Privacy Policy

We collect personal data from you, from your use of the Services and from third parties.

The Services are not intended for users under 13 years old. If you are under the age at which you can lawfully consent to data processing in your jurisdiction, you may use the Services only with consent from a parent or legal guardian. We do not knowingly collect personal data from children under 13.

Do not upload or share sensitive personal data through the Services unless you have a lawful basis and all necessary consents. Sensitive personal data includes health information, financial account details, government identifiers, passport numbers, Singapore National Registration Identity Card numbers, biometric data, child-related information, precise geolocation and similar information. We generally do not need national identifiers to provide the Services. If we discover that sensitive personal data was uploaded without an appropriate basis, we may delete, restrict or disable access to it.

We collect, use and disclose personal data for the following purposes:

• Provide and operate the Services: create and manage accounts, authenticate users, generate and edit images, store projects, retrieve templates, provide exports, process prompts and support product features.
• Subscriptions, trials and billing: process payments through Stripe, create checkout and customer billing portal sessions, manage subscriptions, issue receipts and invoices, apply plan entitlements, process cancellations, handle failed payments, provide trial reminders where required and prevent trial abuse.
• Customer support and communications: respond to requests, send verification codes, security notices, trial-start notices, trial-end or renewal reminders where required, subscription lifecycle messages, service notices and policy updates.
• Improve and personalize the Services: understand usage, improve templates and workflows, recommend templates or features, develop new features, measure product performance and conduct aggregated analysis.
• Security, fraud prevention and abuse detection: verify accounts, detect duplicate trials, prevent spam, scraping, fraud, payment abuse, unauthorized access, policy violations, harmful content and misuse.
• Content moderation and legal compliance: detect, block, remove or report illegal, harmful, infringing or policy-violating content; respond to copyright, trademark, privacy or other rights notices and counter-notices.
• Analytics and advertising: measure traffic, usage, conversion, attribution and marketing effectiveness, including through analytics and advertising providers where permitted by law and subject to your cookie choices.
• Error monitoring and reliability: diagnose bugs, investigate crashes, monitor performance, troubleshoot incidents and improve service reliability.
• Business operations: maintain records, administer contracts, conduct audits, manage corporate governance, obtain professional advice and plan or complete financing, merger, acquisition, reorganization, sale of assets or other business transactions.
• Legal and regulatory purposes: comply with law, legal process, court orders, regulatory requests, tax and accounting obligations, enforce our Terms, protect our rights and resolve disputes.
• Other notified purposes: any other purpose that we notify to you at or before the time of collection, or for which you provide consent.

The purposes above may continue after your relationship with us ends where reasonably necessary for legal, security, billing, accounting, dispute resolution, business or compliance purposes.

We do not use your User Content to train generative AI models or foundation models by default.

We will not use your User Content for such training unless you expressly opt in or otherwise provide consent through a separate mechanism. If we introduce an optional training feature, we will explain what content may be used, the purpose of the training use and how to withdraw consent for future training use. Withdrawal will not affect processing that occurred before withdrawal, previously trained models, or aggregated, anonymized or de-identified information that no longer identifies you, except where applicable law requires otherwise.

We may use aggregated, anonymized or de-identified usage information that does not identify you to understand and improve the Services.

Where GDPR or similar laws apply, we process personal data based on:

• performance of a contract: to provide the Services, accounts, subscriptions, trials, billing and support;
• legitimate interests: to operate, improve, secure and market the Services, prevent fraud and abuse, analyze usage and enforce our rights, where those interests are not overridden by your rights;
• consent: for optional AI training, marketing communications, non-essential cookies and similar technologies where consent is required;
• legal obligations: to comply with tax, accounting, consumer protection, data protection, regulatory, law enforcement and other legal requirements; and
• legal claims: to establish, exercise or defend legal claims.

You may withdraw consent at any time where processing is based on consent. Withdrawal does not affect processing that occurred before withdrawal.

We may disclose personal data to the following categories of recipients, whether within or outside Singapore:

• Service providers and processors: cloud hosting, storage, CDN, database, infrastructure, image processing, AI model, template search, email, customer support, analytics, error monitoring, security, CAPTCHA and fraud prevention providers.
• Payment processors: Stripe and related payment, subscription, invoicing and billing portal services.
• Authentication providers: Google and other sign-in providers you choose to use.
• Analytics and advertising providers: Google Analytics, Google Ads, Mixpanel and similar providers where enabled and permitted by law.
• Professional advisors: lawyers, auditors, accountants, insurers, bankers and consultants.
• Authorities and legal parties: courts, regulators, law enforcement, government agencies, rights holders, complainants or counterparties where required or permitted by law or necessary to protect rights and safety.
• Business transaction parties: potential or actual buyers, investors, lenders, successors, affiliates or advisers in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets or similar transaction.
• With your consent or direction: third parties you authorize or integrations you choose to use.

We require service providers to process personal data only for specified purposes and to provide appropriate safeguards, subject to applicable law and contractual arrangements.

We may store and process personal data in Singapore and in other countries where we or our service providers operate. These countries may have data protection laws different from those in your jurisdiction.

Where we transfer personal data outside Singapore, we will take appropriate steps designed to ensure that the transferred data receives a standard of protection comparable to the PDPA, such as contractual data protection obligations or other legally recognized safeguards.

Where we transfer personal data from the EEA, UK or Switzerland to countries not recognized as providing adequate protection, we rely on appropriate safeguards such as Standard Contractual Clauses, the UK International Data Transfer Addendum or Agreement, transfer impact assessments, supplementary measures, adequacy decisions or other lawful transfer mechanisms where applicable.

We use cookies, local storage, pixels, SDKs and similar technologies for authentication, security, analytics, preferences, performance, advertising and payment-related purposes. Non-essential cookies and similar technologies are used only where permitted by law and subject to your consent choices where consent is required.

See our Cookie Policy for more information about the categories of cookies and how to manage preferences.

Depending on your location and applicable law, you may have rights to:

• request access to personal data we hold about you;
• request correction of inaccurate or incomplete personal data;
• request deletion of personal data, subject to legal and business retention requirements;
• request restriction of processing;
• object to processing based on legitimate interests or direct marketing;
• request portability of certain personal data;
• withdraw consent where processing is based on consent;
• opt out of marketing communications;
• opt out of sale or sharing of personal information where California law applies; and
• lodge a complaint with a data protection authority.

For Singapore users, you may request access to or correction of personal data and may withdraw consent for our collection, use or disclosure of personal data. If you withdraw consent, we will inform you of the likely consequences where required and may not be able to provide or continue providing some or all Services. If the withdrawn consent is necessary for us to perform our contract with you, we will not be liable for being unable to provide the affected Services, and our legal rights and remedies are reserved.

We will respond to access and correction requests as soon as reasonably possible. If we cannot respond within 30 days after receiving a Singapore PDPA access or correction request, we will inform you in writing within that period of the time by which we will be able to respond. If we reject an access or correction request, we will notify you as required by applicable law and take any steps required by law, such as preserving withheld personal data for the applicable period or annotating disputed correction requests.

For California users, we do not sell personal information for money. We do not share personal information for cross-context behavioral advertising unless we provide required notices and opt-out mechanisms. If required, we will honor Global Privacy Control signals as valid opt-out requests.

To exercise rights, contact [email protected]. We may verify your identity before responding.

We may send you service-related messages, security notices, billing messages, trial and renewal notices, support responses and other transactional communications. These are not marketing messages and you may not be able to opt out while using the Services.

We may send marketing communications where permitted by law or with consent where required. You may opt out by using unsubscribe links or contacting us. Opting out of marketing does not affect transactional or service-related messages.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or for a legal or business purpose, including providing the Services, maintaining security, complying with tax and accounting obligations, resolving disputes and enforcing agreements.

Our ordinary reference retention periods are:

We may retain data longer where necessary for legal claims, investigations, regulatory obligations, security incidents, fraud prevention, tax, accounting or other legitimate business purposes. When personal data is no longer needed, we will delete it, anonymize it or otherwise handle it according to applicable law.

We use reasonable administrative, technical and organizational safeguards designed to protect personal data from unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. These safeguards may include access controls, encryption in transit, secure cloud infrastructure, monitoring, logging, incident response processes, vendor review and internal access restrictions.

No internet, cloud, payment or AI service is completely secure. We cannot guarantee absolute security. You are responsible for keeping your credentials confidential and notifying us promptly of suspected unauthorized access.

Where required by law, we will notify affected individuals and authorities of data breaches that meet applicable notification thresholds.

The Services may link to or integrate with third-party websites, services, platforms or providers. Their privacy practices are governed by their own policies, not this Policy. This includes Stripe checkout and billing portal pages, Google sign-in, analytics providers, AI model providers and other third-party services.

We encourage you to review third-party privacy notices before providing information to them.

We may update this Policy from time to time. We will post the updated Policy with a revised "Last Updated" date. Where changes are material, we will provide reasonable notice by email, in-product notice or other appropriate means.

If a change requires consent under applicable law, we will seek consent as required. Continued use of the Services after the effective date of an updated Policy may indicate acknowledgement of the updated Policy, subject to applicable law.

If you have questions, requests or concerns about this Policy or our data practices, please contact us:

• Email: [email protected]
• Data Protection Officer contact: [email protected]

This is the public business contact information for the individual or team responsible for our PDPA compliance.