Supamodel

Supamodel Privacy Policy

Effective date: March 25, 2026

This Privacy Policy explains how Ajith R, doing business as Yesss Design ("Supamodel," "we," "us," or "our") collects, uses, discloses, and protects information when merchants, merchant personnel, and other authorized users access the Supamodel Shopify app, website, and related services (collectively, the "Services").

If you are a Shopify merchant using Supamodel, this policy explains both:

  • how we handle information about you and your authorized users, and
  • how we handle information you submit to us or instruct us to process on your behalf through the Services.

Questions about this Privacy Policy can be sent to ajith@yesss.design.

1. Scope

This Privacy Policy applies to:

  • merchants who install or use Supamodel,
  • merchant employees, contractors, and other authorized users,
  • visitors to Supamodel-controlled websites and support channels, and
  • information processed by Supamodel in order to provide the Services.

This Privacy Policy does not apply to Shopify's own services, third-party services not controlled by Supamodel, or merchant storefront privacy practices.

2. Our Role

Supamodel does not play the same role for all data.

When Supamodel acts as a controller

We act as an independent controller for information such as:

  • merchant account and app-installation information,
  • billing and subscription records relating to our business relationship with you,
  • website, security, diagnostic, and support information,
  • communications with us,
  • internal business records required for legal, accounting, fraud-prevention, and compliance purposes.

When Supamodel acts as a processor or service provider

We generally act as a processor or service provider when we process information on a merchant's behalf to provide the Services, including:

  • Shopify product identifiers, titles, and media,
  • images, prompts, workflow inputs, and other content submitted through the app,
  • generated assets created at the merchant's direction,
  • records of asset pushes back into the merchant's Shopify catalog,
  • any customer-linked or storefront-linked data included in merchant-provided content or workflows.

If you are a consumer interacting with a merchant's storefront, the merchant is usually the party responsible for responding to your privacy requests unless applicable law requires otherwise.

3. Information We Collect

Depending on how the Services are used, we may collect the following categories of information.

Merchant account and installation data

  • Shopify shop domain and shop identifiers
  • installation and authentication records
  • session records
  • app access scopes
  • merchant or staff user name, email address, locale, and related account metadata made available by Shopify

Product and catalog data

  • product IDs
  • product titles
  • product image URLs and related media metadata
  • selected destination product IDs when a merchant chooses to push generated media into Shopify

Merchant-submitted content

  • prompts and text instructions
  • uploaded images and reference images
  • workflow definitions, presets, and configuration data
  • generated images and related output metadata
  • support requests, attachments, and feedback

Billing and commercial data

  • subscription status
  • plan selection
  • one-time purchase records
  • credits, credit usage, and related ledger records
  • billing webhook events and reconciliation data

We do not receive your full payment-card number from Shopify billing. Shopify and its payment providers process those payment details.

Technical, usage, and security data

  • IP address and general device or network information
  • request logs
  • app diagnostics and error logs
  • timestamps relating to app usage, workflow runs, and security or compliance events

Compliance request data

  • data associated with Shopify compliance webhooks such as customers/data_request, customers/redact, and shop/redact
  • records needed to verify, fulfill, log, or respond to those requests

4. How We Collect Information

We collect information:

  • directly from Shopify when you install, authenticate, or use the app,
  • directly from you when you upload content, configure workflows, contact support, or interact with the Services,
  • automatically from your browser, device, or use of the Services,
  • from service providers and infrastructure used to operate the Services,
  • from Shopify webhook events and related platform signals.

5. How We Use Information

We use information to:

  • authenticate merchants and authorized users,
  • operate, maintain, and secure the Services,
  • retrieve product information and product images from Shopify at your direction,
  • generate and manage creative assets and workflow outputs,
  • store, organize, and serve uploaded or generated media,
  • push generated images back into Shopify products at your direction,
  • administer subscriptions, credits, billing, and one-time purchases,
  • provide support and respond to inquiries,
  • detect, investigate, and prevent fraud, abuse, security incidents, and misuse,
  • comply with legal obligations and enforce our agreements,
  • create aggregated or deidentified analytics to understand and improve the Services.

We do not use merchant-confidential prompts, uploaded assets, or generated outputs to train our own foundation models. We may use service usage information, operational metrics, and aggregated or deidentified analytics to operate, maintain, and improve the Services.

Because Supamodel may call third-party AI providers to fulfill your requests, merchant inputs may be transmitted to those providers as necessary to generate outputs.

6. Legal Bases for Processing

Where required by applicable law, we rely on one or more of the following legal bases:

  • performance of a contract or steps taken at your request before entering a contract,
  • our legitimate interests in operating, securing, improving, and supporting the Services,
  • compliance with legal obligations,
  • consent, where consent is required by law for a particular activity.

7. How We Share Information

We may share information with the following categories of recipients:

Shopify

We exchange data with Shopify to authenticate merchants, access scoped product data, process billing flows, receive webhook events, and push media back to Shopify products.

AI and model providers

To provide image-generation and related creative features, we may share relevant inputs with configured third-party model providers, which may include:

  • Google Gemini,
  • OpenRouter, and
  • model vendors accessed through OpenRouter or similar routing, including providers such as OpenAI, Black Forest Labs, ByteDance Seed, and Sourceful, if enabled in our production environment.

Storage, hosting, and infrastructure providers

We may share information with hosting, database, queueing, logging, monitoring, and storage providers that help us run the Services. Based on the current implementation, this includes media-storage and CDN providers such as ImageKit and other infrastructure providers we use to host the app and worker processes.

Professional advisors and legal recipients

We may disclose information to lawyers, auditors, insurers, regulators, courts, law enforcement, or other third parties where reasonably necessary to comply with law, respond to legal process, protect rights, safety, and property, investigate fraud or security incidents, or enforce our agreements.

Corporate transaction recipients

We may disclose information in connection with a merger, acquisition, financing, restructuring, asset sale, or similar transaction, subject to appropriate confidentiality protections.

We do not sell merchant personal information in the ordinary meaning of the word "sell." We also do not share merchant-confidential creative inputs for unrelated third-party marketing use.

8. Merchant Responsibilities

Merchants are responsible for:

  • having rights to any product media, uploaded files, prompts, or other content submitted through Supamodel,
  • obtaining any required consents, notices, or permissions for personal data, likenesses, testimonials, or other protected material,
  • making sure their use of generated outputs complies with advertising, consumer-protection, intellectual property, publicity, privacy, and platform rules,
  • maintaining their own merchant privacy notices where required by law.

9. Data Retention

We retain information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, maintain account history, resolve disputes, enforce agreements, and comply with legal obligations.

Our retention approach is:

  • account and session data: for the life of the account and a reasonable period thereafter,
  • workflow, prompt, uploaded-image, and generated-asset records: until the merchant requests deletion, closes the account, or we are otherwise required to delete or redact them under Shopify compliance requirements or applicable law,
  • billing and financial records: for the period required by tax, accounting, and legal obligations,
  • security and diagnostic logs: for a limited operational retention period unless needed longer for fraud, abuse, or incident investigation.

If Shopify sends a valid shop/redact compliance webhook, or if a merchant makes a valid deletion request that we are required to honor, we will delete or anonymize merchant-linked data in accordance with our legal obligations and internal deletion processes, subject to data we must retain for legal, tax, fraud-prevention, security, or dispute-resolution reasons.

10. International Transfers

Supamodel and our service providers may process information in countries other than the country where the merchant or data subject is located. Where required by law, we will use appropriate safeguards for international transfers, which may include contractual protections or other lawful transfer mechanisms.

11. Security

We use reasonable technical and organizational measures designed to protect information against unauthorized access, alteration, disclosure, or destruction. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

12. Your Rights and Choices

Depending on applicable law, you may have rights to:

  • access personal information,
  • correct inaccurate personal information,
  • delete personal information,
  • object to or restrict certain processing,
  • request data portability,
  • withdraw consent where processing is based on consent,
  • appeal a denied privacy request.

To exercise these rights, contact us at ajith@yesss.design.

If we process information only on behalf of a merchant, we may direct your request to that merchant because the merchant is the party best positioned to respond.

13. Children

The Services are not directed to children, and we do not knowingly collect personal information from children through the Services.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and update the effective date above. Where required by law, we will provide additional notice.

15. Contact Us

Ajith R, doing business as Yesss Design
Yesss Design, Second Floor, Dotspace Coworking, MC Tower, C Achutha Menon Rd, Punkunnam, Thrissur, Kerala 680004, India
ajith@yesss.design