# Privacy Policy

Last updated: March 11, 2026

Lupa Software S.L. (“Lupa”, “we”, “our”, or “us”) respects your privacy and is committed to protecting personal data in accordance with applicable data protection laws, including Regulation (EU) 2016/679 (“GDPR”) and other applicable privacy and consumer protection laws.

This Privacy Policy explains how we collect, use, disclose, store, protect, and otherwise process personal information when you access or use our website, applications, products, and related services, including the website currently available at [https://lupa.art](https://lupa.art/) and any related platform, tool, interface, or feature (collectively, the “Service”).

This Privacy Policy also explains your rights and choices regarding your personal data.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

***

### 1. Controller Information

The controller responsible for the processing of personal data under this Privacy Policy is:

Lupa Software S.L.\
NIF: B22790133\
Avinguda Cerdanyola 92, Office 31\
08172 Sant Cugat del Vallès\
Barcelona, Spain

Contact email: <contact@lupaupscaler.com>

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, you may contact us using the details above.

***

### 2. Scope of this Privacy Policy

This Privacy Policy applies to personal data collected by Lupa through or in connection with:

* our website;
* user registration and account administration;
* subscriptions, billing, and invoices;
* customer support and communications;
* uploaded, generated, stored, and shared assets;
* analytics, security, fraud prevention, and platform performance monitoring;
* any other interactions you may have with us in connection with the Service.

This Privacy Policy does not apply to third-party websites, products, or services that may be linked to or integrated with the Service but are governed by their own privacy notices or terms.

***

### 3. Categories of Personal Data We Collect

We collect personal data in several ways, depending on how you interact with the Service.

#### 3.1 Information you provide directly

We may collect personal data you provide to us directly, including:

* name;
* username or display name;
* email address;
* login credentials or authentication-related information;
* account preferences;
* support requests and related correspondence;
* information you provide when contacting us;
* any other information you choose to submit through the Service.

You are responsible for ensuring that the information you provide is accurate and up to date.

#### 3.2 Account and profile information

When you create and use an account, we may process:

* account identifiers;
* subscription status;
* plan type;
* purchase and renewal history;
* account settings;
* public profile information, if you choose to make content or profile elements visible to others.

#### 3.3 Payment and billing information

Payments, subscription billing, and certain invoicing functions are handled by third-party payment providers, including Stripe. Lupa does not store full payment card numbers or full card credentials on its own systems. We may receive limited billing-related information necessary to manage the commercial relationship and provide the Service, such as subscription status, payment confirmation, invoice identifiers, billing country, and limited transaction metadata. Stripe publicly states that it processes personal data in connection with payments and related services under its own privacy terms.

#### 3.4 Usage, device, and technical data

When you access or use the Service, we may automatically collect certain technical and usage data, including:

* IP address;
* browser type and version;
* device type and identifiers;
* operating system;
* language settings;
* session data;
* log files;
* access timestamps;
* pages viewed and navigation paths;
* interactions with platform features;
* referrer URLs;
* crash reports, diagnostic information, and performance data.

#### 3.5 Uploaded, generated, and stored content

Our Service enables users to upload, generate, edit, store, organize, and share images and other digital assets. In connection with these features, we may process:

* uploaded files;
* generated outputs;
* metadata associated with those files or outputs;
* prompts, instructions, or related input data submitted through the Service;
* storage and sharing preferences associated with the content;
* visibility settings, including whether content is private or publicly shared.

#### 3.6 Cookies and similar technologies

We use cookies and similar technologies to operate the Service, remember preferences, maintain sessions, improve performance, measure engagement, and support analytics and security functions. Additional information may be provided in our Cookie Policy.

***

### 4. Sources of Personal Data

We collect personal data from the following sources:

* directly from you;
* automatically from your device or browser when using the Service;
* from payment processors and billing partners in connection with subscription management;
* from infrastructure and hosting providers used to operate the Service;
* from communications you send to our support or operational teams;
* from third-party integrations you choose to connect, where applicable.

***

### 5. Purposes of Processing

We process personal data for the following purposes:

* to provide, operate, maintain, and improve the Service;
* to create, administer, and secure user accounts;
* to process subscriptions, renewals, payments, invoices, and related billing operations;
* to provide customer support and respond to requests, complaints, and inquiries;
* to store, process, render, deliver, and display uploaded or generated assets;
* to enable sharing, profile publication, and collaboration features;
* to monitor usage, diagnose issues, optimize performance, and improve user experience;
* to detect, investigate, prevent, and address fraud, unauthorized use, abuse, security incidents, and violations of law or contract;
* to enforce our Terms and other policies;
* to comply with legal, accounting, tax, regulatory, and compliance obligations;
* to communicate with you about transactional, administrative, technical, service-related, and, where permitted, marketing matters;
* to protect our rights, business, systems, users, and the public;
* to support internal reporting, audits, corporate transactions, and business continuity.

We do not sell personal data to third parties.

***

### 6. Legal Bases for Processing

Where GDPR applies, we process personal data on one or more of the following legal bases:

#### 6.1 Performance of a contract

We process personal data where necessary to provide the Service, administer your account, process payments, deliver requested features, and perform our contractual obligations.

#### 6.2 Legitimate interests

We process personal data where necessary for our legitimate interests, including:

* maintaining and improving the Service;
* ensuring security and platform integrity;
* preventing fraud, abuse, and unauthorized access;
* supporting customer operations;
* defending legal claims;
* conducting internal analytics and business administration;
* promoting the Service using lawfully available content in the circumstances described in this Privacy Policy.

Where we rely on legitimate interests, we assess those interests against the rights and freedoms of data subjects.

#### 6.3 Consent

We may rely on consent where required by law, including for certain cookies, optional marketing communications, or specific uses of content where explicit authorization is required.

You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

#### 6.4 Legal obligation

We may process personal data where necessary to comply with legal obligations, including tax, accounting, regulatory, consumer protection, or law enforcement requirements.

GDPR recognizes these categories of lawful processing and establishes data subject rights including access, rectification, erasure, restriction, objection, portability, and the right to lodge a complaint.

***

### 7. Payment Processing and Stripe

We use third-party payment processors, including Stripe, to process payments, manage subscriptions, support renewals, and facilitate related billing functions.

When you make a payment through the Service, payment information is submitted directly to the relevant payment processor. Lupa does not store complete payment card data on its own servers. We may receive and retain limited data associated with the payment relationship, including:

* customer identifier;
* payment status;
* subscription status;
* invoice identifiers;
* billing country;
* transaction timestamps;
* plan and renewal metadata;
* limited anti-fraud or chargeback-related information.

Stripe acts under its own privacy and security framework for the payment data it processes.

***

### 8. Hosting, Infrastructure, Storage, and AWS

Lupa uses third-party cloud infrastructure providers, including Amazon Web Services (“AWS”), to host, operate, secure, and scale the Service, including the storage and delivery of uploaded assets, generated images, and related system data.

This means that data submitted through the Service, including uploaded and generated image assets and related metadata, may be processed, stored, replicated, backed up, or transmitted using AWS infrastructure or associated cloud services.

AWS states that customers can use AWS services to process personal data under GDPR and offers contractual data processing commitments, including a GDPR-related data processing addendum. AWS also states that customers may select services that store and process data in the EU, depending on architecture and service configuration.

***

### 9. User Content, Uploaded Images, Stored Assets, and Public Content

#### 9.1 Storage and operational use

The Service allows users to upload, generate, edit, store, organize, retrieve, and share images and other digital assets.

Uploaded and generated assets may be stored on our infrastructure and cloud providers, including AWS, in order to:

* provide the requested functionality;
* enable access to content from your account;
* process and deliver outputs;
* support platform reliability, caching, logging, and recovery;
* maintain reasonable backups, redundancy, and business continuity;
* monitor abuse, fraud, misuse, and technical issues;
* enforce our policies and protect the Service.

#### 9.2 Ownership

As between Lupa and the user, users retain ownership of the content they upload or generate through the Service, subject to any rights of third parties and subject to the licenses and permissions granted under our Terms and this Privacy Policy where applicable.

Nothing in this Privacy Policy transfers ownership of private user content to Lupa.

#### 9.3 License necessary to operate the Service

By uploading, submitting, generating, storing, or sharing content through the Service, you grant Lupa a non-exclusive, worldwide, royalty-free license to host, store, reproduce, process, adapt, format, transmit, display, and otherwise use that content solely as necessary to operate, secure, improve, maintain, and provide the Service and its features, and to enforce our policies and agreements.

This operational license exists only to the extent necessary for the functioning of the Service and related business operations.

#### 9.4 Commercial and promotional use upon request and authorization

From time to time, Lupa may identify user-created or user-generated images or assets that may be suitable for commercial, promotional, editorial, showcase, demonstration, or marketing purposes, including publication on our website, landing pages, emails, social media, app store materials, case studies, investor materials, advertising creatives, presentations, or other public-facing materials.

Lupa will not use private or non-public user images for those commercial or promotional purposes unless we first request permission from the relevant user and obtain explicit authorization.

That authorization may be requested through email, platform communication, or another reasonably documented method. The scope of the authorization may include the right to reproduce, adapt, publish, communicate, display, distribute, and otherwise use the approved content for commercial and promotional purposes related to Lupa and the Service.

Unless otherwise agreed in writing, such authorization is non-exclusive, worldwide, royalty-free, and revocable prospectively by notice to us, provided that revocation will not require withdrawal of materials already lawfully produced, distributed, or published prior to the effective date of revocation, except where required by law.

#### 9.5 Public profiles and publicly shared content

The Service may permit users to publish content to public profiles, galleries, feeds, showcase pages, or other areas of the Service intended to be visible beyond the private account environment. The Service may also include a “share” feature or equivalent mechanism through which a user intentionally makes content public or otherwise accessible outside the user’s private workspace.

When a user intentionally makes content public or shares content through a public-facing feature, that content becomes publicly accessible to the extent enabled by the Service and the selected sharing settings. Publicly accessible content may be viewed, accessed, copied, embedded, redistributed, referenced, indexed, captured, or otherwise used by other users, visitors, third-party services, search engines, or the public, subject to applicable law and technical constraints.

Lupa may display, reproduce, curate, feature, promote, distribute, and otherwise use publicly shared content within the Service and in connection with the operation, promotion, and presentation of the Service, including for showcase and discovery purposes, without the need for an additional case-by-case authorization where the user has deliberately made the content public through the Service.

For the avoidance of doubt, content that is public is not thereby transferred into the legal public domain; however, it is treated as publicly available content within the context of the Service, and users should not expect confidentiality in relation to content they choose to publish publicly.

Users are solely responsible for deciding whether to publish content publicly and for ensuring that they have all necessary rights, permissions, licenses, and consents required to upload, generate, share, publish, and authorize the use of that content.

#### 9.6 User responsibility for uploaded and shared content

You are solely responsible for content you upload, generate, store, or share using the Service. You represent and warrant that you have all rights, permissions, consents, and lawful authority necessary to use that content in connection with the Service, including where relevant intellectual property rights, privacy rights, publicity rights, image rights, likeness rights, and any required authorizations from third parties.

You must not upload or share content that:

* infringes third-party rights;
* violates applicable law;
* contains unlawful, abusive, fraudulent, deceptive, defamatory, or harmful material;
* unlawfully includes personal data of others;
* violates our Terms or Acceptable Use rules.

Lupa reserves the right to remove, restrict, disable, review, report, or preserve content where reasonably necessary to comply with law, enforce our policies, protect rights, investigate abuse, or maintain platform security and integrity.

#### 9.7 Model training statement

Unless expressly stated otherwise in a specific feature notice, product interface, enterprise agreement, or separate written agreement, user-uploaded private content is not used by Lupa to train general-purpose machine learning models without authorization from the relevant user.

If Lupa introduces any feature or workflow involving a different data use model, we will describe it in the relevant notice, settings, product flow, or updated policy as required.

***

### 10. Cookies and Similar Technologies

We use cookies, SDKs, pixels, local storage, and similar technologies to:

* authenticate users;
* maintain sessions;
* remember preferences and settings;
* protect security;
* measure engagement and performance;
* understand usage patterns;
* support troubleshooting and analytics;
* improve the Service.

Depending on applicable law, some of these technologies may be deployed on the basis of consent. Users may manage cookie preferences through browser settings or through any cookie management interface we may make available.

Please consult our Cookie Policy for more detailed information.

***

### 11. Disclosure of Personal Data

We may disclose personal data to the following categories of recipients where necessary and appropriate:

* payment processors, including Stripe;
* cloud hosting and storage providers, including AWS;
* analytics and diagnostic providers;
* email and communications providers;
* security, fraud prevention, and abuse detection providers;
* customer support software providers;
* professional advisers, auditors, insurers, and legal counsel;
* competent authorities, regulators, courts, and law enforcement where required;
* counterparties and advisers in connection with actual or proposed mergers, acquisitions, financing transactions, or reorganizations.

We require processors and service providers acting on our behalf to process personal data under appropriate contractual safeguards and only for authorized purposes.

***

### 12. International Data Transfers

Because the Service and our providers operate internationally, personal data may be processed in countries outside the European Economic Area.

Where personal data is transferred internationally, we implement appropriate safeguards as required by applicable law, which may include Standard Contractual Clauses or other lawful transfer mechanisms recognized under GDPR. Guidance from EU and Spanish data protection authorities treats such safeguards as the standard mechanism for many international transfers under Chapter V GDPR.

Where relevant, we may also implement supplementary technical, contractual, or organizational measures designed to protect personal data in connection with international transfers.

***

### 13. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, protect the Service, and maintain legitimate business records.

Retention periods may vary depending on the category of data and the reason for processing. By way of example:

* account and profile data may be retained while the account remains active and for a reasonable period thereafter;
* billing, invoice, and transaction-related records may be retained for as long as required under applicable tax, accounting, and financial laws;
* support communications may be retained as needed to manage the relationship, resolve issues, and maintain records;
* logs, device data, and security records may be retained for fraud prevention, incident response, troubleshooting, and service reliability;
* uploaded and generated assets may remain stored while associated with the account, until deletion, expiry, plan limitations, account closure, or internal retention controls apply;
* public content may remain visible until removed by the user, removed by Lupa under the Terms, or otherwise archived or cached according to system behavior and third-party indexing.

Where feasible and appropriate, we may delete, anonymize, aggregate, or irreversibly de-identify data once it is no longer needed.

***

### 14. Security Measures

We implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

These measures may include, as appropriate:

* encryption in transit;
* access controls and permissions management;
* authentication and session controls;
* infrastructure and application monitoring;
* internal confidentiality and security procedures;
* backup and recovery mechanisms;
* security reviews and provider-based controls.

No method of transmission over the internet or method of electronic storage is completely secure. Accordingly, while we strive to protect personal data, we cannot guarantee absolute security.

***

### 15. Your Rights

Subject to applicable law, you may have the right to:

* request access to your personal data;
* request rectification of inaccurate or incomplete data;
* request erasure of your personal data;
* request restriction of processing;
* object to processing based on legitimate interests;
* request data portability where applicable;
* withdraw consent where processing is based on consent;
* lodge a complaint with a competent supervisory authority.

If you wish to exercise any of these rights, please contact us at <contact@lupaupscaler.com>.

We may request information necessary to verify your identity before responding to your request.

If you are located in the European Economic Area, you also have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement. GDPR expressly provides these rights and remedies.

***

### 16. Marketing and Service Communications

We may send you transactional, administrative, service-related, legal, security, billing, and operational communications where necessary in connection with the Service.

Where permitted by applicable law, we may also send marketing or promotional communications. You may opt out of marketing communications at any time by using the unsubscribe mechanism included in the communication or by contacting us.

Opting out of marketing communications will not prevent us from sending essential service or account-related notices.

***

### 17. Children’s Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal data from children in violation of applicable law.

If you believe that a child has provided us with personal data unlawfully, please contact us and we will take reasonable steps to investigate and, where appropriate, delete the relevant information.

***

### 18. Third-Party Services and Links

The Service may contain links to, integrations with, or embedded content from third-party websites, products, or services.

We are not responsible for the privacy practices, content, or security of those third parties. Your use of third-party services is subject to their own terms and privacy notices.

***

### 19. Business Transfers

We may disclose, transfer, or assign personal data in connection with an actual or proposed merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar corporate transaction, subject to applicable confidentiality and legal requirements.

***

### 20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, operational practices, or business needs.

If we make material changes, we will update the “Last updated” date and may provide additional notice where required or appropriate, such as by posting a notice on the Service or contacting users through appropriate channels.

Your continued use of the Service after the effective date of an updated Privacy Policy may be treated as acknowledgement of the updated version, to the extent permitted by law.

***

### 21. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, you may contact us at:

<contact@lupaupscaler.com>

Lupa Software S.L.\
Avinguda Cerdanyola 92, Office 31\
08172 Sant Cugat del Vallès\
Barcelona, Spain\
NIF: B22790133