Privacy Policy
Shootify Labs AG (trading as "Sartiq")
Via Pedemonte 20, 6962 Viganello (Lugano), Switzerland
Document Version: 2.0 | Effective Date: February 2026
1. Introduction
Shootify Labs AG, a company registered under the laws of Switzerland, with registered address at Via Pedemonte 20, 6962 Viganello (Lugano), Switzerland ("Company", "we", "us", or "our"), is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect personal data in connection with our website (sartiq.com) and our AI-powered photography platform (the "Platform").
We process personal data in accordance with the Swiss Federal Act on Data Protection ("FADP"), the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and other applicable data protection laws (collectively, "Data Protection Laws").
This Privacy Policy applies to all visitors of our website and users of our Platform, including employees and authorized representatives of our business clients.
2. Data Controller
The data controller responsible for the processing of your personal data is:
| Field | Detail |
|---|---|
| Legal Name | Shootify Labs AG |
| Address | Via Pedemonte 20, 6962 Viganello (Lugano), Switzerland |
| Commercial Register | CH-501.4.029.238-9 (Canton Ticino) |
| VAT/UID | CHE-229.758.403 |
| Contact Email | info@sartiq.com |
| Phone | +41 77 533 70 57 |
2.1 Data Protection Officer
Under Art. 10 FADP, the appointment of a Data Protection Advisor is voluntary for private data controllers in Switzerland. Under Art. 37(1) GDPR, the appointment of a Data Protection Officer ("DPO") is mandatory only where (a) the processing is carried out by a public authority, (b) the core activities of the controller consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or (c) the core activities consist of processing on a large scale of special categories of data.
None of these conditions apply to Shootify Labs AG. Our core activity is providing AI-powered photography services to business clients, not the large-scale processing or monitoring of personal data. We process personal data only to the extent necessary for user account management and platform operation (typically 1–50 data subjects per client). Accordingly, we have not appointed a DPO. For any data protection inquiries, please contact us at: info@sartiq.com.
2.2 EU Representative (Art. 27 GDPR)
Under Art. 27(1) GDPR, a controller not established in the EU that processes personal data of EU data subjects must designate an EU representative. However, Art. 27(2) provides an exemption for processing which:
- (a) is occasional;
- (b) does not include, on a large scale, processing of special categories of data referred to in Art. 9(1) or processing of personal data relating to criminal convictions and offences referred to in Art. 10; and
- (c) is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
Shootify Labs AG qualifies for this exemption because:
- We process minimal personal data of EU-based individuals (limited to user account data: name, email, company name for platform access);
- We employ fewer than 250 persons;
- We do not process special categories of personal data;
- We do not monitor EU data subjects systematically or on a large scale;
- The personal data we process (business contact details for B2B platform access) presents low risk to the rights and freedoms of natural persons.
Should this assessment change (e.g., due to significant expansion of EU operations), we will promptly designate an EU representative and update this Privacy Policy accordingly.
3. Categories of Personal Data, Purposes, Legal Basis, and Retention
We collect and process the following categories of personal data:
3.1 Technical Data (Website and Platform)
| Aspect | Detail |
|---|---|
| Data Collected | IP address, browser type and version, operating system, device information, referral URL, pages visited, time and date of access |
| Method of Collection | Automatically collected during website and Platform visits via server logs |
| Purpose | To ensure the security and proper functioning of our website and Platform; to detect and prevent misuse; to analyze aggregated usage patterns for service improvement |
| Legal Basis | Legitimate interest (Art. 6(1)(f) GDPR) in ensuring IT security and service availability. The balancing test confirms that our interest in maintaining secure, functional systems outweighs any minimal intrusion on the data subject, as only technical identifiers are processed and are not used for profiling or marketing. |
| Retention Period | Server logs are retained for 30 days and then automatically deleted. Aggregated, anonymized statistics may be retained indefinitely. |
3.2 Account and Identity Data (Platform Users)
| Aspect | Detail |
|---|---|
| Data Collected | Full name, business email address, company name, job title, phone number (optional) |
| Method of Collection | Provided by the user or their employer during account registration and onboarding |
| Purpose | To create and manage user accounts; to provide access to the Platform; to communicate regarding service delivery; to provide customer support |
| Legal Basis | Performance of a contract (Art. 6(1)(b) GDPR) — the data is necessary for the provision of our services under the agreement with the client organization |
| Retention Period | For the duration of the contractual relationship with the client organization. Upon termination, account data is retained for 30 days (to enable data return/export) and then deleted, unless longer retention is required by law. |
3.3 Billing and Transaction Data
| Aspect | Detail |
|---|---|
| Data Collected | Billing contact name, billing address, invoice records, payment references |
| Method of Collection | Provided by the client organization during contract setup |
| Purpose | Invoicing, payment processing, financial record-keeping |
| Legal Basis | Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR) for tax and accounting record retention |
| Retention Period | 10 years from the end of the financial year in which the transaction occurred, as required by Swiss tax law (Art. 958f CO) and applicable EU tax legislation |
3.4 Communication Data
| Aspect | Detail |
|---|---|
| Data Collected | Content and metadata of communications sent to us (emails, contact forms, support requests) |
| Method of Collection | Provided voluntarily by the data subject |
| Purpose | To respond to inquiries; to provide customer support; to improve our services |
| Legal Basis | Legitimate interest (Art. 6(1)(f) GDPR) in responding to inquiries and maintaining business relationships |
| Retention Period | For the duration of the business relationship, plus 1 year for follow-up purposes. Deleted upon request unless retention is legally required. |
3.5 User-Generated Content (Platform)
| Aspect | Detail |
|---|---|
| Data Collected | Product images uploaded to the Platform (still-life photos, 3D renders), styling parameters, generation settings |
| Method of Collection | Uploaded by the user through the Platform interface or API |
| Purpose | To generate AI-powered on-model photography as contracted |
| Legal Basis | Performance of a contract (Art. 6(1)(b) GDPR) |
| Retention Period | As agreed with the client organization (typically deleted within 30 days of contract termination, unless the client requests earlier deletion or return) |
Important note on product images: The product images processed by our Platform are images of garments and accessories (still-life, flat-lay, or 3D renders). They do not contain photographs of identifiable natural persons. Our Platform does not accept, process, or require photographs of real people as inputs. Clients are contractually prohibited from uploading images containing personal data.
4. Special Categories of Personal Data
Our Platform is not intended to collect or process special categories of personal data as defined in Art. 9 GDPR (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sexual orientation).
We do not request, and we instruct users not to provide, any such data. If special category data is inadvertently provided, we will delete it promptly upon becoming aware.
5. AI-Generated Content and Transparency (AI Act)
5.1 Nature of Our AI System
Our Platform uses generative AI technology to produce photorealistic synthetic images depicting AI-created human figures wearing client products. These images are created from synthetic data and are not based on, derived from, or intended to replicate any real natural person.
5.2 Transparency Obligations (Art. 50 AI Act)
Under Art. 50 of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), providers of AI systems that generate synthetic content must ensure that the outputs are marked in a machine-readable format and are detectable as artificially generated or manipulated.
We implement the following transparency measures:
- SynthID (Google DeepMind): Imperceptible digital watermark embedded in images generated via Google Vertex AI
- C2PA Content Credentials: Industry-standard cryptographic provenance manifest (backed by Adobe, Microsoft, Google)
- EXIF/XMP Metadata: Standard metadata fields marking images as AI-generated, including IPTC DigitalSourceType
- Visible labeling: Optional text overlay ("AI Generated") configurable per client preference
5.3 No Personal Data in AI Pipeline
Our AI image generation pipeline processes only product images and styling parameters. No personal data enters the generation pipeline. The synthetic persons depicted in generated images do not represent any real individual.
6. Recipients of Personal Data
We may share your personal data with the following categories of recipients, solely to the extent necessary for the purposes described in this Privacy Policy:
6.1 Infrastructure and Service Providers (Sub-Processors)
| Sub-Processor | Service | Entity | Processing Location | Relevant Safeguards |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, data storage, compute infrastructure | Amazon Web Services EMEA SARL | EU (Frankfurt, Germany — eu-central-1) | AWS GDPR Data Processing Addendum; ISO 27001, SOC 2 certified |
| Google Cloud Platform (GCP) | Cloud infrastructure, compute services | Google Ireland Limited | EU (europe-west regions) | Google Cloud Data Processing Amendment; ISO 27001, SOC 2 certified |
| Google Vertex AI | AI image generation (Imagen, Gemini) | Google Ireland Limited | EU (europe-west); Global endpoint for certain preview models (no personal data transmitted) | Google Cloud DPA; no personal data sent to AI endpoints — only product images and generation parameters |
We do NOT share personal data with:
- Marketing or advertising platforms
- Data brokers or analytics providers
- Social media networks
- Any third party for their own independent purposes
6.2 Professional Advisors
We may share personal data with our legal, tax, and accounting advisors where necessary and subject to professional confidentiality obligations.
6.3 Legal Obligations
We may disclose personal data where required by applicable law, regulation, court order, or binding request from a competent authority.
7. International Data Transfers
We do NOT transfer personal data outside the EU/EEA.
All personal data is processed and stored within the European Union, specifically at AWS Frankfurt (eu-central-1) and Google Cloud europe-west regions.
For AI image generation via Google Vertex AI, only product images and generation parameters are transmitted — no personal data is sent to AI generation endpoints. Even where global endpoints are used for certain preview-phase models, no personal data crosses any border.
Should we need to transfer personal data outside the EU/EEA in the future, we will ensure that appropriate safeguards are in place as required by Chapter V GDPR (e.g., Standard Contractual Clauses, adequacy decisions) and will update this Privacy Policy accordingly.
8. Cookies and Tracking Technologies
We do NOT use cookies or similar tracking technologies on our website or Platform.
We do not use:
- Advertising or marketing cookies
- Analytics cookies (e.g., Google Analytics)
- Social media tracking pixels
- Fingerprinting or other tracking mechanisms
Our website operates without setting any cookies on the visitor's device. If this changes in the future, we will implement an appropriate consent mechanism before deploying any non-essential cookies and update this Privacy Policy.
9. Data Subject Rights
Under the GDPR (Articles 15–22) and the FADP, you have the following rights regarding your personal data:
| Right | Description | Legal Reference |
|---|---|---|
| Right of Access | You may request confirmation of whether we process your personal data and, if so, obtain a copy of such data and information about the processing | Art. 15 GDPR; Art. 25 FADP |
| Right to Rectification | You may request correction of inaccurate personal data or completion of incomplete data | Art. 16 GDPR; Art. 32 FADP |
| Right to Erasure | You may request deletion of your personal data where there is no compelling reason for continued processing | Art. 17 GDPR; Art. 32 FADP |
| Right to Restriction | You may request that we restrict the processing of your personal data in certain circumstances | Art. 18 GDPR |
| Right to Data Portability | You may request to receive your personal data in a structured, commonly used, machine-readable format | Art. 20 GDPR |
| Right to Object | You may object to processing based on legitimate interests, including any profiling | Art. 21 GDPR |
| Right Not to be Subject to Automated Decision-Making | You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you | Art. 22 GDPR |
| Right to Withdraw Consent | Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal | Art. 7(3) GDPR |
How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: info@sartiq.com
- Post: Shootify Labs AG, Via Pedemonte 20, 6962 Viganello (Lugano), Switzerland
We will respond to your request within 30 days of receipt. If we require additional time (up to a further 60 days for complex requests), we will notify you within the initial 30-day period with an explanation. We may request verification of your identity before processing your request.
There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: TLS 1.3 for all data transmissions
- Encryption at rest: AES-256 for all stored data
- Access control: Multi-factor authentication (MFA) and role-based access control (RBAC)
- Infrastructure security: Certified data centers (AWS, GCP — ISO 27001, SOC 2)
- Monitoring: Centralized security logging and real-time alerting
- Incident response: Documented incident response plan with defined notification timelines
In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours in accordance with Art. 33 GDPR, and affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).
11. Record of Processing Activities (Art. 30 GDPR)
We maintain a record of processing activities in accordance with Art. 30 GDPR and Art. 12 FADP. This record documents all categories of processing activities carried out under our responsibility and is available to competent supervisory authorities upon request.
12. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes Data Protection Laws, you have the right to lodge a complaint with a supervisory authority:
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
- European Union: The supervisory authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at: edpb.europa.eu/about-edpb/about-edpb/members_en
We encourage you to contact us first at info@sartiq.com so that we may address your concern before you escalate to a supervisory authority.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Material changes will be communicated through our website. We encourage you to review this Privacy Policy periodically.
The "Effective Date" at the top of this document indicates when the most recent version took effect.
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Shootify Labs AG
Via Pedemonte 20
6962 Viganello (Lugano)
Switzerland
Email: info@sartiq.com
Phone: +41 77 533 70 57