Privacy Policy - Wrap It Up

Introduction

Wrap It Up, operated by Jabeja CommV (VAT: BE 1018138823), a company registered in Belgium ("we", "our", or "us"), is committed to protecting your privacy. This Privacy Policy explains how our mobile application handles your information.

User Accounts & Authentication

To access the App, you must create an account. We collect and process the following personal data:

Account Information:

Email address (required for authentication)
Full name (optional)
Date of birth (required for age verification - see below)
OAuth provider data (if you sign in with Google or Apple)
Authentication credentials (securely hashed passwords)

Age Verification (17+ Requirement):

What we collect: Your date of birth
Why we collect it: To verify you are 17 years or older, as required by law (COPPA/GDPR) for AI photo processing services
How we use it: Only to calculate and verify your age during signup
Legal basis: Legal obligation (COPPA, GDPR Article 8)
Storage: Stored securely in our database, encrypted at rest
Sharing: Never shared with third parties or used for marketing
Your rights: You can request deletion of your date of birth by deleting your account

Credit & Subscription Data:

Credit balance (free, subscription, and pack credits)
Transaction history
Purchase records
Subscription status

Photo Storage (Cloud):

Cloud Storage: Your original and AI-enhanced photos are securely stored in Cloudflare R2 cloud storage
Cross-Device Access: Photos are accessible from any device where you're logged in (mobile app and wrapitup.be/gallery)
Privacy Protection: EXIF metadata (GPS location, device info, timestamps) automatically removed before upload
Access Control: Only you can access your photos (authentication required, signed URLs with 1-hour expiry)
Download Anytime: You can download any photo (original or enhanced) to your device at any time
Deletion: Photos are permanently deleted from cloud storage within 24 hours when you delete them or your account

Local Device Storage:

Custom Modes: Camera settings and AI prompts stored locally on your device only
App Settings: Preferences stored locally

Data Storage Locations:

Account Data: Supabase servers (European Union)
Photos: Cloudflare R2 (Global CDN with EU data centers)
App Settings: Your device only

What we DON'T collect:

Location data
Device identifiers (IMEI, MAC address)
Browsing history or app usage analytics
Contact lists or other personal files

App Permissions

Wrap It Up requests the following permissions:

Camera Access: Required to capture product photos within the app.
Photo Library Access: Required to save enhanced photos to your device and select reference images.

These permissions are only used for core app functionality. We never access your camera or photos without your explicit action.

Third-Party Services & Data Processors

We use the following services that may process your data:

Supabase (EU Servers)

Purpose: Authentication, database storage
Data: Email, profile, credits, transactions
Location: European Union
Privacy Policy: supabase.com/privacy

RevenueCat

Purpose: Subscription and purchase management
Data: Purchase transactions, subscription status
Privacy Policy: revenuecat.com/privacy

Resend

Purpose: Transactional emails (deletion confirmations, data exports)
Data: Email address, export data (temporary)
Privacy Policy: resend.com/legal/privacy-policy

Cloudflare R2 (Global CDN with EU Data Centers)

Purpose: Secure cloud storage for your photos
Data: Original and AI-enhanced photos
Location: Global CDN with primary storage in EU data centers
Retention: Until you delete the photo or your account
Security: Private bucket, encrypted in transit (TLS 1.3), signed URLs (1h expiry for viewing, 24h for download)
Privacy Policy: cloudflare.com/privacy

Google Gemini AI (US-based)

Purpose: AI photo enhancement via secure backend proxy
Model: Google Gemini 2.5 Flash Image
Data: Photos sent for processing (temporary, real-time only - NOT stored by Google)
Processing Time: 3-10 seconds average
Location: United States (Google Cloud)
Transfer Protection: TLS 1.3 encryption, processed via our EU-hosted backend proxy
Retention: Zero - images processed in real-time and immediately discarded
Privacy Policy: ai.google.dev/terms

OpenRouter API Proxy

Purpose: Secure API routing to Google Gemini
Data: Photos (in transit only, not stored)
Privacy Policy: openrouter.ai/privacy

Apple App Store

Purpose: Payment processing, subscription management
Data: Purchase information (Apple handles directly)
Privacy Policy: apple.com/privacy

Payment Information

Subscriptions and one-time purchases are processed through Apple's App Store. We do not collect, store, or have access to your payment information. All billing, payment processing, and subscription management are handled entirely by Apple.

For questions about billing, refunds, or subscription management, please refer to Apple's support and privacy policies:

Apple Privacy Policy: apple.com/privacy
Manage Subscriptions: Settings → Apple ID → Subscriptions on your iOS device

Data Retention Periods

User Photos:

Cloud Storage: Retained in Cloudflare R2 until you manually delete them
After Deletion: Permanently removed from R2 within 24 hours, CDN cache purged globally
During AI Processing: Temporarily transferred to Google Gemini (real-time only, immediately discarded after enhancement - NOT stored)

Account Data:

While Active: Profile data retained for account functionality
After Deletion: Purged within 30 days, except email (fraud prevention) and anonymized financial records (7 years legal requirement)
Custom Modes: Stored locally on your device only (not in cloud)

Transaction History:

Purchase Records: Retained for 7 years (Belgian accounting law requirement)
After Deletion: Anonymized (personal identifiers removed) but transaction amounts and dates retained

AI Processing Logs:

Server Logs: Basic processing logs (success/failure) retained for 90 days for debugging and quality monitoring
Content: Logs do NOT contain images, only metadata (timestamps, status, errors)
Google Gemini: Does NOT retain images or logs - real-time processing only per their privacy policy

Deleted Accounts:

Email address: Retained indefinitely for fraud prevention (see below)
Financial records: Anonymized and retained for 7 years (legal requirement)
Photos: Permanently deleted from Cloudflare R2 within 24 hours
Photo metadata: Deleted immediately from database
CDN cache: Purged within 24 hours
All other data: Permanently deleted within 30 days

Fraud Prevention (GDPR Article 6(1)(f) - Legitimate Interest)

When you delete your account, we retain your email address to prevent abuse of our free credit system. If you create a new account with the same email, you will not receive the initial 10 free credits that first-time users receive. However, you will still receive monthly free credit resets (10 credits on the 1st of each month) like all other users. This is our legitimate interest in protecting our business from fraudulent account recreation. Only your email address is retained; all other personal data is permanently deleted.

Children's Privacy

Wrap It Up is not directed at children under 13. We do not knowingly collect information from children.

Your Data Rights (GDPR)

Under the EU General Data Protection Regulation (GDPR), you have the following rights:

Right to Access (Article 15)

View all your account data in the app:

Go to Settings → Account → View Profile
View your credit balance and transaction history

Right to Data Portability (Article 20)

Export your complete account data:

Go to Settings → Account
Tap "Export My Data"
Receive a comprehensive JSON file via email within minutes
Includes: profile, credits, transactions, purchases

Export your photos:

In-app: Tap any photo in Gallery → Download (original or enhanced version)
Website: Visit wrapitup.be/gallery → Download button on each photo
Bulk export: Contact us at info@wrapitup.be for bulk download of all photos

Right to Erasure (Article 17)

Delete your account and all data:

Go to Settings → Account
Tap "Delete My Account"
Confirm deletion (permanent, cannot be undone)
Receive confirmation email

What Gets Deleted:

Account credentials
Profile information
Credit balance
Custom camera modes
Transaction history
All cloud photos: Permanently deleted from Cloudflare R2 within 24 hours
Photo metadata: Deleted immediately from database
CDN cache: Purged globally within 24 hours
Subscription cancellations

What We Retain (Legal Requirements):

Email address (fraud prevention)
Anonymized financial records (7 years - Belgian law)

Right to Rectification (Article 16)

Update your profile information in Settings → Account at any time.

Right to Object (Article 21)

Right to Lodge a Complaint

If you believe your data rights have been violated, you can lodge a complaint with Belgium's Data Protection Authority (GBA):

gegevensbeschermingsautoriteit.be

International Data Transfers

Your photos are stored using Cloudflare R2, which operates a global content delivery network (CDN). While data may be cached globally for performance, the following safeguards apply:

Primary Storage: EU-based data centers
Standard Contractual Clauses: Cloudflare uses GDPR-compliant data transfer agreements
Encryption: All data encrypted in transit (TLS 1.3) and at rest
Access Control: Private bucket with signed URLs (1-hour expiry)
EU-US Data Privacy Framework: Cloudflare complies with EU-US data transfer framework

Legal basis for international transfers: GDPR Article 46 (Standard Contractual Clauses) and Article 49 (necessary for contract performance - photo storage and delivery).

AI Processing - US Data Transfers

Your photos are temporarily transferred to the United States for AI enhancement via Google Gemini. These transfers are protected by:

Encryption in Transit: TLS 1.3 end-to-end encryption
Secure Backend Proxy: All requests routed through our EU-hosted backend (wrapitup.be), never directly from your device
Zero Retention: Google does not store your images - processing is real-time only
Privacy-First Design: EXIF metadata (GPS, device info) automatically stripped before transfer
Standard Contractual Clauses (SCCs): EU-approved data transfer agreements in place
EU-US Data Privacy Framework: Google participates in EU-US DPF for additional protection

Your consent: By using AI enhancement features, you explicitly consent to this temporary data transfer for the sole purpose of processing your photo. You can withdraw consent by not using AI features or deleting your account.

AI-Generated Content (EU AI Act)

In compliance with the EU Artificial Intelligence Act (Article 50 - Transparency Obligations), all AI-enhanced photos include metadata indicating:

AI-generated flag: Visible in photo details and metadata
AI provider: Google Gemini 2.5 Flash Image (via OpenRouter)
Processing date: Timestamp of AI enhancement
Human verification: All AI outputs can be reviewed and regenerated

This ensures full transparency about which content has been modified or enhanced by AI systems.

Data Security

We implement industry-standard security measures to protect your data:

Encrypted transmission: All data is transmitted over HTTPS/TLS
Secure password storage: Passwords are hashed using bcrypt
OAuth authentication: Secure login via Google and Apple
Row-level security: Database access controls (Supabase RLS)
Service role protection: Admin operations secured on backend only
Regular updates: Security patches applied promptly

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of any material changes through the app or on this page.

Contact Us

If you have questions about this Privacy Policy, please contact us:

Jabeja CommV

Email: info@wrapitup.be
Phone: +32 497 40 39 49
Website: wrapitup.be

Nieuwstraat 15
8480 Eernergem
Belgium

VAT: BE 1018138823
KBO: BE 1018138823