Privacy Policy

LUK · Effective 2026-05-26

1. Introduction

This Privacy Policy describes how Lief Lab, operator of the LUK application ("we", "our", or "the App"), collects, uses, and handles data when you install and use the App through the Shopify platform.

By installing LUK, you agree to the practices described in this policy.

2. Data We Collect

LUK collects only shop-level data. We do not collect, process, or store end-customer (shopper) personally identifiable information (PII).

Data Type	What We Store	Purpose
Shop identity	Shop domain (e.g. yourshop.myshopify.com)	App authentication and per-shop credit/billing tracking
Product data	Shopify product IDs, titles, and image URLs from your store	Display products for selection inside the app
Generated images	Output images produced by the AI generation feature	Display in history, allow push to product gallery
Credit balance	Credit count per shop	Enforce usage limits and billing tier
Subscription	Current billing plan and Shopify charge ID	Determine feature access and credit allocation
Usage statistics	Count of model usage per generation (no image data)	Internal analytics to improve the model catalog

3. Data We Do NOT Collect

End-customer (shopper) names, emails, addresses, or purchase history
Payment card details (handled entirely by Shopify Billing)
Merchant personal details beyond the shop domain
Browser cookies or tracking pixels beyond what Shopify App Bridge requires

4. How We Use Your Data

AI image generation: Product images you select are sent to the Google Gemini API (specifically, Google Gemini 2.5 Flash) to generate on-model product photos. Images are processed transiently and are not retained by Google for model training under our API agreement.
Image storage: Generated output images are stored in Supabase Storage (a cloud storage service) under your shop's namespace and are accessible only to your shop.
Billing: Subscription and credit data is used solely to enforce plan limits and process recurring charges through Shopify's native Billing API.

5. Third-Party Processors

We share data with the following sub-processors:

Processor	Purpose	Data Shared	Privacy Policy
Google Gemini API	AI image generation	Product image (transient, not retained)	policies.google.com/privacy
Supabase	Image and data storage	Generated images, shop profile	supabase.com/privacy
Shopify	App platform, billing, OAuth	Shop domain, billing charge ID	shopify.com/legal/privacy
Vercel	App hosting and compute	Request logs (IP, headers) — retained per Vercel plan	vercel.com/legal/privacy-policy

6. Data Retention

Active shops: Data is retained for as long as the app is installed and your subscription is active.
After cancellation or downgrade (App still installed): Your shop data (history, settings, remaining credits subject to §4 of the Terms of Service) is retained until the end of the current billing period. At the start of the next billing period, the new plan's retention and feature scope applies; expired credits are removed from your balance.
After uninstall: All shop-scoped data (generations, credits, subscription, shop profile) is permanently deleted within 48 hours of receiving the Shopify SHOP_REDACT webhook, in compliance with Shopify Partner requirements.
Generated images: Stored in Supabase Storage per-shop. Deleted as part of the SHOP_REDACT purge. Merchants may also delete individual images from the History page at any time.

Shopify GDPR webhook compliance: LUK does not collect or store end-customer (shopper) personally identifiable information. In accordance with Shopify Partner program requirements, we implement all three mandatory GDPR webhooks: SHOP_REDACT (purges all shop-scoped data within 48 hours of app uninstall, as described above), CUSTOMERS_DATA_REQUEST (acknowledged with a no-op response, as no customer data is held), and CUSTOMERS_REDACT (acknowledged with a no-op response, as no customer data is held). Webhook endpoints are HMAC-verified per Shopify specifications.

7. Data Security

All data is transmitted over HTTPS. Supabase Storage enforces per-bucket access policies so that one shop cannot access another shop's generated images. Database access is restricted to server-side code using environment-scoped credentials.

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding personal data we process about you (the merchant) or your shop:

Right of access — Request a copy of the data we hold about your shop.
Right to rectification — Request correction of inaccurate or incomplete data.
Right to erasure — Request deletion of your shop's data at any time by contacting us or by uninstalling the app.
Right to data portability — Request your shop data in a structured, machine-readable format.
Right to restriction or objection — Request that we restrict or stop processing your data in certain circumstances.
Right to withdraw consent — Where processing is based on consent, withdraw it at any time.
Right to lodge a complaint — EU/UK merchants may lodge a complaint with their local Data Protection Authority. UK merchants may contact the Information Commissioner's Office (ico.org.uk).

For California residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, the right to opt out of “sale” or “sharing” of personal information (we do not sell or share personal information for cross-context behavioral advertising), and the right to non-discrimination for exercising these rights.

Data Processing Agreement (DPA): A DPA is available on request for merchants requiring one for GDPR Article 28 compliance.

To exercise any of these rights or request a DPA, email us at lief.ofcl@gmail.com. We will respond within 30 days.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify merchants of material changes by updating the effective date above. Continued use of the App after a policy update constitutes acceptance of the revised terms.

10. Contact

If you have questions about this Privacy Policy or our data practices, please contact:

Lief Lab (operator of LUK)
Republic of Korea
Email: lief.ofcl@gmail.com
App URL: https://luk-spi.vercel.app