Privacy Policy

Last updated: October 12, 2025

Company: Auto AI Studio LLC ("Auto AI Studio," "we," "us," or "our")

Email: pepper@autoaistudio.com

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use Auto AI Studio's websites and services, including our image-editing web application, related APIs, and support channels (collectively, the "Service").

By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

1) What we collect

We collect information that you provide directly, information collected automatically, and information from third parties.

1.1 Information you provide

Account & Profile. Name (or display name), email address, password (hashed), organization (optional), and any profile details you choose to add.

Authentication. If you sign in with Google, we receive basic account info (e.g., name, email, Google user ID) from Google OAuth to authenticate you.

Content you upload or create. Images, prompts, edits, and generated outputs you store in your account.

Support & communications. Any messages, email content, or attachments you send to support.

Billing & subscription info. We do not store your full payment card numbers. Stripe processes payments and provides us with limited billing details (e.g., last4, brand, expiration month/year, billing name, and status).

1.2 Information collected automatically

Usage data. Features you use, actions you take, pages visited, timestamps, and performance metrics.

Device & network data. IP address, browser type/version, device identifiers, operating system, language, referring/exit pages.

Cookies & similar tech. Cookies, local storage, and similar technologies to keep you signed in, store preferences, protect your account, and understand usage. See Cookies below.

1.3 Information from third parties

Identity providers. Google OAuth provides your basic account information when you connect.

Payment processor. Stripe provides non-sensitive billing metadata and payment status.

Service providers. Analytics, error monitoring, fraud prevention, hosting/CDN, database, and email providers may supply operational signals or identifiers (e.g., request IDs, error traces).

We do not knowingly collect or request information from children under 13 (or under the minimum age in your jurisdiction). If you believe a child has provided personal information, contact us and we will delete it.

2) How we use information

We use personal information to:

Provide and improve the Service. Operate core features; run AI edits; store history and downloads; provide authentication; enable routing and caching; perform maintenance and debugging.

Account and subscription management. Manage plans, usage, quotas, and payments via Stripe.

Security & abuse prevention. Detect fraud, abuse, spam, and malicious activity; protect accounts and our infrastructure.

Communications. Send transactional notices (receipts, security alerts, service updates). If you opt in, we may send product tips or announcements; you can opt out anytime.

Analytics & product research. Aggregate usage patterns to improve performance, reliability, and features.

Legal compliance. Comply with laws; respond to lawful requests; enforce our Terms of Service; handle DMCA requests.

No model training with your content (by us): We do not use your uploaded images, prompts, or outputs to train our own machine-learning models. Where a third-party AI provider is used purely to process your request, we restrict, by contract or by configuration, the provider's use of your content for its own training where such controls are available.

3) Legal bases for processing (EEA/UK only)

If you are in the EEA/UK, we process your information under these legal bases:

Contract necessity: To provide the Service and fulfill our agreement with you.

Legitimate interests: To secure and improve the Service, prevent abuse, and understand usage (balanced with your rights).

Consent: For optional cookies/marketing where required.

Legal obligation: To comply with applicable laws (tax, accounting, regulatory requests).

4) How we share information

We do not sell personal information. We share information with:

Service providers / processors. We use trusted vendors who process data on our behalf and per our instructions, including:

  • Supabase (authentication, database, storage)
  • Cloudflare (CDN, Workers, security, Workers KV)
  • Stripe (payments—card data handled by Stripe)
  • Email/notification providers (transactional messages)
  • Analytics / error monitoring (aggregate usage, reliability)
  • AI model providers (image transformation/processing for your requests; configured to avoid training on your content where controls exist)

Change of control. If we undergo a merger, acquisition, or asset sale, your information may be transferred subject to this Privacy Policy.

Legal reasons. To comply with law or valid legal process; to protect rights, property, security, or enforce our Terms; to respond to DMCA notices and counter-notices.

We require processors to use appropriate security and only process data as needed to deliver the contracted services.

5) Cookies and similar technologies

We use:

Essential cookies to keep you signed in, route traffic, and secure your session.

Functional/analytics cookies to remember preferences and measure aggregate usage.

Where required by law, we implement consent controls for non-essential cookies. You can adjust browser settings to block cookies, but the Service may not work properly.

6) Data retention

Account & profile data are retained while your account is active and for a reasonable period afterward to meet legal/operational needs (e.g., billing, dispute resolution).

Images, prompts, and outputs you store remain in your account until you delete them or your account is deleted. Some generated or cached artifacts may persist briefly in backups or logs before automated deletion.

Logs and security data are kept for a limited time necessary for security, diagnostics, fraud prevention, legal compliance, and service integrity.

Payment records are retained as required by tax and accounting laws.

We will delete or anonymize data when it is no longer needed for the purposes above, subject to legal holds.

7) Data security

We use administrative, technical, and physical safeguards to protect personal information, including encryption in transit (TLS), access controls, least-privilege practices, auditing, and network protections. No method of transmission or storage is 100% secure; if we learn of a breach affecting your personal data, we will notify you and regulators as required by law.

8) International data transfers

We are based in the United States. Your information may be transferred to and processed in the U.S. and other countries that may have different data-protection laws than your home jurisdiction. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) for transfers.

9) Your rights & choices

9.1 All users

Access, update, delete. You can access or update certain profile details in your account. You may request deletion of your account and associated content by contacting pepper@autoaistudio.com.

Email preferences. Opt out of non-essential emails via the unsubscribe link.

Cookies. Manage cookies in your browser. Where required, use our in-product controls.

9.2 EEA/UK residents

You may have rights to request access, rectification, erasure, portability, restriction, or objection to certain processing. You also have the right to lodge a complaint with your local supervisory authority. We will respond to verified requests as required by law.

9.3 California (CPRA) and U.S. state privacy laws

We do not sell personal information or share it for cross-context behavioral advertising as defined by CPRA. You may request access/know, correction, deletion, and information about disclosures.

Submit requests at pepper@autoaistudio.com. We will not discriminate against you for exercising your rights.

10) Payments

Payments are processed by Stripe. Stripe collects and processes your payment information under its own privacy policy. We receive limited billing metadata and status from Stripe and do not store full card numbers.

11) User content, AI processing & training

Your content. You control the images, prompts, and outputs stored in your account.

Processing. We process your content to run edits, store history, and deliver downloads. When required for a requested feature, content (or derivative signals) may be sent to an AI provider only to perform your requested transformation.

Model training. We do not use your content to train our own models. Where we rely on third-party AI tools, we configure and/or contract to prevent provider training on your content where such controls are available. Providers may retain limited logs for abuse detection or legal compliance—see their policies.

Public sharing. If you choose to share content publicly, that content may be visible to others and indexable by search engines.

12) Third-party links & services

The Service may link to or integrate with third-party websites and services (e.g., Google, Stripe). We are not responsible for their practices. Review their privacy policies before providing information.

13) Children's privacy

The Service is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children. If we learn a child has provided personal information, we will delete it.

14) Changes to this policy

We may update this Privacy Policy from time to time. We will post the new effective date at the top. Material changes will be highlighted in-product or via email where appropriate. Your continued use of the Service after changes means you accept the updated policy.

15) Contact us

Auto AI Studio LLC
Email: pepper@autoaistudio.com

For DMCA notices, please see the "DMCA Notice Policy" section in our Terms of Service.

16) Region-specific disclosures (summary)

United States. We comply with applicable U.S. federal and state privacy laws. For California/CPRA, see Section 9.3 above.

EEA/UK. We act as a controller for account/profile data and as a controller or processor for in-product content depending on the workflow. Transfers rely on appropriate safeguards (e.g., SCCs).

Other regions. Local rights may vary. Contact us to exercise rights available in your jurisdiction.