Notice
Privacy Policy
Last updated: May 15, 2026
This notice describes how Cromea Studio (hereinafter also "we" or "the Service") processes personal data of users who access the site www.cromeastudio.com and use the AI color analysis service.
Processing is carried out in compliance with Regulation (EU) 2016/679 (GDPR), Italian Legislative Decree 196/2003 as amended by Decree 101/2018 and — for users residing outside the European Union — applicable regulations (CCPA for California, UK GDPR, LGPD in Brazil, PIPEDA in Canada).
1. Data controller
Antigravity
Email: info@antigravity.dev
For any request regarding the processing of your personal data, write to us at privacy@antigravity.dev.
2. Categories of data collected
We process the following categories of personal data:
- Email address: needed to authenticate you via OTP code and to send service communications (purchase receipt, dossier-ready notifications).
- Photo of your face: the image you upload for color analysis constitutes a biometric datum under Art. 9 GDPR (special category). It is processed by the AI to extract information about skin tone, hair and eyes, and is automatically deleted within 24 hours of upload.
- Analysis result (dossier): the color classification, palette and generated guidance. These are retained so that you can consult and download your dossier as long as your account remains active.
- Payment data: handled directly by Stripe (see § 6). We do not store card numbers or banking credentials — we only receive the transaction ID and the outcome.
- Technical data: IP address, user agent, request timestamps, session cookies needed for login to work. We do not use profiling or third-party advertising cookies.
3. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Service delivery (photo analysis, dossier generation) | Performance of a contract (Art. 6.1.b GDPR) + explicit consent for biometric data (Art. 9.2.a GDPR) |
| Authentication and account management | Performance of a contract (Art. 6.1.b) |
| Invoicing and tax compliance | Legal obligation (Art. 6.1.c) |
| Security, anti-fraud, technical logs | Legitimate interest (Art. 6.1.f) — abuse prevention |
Consent for processing your photo as biometric data is collected at upload time, before submission to the AI. You can withdraw consent at any time by deleting your account or requesting removal via email.
4. Retention period
- Original photo: automatically deleted within 24 hours of upload via a scheduled job. No backup copy is kept beyond this period.
- Generated dossier and palette: retained as long as your account remains active. You can delete them individually from the dashboard at any time.
- Account and email: deleted upon your request or after 24 months of inactivity (with email notice 30 days in advance).
- Tax data: retained for 10 years as required by Italian law (Art. 2220 Civil Code).
- Security logs: retained for 90 days and then deleted.
5. Processing methods and security
Data is processed using IT tools and stored on protected servers, with technical and organizational measures designed to ensure confidentiality, integrity and availability (TLS 1.2+ encryption in transit, at-rest encryption of file storage, passwordless authentication with time-limited OTP codes, Row-Level Security at the database layer, HTTP security headers). No manual processing or automated decision-making producing significant legal effects on the user takes place (the color analysis is purely informational in nature).
6. Data recipients (sub-processors)
To deliver the service we rely on the following providers (sub-processors under Art. 28 GDPR):
| Provider | Role | Location |
|---|---|---|
| Supabase | Database, auth, photo/dossier storage | EU (Frankfurt) |
| fal.ai | AI image analysis (Google Gemini Vision) | USA — SCC in place |
| Vercel | Web application hosting | USA — SCC in place |
| Stripe | Payment processing, invoicing, Stripe Tax | USA / Ireland |
| Google Analytics 4 | Aggregated usage statistics (only with explicit consent) | USA — SCC in place, IP anonymized |
Transfers outside the EU take place on the basis of the Standard Contractual Clauses (SCC) approved by the European Commission with Decision 2021/914. fal.ai and Vercel have signed Data Processing Agreements that prohibit using the data to train AI models. Google Analytics 4 is activated only after your explicit consent via the cookie banner (Google Consent Mode v2 with default 'denied').
7. Your rights
As a data subject, you have the right to:
- Access (Art. 15 GDPR): obtain a copy of your data.
- Rectification (Art. 16): correct inaccurate data.
- Erasure / right to be forgotten (Art. 17): delete your account and all associated data.
- Restriction (Art. 18): request the suspension of processing.
- Portability (Art. 20): receive your data in a structured format (JSON).
- Objection (Art. 21): object to processing based on legitimate interest.
- Withdrawal of consent at any time, without affecting the lawfulness of prior processing.
- Complaint to the Italian Data Protection Authority (garanteprivacy.it) or the authority in your country of residence.
To exercise your rights, write to us at privacy@antigravity.dev. We will respond within 30 days.
8. California residents (CCPA / CPRA)
If you reside in California, you have additional rights under the California Consumer Privacy Act: to know the categories of personal information collected, to request their deletion, and to opt out of sale or sharing (to be clear: we do not sell or share your personal data).
9. Minors
The Service is intended for users aged 16 or older. We do not knowingly collect data from minors; if we become aware of an account belonging to a minor, we delete it immediately.
10. Changes to this notice
We may update this notice in case of technical, regulatory or organizational changes. Substantial changes will be communicated by email at least 30 days in advance. The last-updated date is shown at the top.
Questions? Write to us at privacy@antigravity.dev. We'll respond within 5 working days.