Personal Data Processing Policy

1. General provisions

This Policy applies to all information the Operator may obtain about users while they use the Service and the website. It applies to personal data of visitors, registered users, and customers of the Service.

Use of the Service constitutes the user unconditional consent to this Policy and the terms of processing of their personal data set out herein; if the user does not agree, they must refrain from using the Service.

2. Key terms

The following key terms are used in this Policy:

• Personal data — any information relating, directly or indirectly, to a determined or determinable natural person (the data subject);
• Processing of personal data — any operation performed with personal data, with or without automation (collection, recording, systematization, accumulation, storage, updating, use, transfer, anonymization, blocking, deletion, destruction);
• Operator — individual entrepreneur Zaruev Andrey Stanislavovich, independently organizing and carrying out the processing of personal data;
• Data subject — a user of the Service to whom the personal data relates;
• Anonymization — actions making it impossible to attribute personal data to a specific subject without additional information;
• Destruction of personal data — actions resulting in the irreversible destruction of the data.

3. Principles of processing

Processing of personal data is based on the following principles:

• processing is carried out lawfully and fairly;
• processing is limited to specific, predefined, and lawful purposes; processing incompatible with the purposes of collection is not allowed;
• databases processed for mutually incompatible purposes are not combined;
• only personal data matching the purposes of processing is processed; its content and volume are not excessive;
• accuracy, sufficiency, and relevance of personal data are ensured; measures are taken to delete or correct incomplete or inaccurate data;
• data is stored no longer than required by the purposes of processing, unless a period is set by law or contract.

4. Purposes of processing

The Operator processes personal data for the following purposes:

• user registration and account management;
• providing paid and free access to the Service, crediting and accounting of credits;
• processing payments and refunds, issuing and retaining payment documents;
• sending transactional notifications (confirmations, access recovery, payment notifications, security alerts);
• providing technical support and handling requests;
• ensuring the security of the Service and preventing fraud and abuse;
• complying with the requirements of Russian law;
• sending informational and advertising messages with the user consent.

5. Categories of subjects and personal data processed

Data subjects are website visitors, registered users, and customers of the Service. The Operator processes the following personal data:

• name or display name;
• email address;
• password (stored as a hash) and authentication data;
• IP address, device and browser information, log-in and security events;
• payment and subscription metadata (plan, status, processor identifiers, payment outcomes, refund events);
• usage data and user content (prompts and generation results).

The Operator does not process special categories of personal data (on racial or ethnic origin, political or religious views, health, etc.) or biometric personal data. The Operator does not store full payment card numbers or CVV codes — they are processed by the payment provider. The Operator also does not collect precise (GPS) geolocation data, the contents of other browser tabs, or the user's private correspondence.

Prompts, generation parameters and materials uploaded by the user are transmitted to AI model providers over a secure channel to perform the generation; prompts and generation parameters are also stored by the Operator as part of the user's generation history. Generated outputs are stored in the Service storage infrastructure. This data is deleted on account deletion and in accordance with the retention section.

6. Legal bases for processing

The legal bases for processing personal data are:

• the consent of the data subject, expressed, among other things, through use of the Service and/or payment for services;
• performance of the contract (public offer) to which the data subject is a party;
• federal laws and other regulations on personal data protection, as well as accounting and tax requirements.

7. Procedure and conditions of processing

Personal data is processed with and without automation. The Operator takes reasonable measures to protect personal data against unlawful access, destruction, alteration, blocking, copying, and distribution.

• The Operator may transfer personal data to third parties (payment providers, hosting and infrastructure providers, email providers, AI model providers) solely to the extent necessary to provide the service, under agreements ensuring confidentiality and data protection;
• cross-border transfer of personal data is carried out in compliance with the requirements of Russian law;
• personal data is not transferred to third parties in other cases except as required by law or with the subject consent; the Operator does not sell personal data.

Part of the processing is carried out in the Service's international infrastructure and through foreign AI model providers. Cross-border transfer of personal data is carried out on the basis of the data subject's consent (Part 1, Article 12 of Federal Law No. 152-FZ) and for the performance of the contract. The Operator takes reasonable organizational and technical measures to protect personal data during its transfer and processing.

8. Rights of the data subject

The data subject has the right to:

• receive information regarding the processing of their personal data;
• request correction, blocking, or destruction of personal data that is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose;
• withdraw consent to the processing of personal data;
• request deletion of their account and the associated personal data;
• appeal the Operator actions or inaction to the authorized data protection authority (Roskomnadzor) or in court.

To exercise these rights, withdraw consent, and delete data, the subject sends a request to [email protected]. The Operator may request identity verification before responding.

9. Obligations of the Operator

The Operator is obliged to:

• process personal data lawfully and fairly, for the stated purposes;
• review data subject requests and respond within the periods set by law;
• ensure the security of personal data during processing;
• stop processing and destroy personal data once the purposes are achieved, upon withdrawal of consent, or at the subject request where required by law;
• notify the authorized authority and affected subjects of incidents in the cases and timeframes set by law.

10. Security measures

The Operator applies legal, organizational, and technical measures to protect personal data, including encryption in transit, access restriction and control, logging, and provider due diligence. No system is completely secure; the Operator cannot guarantee absolute security.

If a personal-data incident is detected, the Operator notifies the authorized authority within the timeframes set by law: an initial notification within 24 hours of detecting the incident, and a notification of the results of the internal investigation within 72 hours.

11. Processing periods and termination of processing

Personal data is processed until the purposes of processing are achieved, until the subject withdraws consent, or for the periods established by law (in particular, for accounting and tax purposes). Once the purposes are achieved, upon withdrawal of consent, or at the subject request, personal data is deleted or anonymized unless otherwise required by law.

12. Final provisions

The Operator may amend this Policy. A new version takes effect upon its publication on the website unless the new version provides otherwise. The current version is permanently available on the website.

13. Operator details

Personal data operator:

• Individual entrepreneur Zaruev Andrey Stanislavovich
• OGRNIP: 311507406800062
• INN: 507462292636
• Address: Moscow Region, Podolsky District, Molodyozhny settlement, building 27, apt. 41
• Email: [email protected]
• Phone / WhatsApp: +7 495 980-20-10

The Service and international infrastructure are operated by Global Data Labs LLC, Registration no. 402363321, Tbilisi, Georgia, [email protected].