Privacy Policy

Effective date: March 27, 2026
Last updated: March 27, 2026

This Privacy Policy explains how Vista Studios Ltd (“we,” “us,” “our”) collects, uses, and shares information when you use Calmly Kids (the “Service”) available at https://calmlykids.app (the “Website”).

By using the Service, you agree to the practices described in this Privacy Policy.

1) Who we are (Controller)

Controller: Vista Studios Ltd
Address: 85 Portland Street, First Floor, London , W1W 7LT, UK
Privacy contact: [email protected]

2) Scope

This Privacy Policy applies to personal data processed through the Service, including:

  • User accounts, profiles, and authentication
  • Subscriptions and/or a credits system
  • Payment processing
  • Downloads of assets (e.g., searchable JPEG wallpapers, source files, Blender files, PSD files)
  • AI-based generation features using user-uploaded images (including private pictures)
  • Integrations with external APIs
  • Website analytics and SEO measurement

3) Information we collect

We collect information in three main ways: (a) you provide it, (b) we collect it automatically, and (c) we receive it from third parties.

A. Information you provide

  • Account information: name/username, email, password (stored as hashed credentials via our authentication system), profile details you choose to add
  • User uploads and content: images you upload (including private pictures) for AI generation, prompts/instructions you enter, and files/outputs you generate and download
  • Purchases and entitlements: subscription tier, credits balance, asset download entitlements
  • Support communications: messages you send, and attachments you provide
  • Preferences: settings and communication preferences

B. Information collected automatically

  • Device and usage IP address, device identifiers, browser type, pages viewed, timestamps, referring URLs, approximate location derived from IP, download events, and feature usage
  • Log error logs, performance data, and audit/security logs (e.g., sign-in attempts)
  • Cookies and similar technologies: used for authentication, preferences, security, analytics, and SEO measurement (see Section 8)

C. Information from third parties

  • Payment providers: billing status, payment confirmations, partial payment details (e.g., last 4 digits), billing country, invoices/receipts, and dispute/chargeback information (we generally do not receive full card numbers)
  • External API providers: information needed to provide integrations you use (details depend on the specific API)
  • Analytics/measurement providers (if used): aggregated metrics and attribution data

4) How we use information

  • Create and manage your account and profile
  • Authenticate users and maintain account security
  • Provide downloads (searchable JPEG wallpapers and related source files, Blender files, PSD files) and track entitlements
  • Provide AI generation features (including generating downloadable “Calmly Kids” AI files) using your uploaded images and instructions
  • Operate the subscription and/or credits system, enforce limits, and prevent abuse
  • Process payments, refunds, chargebacks, and maintain billing records
  • Provide customer support and troubleshoot issues
  • Monitor performance, measure traffic and SEO outcomes, and improve user experience
  • Comply with legal obligations and enforce our terms and policies

5) Legal bases (EEA/UK and similar jurisdictions)

Where required, we rely on one or more of these legal bases:

  • Contract: to provide the Service you request (accounts, downloads, AI generation, subscriptions/credits)
  • Legitimate interests: to secure the platform, prevent fraud/abuse, improve features, and measure performance (balanced against your rights)
  • Consent: where required for certain cookies, marketing communications, or specific processing choices
  • Legal obligation: tax, accounting, compliance requests, and lawful disclosures

For Brazil (LGPD), we process personal data based on applicable legal hypotheses such as performance of contract, legitimate interest, consent (when required), and legal/regulatory obligations.

6) AI features and user-uploaded private pictures

When you upload images (including private pictures) to use our AI-based features:

  • We process your uploads to provide the requested outputs and functionality
  • We may store uploads and generated outputs so you can access them, re-download them, and manage your projects, depending on your settings and plan

Model training: We do not use your private uploaded images to train our AI models unless we clearly present an opt-in choice and you explicitly opt in.

Human review: We do not manually view your private images unless (a) you request support and provide them, (b) it’s necessary to investigate abuse/security incidents, or (c) required by law.

Third-party AI processing: If AI processing uses third-party providers or external APIs, your uploads, prompts, and outputs may be transmitted to those providers strictly to deliver the feature (see Section 7).

7) Sharing and disclosures (including external APIs)

We share information only as needed to run the Service, comply with law, or protect rights.

  • Infrastructure providers: hosting, databases, file storage, content delivery, monitoring, and error tracking
  • Authentication/user management: we currently use a self-hosted Supabase stack for database, storage, and authentication, but our infrastructure may change over time
  • Payment processors: to process subscriptions, one-time payments, credits, refunds, invoicing, and fraud checks
  • External API providers: to enable specific functionality (e.g., AI generation, image processing, email delivery)
  • Professional advisers: legal, accounting, and auditors
  • Authorities: if required by law or to protect rights, safety, and security
  • Business transfers: in a merger, acquisition, financing, or sale of assets, information may be transferred subject to appropriate safeguards

Current vendors:

  • Payment processor(s): Stripe
  • Email/SMS provider(s): Resend & AWS SES
  • Analytics/SEO provider(s): Google Analytics
  • AI provider(s) / model host(s): OpenAI, Black Forest Labs, Stability AI, ComfyUI

8) Cookies, analytics, and SEO measurement

  • Keep you signed in and maintain sessions
  • Remember preferences
  • Help prevent fraud/abuse and improve reliability
  • Understand traffic sources and measure SEO performance and site usage

Cookie choices: Where required by law, we present a cookie banner/consent tool for non-essential cookies.

Optional cookie policy link: https://calmlykids.app/cookie-policy

9) Data retention

  • Account retained while your account is active; after deletion, we may retain limited records as required for legal, tax, accounting, fraud prevention, and dispute resolution
  • Uploads and generated outputs: Indefinitely until the user deletes the account, or within one year of no activity
  • Billing records: retained as required by applicable law and financial regulations
  • Logs and security records: retained for a limited period to maintain security and investigate incidents

Backups may persist for a limited time even after deletion, and data may remain in logs in minimized form.

10) Security

We implement administrative, technical, and organizational safeguards designed to protect information. No method of transmission or storage is 100% secure, so we cannot guarantee absolute security.

11) International data transfers

We serve users globally, so information may be processed in countries other than your own. Where required, we use recognized transfer mechanisms and contractual safeguards to help protect cross-border transfers.

12) Your privacy rights

Depending on your location, you may have rights such as access, correction, deletion (subject to exceptions), portability, objection/restriction, withdrawal of consent, and opting out of marketing.

To exercise rights, contact [email protected]. We may need to verify your identity.

13) Children’s privacy

The Service is not intended for children under 18. If you believe a child has provided personal data, contact us and we will take appropriate steps.

14) Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version and change the “Last updated” date. If changes are material, we may provide additional notice.

15) Contact us

Email: [email protected]
Address: 85 Portland Street, First Floor, London , W1W 7LT, UK