Privacy Policy
What we collect, why, how long we keep it, and how to get it deleted. The biometric-data clause is the one most people want to read first — section 3.
Last updated: 9 May 2026
The short version
- Your uploaded photos are deleted 90 days after delivery. The 2D preview output we made for you is kept indefinitely (it's the artifact you paid for, and you can re-download it from your account).
- Your photo is never used to train AI, not by us and not by our AI provider. Under the provider's own policy, its API doesn't train on your inputs.
- We don't sell your data. Ever.
- You can delete your account and data anytime from your account page.
1. Who's behind this policy
This Privacy Policy describes how StartOff (operating as Chibily; the "Company", "we", "us") handles personal data we collect when you use chibily.com or place an order. StartOff is a UAE-registered company. Address details are in our Terms of Service.
Questions about anything in this policy? Email support@chibily.com.
2. What we collect
We only collect data that's necessary to make your figurine and run the site:
- Account info — your name, email address, and avatar (if you sign in with Google). Used to log you in and email you about your order.
- Photos you upload — the source photo for your figurine. See section 3 for how we handle these.
- Order details — style choice, subject counts (people / pets), optional prompt notes, packaging choice, shipping address, total paid.
- Payment info — processed entirely by Stripe. We see only the order total, payment status, and a Stripe reference. We never see or store your card number.
- Technical info — basic logs (timestamps, IP address for rate limiting and abuse prevention, browser type). No third-party analytics or marketing pixels at launch. If we add any in the future, we'll update this policy.
3. Photos and biometric data
A photo of you is biometric data, which is treated specially under UAE Federal Decree Law No. 45 of 2021 on the Protection of Personal Data, the EU GDPR, and similar laws worldwide. We treat it carefully:
- What we do with your source photo: we upload it to our private storage, send it to our AI provider to generate the 2D preview, and use the generated preview as the reference for our 3D modelling and printing process.
- How long we keep your source photo: 90 days after your order is delivered. After that, an automated job permanently deletes it from our storage. The 90-day window covers our defect-claim period (14 days, see Refund Policy) plus a buffer for any post-delivery questions.
- How long we keep the generated 2D preview: indefinitely, while your account is active. It's the artifact you paid for, and you can re-download it anytime from your account. Deleted when you delete your account.
- AI training: we do not use your photos to train, fine-tune or improve any AI model. Our AI provider (currently OpenAI's gpt-image-1 API) explicitly does not use API inputs for model training under their published policy. If we ever change AI provider, we'll only use providers with the same no-training-on-inputs policy.
- Sharing: the only third party that ever sees your source photo is our AI provider, and only for the moment of generation. They retain inputs for up to 30 days for abuse monitoring, then delete them, under their own published API data policy.
You can request earlier deletion of your source photo at any time, even before the 90-day window ends, by emailing support@chibily.com. Note that this may affect our ability to honor a defect claim if one comes up later.
4. Why we collect it (legal basis)
- Performance of contract. We process your photo, address and payment because we'd be unable to make and ship your figurine otherwise.
- Consent. You consent to biometric processing (the photo) when you upload it — an explicit confirmation is shown at upload.
- Legitimate interest. Basic IP-address logging for rate limiting and fraud prevention is necessary for us to run the site safely.
- Legal obligation. We retain order records (without identifying photos) for the period required by UAE tax and accounting law.
5. Who else sees your data
The minimum number of third parties needed to run a modern web business:
- Supabase — hosts our database, authentication and file storage. Servers located outside the UAE; data encrypted in transit and at rest.
- Vercel — hosts the Chibily website and its server-side code.
- Upstash — rate-limit cache and background job queue. Sees only generation IDs, not your photo or personal data.
- OpenAI — receives your source photo and our style prompt to generate the 2D preview. See section 3 for retention details.
- Stripe — handles payment. They get whatever's required for the charge (your name, card details which we don't see, billing address, email). Stripe is PCI-DSS Level 1 compliant.
- Resend — sends transactional emails (order confirmation, shipping updates). Gets your email address and the email body.
- Couriers — receive your shipping address and phone number to deliver the package. See our Shipping Policy.
We don't sell, rent or trade your data with anyone. We don't share with advertisers. We don't do affiliate or marketing pixel sharing.
6. Cookies and tracking
We use only essential cookies needed to run the site:
- An auth cookie to keep you signed in (set by Supabase).
- A short-lived cookie to preserve your form across sign-in redirects.
We do not use third-party analytics, advertising pixels, or tracking cookies at launch. If we ever add analytics (we may add a privacy-friendly one like Plausible after launch), we'll update this policy and add a clear notice.
7. Marketing emails
We only send marketing emails (new styles, special offers) if you explicitly opt in. Transactional emails (order confirmation, shipping updates, defect-claim replies) are sent regardless of marketing preferences because we need to send them to fulfil your order.
You can update your email preferences anytime from your account page or via the unsubscribe link at the bottom of any marketing email.
8. Your rights
You have the right to:
- Access the personal data we hold about you. Email support@chibily.com and we'll respond within 30 days.
- Correct data that's wrong. Most things you can edit yourself on your account page; for the rest, email us.
- Delete your data. Use the "Delete account" option on your account page. We anonymize past order records (we're legally required to keep them for tax purposes) and delete your photos and personal info.
- Withdraw consent for biometric processing at any time by deleting your photo or your account. Note that we can't make your figurine without it.
- Object to any processing you disagree with, and complain to your local data protection authority if you're not happy with how we've responded.
9. Data retention summary
- Source photos: deleted 90 days after order delivery (or earlier on request).
- Generated 2D previews: kept while your account is active; deleted when you delete the account.
- Order history: kept for as long as required by UAE tax and accounting law (currently 5 years), then anonymized.
- Account info: deleted when you delete your account, except for the anonymized order records noted above.
- Email logs: kept 12 months for support and deliverability troubleshooting, then deleted.
10. Data security
We use HTTPS site-wide, encrypted database connections, encrypted file storage, server-side authentication via secure HttpOnly cookies, and Stripe for all card handling. Passwords are hashed (we never see them in plain text). Internal access to customer data is limited to the team members who need it for support and order fulfilment.
No system is perfectly secure. If we ever suffer a data breach affecting your personal data, we'll notify you and the appropriate UAE authority within the legally required timeframes.
11. Children
Chibily is for users 18 and older. We don't knowingly process the personal data of anyone under 18 except in the specific case described in our Terms (a parent or legal guardian uploading a photo of their minor child to make a figurine of that child). In that case, the parent or guardian is the data subject responsible for consent on behalf of the minor.
12. International transfers
Some of our service providers (Supabase, Vercel, OpenAI, Stripe) operate servers outside the UAE. When your data is transferred for processing, we rely on those providers' standard contractual safeguards (Standard Contractual Clauses or equivalent) to ensure your data continues to be protected at the same standard.
13. Changes to this policy
We'll update this Privacy Policy as our practices evolve. The "Last updated" date at the top reflects the current version. For material changes (new categories of data, new processors, longer retention), we'll notify you by email at least 14 days before they take effect.
14. Contact
Email support@chibily.com for any privacy question, data request or complaint. Or use the form on our Contact page.