Privacy Policy
Last updated: April 2026
We care about privacy and protecting the personal data handled by us. All personal data is processed in accordance with applicable law, including the General Data Protection Regulation (GDPR). In this policy we describe how and for what purposes we use your personal data, what lawful basis we rely on, what measures we take to protect it, and how you can exercise your rights.
1. Who is responsible for your personal data?
HG Commerce AB (we, us or our) is the controller of all personal data described in this Privacy Policy (the Policy). This Policy provides information on how we handle personal data when you as a customer or website visitor (you) communicate with us, use the Services, or visit our website at captured.art (the Website).
Organisation number: 559498-1564
Registered address: Observatoriegatan 2 a, 113 29 Stockholm, Sweden
Privacy contact: privacy@captured.art
Our supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY), Box 8114, 104 20 Stockholm, Sweden (www.imy.se).
2. What personal data do we collect and why?
We collect and process personal data that you provide to us in order to provide our Services, ensure secure access to your account, provide customer support, process payments, send communications, develop and improve our Services, keep the Website running and secure, and comply with legal requirements. Below we describe each processing activity, the data involved, and the legal basis we rely on.
| Processing activity | Personal data | Lawful basis | Storage period |
|---|---|---|---|
| Account creation and authentication | Name, email, company name, password hash, profile picture (including via Google if used) | Contract performance (Art. 6(1)(b)) | Until you delete your account, plus 12 months |
| Processing uploaded product images for AI generation | Product images you upload to the platform | Contract performance (Art. 6(1)(b)) | Until you delete the content or your account, plus 30 days |
| Processing images scraped from URLs you provide | Product images and metadata retrieved from websites you submit | Contract performance (Art. 6(1)(b)) | Until you delete the content or your account, plus 30 days |
| AI-generated output images | Images generated by our AI systems based on your input | Contract performance (Art. 6(1)(b)) | Until you delete the content or your account, plus 30 days |
| Payment processing via Stripe | Transaction reference, billing address, subscription status, invoice history | Contract performance (Art. 6(1)(b)) | 7 years (Swedish Bookkeeping Act) |
| Tax and accounting records | Name, order details, billing information | Legal obligation (Art. 6(1)(c)) | 7 years (Swedish Bookkeeping Act) |
| Fraud prevention and security | IP address, device info, server logs, access patterns | Legitimate interest (Art. 6(1)(f)) | 90 days |
| Service analytics and improvement | Usage data, feature engagement, session info | Legitimate interest (Art. 6(1)(f)) | 24 months in identifiable form, then anonymised |
| Customer support | Name, email, content of communications | Contract performance (Art. 6(1)(b)) | 24 months after resolution |
| Marketing communications | Name, email | Consent (Art. 6(1)(a)) | Until you unsubscribe |
| Non-essential cookies and tracking | Cookie identifiers, browsing behaviour | Consent (Art. 6(1)(a)) | Cookie consent records: 5 years (IMY guidance) |
| AI model training (if offered) | Product images, only with explicit opt-in | Explicit consent (Art. 6(1)(a)) | Until consent is withdrawn |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest at any time.
How does AI processing work?
The core function of Captured is AI-powered product photography. When you provide product images (via upload or URL scraping), those images are transmitted to third-party AI model providers for processing. The AI systems generate new product images based on your input, which are returned to your account.
We have entered into data processing agreements with all AI model providers, and we select providers that commit to not using customer data for their own model training. No automated decisions with legal or similarly significant effects are made about you through the Services.
If we introduce an option for you to opt in to allowing your images to be used for AI model improvement, this will be presented as a separate, clearly labelled consent mechanism. Participation will be entirely voluntary, and consent may be withdrawn at any time. We will never use your images for model training without your explicit prior consent.
A note on images and personal data
Product images generally depict objects rather than identifiable individuals. However, lifestyle product photography may include identifiable people, and photographs that can identify an individual constitute personal data under the GDPR. If you upload or scrape images containing identifiable individuals, you are responsible for ensuring appropriate consent has been obtained. We recommend avoiding uploading images containing identifiable persons where possible. If scraped images inadvertently contain personal data of identifiable individuals, we rely on the exemption in GDPR Article 14(5)(b) where individual notification would involve disproportionate effort, but we make this information available through this Policy.
If any individual believes their image has been processed through our platform without appropriate authorisation, they may contact us at privacy@captured.art to request removal.
3. Who do we share your data with?
In order to operate our business and provide the Services, we use third-party service providers ("Processors") to help us host, store, process, analyse, and maintain Captured. We carefully select our providers and ensure that they maintain appropriate technical and organisational measures to protect personal data and comply with applicable law. We have entered into Data Processing Agreements (DPAs) with all our Processors.
Our Processors include:
- AI model providers — to process your product images and generate AI output. Images are transmitted for processing only and are not retained by the provider beyond the processing session.
- Cloud infrastructure providers — to host the platform, store your data, and provide compute resources.
- Stripe, Inc. — to process payments. Stripe acts as both a processor (for payment execution) and an independent controller (for its own fraud prevention and compliance). Please refer to Stripe's privacy policy at stripe.com/privacy.
- Analytics providers — to collect usage data for service improvement (subject to your cookie consent).
- Customer support tools — to manage and respond to your support requests.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
International data transfers
Some of our Processors are located outside the European Economic Area (EEA), including in the United States. When personal data is transferred outside the EEA, we ensure adequate safeguards are in place in accordance with GDPR Chapter V. For transfers to the United States, we rely primarily on the EU-U.S. Data Privacy Framework (DPF) for DPF-certified recipients. Where the DPF does not apply, we use the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional technical and organisational measures such as encryption in transit and at rest.
We may also need to disclose your personal data to designated authorities in order to fulfil obligations under applicable law or legally binding judgements.
4. How long do we keep your data?
We keep your personal data only as long as necessary for the purpose for which it was collected. Depending on the lawful basis, this may be regulated by contract, dependent on valid consent, stated in legislation, or follow from an internal assessment. Specific retention periods for each processing activity are set out in the table in Section 2 above.
When retention periods expire, data is deleted or irreversibly anonymised. We may process aggregated and anonymised data that cannot identify you for the purposes of operating, maintaining, and improving the Services. Because such data cannot be linked back to you, it is not considered personal data under applicable law.
5. Your rights
You are the one in control of your personal data and we always strive to ensure that you can exercise your rights as efficiently and smoothly as possible.
- Access — You have the right to receive information about the processing of data that concerns you. We only provide information after verifying your identity.
- Rectification — If you find that the personal data we process about you is incorrect, let us know and we will fix it.
- Erasure — You have the right to request deletion of your personal data when the processing is no longer necessary for the purpose for which it was collected. If we are required to retain your information under applicable law, we will ensure it is processed only for that specific purpose and erase it as soon as possible.
- Objection — If you disagree with our assessment that a legitimate interest overrides your interest in protecting your privacy, we will review our assessment. If you object to direct marketing, we will immediately stop processing your data for that purpose.
- Restriction — You can ask us to restrict our processing of your personal data in certain circumstances.
- Data portability — We may provide you with the data you have submitted to us in a commonly used and machine-readable format that you can transfer to another controller.
- Withdraw consent — If you have given consent to processing, you have the right to withdraw it at any time. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
- Automated decision-making — You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Captured does not make such decisions.
- EU Data Act rights — If you are located in the EU/EEA, you also have rights under the EU Data Act (Regulation (EU) 2023/2854). You may request the transfer or deletion of your data, subject to reasonable notice and applicable law.
To exercise any of these rights, contact us at privacy@captured.art. We will respond within one (1) month. This period may be extended by two (2) further months for complex requests, in which case we will notify you.
Additional rights for users in the United States
If you are a resident of California or another US state with comprehensive privacy legislation, you may have additional rights, including the right to know what personal data we collect and how it is used, the right to delete, correct, and opt out of the sale or sharing of personal data, and the right to non-discrimination for exercising your rights.
We do not sell your personal data as defined under the California Consumer Privacy Act (CCPA/CPRA) or other state privacy laws. If we share data with analytics or advertising platforms in a manner that could constitute "sharing" under applicable law, we honour opt-out requests including Global Privacy Control (GPC) browser signals.
To exercise your US privacy rights, contact us at privacy@captured.art.
6. Cookies and tracking technologies
We use cookies and similar tracking technologies on the Website. In accordance with Sweden's Electronic Communications Act (Lag 2022:482) and the ePrivacy Directive, we obtain your prior consent before placing any non-essential cookies.
Essential cookies required for the basic functioning of the Website (such as authentication and security cookies) are placed without consent, as they are strictly necessary to provide the service you have requested. For non-essential cookies (including analytics and marketing cookies), we use a consent management platform that presents clear, equally prominent "Accept" and "Reject" options on your first visit. You may change your cookie preferences at any time through the cookie settings link available on every page of the Website.
For full details on the cookies we use, their purposes, providers, and duration, please refer to our separate Cookie Policy.
7. Security and data breaches
We take technical and organisational measures to ensure that your personal data is processed securely and protected from loss, abuse, and unauthorised access. Our security measures include encryption in transit (TLS) and at rest, access controls with role-based permissions, login and password management, regular security reviews, and backup solutions. Our infrastructure is hosted with providers that maintain industry-standard certifications.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify IMY without undue delay and, where feasible, within seventy-two (72) hours. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
8. Additional important information
Children's privacy
The Services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete that data as quickly as possible. If you believe a child has provided us with personal data, please contact us at privacy@captured.art.
Data protection impact assessments
We conduct Data Protection Impact Assessments (DPIAs) where required by GDPR Article 35, including for the AI image processing features of the Services and the web scraping functionality. These assessments evaluate the necessity and proportionality of our processing, the risks to data subjects, and the measures in place to mitigate those risks.
9. Changes to this Policy
We reserve the right to make changes to this Policy. In the event that a change affects our obligations or your rights, we will inform you about the changes in advance by email or prominent notice on the Website at least thirty (30) days before they take effect, so that you have the opportunity to review the updated policy.
10. Contact and supervisory authority
Please contact us if you have questions about your rights or about how we process your personal data:
Email: privacy@captured.art
HG Commerce AB
Org. No: 559498-1564
Observatoriegatan 2 a, 113 29 Stockholm, Sweden
If you think that we are not processing your personal data correctly, even after you have notified us, you are always entitled to submit your complaint to the Swedish Authority for Privacy Protection:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
www.imy.se — imy@imy.se
If you are located in another EU/EEA member state, you may also contact the supervisory authority in your country of residence.