Privacy & Cookie Policy
Privacy Policy
Effective Date: April 15, 2026
Introduction
Dot Square Lab Limited ("we," "our," or "us") operates the Companion & Co service (the "Service"). We are committed to protecting your privacy and handling your personal data in a fair, transparent, and lawful manner. This Privacy Policy explains how we collect, use, share, and protect your personal information when you create an account, purchase credits or subscriptions, upload images, generate AI pet portraits, or otherwise interact with the Service or our website.
This Policy has been prepared in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
Data Controller and Contact Information
- Data Controller: Dot Square Lab Limited
- Registered address: Labs Atrium, The Stables Market, Chalk Farm Rd, London, England, NW1 8AH
- Email: contact@companion-and-co.com
If you have any questions about this Privacy Policy or your rights, please contact us at the email above.
Personal Data We Collect
We collect the following categories of personal data.
Account and profile data.
- Name, email address, and password (stored in hashed form)
- Profile information you provide
- Account status, email verification status, and role (user, administrator)
Purpose: To create and maintain your account, authenticate you, communicate about the Service, and enforce our Terms.
Uploaded reference images.
- Photographs you upload to the Service for the purpose of generating a portrait
- Image metadata (file size, format, upload timestamp)
Purpose: To produce the AI-generated portraits you request. These images may contain identifiable information about you, your pet, or other individuals appearing in the photos; you are responsible for ensuring you have the right to upload each image.
Generated outputs.
- AI-generated portrait images produced from your uploads
- Generation metadata (theme, style, ratio, timestamp, outcome status)
Purpose: To deliver the portraits to you and maintain a history of your creations that you can access in the Service.
Payment and transaction data.
- Billing information sufficient to process payments, collected and held by our payment processor (see Sharing below); we do not receive or store full payment card numbers
- Subscription status, plan, renewal date, credit balances, and a ledger of credit debits/refunds and purchases
Purpose: To process payments, operate the credit wallet that powers the Service, and comply with tax/accounting record-keeping obligations.
Technical and usage data.
- IP address, browser type and version, device/OS information, pages viewed, timestamps, and interactions with the Service
- Authentication session cookie (see Cookie Policy below)
- Server and application logs for security, debugging, and abuse prevention
Purpose: To operate, secure, and improve the Service.
Support correspondence.
- If you contact us (e.g., refund requests, account queries), we retain the message, your email address, and any information you share in the course of the enquiry.
Purposes of Processing and Legal Bases
We process personal data for the following purposes, relying on the legal bases indicated:
- To provide the Service you have contracted for — creating your account, generating the portraits you request, delivering outputs, and operating your credit wallet. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
- To process payments and manage subscriptions — charging for credits/subscriptions, issuing receipts, handling renewals and cancellations. Legal basis: performance of a contract; compliance with legal obligations (Art. 6(1)(c)) for tax/accounting.
- To secure the Service, prevent fraud and abuse — authentication, rate limiting, abuse detection on uploaded content, investigation of suspected Terms violations. Legal basis: legitimate interests (Art. 6(1)(f)) — the integrity of the Service and protection of our users.
- To comply with legal obligations — responding to lawful requests from authorities, record-keeping obligations, and defending legal claims. Legal basis: legal obligation (Art. 6(1)(c)) and, where applicable, legitimate interests.
- To communicate with you — transactional emails (account verification, password reset, payment receipts, service notices) and responding to your enquiries. Legal basis: performance of a contract and our legitimate interest in operating the Service.
- Analytics or marketing, where applicable — if we enable optional analytics or marketing features in the future, we will rely on your consent (Art. 6(1)(a)) and provide the ability to opt in or withdraw at any time.
User-Uploaded Content
Images you upload to the Service may contain personal information — including your own likeness, that of your pet, or of other individuals who appear in the photograph. We process these images to produce the portraits you request. Uploads are transmitted to third-party AI image-generation service providers (see "Sharing of Personal Data" below) for the sole purpose of generating the requested output, and are stored by us in access-controlled cloud storage, accessible only via short-lived signed URLs.
You can delete uploaded reference images and generated outputs from your account at any time via the Service.
Automated Decision-Making
Portrait generation is automated, but it is not a decision producing legal or similarly significant effects on you within the meaning of Article 22 GDPR. We do not use your personal data to make decisions about you that have legal or similarly significant effects solely by automated means.
Sharing of Personal Data
We share personal data only with the following categories of recipients, and only to the extent necessary for the purposes described above.
| Recipient | Purpose | Role |
|---|---|---|
| Cloud infrastructure providers | Hosting, application runtime, database, and storage of application data and images | Processor |
| Third-party AI image-generation service providers | Process uploaded reference images strictly to produce the requested portrait output; provider data-processing terms govern handling of inputs and outputs | Processor |
| Stripe, Inc. | Payment processing; receives data necessary to charge your payment method and handles card data on our behalf (we do not receive full card numbers) | Processor |
| Resend, Inc. | Delivery of transactional emails (verification, password reset, receipts, service notices); processes recipient email address and message content on our behalf | Processor |
| Regulatory authorities, courts, and law-enforcement agencies | Where required by law or to establish, exercise, or defend legal claims | Independent recipient |
| Professional advisers (lawyers, auditors, accountants) | Corporate, regulatory, or tax matters, under obligations of confidentiality | Independent recipient |
All third-party service providers acting as processors do so on our behalf under written data-processing agreements that require compliance with the UK GDPR / EU GDPR and appropriate security measures.
We do not sell your personal data, and we do not share it for cross-context behavioural advertising.
International Data Transfers
Some of our service providers are located outside the UK and EEA (for example, in the United States). Where we transfer personal data internationally, we rely on:
- the EU-US Data Privacy Framework (for eligible US transfers to certified recipients),
- Standard Contractual Clauses approved by the European Commission and/or UK International Data Transfer Agreements/Addenda,
- or another lawful transfer mechanism recognized under applicable law.
You can contact us at contact@companion-and-co.com to request more information about the safeguards in place for a particular transfer.
Data Retention
| Data category | Retention period |
|---|---|
| Account data (profile, authentication credentials) | Until account deletion, subject to longer retention where required by law or for the establishment, exercise, or defence of legal claims |
| Uploaded reference images and generated outputs | While your account is active; removed when you delete them from the Service or on account deletion |
| Payment and financial records | Period required by applicable tax, accounting, and anti-money-laundering law — typically 6–10 years in the United Kingdom |
| Credit transaction logs | Period required for financial record-keeping and dispute resolution |
| Security and system logs | Limited period sufficient for operational, debugging, and security purposes |
| Support correspondence | Up to 24 months after resolution of your enquiry, unless a longer retention is required or useful to defend legal claims |
Your Rights (GDPR & UK GDPR)
Subject to the conditions and exceptions under applicable law, you have the right to:
- Access — obtain confirmation of whether we process your personal data and receive a copy of it.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data under certain conditions.
- Restriction — request that we limit processing of your data.
- Portability — receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
- Object — object to processing based on legitimate interests, including profiling, and to processing for direct marketing.
- Withdraw consent — where processing is based on consent, withdraw it at any time (without affecting the lawfulness of processing carried out before withdrawal).
- Lodge a complaint — complain to a supervisory authority, including the UK Information Commissioner's Office (ICO, ico.org.uk) or the data-protection authority of your Member State of residence or place of the alleged infringement.
To exercise any of these rights, email us at contact@companion-and-co.com from the email address registered to your account. We may need to verify your identity before acting on a request.
Your Rights (CCPA/CPRA)
If you are a California resident, you have additional rights:
- Right to Know — request disclosure of categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of recipients.
- Right to Delete — request deletion of personal information we have collected from you, subject to legal exceptions.
- Right to Correct — request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing — we do not sell personal information and do not share it for cross-context behavioural advertising; you may confirm this and opt out of any future such practices.
- Right to Limit Use of Sensitive Personal Information — where we process such information, request that we limit its use to purposes necessary to provide the Service.
- Right to Non-Discrimination — you will not be discriminated against for exercising your privacy rights.
You can submit requests by contacting us at contact@companion-and-co.com. We honor valid Global Privacy Control (GPC) signals.
Cookies
The Service uses only a single, strictly necessary authentication session cookie (jwt). Because it is strictly necessary to provide the Service you have requested, it does not require your consent under the EU ePrivacy Directive / PECR. See the Cookie Policy below for details of the cookies we use and how to manage them.
Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- encryption in transit (TLS) for data exchanged with the Service,
- encryption at rest for data held by our cloud infrastructure and storage providers,
- access controls and role-based access management for our systems,
- password hashing for stored credentials,
- signed, short-lived URLs for access to stored images,
- regular software updates and vulnerability management,
- staff access controls and confidentiality obligations.
No method of transmission over the Internet or method of electronic storage is 100% secure; we cannot guarantee absolute security, but we work continuously to protect your data.
Children
The Service is not directed at children under 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without verifiable parental consent, we will take steps to delete that information. If you believe we have inadvertently collected such information, please contact us at contact@companion-and-co.com.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The latest version will always be available on this page and will include the "Effective Date" above. Where the changes are material, we will notify you by email or through the Service.
Contact Us
For questions about this policy or to exercise your data rights, please contact:
Dot Square Lab Limited Labs Atrium, The Stables Market, Chalk Farm Rd, London, England, NW1 8AH Email: contact@companion-and-co.com
Cookie Policy
Effective Date: April 15, 2026
This Cookie Policy explains how Dot Square Lab Limited ("we," "us," or "our") uses cookies and similar tracking technologies when you use the Companion & Co service (the "Service").
What Are Cookies?
Cookies are small text files stored on your device when you visit websites or use online services. They help sites remember your preferences, authenticate sessions, analyze performance, and provide personalized experiences.
Cookies We Use
The Service currently uses only the following cookie, which is strictly necessary for the Service to function:
| Cookie | Category | Purpose | Duration | Provider | Legal basis |
|---|---|---|---|---|---|
jwt | Strictly necessary | HTTP-only authentication session cookie; keeps you signed in after login and authenticates each request | Until logout or token expiry | Dot Square Lab Limited (first-party) | Strictly necessary — no consent required under the EU ePrivacy Directive / PECR |
We do not currently use analytics, advertising, performance-measurement, or marketing cookies. If we introduce any non-essential cookies in the future, we will update this table and request your consent via a cookie banner before the cookies are set.
Managing Cookie Preferences
- Browser controls — most browsers allow you to block or delete cookies. See your browser's help pages:
- Chrome: Settings > Privacy and Security > Cookies and other site data
- Firefox: Settings > Privacy & Security > Cookies and Site Data
- Safari: Preferences > Privacy > Manage Website Data
- Edge: Settings > Cookies and site permissions > Cookies and site data
Note: blocking the strictly necessary jwt cookie will prevent you from signing in to the Service.
Children's Privacy
The Service is not directed at children under 18. See the Children section of the Privacy Policy above.
Cross-Border Transfers
Information associated with cookies, where applicable, may be transferred internationally under the safeguards described in the International Data Transfers section of the Privacy Policy.
Updates to This Cookie Policy
We may update this Cookie Policy to reflect changes in our practices, technology, or applicable law. The "Effective Date" above will be updated accordingly.
Contact Us
For questions about this Cookie Policy or to exercise your rights:
Dot Square Lab Limited Labs Atrium, The Stables Market, Chalk Farm Rd, London, England, NW1 8AH Email: contact@companion-and-co.com
Companion & Co. © 2026 • All rights reserved