Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

ArtEmotion, Inc.
Email: privacy@artemotion.ai
For UK-specific enquiries or to contact our UK representative, use the same email with subject line "UK GDPR Enquiry."

If you are located in the European Economic Area (EEA) or United Kingdom and have questions about how we process your personal data, or wish to exercise your data subject rights, contact us at privacy@artemotion.ai.

2. Information We Collect

Information you provide directly

• Account data: Name, email address, and password (hashed; we never store plain-text passwords).
• Payment information: Billing details are processed and stored by Stripe, Inc. We receive only a customer ID and masked card information. We do not store raw card numbers.
• Content you create: Text prompts, reference images, uploaded files, configuration settings, and AI-generated outputs ("Outputs").
• Communications: Messages you send to our support team and any feedback you submit.

Please do not submit confidential, sensitive, biometric, or unlicensed proprietary information through the Service.

Information from social sign-in providers (OAuth)

If you choose to sign in using a third-party OAuth provider, we receive the following data from that provider. Each provider is an independent data controller for its own processing of your information.

• Google: We receive your Google account ID (a numeric identifier), your verified email address (only if marked as verified by Google), and your given name or display name. We do not receive your Google password or payment information. Governed by Google's Privacy Policy.
• Discord: We receive your Discord user ID, your verified email address (only if the "verified" flag is true in Discord's API response), your global display name, and your username. We do not receive your Discord password or message history. Governed by Discord's Privacy Policy.
• GitHub: We receive your GitHub user ID, your primary verified email address (fetched from GitHub's emails API — only addresses marked both primary and verified are used), and your display name or username. We do not receive your GitHub password or repository contents. Governed by GitHub's Privacy Policy.

In all cases, unverified email addresses are never used for account linking to prevent account-takeover attacks. You may revoke ArtEmotion's access to any provider at any time in that provider's connected-applications settings.

Information collected automatically

• Usage data: Pages visited, features used, generation history, model selections, and interaction patterns.
• Device & technical data: Browser type, operating system, IP address, and device identifiers.
• Session cookies: We use a single, HttpOnly, Secure, SameSite=Lax session cookie to maintain your signed-in session. We do not use persistent tracking cookies or third-party advertising cookies.

3. Legal Bases for Processing (GDPR / UK GDPR)

For users in the EEA or UK, every processing activity has a specific legal basis under Article 6 GDPR / UK GDPR. The table below sets out the main activities and their bases.

• Contract performance (Art. 6(1)(b)): Creating and managing your account; processing payments and managing your credit balance; delivering AI-generation results; enabling social sign-in.
• Legitimate interests (Art. 6(1)(f)): Preventing fraud, abuse, and security incidents; improving the reliability and quality of the Service; maintaining audit logs; enforcing our Terms of Use. Our legitimate interests do not override your fundamental rights.
• Legal obligation (Art. 6(1)(c)): Retaining transaction records for tax and accounting purposes; responding to lawful requests from public authorities.
• Consent (Art. 6(1)(a)): Sending marketing or promotional communications (you may withdraw consent at any time); enabling adult content features (explicit opt-in required at sign-up or in account settings).

Where we rely on legitimate interests, you have the right to object to that processing (see Section 9). Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

4. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Service
• Process payments and manage your account and credit balance
• Authenticate your identity via email/password or OAuth providers
• Personalize your experience and remember your preferences
• Send transactional communications (receipts, generation notifications, account security alerts)
• Send marketing communications — only with your consent, and you may opt out at any time
• Detect, investigate, and prevent fraud, abuse, and security incidents
• Comply with legal obligations and enforce our Terms of Use
• Use aggregated or anonymized data to improve our AI systems — we do not use your specific, identifiable prompts or outputs to train models sold or licensed to third parties without your explicit consent

5. How We Share Your Information

We do not sell your personal information. We share it only in the following circumstances:

• AI model providers — fal.ai: Prompts, images, and other generation inputs are transmitted to fal.ai to fulfill your requests. fal.ai acts as a data processor on our behalf and processes data under data processing agreements. fal.ai has its own privacy policy governing its infrastructure.
• Payment processor — Stripe, Inc.: All payment transactions are processed by Stripe. Your payment data is subject to Stripe's Privacy Policy. Stripe is PCI-DSS certified.
• Media storage — Cloudinary: Generated images and videos may be uploaded to Cloudinary for persistent storage and delivery. Cloudinary processes data on our behalf under a data processing agreement.
• OAuth providers — Google, Discord, GitHub: When you use social sign-in, your browser communicates with the selected provider to authenticate you. Each provider receives only the data necessary to verify your identity in accordance with the OAuth 2.0 protocol.
• Legal requirements: We may disclose information when required by law, court order, or government request, or to protect the rights and safety of our users or the public.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections.

6. International Data Transfers

ArtEmotion, Inc. is based in the United States. If you access the Service from the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States, which the European Commission has not designated as providing an adequate level of data protection.

We rely on the following transfer mechanisms to ensure your data receives appropriate protection:

• Standard Contractual Clauses (SCCs): Our agreements with sub-processors (including fal.ai and Cloudinary) incorporate the European Commission's standard contractual clauses (2021/914/EU), where applicable.
• EU-U.S. Data Privacy Framework: Where sub-processors participate in the EU-U.S. Data Privacy Framework, we rely on that certification as a supplementary transfer mechanism.
• UK IDTA / Addendum: For transfers of UK personal data, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, as applicable.

You may request a copy of the safeguards we have put in place for international transfers by contacting us at privacy@artemotion.ai.

7. Your Content & AI Training

You retain ownership of your Inputs and Outputs. We use your content solely to operate and deliver the Service. We may use aggregated, de-identified data to evaluate and improve model quality. We will not use your specific, identifiable prompts or outputs to train models that are sold or licensed to third parties without your explicit, opt-in consent.

Your generated content is stored in your account and is not publicly visible to other users unless you explicitly share it. You may delete individual generations from your library at any time.

8. Data Retention

We retain personal data for the following periods:

• Account data: For as long as your account is active, plus 90 days after account closure.
• Generated content: Retained until you delete it. Deleted content is purged from active servers within 30 days and from backups within 90 days.
• Transaction records: Retained for 7 years to comply with tax and accounting obligations.
• Server and security logs: Retained for up to 12 months for security monitoring and fraud prevention.
• Inactivity: Accounts inactive for 24 consecutive months may be subject to a data minimization process; we will notify you before taking any action.

When retention periods expire, data is securely deleted or irreversibly anonymized.

9. Your Rights

Depending on your jurisdiction, you have the following rights with respect to your personal data. EEA and UK residents have all of these rights under GDPR / UK GDPR:

• Right of access (Art. 15): Request a copy of the personal data we hold about you, including information about how it is processed.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (where processing is based on consent or contract and carried out by automated means).
• Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Rights related to automated decision-making (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects. If this changes, you will be informed and given the right to human review.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@artemotion.ai. We will respond within 30 days (or within 1 month under GDPR, with the possibility of a 2-month extension for complex requests, with notice). We may need to verify your identity before fulfilling a request.

EEA/UK residents: If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, the relevant authority is the DPA of the EU member state where you habitually reside, work, or where the alleged infringement took place. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies

We use the following types of cookies:

• Strictly necessary cookies: A single, HttpOnly, Secure session cookie (__fal_token) to keep you signed in. This cookie cannot be disabled without breaking the Service. No consent is required for strictly necessary cookies under ePrivacy rules.
• OAuth state cookies: Short-lived cookies used during the OAuth sign-in flow to prevent CSRF attacks and verify the authorization code (PKCE). These are automatically deleted once sign-in completes.

We do not use advertising cookies, third-party tracking cookies, or persistent analytics cookies that identify individuals. If we add optional analytics or marketing cookies in the future, we will obtain your consent before setting them.

You can control or delete cookies through your browser settings. Blocking the session cookie will prevent you from signing in.

11. Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

• Encryption in transit via TLS/HTTPS and at rest for sensitive data fields
• Password hashing using bcrypt (passwords are never stored in plain text)
• HMAC-signed session tokens with short TTLs
• CSRF protection on all authentication flows
• PKCE (Proof Key for Code Exchange) on OAuth flows that support it
• Access controls and role-based permissions for internal systems
• Regular security reviews

No internet transmission is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR Art. 33) and, where required, affected individuals without undue delay.

12. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe we have collected data from a minor, please contact us at privacy@artemotion.ai.

13. California Residents (CCPA / CPRA)

California residents have the following additional rights:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete: Request deletion of your personal information, subject to exceptions.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale or sharing: We do not sell personal information and do not share it for cross-context behavioral advertising.
• Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond those permitted by CPRA.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a California privacy request, contact us at privacy@artemotion.ai or write to us at the address above. We will verify your identity before processing the request and respond within 45 days (extendable by a further 45 days with notice).

14. Third-Party Links

The Service may contain links to third-party websites (including the OAuth providers listed above). We are not responsible for the privacy practices of those sites and encourage you to review their policies before sharing any information with them.

15. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or prominent notice on the Service at least 30 days before the change takes effect (or immediately where required by law). Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to the changes, please close your account before the effective date.

16. Contact Us

For privacy questions, data access requests, or to close your account, contact us at privacy@artemotion.ai.

For legal notices, contact us at legal@artemotion.ai.