Bolkra Privacy Policy

Plain English summary

This summary explains the policy in everyday language. It is not a substitute for the full policy below, but it covers the points most people care about.

• Who we are. Bolkra is an AI image generation platform operated by Northern Collective Limited, a company registered in the United Kingdom and trading as Bolkra.
• Two kinds of data. We hold a small amount of data about you as an account holder, such as your name, email and billing details. Separately, we hold the content you put into the platform, such as the product photos and reference images you upload, the prompts you write and the images you generate. We treat these two things differently.
• We do not train AI on your content. We do not use your prompts, your uploaded reference images or your generated images to train any AI model. Not ours, not our providers', not anyone's. Your content is processed only to fulfil your own generation requests.
• Your content belongs to your project, not ours. For the content you upload and create, we act as your data processor. We handle it on your instructions and do not use it for our own purposes.
• Images of real people. If you train a character model on photographs of real, identifiable people, that may involve biometric data, which has extra legal protection. You are responsible for having the consent of the people in those photographs before you upload them.
• Agencies and white-label. If you are an agency using Bolkra to deliver imagery to your own clients, you are responsible for your relationship with those clients. We process data on your instructions.
• Service providers. We rely on a small number of trusted external providers to run the platform. We describe the categories of providers we use below. A named list of our current providers is available to paying customers in their Data Processing Agreement, and on request from anyone using the contact details in Section 1.
• Where data goes. Some of the providers we rely on operate outside the UK and EU. When data leaves the UK or EU we use legally recognised safeguards such as Standard Contractual Clauses.
• How long we keep things. After you close your account, workspace data is kept for 90 days and then deleted, unless the law requires us to keep something longer.
• Cookies and analytics. We use web analytics to understand how the platform is used. Analytics cookies only run if you accept them. Section 13 explains the full list.
• Your rights. You can ask to see, correct, delete, restrict, port or object to the use of your personal data. Section 14 explains how.
• Not for children. Bolkra is a business tool. It is not for anyone under 18.

If anything below is unclear, contact us using the details in Section 1.

1. Who we are and how to contact us

Bolkra is operated by Northern Collective Limited ("Bolkra", "we", "us", "our"), a company registered in England and Wales under company number 10590386, trading as Bolkra.

Our registered office is:

33 Metcombe Way Manchester M11 3BY United Kingdom

For any question about this policy or about how we handle personal data, including to exercise your data protection rights, contact us at:

• Email: stewart@northern-collective.co.uk
• Post: Data Protection, Northern Collective Limited, 33 Metcombe Way, Manchester M11 3BY, United Kingdom

2. What this policy covers

This policy explains how we collect, use, store and share personal data when you:

• visit bolkra.com or any related website we operate;
• create and use a Bolkra account; and
• otherwise interact with us, for example by contacting our support team.

It also explains the roles and responsibilities that apply to the content you and your team upload to and generate within the platform. Those roles are important, because they decide who is legally responsible for that content. Section 3 sets them out.

This policy does not cover third-party websites or services that may link to or from Bolkra. Those services have their own privacy policies.

3. Our role: when we are a controller and when we are a processor

Data protection law distinguishes between a controller, who decides why and how personal data is processed, and a processor, who processes data on a controller's behalf and on its instructions. Bolkra acts in both roles depending on the data in question.

We are the controller of the personal data we collect to run our business and our relationship with you. This includes account registration details, billing information, support correspondence and website usage data. Sections 4, 6, 12, 13 and 15 describe how we handle this data as a controller.

We are a processor for the content you put into the platform. This includes the product photographs and other reference images you upload, the prompts you write, the AI models you train and the images you generate. You, as our customer, are the controller of that content. We process it only to provide the service to you and only on your instructions, as set out in our customer agreement and the data processing terms that form part of it. We do not decide what that content is used for, and we do not use it for our own purposes.

This distinction matters in practice. If an individual whose image or data appears in content uploaded to a Bolkra workspace wants to exercise their data protection rights over that content, the request should usually be directed to the customer who controls that workspace, not to Bolkra. We will support our customers in responding to such requests, as Section 14 explains.

Our Terms of Service include data processing terms that govern our processing of customer content as a processor. These terms satisfy our obligations under Article 28 of the UK GDPR and the EU GDPR.

4. The personal data we collect

As a controller, we collect and hold the following categories of personal data.

Account and identity data. When you register, we collect your name, email address, password credentials and, where you enable it, multi-factor authentication details.

Workspace and profile data. We hold the name of your workspace or organisation, the names and email addresses of team members you invite, and your role and permission settings.

Billing and payment data. When you subscribe or make a one-time purchase, we collect billing contact details and a record of your transactions. Card and bank details are collected and processed directly by our payment provider Stripe. We do not store full card numbers on our own systems.

Usage and technical data. We collect information about how the platform is used, such as log records, generation activity counts, device and browser type, IP address and timestamps. We use this to operate, secure and support the service.

Analytics data. Where you have given your consent, we use web analytics to understand how visitors use bolkra.com and the platform. This is described in Section 13.

Support and communications data. If you contact us, we keep a record of the correspondence.

Content you upload and create. Separately from the above, the platform holds the reference images you upload, the prompts you write, the AI models you train and the images you generate. This content can itself contain personal data, for example where a reference image shows an identifiable person. We process this content as a processor, not as a controller, as Section 3 explains. Sections 5, 7 and 8 describe how this content is handled.

5. Reference images and other content you upload

When you use Bolkra, you upload reference images, typically product photographs, and you may upload images of people, such as your own staff or models, for the purpose of training character models. This section explains what happens to those images.

Where they are stored. Uploaded reference images are stored using our cloud storage provider. Metadata about them, such as file names and the workspace they belong to, is stored in our database, hosted by our database provider in the United Kingdom. During generation, reference images are transmitted to our AI inference providers solely to carry out the generation or model training you have requested.

What they are used for. Reference images are used only to fulfil your own generation and training requests. They are not used for any other purpose. In particular, and as Section 7 states in full, they are not used to train any AI model.

How long they are kept. Reference images and other workspace content remain available while your workspace is active. When a workspace or account is closed, content is deleted in line with the retention periods in Section 12.

Your responsibility. You are responsible for ensuring you have the right to upload each image and to use it within Bolkra. Where an image shows an identifiable person, you must have an appropriate lawful basis and, where required, that person's consent. Section 8 covers this for images of real people used to train character models.

6. How we use personal data and our lawful bases

Under data protection law we must have a lawful basis for each way we use personal data as a controller. The table below sets out our main processing activities and the lawful basis for each.

For the content you upload and generate, we act as a processor. The lawful basis for processing that content is a matter for you as the controller. You must make sure you have a valid lawful basis for the personal data contained in your reference images, prompts and trained models.

7. Our AI no-training commitment

This is a core commitment and we state it plainly.

We do not use your content to train AI models. We do not use your prompts, your uploaded reference images or your generated outputs to train, fine-tune, improve or develop any AI model. This applies to our own systems, to the models operated by the AI inference providers we use, and to any other model belonging to us, our providers or any third party.

Your prompts and reference images are sent to our AI inference providers only to carry out the specific generation or training job you have requested. When you train a character or product model, that model is trained for your workspace and your use. It is not added to, merged into or used to improve any shared or general-purpose model.

When we work to maintain and improve Bolkra, we rely on operational data and on aggregated, statistical information that does not identify any individual and does not consist of your content. We do not read or repurpose your reference images, prompts or outputs to develop the product.

8. Training character models on real people (biometric data)

Bolkra lets customers train character models, sometimes using a technique called LoRA, on photographs of real people. This section explains the legal position and your responsibilities.

When photographs of an identifiable person are processed to create a model that can reproduce that person's likeness, the data involved is likely to be biometric data and a special category of personal data under Article 9 of the UK GDPR and the EU GDPR. Special category data has extra legal protection, and processing it generally requires a specific condition to be met, most often the explicit consent of the individual concerned.

Your responsibilities as the customer. If you upload photographs of real people and train a model on them, you are the controller of that data. Before you do so, you must:

• have the explicit, informed consent of each identifiable person in those photographs, or another valid Article 9 condition;
• be able to demonstrate that consent if asked;
• tell those individuals how their images will be used, including that an AI model will be trained on their likeness; and
• respect any withdrawal of consent, and ask us to delete the relevant images and model if consent is withdrawn.

Our role. Bolkra processes this data as a processor, on your instructions, to carry out the training you have requested. We do not use it for any other purpose, and our no-training commitment in Section 7 applies fully. We provide tools to delete trained models and their source images.

If you cannot obtain the necessary consent for the people shown in an image, you must not upload that image or train a model on it.

9. White-label use by agencies

Agencies use Bolkra under white-label arrangements to deliver imagery to their own clients. This section clarifies who is responsible for what.

Where an agency is our customer, the agency is our customer and, for the content in its workspaces, the controller. Bolkra is the agency's processor for that content. The agency's own clients are not direct Bolkra customers and usually have no direct relationship with us.

Personal data belonging to an agency's clients, or to individuals featured in an agency's projects, may pass through Bolkra. Where that happens:

• the agency is responsible for its relationship with its clients, including for having the right lawful basis, notices and consents in place for any personal data it puts into Bolkra;
• depending on the agency's arrangement with its client, the agency may be a controller and Bolkra its processor, or the agency's client may be the controller, the agency a processor and Bolkra a sub-processor;
• in all of these cases, Bolkra processes the content only on documented instructions, applies the no-training commitment in Section 7, and does not use the content for its own purposes.

If you are an agency, you should make sure your own privacy notice and contracts with your clients reflect your use of Bolkra as a tool in your supply chain.

If you are the client of an agency that uses Bolkra and you have a question about your personal data, please contact that agency. They control the workspace your data sits in. We will support them in responding to you.

10. Service providers

We rely on a small number of trusted external providers to run Bolkra. Each one processes personal data only as needed to provide its service to us, under a contract that requires it to protect the data.

We describe the categories of providers we use, not the specific vendors, because the platform's supplier list changes from time to time and we want to be honest about who you are contracting with at any given moment. The categories are:

• Authentication and identity — managing account sign-in, password security and multi-factor authentication;
• Cloud hosting and infrastructure — running the web application and the background processing that powers generation;
• Database — storing account, workspace and content metadata, with our primary database hosted in the United Kingdom;
• File storage — storing the reference images you upload and the images Bolkra generates;
• Job and queue processing — managing the queue of generation requests, hosted in the United Kingdom;
• AI inference and model training — generating images and training models from your inputs;
• Payment processing — handled by Stripe, which acts as an independent controller for payment data, as Section 11 explains;
• Email delivery — sending account, security and billing notifications;
• Analytics — web analytics, only where you have consented, as Section 14 explains.

The named list of current providers is provided to paying customers as part of the Data Processing Terms that form part of our Terms of Service. It is also available on request to anyone, using the contact details in Section 1.

When we change a provider in a way that affects our processing of personal data, we update the named list, and where you are a paying customer we notify you in line with the change-notification terms in your customer agreement.

We do not sell personal data to anyone, ever.

11. Stripe and payment data

We use Stripe to process all subscription and one-time payments on Bolkra. When you make a payment, your card or bank details are collected and processed directly by Stripe under Stripe's own privacy policy. We do not see or store your full card number.

For payment and transaction data, Stripe acts as an independent controller, not as our processor. This is because Stripe has its own regulatory obligations under payment industry rules, including the rules of card schemes and applicable financial conduct law, and processes payment data for its own compliance purposes as well as on our behalf.

Stripe's own privacy policy is available at stripe.com/privacy. We hold a record of your transactions for billing, accounting and audit purposes, as Section 4 describes.

12. International data transfers

Bolkra is operated from the United Kingdom and serves customers in the UK, the EU and elsewhere. Our database and queue infrastructure are hosted in the United Kingdom, which means most of your account and workspace metadata stays within the UK. Some of the external providers we rely on, however, operate outside the UK and the European Economic Area, in particular in the United States.

When personal data is transferred outside the UK or the EEA, we make sure an appropriate safeguard recognised by data protection law is in place. Depending on the provider and the destination, this is one or more of the following:

• an adequacy decision, where the UK or the EU has formally decided that a country provides an adequate level of data protection;
• the Standard Contractual Clauses approved by the European Commission, together with the UK Addendum to those clauses or the UK International Data Transfer Agreement, for transfers of UK personal data; and
• where relevant, a provider's certification under the EU-US Data Privacy Framework and its UK Extension.

Where needed, we also consider whether any additional technical or organisational measures are required to protect the data in transit and at rest.

You can ask us for more detail about the safeguards that apply to a particular transfer by contacting us using the details in Section 1.

13. How long we keep data

We keep personal data only for as long as we need it for the purposes set out in this policy, or for as long as the law requires.

Account and workspace data. While your account is open, we keep your account data and workspace content so the service works. When an account is closed, workspace data is retained for 90 days and then deleted. This 90-day window gives you the chance to reactivate or to export your content before it is removed.

Billing and transaction records. We keep billing and transaction records for as long as required by tax and accounting law, which in the UK is generally six years, even after an account is closed.

Support correspondence. We keep support correspondence for a reasonable period after a query is resolved, so we have a record of the matter.

Backups. Deleted data may persist in routine encrypted backups for a limited period after deletion from our live systems, after which it is overwritten.

When a retention period ends, we delete the data or irreversibly anonymise it.

14. Cookies and similar technologies

We use cookies and similar technologies for two purposes: to run the platform and keep it secure, and where you have consented, to understand how visitors use bolkra.com. The table below itemises the cookies we use.

Strictly necessary cookies do not require consent because the platform cannot function securely without them.

Analytics cookies are only set if you accept them through our cookie banner. You can change your choice at any time through the cookie settings link in our website footer. We use a standard web analytics service with IP anonymisation enabled, which limits the personal data sent to the analytics provider.

We do not use advertising cookies, and we do not sell or share personal data for cross-context behavioural advertising.

15. Your data protection rights

Under the UK GDPR and the EU GDPR you have the following rights over your personal data:

• The right to be informed, through notices such as this policy.
• The right of access, to obtain a copy of the personal data we hold about you.
• The right to rectification, to have inaccurate data corrected and incomplete data completed.
• The right to erasure, to have your personal data deleted in certain circumstances.
• The right to restrict processing, to limit how we use your data in certain circumstances.
• The right to data portability, to receive certain data in a structured, commonly used and machine-readable format, and to have it transferred to another provider where technically feasible.
• The right to object, to processing based on our legitimate interests, and to object at any time to direct marketing.
• The right to withdraw consent, where we rely on consent to process your data, including the consent you give to analytics cookies.
• Rights relating to automated decision-making, although Bolkra does not make decisions about you that produce legal or similarly significant effects through solely automated means.

To exercise any of these rights, contact us using the details in Section 1. We will respond within one month. If a request is complex, or if you have made several requests, we may extend this by up to two further months, and we will tell you if we do. We will not normally charge a fee. We may need to verify your identity before we act, using measures that are proportionate to the sensitivity of the data.

An important note for customer content. Many requests concern content held inside a customer's workspace, such as a reference image of an identifiable person. For that content we are a processor and the customer is the controller, as Sections 3 and 9 explain. If your request concerns content in a workspace that belongs to one of our customers, including an agency, we will direct you to that customer, who is best placed to respond, and we will support them in doing so.

If you are not satisfied with how we have handled your personal data, you have the right to complain to a supervisory authority. Section 19 explains how.

16. How we keep data secure

We take the security of personal data seriously and use a range of technical and organisational measures to protect it. Without describing our defences in a way that would help an attacker, these measures include:

• encryption of data in transit and at rest;
• access controls, so that staff and systems can reach only the data they need;
• authentication and multi-factor authentication for account access;
• segregation of customer workspaces, so one customer's content is not accessible to another;
• use of reputable infrastructure and service providers, each held to appropriate security obligations;
• logging and monitoring to detect and respond to unusual activity; and
• regular review of our security practices.

No online service can be guaranteed to be completely secure. If a personal data breach occurs that is likely to result in a risk to people's rights, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, where required, and we will inform affected individuals or customers without undue delay where the law requires.

17. Children

Bolkra is a business-to-business platform intended for use by agencies, brands and their teams. It is not intended for, or directed at, anyone under the age of 18. We do not knowingly create accounts for, or collect personal data from, individuals under 18. If you become aware that someone under 18 has used Bolkra to create an account, please contact us and we will close the account and delete the associated data.

This does not change your own responsibility, as a customer, for any content you upload. If content you upload contains personal data relating to a minor, you must have an appropriate lawful basis and any consent required for that data.

18. Changes to this policy

We may update this policy from time to time, for example to reflect changes to our providers, to the platform or to the law. When we make a material change, we will update the "Last updated" date at the top of this policy and, where appropriate, tell you by email or through the platform. We encourage you to review this policy periodically.

19. Complaints

If you have a concern about how we handle your personal data, please contact us first, using the details in Section 1, so we can try to resolve it.

You also have the right to lodge a complaint with a data protection supervisory authority. In the United Kingdom this is the Information Commissioner's Office (ICO), ico.org.uk. If you are in the EU, you may complain to the supervisory authority in your country of residence or work.

This policy should be read together with Bolkra's Terms of Service, which include the Data Processing Terms that govern our processing of your content as a processor.