Privacy Policy

Last updated: May 11, 2026

1. Information We Collect

When you use ThePhotoForge, we may collect:

  • Account information: Name, email address, and OAuth provider ID when you sign in via Google or GitHub.
  • Usage data: API calls made, credits consumed, features used, and timestamps.
  • Uploaded content: Images you upload for processing. These are stored temporarily and deleted after processing is complete.
  • Payment data: Transaction IDs and amounts. We do not store full payment card details — all payment processing is handled by Creem.io or NowPayments.
  • Log data: IP address, browser type, and request metadata for security and debugging purposes.

2. How We Use Your Information

  • To provide and improve the Service.
  • To manage your account, credits, and subscriptions.
  • To send transactional emails (receipts, credit alerts, system notices).
  • To detect and prevent abuse, fraud, and security incidents.
  • To comply with legal obligations.

We do not sell your personal data. We do not use your uploaded images to train AI models without explicit consent.

3. Data Retention

  • Uploaded images: deleted within 24 hours after processing.
  • Generated output images: stored for 30 days, then automatically deleted.
  • Account and transaction records: retained for 5 years for legal compliance.
  • Upon account deletion: personal data removed within 30 days (anonymized analytics may be retained).

4. Cookies & Tracking

We use essential session cookies for authentication. We do not use third-party advertising trackers. Optional analytics cookies (e.g., PostHog) may be used to improve the product — you can opt out via browser settings.

5. Third-Party Services

We share data only as necessary with:

  • OpenRouter / AI providers: prompts and images sent for generation.
  • Creem.io / NowPayments: payment processing.
  • Cloudflare: CDN and DDoS protection (sees your IP).
  • Neon (PostgreSQL): database hosting in AWS US West.

6. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data ("right to be forgotten").
  • Object to or restrict certain processing.
  • Export your data in a machine-readable format (data portability).

To exercise any of these rights, email [email protected]. We will respond within 30 days.

7. Data Security

We use HTTPS/TLS for all data in transit, encrypted database backups, and access controls to limit who can view your data. Despite these measures, no online service is 100% secure — please use a strong, unique password.

8. Children's Privacy

The Service is not directed to children under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy. We will notify you via email or an in-app notice at least 7 days before material changes take effect.

10. Contact

Privacy questions: [email protected]