Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

ArtEmotion, Inc.
Colombia
Email: privacy@artemotion.ai
For UK-specific enquiries or to contact our UK representative, use the same email with subject line "UK GDPR Enquiry."

If you are located in the European Economic Area (EEA) or United Kingdom and have questions about how we process your personal data, or wish to exercise your data subject rights, contact us at privacy@artemotion.ai.

Data Protection Officer (GDPR Art. 37): We have assessed our processing activities and determined that we are not currently required to appoint a Data Protection Officer under GDPR Art. 37. Privacy inquiries and data subject rights requests should be directed to privacy@artemotion.ai. We will update this section promptly if our circumstances change and a DPO appointment becomes required or voluntary.

EU Representative (GDPR Art. 27): As a company not established in the EU that offers services to EEA data subjects, we are required to designate an EU representative. We are in the process of appointing one; in the interim, you may direct all GDPR enquiries to privacy@artemotion.ai and we will respond within the statutory timeframes. We will update this section once our representative is appointed.

2. Information We Collect

Information you provide directly

• Account data: Name, email address, and password (hashed; we never store plain-text passwords).
• Payment information: Billing details are processed and stored by Stripe, Inc. We receive only a customer ID and masked card information. We do not store raw card numbers.
• Content you create: Text prompts, reference images, uploaded files, configuration settings, and AI-generated outputs ("Outputs").
• Communications: Messages you send to our support team and any feedback you submit.

Please do not submit confidential, sensitive, biometric, or unlicensed proprietary information through the Service.

Information from social sign-in providers (OAuth)

If you choose to sign in using a third-party OAuth provider, we receive the following data from that provider. Each provider is an independent data controller for its own processing of your information.

• Google: We receive your Google account ID (a numeric identifier), your verified email address (only if marked as verified by Google), and your given name or display name. We do not receive your Google password or payment information. Governed by Google's Privacy Policy.
• Discord: We receive your Discord user ID, your verified email address (only if the "verified" flag is true in Discord's API response), your global display name, and your username. We do not receive your Discord password or message history. Governed by Discord's Privacy Policy.
• GitHub: We receive your GitHub user ID, your primary verified email address (fetched from GitHub's emails API — only addresses marked both primary and verified are used), and your display name or username. We do not receive your GitHub password or repository contents. Governed by GitHub's Privacy Policy.

In all cases, unverified email addresses are never used for account linking to prevent account-takeover attacks. You may revoke ArtEmotion's access to any provider at any time in that provider's connected-applications settings.

Information collected automatically

• Usage data: Pages visited, features used, generation history, model selections, and interaction patterns.
• Device & technical data: Browser type, operating system, IP address, and device identifiers.
• Session cookies: We use a single, HttpOnly, Secure, SameSite=Lax session cookie to maintain your signed-in session. We do not use persistent tracking cookies or third-party advertising cookies.

3. Legal Bases for Processing (GDPR / UK GDPR)

For users in the EEA or UK, every processing activity has a specific legal basis under Article 6 GDPR / UK GDPR. The table below sets out the main activities and their bases.

• Contract performance (Art. 6(1)(b)): Creating and managing your account; processing payments and managing your credit balance; delivering AI-generation results; enabling social sign-in.
• Legitimate interests (Art. 6(1)(f)): Preventing fraud, abuse, and security incidents; improving the reliability and quality of the Service; maintaining audit logs; enforcing our Terms of Use. Our legitimate interests do not override your fundamental rights.
• Legal obligation (Art. 6(1)(c)): Retaining transaction records for tax and accounting purposes; responding to lawful requests from public authorities.
• Consent (Art. 6(1)(a)): Sending marketing or promotional communications (you may withdraw consent at any time); enabling adult content features (explicit opt-in required at sign-up or in account settings).

Where we rely on legitimate interests, you have the right to object to that processing (see Section 9). Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

4. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Service
• Process payments and manage your account and credit balance
• Authenticate your identity via email/password or OAuth providers
• Personalize your experience and remember your preferences
• Send transactional communications (receipts, generation notifications, account security alerts)
• Send marketing communications — only with your consent, and you may opt out at any time
• Detect, investigate, and prevent fraud, abuse, and security incidents
• Comply with legal obligations and enforce our Terms of Use
• Use aggregated or anonymized data to improve our AI systems — we do not use your specific, identifiable prompts or outputs to train models sold or licensed to third parties without your explicit consent

5. How We Share Your Information

We do not sell your personal information. We share it only in the following circumstances:

• AI model providers — fal.ai: Prompts, images, and other generation inputs are transmitted to fal.ai to fulfill your requests. fal.ai acts as a data processor on our behalf and processes data under data processing agreements. fal.ai has its own privacy policy governing its infrastructure.
• Payment processor — Stripe, Inc.: All payment transactions are processed by Stripe. Your payment data is subject to Stripe's Privacy Policy. Stripe is PCI-DSS certified.
• Media storage — Cloudinary: Generated images and videos may be uploaded to Cloudinary for persistent storage and delivery. Cloudinary processes data on our behalf under a data processing agreement.
• Transactional email — Resend: We use Resend to deliver transactional emails (account notifications, receipts, security alerts). Resend processes your email address on our behalf as a data processor under a data processing agreement.
• OAuth providers — Google, Discord, GitHub: When you use social sign-in, your browser communicates with the selected provider to authenticate you. Each provider receives only the data necessary to verify your identity in accordance with the OAuth 2.0 protocol.
• Legal requirements: We may disclose information when required by law, court order, or government request, or to protect the rights and safety of our users or the public.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to the same privacy protections. We will notify you by email or prominent in-app notice before such a transfer completes, so you have the opportunity to close your account if you do not wish your data to be transferred.

6. International Data Transfers

ArtEmotion, Inc. is currently based in Colombia. If you access the Service from the EEA, UK, or Switzerland, your personal data will be transferred to and processed outside the European Economic Area, which may not provide the same level of data protection as your home country.

We rely on the following transfer mechanisms to ensure your data receives appropriate protection:

• Standard Contractual Clauses (SCCs): Our agreements with sub-processors (including fal.ai and Cloudinary) incorporate the European Commission's standard contractual clauses (2021/914/EU), where applicable.
• EU-U.S. Data Privacy Framework: Where sub-processors participate in the EU-U.S. Data Privacy Framework, we rely on that certification as a supplementary transfer mechanism.
• UK IDTA / Addendum: For transfers of UK personal data, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, as applicable.

Switzerland: For users in Switzerland, data transfers are governed by the revised Federal Act on Data Protection (revFADP / nFADP, in force September 2023). We rely on the standard data protection clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) or equivalent safeguards for transfers of Swiss personal data to the United States.

You may request a copy of the safeguards we have put in place for international transfers by contacting us at privacy@artemotion.ai.

7. Your Content & AI Training

You retain ownership of your Inputs and Outputs. We use your content solely to operate and deliver the Service. We may use aggregated, de-identified data to evaluate and improve model quality. We will not use your specific, identifiable prompts or outputs to train models that are sold or licensed to third parties without your explicit, opt-in consent.

Your generated content is stored in your account and is not publicly visible to other users unless you explicitly share it. You may delete individual generations from your library at any time.

EU AI Act (Regulation 2024/1689): Where required under EU AI Act Art. 50, AI-generated or AI-manipulated content — particularly synthetic media (deepfakes) depicting real, identifiable persons — must be disclosed as machine-generated when published or shared publicly. We label AI-generated outputs within the Service. You are independently responsible for making any disclosures required by applicable law when you distribute such content outside the Service.

8. Data Retention

We retain personal data for the following periods:

• Account data: For as long as your account is active, plus 90 days after account closure.
• Generated content: Retained until you delete it. Deleted content is purged from active servers within 30 days and from backups within 90 days.
• Transaction records: Retained for 7 years to comply with tax and accounting obligations.
• Server and security logs: Retained for up to 12 months for security monitoring and fraud prevention.
• Inactivity: Accounts inactive for 24 consecutive months may be subject to a data minimization process; we will notify you before taking any action.

When retention periods expire, data is securely deleted or irreversibly anonymized.

9. Your Rights

Depending on your jurisdiction, you have the following rights with respect to your personal data. EEA and UK residents have all of these rights under GDPR / UK GDPR:

• Right of access (Art. 15): Request a copy of the personal data we hold about you, including information about how it is processed.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure / "right to be forgotten" (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (where processing is based on consent or contract and carried out by automated means).
• Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
• Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.
• Rights related to automated decision-making (Art. 22): We do not make solely automated decisions that produce legal or similarly significant effects. If this changes, you will be informed and given the right to human review.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@artemotion.ai. We will respond within 1 month (extendable to 3 months for complex or numerous requests — we will notify you of any extension within the first month). We may need to verify your identity before fulfilling a request.

EEA/UK residents: If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. In the EU, the relevant authority is the DPA of the EU member state where you habitually reside, work, or where the alleged infringement took place. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

10. Cookies

We use the following types of cookies:

• Strictly necessary cookies: A single, HttpOnly, Secure session cookie (__fal_token) to keep you signed in. This cookie cannot be disabled without breaking the Service. No consent is required for strictly necessary cookies under ePrivacy rules.
• OAuth state & pending-auth cookies: Short-lived cookies (__fal_pendingand OAuth state tokens) used during the sign-in flow to prevent CSRF attacks, carry PKCE verifiers, and hold the pending session for new users completing age verification. These are automatically deleted once sign-in or the pending flow completes.

We do not use advertising cookies, third-party tracking cookies, or persistent analytics cookies that identify individuals. If we add optional analytics or marketing cookies in the future, we will obtain your consent before setting them.

Do Not Track (DNT): Some browsers transmit a "Do Not Track" signal. We currently do not alter our data practices in response to DNT signals, as there is no agreed-upon industry standard for how to interpret them. If a standard is established, we will revisit this position and update this Policy accordingly.

You can control or delete cookies through your browser settings. Blocking the session cookie will prevent you from signing in.

11. Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

• Encryption in transit via TLS/HTTPS and at rest for sensitive data fields
• Password hashing using bcrypt (passwords are never stored in plain text)
• HMAC-signed session tokens with short TTLs
• CSRF protection on all authentication flows
• PKCE (Proof Key for Code Exchange) on OAuth flows that support it
• Access controls and role-based permissions for internal systems
• Regular security reviews

No internet transmission is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR Art. 33) and, where required, affected individuals without undue delay.

12. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly. If you believe we have collected data from a minor, please contact us at privacy@artemotion.ai.

13. California Residents (CCPA / CPRA)

California residents have the following additional rights:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete: Request deletion of your personal information, subject to exceptions.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale or sharing: We do not sell personal information and do not share it for cross-context behavioral advertising. We also do not share personal information with third parties for their own direct marketing purposes (California Shine the Light, Cal. Civ. Code §1798.83).
• Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond those permitted by CPRA.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a California privacy request, contact us at privacy@artemotion.ai. We will verify your identity before processing the request and respond within 45 days (extendable by a further 45 days with notice).

14. Brazilian Residents (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados Pessoais (LGPD — Law No. 13.709/2018). These include the right to:

• Confirmation and access: Confirm whether we process your personal data and request access to it.
• Correction: Request correction of incomplete, inaccurate, or outdated data.
• Anonymization, blocking, or deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD.
• Portability: Request portability of your personal data to another service or product provider, subject to ANPD regulations.
• Deletion of consented data: Request deletion of personal data processed on the basis of your consent.
• Information about sharing: Obtain information about public and private entities with whom we have shared your data.
• Objection: Object to processing activities carried out on grounds other than consent, where processing does not comply with the LGPD.
• Withdrawal of consent: Withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise your LGPD rights, contact us at privacy@artemotion.ai. We will respond within 15 days as required by law. You may also file a complaint with Brazil's national data protection authority, the ANPD (Autoridade Nacional de Proteção de Dados), at gov.br/anpd.

15. Canadian Residents (PIPEDA / Québec Law 25)

If you are located in Canada, your personal information is processed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for residents of Québec, the Act respecting the protection of personal information in the private sector (Law 25 / Bill 64, in force September 2023).

Canadian residents have the right to:

• Access: Request access to the personal information we hold about you and how it is used.
• Correction: Request correction of inaccurate personal information.
• Withdrawal of consent: Withdraw consent to our use of your personal information, subject to legal or contractual restrictions and reasonable notice.
• Portability (Québec): Québec residents may request that personal information collected by technological means be communicated to them or to a third party in a structured, commonly used technological format.
• Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca, or with the Commission d'accès à l'information (CAI) for Québec residents at cai.gouv.qc.ca.

Email marketing (CASL): If you are located in Canada, we will only send you commercial electronic messages (CEMs) with your express or implied consent, as required by Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23). Every marketing email includes an unsubscribe mechanism. Transactional emails (receipts, security alerts, account notices) do not require consent under CASL and are sent regardless of marketing preferences.

To exercise these rights, contact us at privacy@artemotion.ai.

16. Colombian Users (Ley 1581 de 2012)

ArtEmotion, Inc. is headquartered in Colombia and processes personal data in compliance with Colombia's data protection framework, principally Ley Estatutaria 1581 de 2012 and its implementing Decree 1377 de 2013. Colombian users have the right to:

• Know: Be informed whether their personal data is being processed and for what purposes.
• Access: Request a copy of the personal data we hold about them.
• Update and correct: Request correction of incomplete, inaccurate, or outdated data.
• Deletion: Request deletion of personal data when processing violates Ley 1581 or the authorization granted, subject to legal retention obligations.
• Proof of authorization: Request evidence of the authorization given for processing their personal data.
• Revoke consent: Withdraw consent to processing where consent is the legal basis, subject to legal or contractual obligations.
• Complaint: File a complaint with the Superintendencia de Industria y Comercio (SIC) — Colombia's data protection authority — at sic.gov.co.

To exercise these rights, contact us at privacy@artemotion.ai.

17. Third-Party Links

The Service may contain links to third-party websites (including the OAuth providers listed above). We are not responsible for the privacy practices of those sites and encourage you to review their policies before sharing any information with them.

18. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or prominent notice on the Service at least 30 days before the change takes effect (or immediately where required by law). Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree to the changes, please close your account before the effective date.

19. Contact Us

For privacy questions, data access requests, or to close your account, contact us at privacy@artemotion.ai.

For legal notices, contact us at legal@artemotion.ai.