PRIVACY POLICY
Effective Date: January 1, 2026
Last Updated: February 6, 2026
1. SCOPE AND DEFINITIONS
This Privacy Policy governs the relationship between JEWELER STUDIO LLC (“Company”) and the business entity or professional individual subscribing to the Services (“The Subscriber”).
- Subscriber: The jewelry business or professional entity subscribing to the Services.
- End-User: The individual customer of the Subscriber interacting with the Platform.
- Lead Data: All information, contact details, and design preferences captured from End-Users.
- Outputs: AI-generated images, renders, and design specifications.
- Platform: The Company’s proprietary SaaS jewelry visualization tool, dashboard, API, and associated software.
2. DETAILED INFORMATION COLLECTION
The Company collects the following data to maintain the business relationship:
- Administrative Data: Full name of account holders, professional email, and phone number.
- KYC/Compliance Data: The Company handles sensitive KYC/Compliance Data (Government IDs, Entity Docs) internally. This data is stored in air-gapped or logically isolated encrypted volumes restricted to the Company’s Compliance Officer. The Subscriber acknowledges that the Company may disclose this data to FinCEN or under the USA PATRIOT Act without prior notice.
- Financial Data: Transaction history and billing metadata. Payment processing is managed via Stripe; the Company does not store raw credit card numbers.
- Technical Usage Data: IP addresses, security logs, and dashboard interaction metrics.
3. INTERNAL KYC PROTOCOLS & SECURITY
Unlike standard usage data, KYC/Compliance Data is handled with enhanced security:
- Internal Processing: Compliance documents are stored internally in encrypted, logically isolated databases.
- Access Restricted: Access to raw identification documents is strictly limited to the Company’s Compliance Officer and senior legal counsel.
- Regulatory Disclosure: The Subscriber acknowledges that the Company may be required by law (USA PATRIOT Act/FinCEN) to disclose this data to regulatory authorities without prior notice.
4. PROPRIETARY RIGHTS & DATA OWNERSHIP
- Company Ownership of Lead Data: The Subscriber acknowledges that all Lead Data generated via the Platform is the sole and exclusive property of the Company. The Company grants the Subscriber a limited, revocable license to access this data solely for the purpose of order fulfillment and customer service during an active subscription.
- Company Ownership of AI Outputs: All Outputs generated by the Platform are owned 100% by the Company.
- Subscriber Usage License: The Company hereby grants the Subscriber a perpetual, worldwide, royalty-free, and sub-licensable license to use, display, modify, and distribute the Outputs for any commercial purpose (marketing, manufacturing, etc.).
- Restrictions: The Subscriber shall not sell or lease Lead Data to third parties, nor use the Outputs to train competing artificial intelligence models.
- Trademark Disclaimer: The Company makes no warranty that Outputs are free from third-party trademark or trade dress claims. The Subscriber assumes all risk for the commercial use of designs that may resemble existing branded jewelry.
5. ARTIFICIAL INTELLIGENCE & DESIGN DISCLAIMER
- Probabilistic Nature: Outputs are generated via probabilistic AI models (Google Gemini). The Company makes no warranty regarding the physical manufacturability, structural integrity, or gemstone availability of any design.
- Trademark Disclaimer: The Company does not warrant that Outputs are free from third-party trademark or “trade dress” claims. The Subscriber assumes all risk for the commercial use of designs that may resemble existing branded jewelry.
6. DATA SHARING & SUBPROCESSORS
The Company utilizes the following vetted subprocessors to provide the Service:
- AI Inference: Google AI Studio (Gemini).
- Cloud Infrastructure: Google Cloud Platform (GCP), AWS, and Render.
- Security & CDN: Cloudflare.
7. DATA LIFECYCLE & RETENTION
- Permanent Business Records: The Company shall retain Subscriber’s basic Administrative Data (Business Name, Primary Contact, and Account Metadata) and Transactional History permanently as part of its historical business archives. This data is retained to prevent platform abuse, facilitate potential account reactivation, and maintain accurate corporate financial history.
- Mandatory Legal Hold (KYC): Pursuant to federal Anti-Money Laundering (AML) regulations and the USA PATRIOT Act, all sensitive KYC/Compliance Data (Government IDs, Entity Formation Docs) shall be retained for a minimum of five (5) years following account termination. After this period, the Company may, at its discretion, purge or continue to store this data in an “Offline/Cold Storage” state.
- Lead Data & AI Outputs: As the Company is the 100% owner of Lead Data and AI Outputs (as defined in Section 4), the Company reserves the right to retain this data indefinitely in an anonymized or aggregated format for the purpose of platform optimization and AI model training.
- Right to Erasure (Limited): Any request for “The Right to be Forgotten” or data deletion shall apply only to non-essential marketing data and shall not supersede the Company’s right to maintain its permanent commercial archives or its federal legal hold obligations.
8. SECURITY & BREACH NOTIFICATION
The Company employs AES-256 encryption at rest and TLS 1.2+ in transit. In the event of a confirmed breach of sensitive Compliance Data, the Company will notify the Subscriber within 72 hours of discovery.
9. SUBSCRIBER WARRANTIES
The Subscriber warrants that:
- They are a legitimate business entity in good standing.
- They will not use the platform for money laundering or to facilitate the sale of “conflict diamonds” or illicit materials.
- They maintain their own privacy policy informing their End-Users that data is processed by third-party providers.
10. CHANGES TO THIS POLICY
- Right to Amend: The Company reserves the right to update or modify this Privacy Policy at any time.
- Notice of Material Changes: For significant changes (e.g., changes to data ownership, sharing with new third parties, or retention periods), the Company will provide the Subscriber with at least fourteen (14) days’ notice prior to the changes taking effect.
- Delivery of Notice: Notice shall be deemed provided when (i) sent via email to the Subscriber’s primary administrative address, or (ii) posted as a prominent alert on the Subscriber Dashboard.
- Acceptance via Continued Use: Your continued use of the Services following the effective date of any changes constitutes your affirmative acceptance of the revised Privacy Policy. If you do not agree to the changes, your sole and exclusive remedy is to terminate your subscription and cease all use of the Platform prior to the effective date.
11. CONTACT INFORMATION
For all legal or data inquiries:
Jeweler Studio LLC
Attn: Data Protection Officer
6115 97th St Unit 2K
Rego Park, NY 11374
Email: Contact@jewelerstudio.ai
DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum (“DPA”) forms part of the Master Service Agreement or Terms of Service (the “Agreement”) between JEWELER STUDIO LLC (“Company”) and THE SUBSCRIBER (the “Subscriber”).
1. ASSIGNMENT OF DATA RIGHTS
Notwithstanding the roles of the parties defined herein, the Subscriber hereby assigns all right, title, and interest in and to the Lead Data to the Company as a material condition of using the Platform. This assignment ensures the Company’s ability to maintain a centralized, high-value data asset for AI training and platform optimization. The Company grants the Subscriber a license to use this data during the term of their subscription as defined in the Privacy Policy.
2. ROLES OF THE PARTIES
- Subscriber as Controller: The Subscriber determines the purposes and means of processing End-User data via their website integration.
- Company as Processor: The Company processes End-User data only on the documented instructions of the Subscriber to provide the AI visualization services.
3. BIOMETRIC COMPLIANCE & INDEMNIFICATION
The Subscriber warrants that it has obtained explicit, informed, and written consent from End-Users before permitting the upload of any media (e.g., hand photos) that could be subject to biometric privacy laws (such as BIPA). The Subscriber shall indemnify and hold the Company harmless against any and all claims, fines, or legal fees resulting from a failure to obtain such consent or for any violation of regional biometric privacy statutes.
4. SUBPROCESSOR GOVERNANCE
The Subscriber provides General Authorization for the Company to utilize the subprocessors listed in the Privacy Policy (including but not limited to Google Cloud, AWS, Render, and Cloudflare). The Company shall provide notice of any changes to its subprocessor list via the Subscriber Dashboard or official email notification.
5. TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
The Company shall implement industry-standard security measures, including:
- Encryption: All data is protected via AES-256 encryption at rest and TLS 1.2+ in transit.
- Confidentiality: Ensuring all Company personnel with access to data are bound by strict non-disclosure agreements.
- Isolation: Maintaining logical data segregation to prevent cross-contamination between different Subscribers.
6. BREACH NOTIFICATION
The Company shall notify the Subscriber without undue delay, and in any event within 72 hours, after becoming aware of a confirmed personal data breach affecting End-User data. The notice will include the nature of the breach and the Company’s remediation plan.
7. COORDINATED DELETION & RETENTION
Upon termination of the Agreement, the Company shall, at the Subscriber’s choice, delete or return End-User personal data, excluding:
- Any Lead Data or Outputs already owned by the Company pursuant to Section 1 of this DPA.
- Any data subject to the mandatory 5-year federal KYC/AML legal hold as required by the USA PATRIOT Act.
8. AUDIT RIGHTS
The Subscriber’s right to audit is limited to one remote inspection of the Company’s compliance documentation per calendar year. Such audit requires 30 days’ written notice and must be conducted without disrupting the Company’s standard business operations.
9. INTERNATIONAL TRANSFERS
To the extent that the Subscriber is located in the EEA, UK, or Switzerland, the parties agree that the relevant Standard Contractual Clauses (SCCs) are incorporated herein by reference to ensure the legality of cross-border data transfers to the Company’s US-based servers.
10. JURISDICTION
This DPA shall be governed by the laws of the State of New York without regard to conflict of law principles. Any disputes arising hereunder shall be resolved in the state or federal courts located in New York County.