Privacy Policy

What data we collect, why, where it lives, and how you control it.

Last updated

1. Data we collect

We collect three categories of data:

  • Account data — your name, email, OAuth provider id, profile picture URL, and the timestamp of account creation.
  • Your Content — prompts you enter, reference images you upload, generation parameters, labels, ratings, workspace metadata, and generated outputs.
  • Operational data — request logs (path, status code, latency, request id), error events, queue state, and per-event spend ledger entries (currency amount, timestamp, generation kind).

2. Why we collect it

  • To deliver the Service: authenticate you, run generations, store and serve outputs.
  • To enforce per-account spend caps so you cannot overspend.
  • To debug issues, prevent abuse, and meet our legal obligations.
  • To send transactional emails (account, billing, security). We do not send marketing email without explicit opt-in.

We do not sell your personal data, and we do not use Your Content to train any machine-learning model.

3. Third parties involved

We use the following third-party processors to operate the Service. Each is bound by a Data Processing Addendum equivalent to ours.

  • ByteDance / BytePlus — image and video generation inference.
  • An OAuth identity provider (e.g. Google) — sign-in.
  • A managed object-storage provider (or self-hosted MinIO) — image and video storage.
  • A managed database provider — Postgres for metadata.
  • A transactional-email provider — receipts, security, account notifications.
  • An infrastructure provider — hosting, logs, metrics.

4. Where data lives

By default, your account data and Your Content are stored in the same primary region as the operating entity. We may replicate backups to a secondary region for durability; backups are encrypted at rest, and access to them is limited.

If you are based in the EU and we operate the Service from outside the EU, the EU Standard Contractual Clauses apply to transfers — see the Data Processing Addendum.

5. Retention

  • Account data and Your Content are retained for the lifetime of your account.
  • After account deletion, live data is purged within 30 days; backup copies expire on the schedule documented in /security.
  • Operational logs are retained for 30 days, then aggregated and anonymized.
  • Spend-ledger entries are retained for 7 years for accounting compliance, with personal identifiers removed after the live data is purged.

6. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, restrict the processing of, or delete your personal data. The Service supports these directly:

  • Access and export — “Download my data” in account settings produces a zip of every entity row and every stored asset.
  • Correction — change your name and email in account settings.
  • Deletion — “Delete my account” in account settings starts a 72-hour cancellable countdown, after which the account and Your Content are permanently removed.
  • Object / restrict — email privacy@example.com.

7. Cookies

We use a minimal set of strictly necessary cookies (session token, active-workspace cookie, theme preference). These do not require consent. Any optional analytics or A/B-testing cookies are gated behind the cookie banner and are off by default.

8. Children

The Service is not intended for users under 16. We do not knowingly collect personal data from children. If you believe we have, please contact privacy@example.com.

9. Changes

We will post material changes to this Privacy Policy here at least 14 days before they take effect, and notify account-holders by email.

10. Contact

Questions, requests, or complaints about your data: privacy@example.com.

Questions? Email legal@example.com.

This document is provided as a starting template and has not been reviewed by counsel. Replace before going live.