Legal

Privacy Policy

Last updated: April 26, 2026

This Privacy Policy explains how Image to Prompt (the "Service", "we", "us") collects, uses, stores, and protects information when you use the website, the workbench, the API, and related tools. By using the Service you agree to the practices described below.

1. Information we collect

We collect three categories of information:


Account information — email address, name, password hash (if you sign up with email and password), and OAuth identifiers (if you sign in with Google or GitHub).

Usage information — reference images you upload, text prompts you submit, generated outputs, prompt history, browser metadata, IP address, device fingerprint, and aggregated analytics events.

Payment information — subscription tier, billing address, transaction identifiers, and the last four digits of the payment card. Full card data is held by our payment processors (Stripe, Creem, or PayPal) and never reaches our servers.

2. How we use your information

We use information to:


Provide and maintain the Service (account, generation, billing, support).

Improve model accuracy and product quality through aggregated, de-identified analysis.

Detect, prevent, and respond to fraud, abuse, or violations of the Terms of Service.

Send transactional emails (sign-up confirmation, password reset, billing receipts, security alerts).

Send product updates if you have explicitly opted in.


We do not sell your personal information.

3. How long we keep data

Account information is kept while your account is active and for up to 90 days after deletion to support recovery and compliance obligations.

Reference images and generation outputs are kept while your account is active and may be retained for up to 30 days after deletion in encrypted backups.

Payment metadata is kept for 7 years to comply with tax and accounting regulations.

Aggregated analytics that no longer identify an individual may be kept indefinitely.

4. Sharing and processors

We use the following categories of third-party processors:


Infrastructure: Vercel (hosting), Cloudflare (CDN), and Supabase / managed Postgres (database).

Object storage: AWS S3 or Cloudflare R2 for uploaded images and generation outputs.

AI inference: model providers (OpenAI, Anthropic, Google, Replicate, fal.ai, KIE, Gemini) for prompt analysis and image / video generation.

Authentication: Better Auth and OAuth providers (Google, GitHub).

Payments: Stripe, Creem, PayPal.

Email: Resend.

Analytics: optional Vercel Analytics, Google Analytics, Plausible, OpenPanel, or Microsoft Clarity depending on deployment configuration.


Each processor only receives the minimum data required to perform its function and is bound by its own privacy and security commitments.

5. International transfers

Some processors operate in jurisdictions different from yours. By using the Service you consent to your data being transferred and processed in those jurisdictions. We rely on standard contractual clauses or equivalent safeguards where required.

6. Your rights

Depending on your jurisdiction (GDPR, CCPA, PIPL, and similar), you may have the right to:


Access the personal information we hold about you.

Request correction or deletion of inaccurate or outdated information.

Object to or restrict certain processing activities.

Receive a portable copy of your data.

Withdraw consent to optional processing (e.g. marketing emails).


To exercise any of these rights, contact us using the details in the final section.

7. Cookies and similar technologies

We use strictly necessary cookies for sign-in, session management, and locale preferences. With your consent, we may also use analytics cookies to measure aggregated traffic and product performance. You can clear cookies in your browser at any time, but doing so may sign you out and reset preferences.

8. Security

We protect data with encryption in transit (TLS 1.2+) and encryption at rest, scoped access controls, audited backups, rate-limited APIs, and abuse detection. No system is perfectly secure, so we encourage you to use strong unique passwords and enable two-factor authentication when available.

9. Children

The Service is not directed to children under 13 (or the equivalent age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has signed up, contact us and we will remove the account.

10. Changes to this policy

We may update this policy to reflect changes in our practices, the law, or the Service. Material changes will be communicated by an in-product notice or by email at least 14 days before they take effect.

11. Contact

Questions, requests, or complaints about this policy:


Email: privacy@example.com


If you are based in the EEA or the UK and we cannot resolve your complaint, you may contact your local data protection authority.
