Privacy Policy

The data controller for the processing of your personal data is:

This Privacy Policy is drafted in compliance with the EU General Data Protection Regulation (GDPR) 2016/679, the French Data Protection Act of January 6, 1978 (Loi n° 78-17 relative à l'informatique, aux fichiers et aux libertés), and the ePrivacy Directive 2002/58/EC.

2.1 Account Data (Registered Users)

When you create an account, we collect:

• Identity data: Name, email address
• Authentication data: Encrypted password, or authentication tokens from social login providers (Google, Apple, Facebook, X)
• Profile data: Profile picture (if provided via SSO)

2.2 Payment Data

When you make a purchase, the following data is processed:

• By Stripe (payment processor): Full credit card number, billing address, card expiry date. GFT does not have access to your full card number.
• By GFT: Stripe customer ID, subscription status, payment history (amounts, dates, invoice IDs), credit balance, transaction logs.

2.3 Usage Data

We collect data about your use of the Service:

• Generation data: Text prompts submitted, AI models selected, generation parameters (size, duration, resolution), generation status (success/failure/moderation), credit costs.
• Content data: Images you upload and AI-generated images and videos. These are stored on our cloud infrastructure and associated with your account.
• Project data: Project metadata, favorites, generation history.

2.4 Technical Data

• Device and browser: IP address, browser type and version, device type, operating system, screen resolution.
• Usage logs: Pages visited, features used, timestamps, error logs.

2.5 Abuse Prevention Data

To prevent abuse and enforce usage limits, we may collect technical identifiers such as IP addresses and device-level information. This data is used solely for security and fraud prevention purposes and is not used for advertising, profiling, or any other purpose.

Legitimate interest assessment: Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights. You may object to processing based on legitimate interest at any time (see Section 8).

We use your personal data for the following purposes:

• Service delivery: Processing your uploaded images through AI models, generating outputs, managing your projects and favorites.
• Account management: Creating and maintaining your account, authenticating your identity, managing sessions.
• Payment and billing: Processing subscriptions and credit purchases, managing credit balances, issuing refunds, maintaining transaction records.
• Abuse prevention: Detecting and preventing fraud, unauthorized access, multiple account abuse, and violations of our Terms of Service.
• Content moderation: Monitoring for prohibited content as described in our Terms of Service, responding to abuse reports, cooperating with law enforcement when legally required.
• Technical operations: Maintaining service availability, debugging errors, monitoring performance, ensuring security.
• Legal compliance: Responding to legal requests, complying with applicable laws and regulations, exercising or defending legal claims.

We do NOT:

• Sell your personal data to third parties;
• Use your uploaded images or generated content to train AI models;
• Use your data for targeted advertising;
• Create behavioral profiles for marketing purposes.

We share your data with the following categories of third-party processors, each acting under data processing agreements (DPAs) as required by Article 28 GDPR:

Data shared with AI providers: When you submit a generation request, the following data is transmitted to our AI model providers: your uploaded image(s), your text prompt, and generation parameters (size, duration, resolution). These providers process the data to generate output and may retain it temporarily for operational purposes. We do not transmit your name, email, or account information to AI providers.

Law enforcement: We may disclose your personal data to law enforcement authorities when required by law, court order, or to protect the safety of individuals, particularly in cases involving suspected child exploitation, non-consensual intimate imagery, or other serious crimes.

Your personal data is transferred to and processed in countries outside the European Economic Area (EEA), primarily the United States. These transfers are necessary for the performance of the Service and are protected by appropriate safeguards:

• EU-U.S. Data Privacy Framework: Where applicable, our US-based processors are certified under the EU-U.S. Data Privacy Framework (adequacy decision by the European Commission).
• Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, transfers are governed by EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
• Database: Our primary database is hosted in the EU, minimizing international transfers of core account data.

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

As a data subject under the GDPR, you have the following rights:

• Right of access (Art. 15): Obtain confirmation of whether your data is being processed and receive a copy of your personal data.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interest, including profiling.
• Right to withdraw consent (Art. 7): Where processing is based on consent, withdraw your consent at any time without affecting prior processing.
• Right to lodge a complaint: File a complaint with the French data protection authority (CNIL — Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr, or with your local supervisory authority.

To exercise your rights, contact us at support@pixone.ai. We will respond within one (1) month. In complex cases, this period may be extended by two (2) additional months, with prior notice.

We may require identity verification before processing your request to prevent unauthorized access to personal data.

The Service uses the following client-side storage technologies:

9.1 Strictly Necessary (No Consent Required)

9.2 Third-Party Cookies

Stripe may set cookies for payment fraud prevention when you interact with payment forms. These are governed by Stripe's Cookie Policy.

We do not use analytics cookies, advertising cookies, or tracking pixels. We do not use Google Analytics, Facebook Pixel, or similar tracking technologies.

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

• Encryption in transit (TLS/HTTPS) for all communications;
• Encryption at rest for database storage;
• Secure password hashing;
• Token-based authentication with expiring sessions;
• Restricted database access with connection security;
• Secure payment processing with signature verification;
• Regular security reviews and dependency updates.

While we take reasonable measures to protect your data, no system is 100% secure. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the CNIL within 72 hours in accordance with Articles 33 and 34 of the GDPR.

The Service is not intended for individuals under eighteen (18) years of age. We do not knowingly collect personal data from children under 18.

If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe we have inadvertently collected data from a minor, please contact us immediately at support@pixone.ai.

In accordance with French law (Article 7-1 of the French Data Protection Act), specific parental consent requirements apply to minors under 15. However, as our Service requires users to be 18+, these provisions are addressed by our age restriction.

The Service involves the following automated processing:

• Content moderation: AI models include automated content moderation that may reject prompts or generated content based on provider-level safety policies. This automated decision may result in generation failure and credit deduction without output.
• Abuse detection: Automated systems detect and prevent abuse (e.g., multiple account creation, free-tier circumvention). This may result in automatic restrictions on your access.

Under Article 22 of the GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects. If you believe an automated decision has been made in error, you may contact us at support@pixone.ai to request human review.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Material changes will be communicated via:

• Email notification to registered users;
• A prominent notice on the Platform;
• Updated "Last updated" date at the top of this page.

We encourage you to review this page periodically. Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

For any questions about this Privacy Policy or to exercise your data protection rights:

You also have the right to lodge a complaint with the French data protection authority: