Privacy Policy
Last updated: 2026-06-09
This Privacy Policy describes how AI CMO ("we", "us") handles information when you use the Service. It is a disclosure of our practices, not a contract granting you rights. By using the Service you consent to the practices described below.
1. Information we collect
- Account data: your name, email address, and profile image as supplied by Google when you sign in via Google OAuth, plus an internal user ID.
- Content you submit: character briefs, text prompts, reference images, and any other data you upload to the Service.
- Outputs: images and videos generated on your behalf by third-party models, stored in object storage associated with your account.
- Billing metadata: Stripe customer and payment identifiers, credit purchase amount and timestamp, and a ledger of credit debits/credits. We do not see or store your full card number; Stripe handles that directly.
- Technical logs: IP address, user agent, request timestamps, error logs, and provider request IDs, retained for security, debugging, and fraud prevention.
2. How we use information
- To operate and provide the Service (authenticating you, routing your prompts to model providers, storing outputs, metering credits);
- To process payments and prevent fraud (including enforcing chargeback consequences described in the Terms);
- To debug, monitor, and secure the Service;
- To communicate with you about your account or material changes to the Service;
- To comply with legal obligations and respond to lawful requests.
3. Third-party sub-processors
Running the Service requires sending data to third parties. Your inputs and/or outputs may pass through any of the following providers, which act as independent controllers or sub-processors under their own terms and privacy policies:
- Google (OAuth sign-in, Gemini image model)
- GMI Cloud (Seedream image generation)
- TokenRouter (Happyhorse image-to-video generation)
- An OpenAI-compatible LLM provider configured per deployment (e.g., CoreWeave / GLM) for prompt expansion
- Cloudflare R2 (object storage for references and outputs)
- A MySQL database host of the operator's choosing
- Stripe (payments)
We do not control how these providers train their models, log requests, or apply watermarks, provenance metadata, or content filters. Review their policies before submitting sensitive data.
4. Storage and retention
Stored content (generated assets, reference images, characters) is retained as a convenience only and, as set out in the Terms of Service, may be deleted at any time after thirty (30) days from creation, without notice. You are solely responsible for promptly downloading anything you wish to keep. Account records and the credit ledger are retained for as long as your account exists and for a reasonable period afterward for tax, accounting, fraud-prevention, and legal-compliance reasons. You may delete your account from the account settings page; after deletion, residual backups and legally-required records may persist for a limited period.
5. Security
We use industry-standard technical measures including TLS in transit, credential hashing, row-level transactional integrity on the credit ledger, and scoped API credentials for providers. No system is perfectly secure; we do not guarantee security and you use the Service at your own risk.
6. No additional rights granted
Nothing in this Policy grants you any right, remedy, or claim beyond those, if any, that applicable law mandatorily imposes on us and that cannot be lawfully disclaimed. We make no representation that any particular privacy regime (including the GDPR, UK GDPR, or any state or national privacy statute) applies to us or to the Service, and we reserve all objections, including that a given law does not apply to us and that a given forum lacks jurisdiction over us. If you believe a law that actually applies to us mandatorily entitles you to make a request regarding your data, you may submit it to the contact address below; we may require proof of identity and of the law's applicability before acting, and we will respond only to the extent strictly required.
For the avoidance of doubt: we do not sell personal information, and we do not use your data for cross-context behavioral advertising. The fastest way to remove your data is to delete your account yourself from the account settings page.
7. Children
The Service is not directed to, and not available to, individuals under 18. We do not knowingly collect information from minors. If you believe a minor has provided us information, contact us for deletion.
8. International transfers
The Service and its providers are operated in various countries, including the United States. By using the Service you consent to the transfer of your information to, and processing in, jurisdictions that may have different data-protection laws than your own. If you are not comfortable with that, do not use the Service.
9. Changes
We may update this Policy at any time. Material changes take effect upon posting. Your continued use of the Service after a change constitutes acceptance.
10. Contact
Privacy questions should be directed to the contact address listed on our site or associated with your account.