Privacy Policy

Last updated: 2026-05-26 (Brevo email integration added)

Goola (“Goola”, “we”, “us”, “our”) is an AI food photography service available at goola.pro. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and how long we keep it.

If you are located in the European Economic Area (EEA), the General Data Protection Regulation (GDPR) applies to our processing of your data. For questions or to exercise your rights, contact us at hello@goola.pro.

1. Data we collect

• Email address — you provide this when submitting a batch of photos. We use it to identify your job and send you watermarked preview results.
• Food photos — the images you upload (up to 15 JPG or PNG files, up to 20 MB each). These are processed by our AI pipeline and then deleted automatically when your job expires.
• IP address— captured by our servers and by Cloudflare’s Turnstile bot-protection service for security and abuse prevention.
• Payment data — handled directly and entirely by Stripe, Inc. We never see or store your card number, CVC, or bank details. We receive only a payment status and a Stripe Payment Intent ID linked to your job.
• Usage and analytics data — anonymised data about pages visited, time on site, errors, and ad interaction, collected via Google Analytics (GA4), Vercel Analytics, and Meta Pixel (Facebook). This data is only collected if you accept analytics cookies.
• Cookie consent preference — stored as a first-party cookie (goola_consent) for up to 12 months so we remember your choice.

2. How we use your data

• Delivering the Service— processing your photos through the AI pipeline and returning watermarked previews to your email. Legal basis: performance of contract (GDPR Art. 6(1)(b)).
• Payment processing— creating and fulfilling the payment for your unlocked batch. Legal basis: performance of contract (GDPR Art. 6(1)(b)).
• Security and fraud prevention— using IP address and Cloudflare Turnstile signals to block bots and abuse. Legal basis: legitimate interests (GDPR Art. 6(1)(f)).
• Analytics and ad measurement— understanding how Goola is used so we can improve it, and measuring the effectiveness of our advertising campaigns. Legal basis: consent (GDPR Art. 6(1)(a)) — only if you accept analytics cookies.
• Legal compliance— retaining payment records as required by applicable financial law. Legal basis: legal obligation (GDPR Art. 6(1)(c)).
• Email communications— sending you your enhanced photo previews, order confirmations, and (with your consent) occasional product updates via Brevo. Transactional emails (photo delivery, receipts) are sent under legitimate interest (GDPR Art. 6(1)(f)); marketing emails require and rely on your consent (GDPR Art. 6(1)(a)). You can withdraw consent at any time by clicking the unsubscribe link in any email.

3. Data processors

We share your data only with the following sub-processors, under contractual data-processing agreements. We do not sell your data to any third party.

• Google LLC (Gemini API)— runs the AI image-enhancement pipeline on your uploaded photos. Google processes images strictly on our behalf and does not use them to train Google’s own models.
• Cloudflare, Inc. — stores original and enhanced images in Cloudflare R2 object storage (EU data centre); provides Turnstile bot protection.
• Supabase, Inc. — hosts the database containing job metadata (email address, job status, payment status, and storage object keys). Hosted in the EU (eu-west-1 region).
• Stripe, Inc. — processes payment card transactions. Stripe acts as an independent data controller for payment card data under their own privacy policy.
• Vercel, Inc. — hosts the Goola web application and provides edge-network delivery and performance analytics.
• Google LLC (Google Analytics) — provides anonymised usage analytics when you consent to analytics cookies.
• Meta Platforms, Inc. (Meta Pixel) — measures conversions from our Facebook and Instagram ad campaigns and enables retargeting audiences. Only active with your consent. Meta acts as an independent data controller under their own privacy policy. Data may be transferred to the US under Standard Contractual Clauses.
• Brevo (Sendinblue SAS) — manages email contact records and sends transactional and marketing emails on our behalf. Brevo is a French company (EU-based); your data does not leave the EEA. Contacts are retained for 12 months from last activity for leads and 36 months for paying customers, after which they are deleted. You can unsubscribe at any time via the link in any email we send.

4. Data retention

• Food photos (originals and enhanced files) — deleted automatically when your job record expires, within 7 days of job creation.
• Job metadata (email address, processing status) — purged together with the job record, within 7 days of creation.
• Payment records — Stripe retains payment data as required by applicable financial regulations. We retain only the payment status and the Stripe Payment Intent ID; these are purged with the job record.
• Analytics data — retained by Google Analytics and Vercel Analytics per their own policies (typically 14 months for GA4). Meta Pixel data is retained by Meta Platforms per their own data policy.
• Cookie consent preference — stored in your browser for up to 12 months.
• Email contact records (Brevo) — leads retained for 12 months from last activity; paying customers retained for 36 months from last activity. You can request deletion at any time by emailing hello@goola.pro or clicking the unsubscribe link in any email.

5. Your rights

If you are in the EEA, you have the following rights under the GDPR:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your data (“right to be forgotten”).
• Restriction — request that we limit how we use your data in certain circumstances.
• Object — object to processing based on our legitimate interests.
• Portability — receive your data in a structured, machine-readable format.
• Withdraw consent — at any time, for analytics processing, by declining or withdrawing cookie consent via your browser settings.

To exercise any of these rights, email hello@goola.pro. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority — for example, the Spanish AEPD (www.aepd.es) or your local supervisory authority.

6. Cookies

We use the following cookies:

• goola_consent (essential) — stores your cookie consent choice. Duration: 12 months.
• Stripe cookies (essential) — required for secure, fraud-resistant payment processing. Cannot be disabled when making a payment.
• Google Analytics (_ga, _gid) (analytics) — anonymised usage analytics. Only set if you accept cookies. Duration: up to 2 years.
• Vercel Analytics (analytics) — anonymised performance data. Only active with your consent.
• Meta Pixel (_fbp, _fbc) (analytics) — tracks conversions and ad interactions for Facebook and Instagram campaigns. Only set if you accept cookies. Duration: up to 3 months.

You can withdraw consent at any time by clicking “Decline” on the cookie banner, or by clearing cookies in your browser settings.

7. Security

All data in transit is protected by HTTPS/TLS encryption. Images stored in Cloudflare R2 are encrypted at rest. Payment processing is handled exclusively by Stripe and protected by 256-bit SSL encryption and PCI DSS Level 1 compliance. We apply role-based access controls to our database and storage systems.

8. Children

Goola is not directed to children under 16 years of age. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us at hello@goola.pro and we will delete it promptly.

9. International transfers

Some of our sub-processors are based in the United States (Google, Cloudflare, Stripe, Vercel, Supabase). Where personal data is transferred outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework to ensure an adequate level of protection.

10. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will reflect any changes. Continued use of the Service after changes are posted constitutes acceptance of the updated policy. For material changes, we will take reasonable steps to notify you.

11. Contact

For privacy enquiries, to exercise your rights, or to report a concern, contact us at hello@goola.pro.