Last updated: 2026-04-24
Account: your email address (for magic-link sign-in) and the display handle generated for you at signup. Content: photos you upload, generations / edits / videos / exports we produce from them, prompts and project briefs you write, and any project you publish to the public Community gallery. Usage: timestamps, credit-ledger entries, request IDs for support, and basic device info (browser, OS, IP at request time) used for security and rate limiting. Billing: order ID, plan, country, and the email Lemon Squeezy passes back to us. We never see or store your card or banking details. We do not collect passwords — authentication is magic-link only.
To run the service: generate the images you ask for, store them so you can return to them, charge the right number of credits, deliver email sign-in links. To prevent abuse: rate limits, safety classification, anti-fraud signals on signups and purchases. To support you: respond to help requests, identify the right account, debug failures (the request-id we return on errors lets us pinpoint your specific session). To meet legal obligations: tax reporting via our Merchant of Record, fraud and abuse reports.
We rely on the following service providers to operate the platform. Each receives only the data necessary for its specific job and is bound by their own data-processing terms — links available on each provider's site. Cloudflare (R2 object storage — your uploads, generations, exports). Neon (Postgres database — accounts, projects, ledger). Resend (transactional email — magic-link sign-in, receipts). Google AI / Gemini (image and video generation models). Lemon Squeezy (Merchant of Record for payments — checkout, invoices, tax). Sentry (error monitoring — only when enabled and only the error event, not your image content). PostHog (anonymous product analytics — only when you accept analytics in the cookie banner; declined by default). Upstash (Redis — rate-limit counters, no PII). Trigger.dev (background job runner — job IDs and timing, no image content). Vercel (hosting and edge network). The current list reflects the production deployment; new subprocessors will be announced before they begin processing your data.
When you generate or edit, your image bytes are sent to the AI provider for that route (mainly Google Gemini for image and video). Providers process the request, return the result, and — per our contract terms with them — must not retain the image for longer than is required to deliver the response or to comply with their own legal obligations. We do NOT use your uploads or outputs to train any model — neither our own nor any third party's. Generation requests are not used as training data by us, and we select providers whose policies match this commitment.
Uploads and outputs live in Cloudflare R2 under our account; access is gated by a per-request authentication check, and direct URLs to objects are not exposed to other users. Free-tier outputs are kept for 90 days from creation, after which they may be removed to free quota. Paid-tier outputs are retained for as long as your subscription is active, plus a 30-day grace window after cancellation. Account-level records (email, ledger entries) are retained for as long as your account exists; ledger entries are also retained after deletion as required for tax and fraud-prevention purposes (typically up to 7 years).
We use a small number of essential cookies to keep you signed in (Auth.js session token), remember your language preference, and stamp every response with a request ID for support. These cannot be disabled — without them sign-in and routing don't work. We use anonymous product analytics (PostHog) ONLY if you click "Accept all" on the cookie banner; the default is essential cookies only. Analytics events never include the contents of your prompts or generated images. You can change your decision at any time by clearing the cookie-consent value in your browser; the banner will reappear on the next visit.
Regardless of your jurisdiction we offer the following: Access — your account dashboard shows everything we have linked to you, and the Export button in account settings produces a downloadable archive of your data. Erasure — the Delete account button in account settings is irreversible and removes your projects, generations, ledger references, and personal data within 30 days. Specific records (e.g. tax-relevant ledger entries) may be retained longer where law requires. Rectification — you can update your display name and email any time from settings. Objection / restriction — write to support to opt out of analytics retroactively (if you ever accepted) and to ask us to restrict any specific processing. EU/UK residents have additional rights under GDPR including the right to lodge a complaint with their local supervisory authority; California residents have rights under CCPA — write to support to exercise either.
The service is not directed at children under 16. We do not knowingly collect data from anyone below that age; if you believe we have, write to support and we'll remove the account. Contact: write to our support email (link in the footer) for any privacy question, request, or complaint — we reply to every message. Changes: we may update this Policy as the service evolves; material changes will be announced in-app or by email at least 14 days before they take effect, and the "Last updated" date at the top of this page always reflects the current version.