchant of record for transactions
- Safeguards: Payment processors are contractually required to protect your information and comply with applicable payment card industry (PCI DSS) standards and data protection laws
- Privacy Policies: For information about our current payment processor(s) and their privacy practices, visit https://leya.studio/legal/payment-providers or contact support@leya.studio
5.2 Your Use of Third-Party Services
Third-Party Accounts: If you link a third-party account (e.g., Google) to your TeamDev Management OÜ account:
- We access only the information you authorize
- The third party's privacy policy governs their data practices
- You can disconnect linked accounts at any time in your account settings
Third-Party Links: The Services may contain links to third-party websites or services. We are not responsible for their privacy practices. Please review their privacy policies before providing information to them.
5.3 Our Responsibility
We carefully select service providers and require them to protect your information. However:
- We are not responsible for third parties' privacy practices
- We do not control how third parties use your information
- You should review third parties' privacy policies
6. Data Retention
6.1 Retention Periods
Active Accounts:
- We retain your information for as long as your account is active
- We retain information as necessary to provide the Services
After Account Deletion:
- Personal Information: Deleted within 30 days
- AI-Generated Content: Deleted within 90 days
- Anonymized Data: May be retained indefinitely for analytics
Legal Obligations:
- Transaction Records: Retained for 7 years (legal and tax requirements)
- Backup Data: Retained for up to 30 days in rolling backups
- Legal Claims: Retained as necessary to resolve disputes or enforce rights
6.2 Inactive Accounts
If your account is inactive for 2 years or more:
- We may delete your account and associated data
- We will notify you before deletion (if possible)
- You can prevent deletion by logging in
6.3 Retention Criteria
We determine retention periods based on:
- The nature and sensitivity of the information
- The purposes for which we process the information
- Legal and regulatory requirements
- The need to protect rights or resolve disputes
- Whether we can achieve purposes through other means
7. Your Rights and Choices
7.1 Account Access and Management
Account Settings:
- Access and update your profile information
- Change your email address and password
- Manage linked third-party accounts
- Configure preferences and settings
- Control AI training preferences
Access Your Account: Log in to https://leya.studio to manage your account.
7.2 Data Access and Portability
Right to Access: You can request a copy of your personal information by contacting us at support@leya.studio.
Data Portability (GDPR): European users can request their data in a structured, machine-readable format.
7.3 Data Correction and Updates
Right to Correct: You can update inaccurate information in your account settings or by contacting us.
7.4 Data Deletion
Right to Deletion: You can request deletion of your personal information by:
- Deleting your account in account settings
- Contacting us at support@leya.studio
Deletion Process:
- We will delete your information within 30 days
- Some information may be retained as described in Section 6 (Data Retention)
- Anonymized data may be retained for analytics
Limitations: We may retain information:
- To comply with legal obligations
- To resolve disputes or enforce our rights
- To complete transactions or provide requested services
7.5 Marketing Communications
Opt-Out of Marketing Emails:
- Click "Unsubscribe" in any marketing email
- Adjust email preferences in your account settings
- Contact us at support@leya.studio
Service Communications: You cannot opt out of essential service communications (account notifications, security alerts, etc.).
7.6 Cookie Preferences
Manage Cookies:
- Use your browser settings to block or delete cookies
- See our Cookie Notice for details
7.7 Do Not Track Signals
We do not currently respond to "Do Not Track" signals from browsers. Please see our Cookie Notice for information about managing cookies.
7.8 Additional Rights for European Users
If you are in the European Union, European Economic Area, or United Kingdom, you have additional rights. See Section 15.
7.9 Additional Rights for California Users
If you are a California resident, you have additional rights. See Section 16.
7.10 Exercising Your Rights
How to Exercise Rights:
- Email: support@leya.studio
- Subject: "Privacy Rights Request"
- Include: Your name, email, and description of your request
Verification: We may ask you to verify your identity before processing your request.
Response Time: We will respond to your request within 30 days (or as required by applicable law).
No Discrimination: We will not discriminate against you for exercising your privacy rights.
8. International Data Transfers
8.1 Data Storage Locations
Your information may be stored and processed in:
- European Union (Estonia): Where we operate and our primary infrastructure is located
- European Union (Other Member States): Google Cloud Platform EU regions
- United States: Google Cloud Platform, Google services (where required for service functionality)
- Other countries: Where our service providers operate
8.2 Transfers from Europe
As TeamDev Management OÜ is established in the European Union (Estonia), your personal data is primarily processed within the EU/EEA under GDPR's high standards of data protection.
Transfers Outside the EU: When we transfer data to countries without an adequacy decision (such as the United States for certain Google services), we implement appropriate safeguards including Standard Contractual Clauses (SCCs).
Safeguards:
- Standard Contractual Clauses (SCCs): EU-approved contractual terms
- Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
- Supplementary Measures: Additional technical and organizational measures
- Your Consent: In some cases, with your explicit consent
Google Services: Google provides appropriate safeguards for international data transfers. See Google's data transfer mechanisms.
8.3 Your Consent to Transfers
By using the Services, you consent to the transfer of your information to countries outside your country of residence, including countries that may not provide the same level of data protection as your country.
9. Data Security
9.1 Security Measures
We implement technical, organizational, and physical security measures to protect your information, including:
Technical Measures:
- Encryption in Transit: TLS/SSL encryption for data transmission
- Encryption at Rest: Encryption for stored data on Google Cloud
- Access Controls: Role-based access controls and authentication
- Firewalls: Network security and firewalls
- Monitoring: Continuous security monitoring and threat detection
Organizational Measures:
- Access Restrictions: Limit employee access to personal information
- Confidentiality Agreements: Employees and contractors sign confidentiality agreements
- Security Training: Regular security awareness training
- Data Minimization: Collect only necessary information
Physical Measures:
- Secure Data Centers: Google Cloud Platform's secure facilities
- Physical Access Controls: Restricted access to servers
9.2 Your Responsibility
Protect Your Account:
- Use a strong, unique password
- Do not share your password with others
- Enable two-factor authentication (if available)
- Log out of shared devices
- Keep your device and browser secure
9.3 Security Limitations
No Absolute Security: While we implement strong security measures, no system is 100% secure. We cannot guarantee absolute security of your information.
Notify Us: If you believe your account has been compromised, notify us immediately at support@leya.studio
9.4 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you and applicable authorities as required by law.
10. Cookies and Tracking Technologies
10.1 What Are Cookies?
Cookies are small text files stored on your device that help us provide and improve the Services.
10.2 Types of Cookies We Use
Essential Cookies:
- Authentication and security
- Session management
- Load balancing
Analytics Cookies:
- Plausible Analytics does not set analytics cookies in our current web integration
- Usage tracking and analysis
Preference Cookies:
- Remember your settings and preferences
- Language and display preferences
10.3 Third-Party Cookies
Third-party services we use may involve analytics or infrastructure processing. In our current web integration, Plausible Analytics does not set analytics cookies. See our Cookie Notice for details.
10.4 Managing Cookies
Browser Settings:
- Most browsers allow you to block or delete cookies
- Blocking cookies may affect functionality
Cookie Preferences:
- https://leya.studio/legal/cookies (if we implement a cookie consent banner)
Detailed Information: See our full Cookie Notice for comprehensive information about cookies.
11. Children's Privacy
11.1 Age Restrictions
The Services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
11.2 Parental Consent
If you are between 13 and 17 years old (or the age of majority in your jurisdiction), you must have your parent's or legal guardian's permission to use the Services.
11.3 If We Learn of a Child's Information
If we learn that we have collected personal information from a child under 13 without parental consent:
- We will delete that information as quickly as possible
- We will terminate the child's account
Report Violations: If you believe a child under 13 is using the Services without parental consent, please contact us immediately at support@leya.studio
11.4 Parental Rights
Parents or guardians can:
- Review their child's personal information
- Request deletion of their child's information
- Refuse further collection or use of their child's information
12. AI and Automated Processing
12.1 AI Services We Use
We use artificial intelligence in the following ways:
AI-Powered Features:
- Template Generation: Google Gemini generates design templates from text prompts
- Image Generation: Google Imagen creates images from text descriptions
- Content Suggestions: AI provides design recommendations and suggestions
Third-Party AI: All AI features are powered by Google's AI services (Gemini, Imagen). We do not control these services.
12.2 How Your Data Is Used in AI
For Free Plan Users:
- We may use your content (in anonymized, aggregated form) to improve our AI models
- You can upgrade to a paid plan to opt out of AI training
For Paid Plan Users:
- We do not use your content for AI training by default
- You can opt in to AI training in exchange for benefits (if offered)
Control AI Training: Manage your AI training preferences in your account settings.
12.3 Automated Decision-Making
No Automated Legal Decisions: We do not use automated decision-making (including profiling) that produces legal effects or similarly significantly affects you.
The AI features are tools that assist you in creating content, but all final decisions are made by you.
12.4 AI Transparency
AI Limitations:
- AI-generated content may be inaccurate, inappropriate, or biased
- AI Results may inadvertently resemble existing works
- You are responsible for reviewing and validating AI Results
Third-Party AI Risks:
- Third-party AI providers may change or discontinue services
- We have no control over third-party AI models or their outputs
13. Changes to This Privacy Policy
13.1 Right to Modify
We reserve the right to modify this Privacy Policy at any time.
13.2 Notice of Changes
For Material Changes:
- We will update the "Effective Date" at the top
- We will notify you by email (to the address associated with your account)
- We may display a notice on the Services
- We will obtain your consent if required by law
For Minor Changes:
- We will update the "Effective Date"
- We may post a notice on the Services
13.3 Your Acceptance
Your continued use of the Services after the effective date of any changes constitutes your acceptance of the modified Privacy Policy.
If You Disagree: If you do not agree to the changes, you must stop using the Services and may delete your account.
13.4 Review Regularly
We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices.
14. Contact Us
Data Controller Contact Information
Data Controller: TeamDev Management OÜ
Registered Address: Narva mnt 7-559, Kesklinna linnaosa, Tallinn, 10117, Estonia
Registry Code: 14114492
Contact Methods
General Inquiries: support@leya.studio (Subject: "Privacy Policy Inquiry")
Privacy Rights Requests: support@leya.studio (Subject: "Privacy Rights Request")
GDPR Inquiries: support@leya.studio (Subject: "GDPR Inquiry")
Response Time: 30 days (or as required by GDPR)
15. Additional Information for European Users
This section applies if you are located in the European Union, European Economic Area, or United Kingdom ("Europe").
15.1 Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we must have a legal basis to process your personal data. We rely on the following legal bases:
1. Contractual Necessity: Processing is necessary to perform our contract with you (provide the Services).
- Examples: Account management, service delivery, payment processing
2. Legitimate Interests: Processing is necessary for our legitimate interests (or those of third parties), provided your rights do not override those interests.
- Examples: Service improvement, fraud prevention, analytics, marketing (in some cases)
3. Legal Obligations: Processing is necessary to comply with legal obligations.
- Examples: Tax compliance, responding to legal requests
4. Consent: You have given explicit consent for specific processing activities.
- Examples: Marketing emails, AI model training (free users), optional cookies
You can withdraw consent at any time, but this does not affect the lawfulness of processing before withdrawal.
15.2 Your GDPR Rights
As a European user, you have the following rights:
Right of Access (Article 15): Request access to your personal data and information about how we process it.
Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion of your personal data in certain circumstances.
Right to Restriction of Processing (Article 18): Request that we limit how we use your personal data in certain circumstances.
Right to Data Portability (Article 20): Receive your personal data in a structured, machine-readable format and transmit it to another controller.
Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time where processing is based on consent.
Right to Lodge a Complaint (Article 77): Lodge a complaint with your national data protection authority.
Rights Related to Automated Decision-Making (Article 22): Rights related to solely automated decision-making (which we do not currently use for legal or significant effects).
15.3 Exercising Your Rights
How to Exercise: Contact us at support@leya.studio with:
- Your name and email address
- Description of your request
- Verification information (if requested)
Response Time: We will respond within 1 month (may be extended by 2 additional months for complex requests).
No Fee: We will not charge a fee unless your request is manifestly unfounded or excessive.
15.4 Data Controller
Under GDPR, the data controller is TeamDev Management OÜ, an Estonian company.
Estonian Data Protection Authority: As we are established in Estonia, our lead supervisory authority is:
- Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
- Website: https://www.aki.ee/en
- Email: info@aki.ee
- Address: Tatari 39, 10134 Tallinn, Estonia
Contact for GDPR Matters:
- Email: support@leya.studio
- Subject: "GDPR Inquiry"
15.5 Supervisory Authority
For Estonian Residents: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
- Website: https://www.aki.ee/en
- Email: info@aki.ee
For Other EU/EEA Residents: Find your local authority via the European Data Protection Board member list.
Note: As our lead supervisory authority is in Estonia, complaints may be handled by the Estonian Data Protection Inspectorate in cooperation with your local authority.
15.6 Data Protection Officer
We are not currently required to appoint a Data Protection Officer under GDPR. For data protection inquiries, contact us at support@leya.studio.
15.7 Legal Basis Table
| Purpose | Personal Data Categories | Legal Basis |
|---------|-------------------------|-------------|
| Provide Services | Account data, content, usage data | Contractual necessity |
| Process payments | Payment data, transaction data | Contractual necessity |
| Service improvement | Usage data, analytics data | Legitimate interests |
| AI model training | Content data (anonymized) | Consent (free users), Opt-in (paid users) |
| Marketing emails | Contact data | Consent |
| Legal compliance | All relevant data | Legal obligations |
| Fraud prevention | Account data, usage data, technical data | Legitimate interests, Legal obligations |
16. Additional Information for California Users
This section applies if you are a California resident and provides additional information required by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
16.1 Categories of Personal Information We Collect
In the past 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected? |
|----------|----------|------------|
| Identifiers | Name, email, username, IP address, device ID | Yes |
| Personal information (Cal. Civ. Code § 1798.80(e)) | Name, address, telephone number, credit card number | Yes |
| Protected classifications | Age, gender (if voluntarily provided) | Limited |
| Commercial information | Purchase history, transaction records | Yes |
| Internet or network activity | Browsing history, usage data, interactions | Yes |
| Geolocation data | General location from IP address | Yes (general only) |
| Sensory information | Audio, visual, or similar information (images you upload) | Yes |
| Professional or employment information | Job title, company (if voluntarily provided) | Limited |
| Non-public education information | None | No |
| Inferences | Preferences, characteristics, behavior | Yes |
16.2 Sources of Personal Information
We collect personal information from:
- Directly from you (account registration, uploads, communications)
- Automatically (cookies, usage data, analytics)
- Third-party sources (Google Sign-In, payment processors)
16.3 Purposes for Collecting Personal Information
We use personal information for the purposes described in Section 3, including:
- Providing and operating the Services
- Processing transactions
- Customer support
- Service improvement and analytics
- Marketing (with consent)
- Security and fraud prevention
- Legal compliance
16.4 Sharing Personal Information
In the past 12 months, we have disclosed the following categories of personal information for business purposes:
| Category | Recipients |
|----------|-----------|
| Identifiers | Cloud hosting (Google), analytics (Plausible), payment processors (Stripe) |
| Personal information | Payment processors, cloud hosting |
| Commercial information | Payment processors |
| Internet activity | Analytics providers, cloud hosting |
| Geolocation data | Analytics providers |
| Sensory information | Cloud storage (Google Cloud Storage) |
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
16.5 Your California Privacy Rights
California residents have the following rights:
1. Right to Know (CCPA § 1798.100): Request disclosure of:
- Categories of personal information we collected
- Categories of sources
- Business or commercial purposes
- Categories of third parties with whom we share information
- Specific pieces of personal information we collected
2. Right to Delete (CCPA § 1798.105): Request deletion of your personal information, subject to certain exceptions.
3. Right to Correct (CPRA): Request correction of inaccurate personal information.
4. Right to Opt-Out of Sale/Sharing (CCPA § 1798.120): We do not sell or share personal information, so this right does not apply.
5. Right to Limit Use of Sensitive Personal Information (CPRA): We do not use or disclose sensitive personal information in ways that trigger this right.
6. Right to Non-Discrimination (CCPA § 1798.125): We will not discriminate against you for exercising your CCPA rights.
16.6 Exercising Your California Rights
How to Submit a Request:
- Email: support@leya.studio
- Subject: "California Privacy Rights Request"
- Include: Your name, email, and description of your request
Verification: We will verify your identity before processing your request. We may ask for:
- Email address associated with your account
- Additional information to confirm your identity
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. The agent must provide proof of authorization.
Response Time: We will respond within 45 days (may be extended by an additional 45 days if necessary).
No Fee: We do not charge a fee to process requests.
16.7 California "Shine the Light" Law
California Civil Code § 1798.83 permits California residents to request information about disclosure of personal information to third parties for their direct marketing purposes.
We do not share personal information with third parties for their direct marketing purposes.
16.8 Minors Under 16
We do not sell or share personal information of consumers under 16 years of age without appropriate consent.
Definitions
"Personal Information" / "Personal Data": Information that identifies, relates to, or could reasonably be linked to you.
"Processing": Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
"Controller": The entity that determines the purposes and means of processing personal data.
"Processor": An entity that processes personal data on behalf of the controller.
"Third Party": An entity that is not you, us, or our service providers.
"Anonymization": The process of removing identifying information so data can no longer be linked to you.
"Aggregation": Combining data from multiple users so that individual users cannot be identified.
"Consent": Freely given, specific, informed, and unambiguous indication of your wishes.
Summary
What We Collect: Account information, content you create, usage data, technical information
How We Use It: Provide services, improve services, process payments, communicate with you, ensure security
How We Share It: Service providers (Google, Stripe), legal requirements, with your consent
Your Rights: Access, correct, delete your data; opt out of marketing; control cookies; additional rights for EU and California residents
Security: We use encryption, access controls, and security monitoring
Contact: support@leya.studio
Last Updated: January 3, 2026
Version: 1.0
BY USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.