Privacy Policy

Last updated: December 24, 2025

1. Introduction

We take the protection of your personal data very seriously. This privacy policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR/DSGVO) and the German Federal Data Protection Act (BDSG).

This privacy policy applies to all services offered by Harshil Agrawal (operating as Images AI) through our website and applications.

2. Controller Information

Data Controller:

Harshil Agrawal

Operating as: Images AI

Helene-Jacobs-Str.

14199 Berlin, Germany

Email: hey@harshil.dev

For complete legal information, please see our Impressum.

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Email address
  • Password (encrypted and hashed)
  • Account creation date

Legal Basis: Article 6(1)(b) GDPR - Performance of contract

3.2 Usage Data

When you use our AI image generation services, we collect:

  • Text prompts submitted for image generation
  • Image generation settings and parameters
  • Generated images (stored in encrypted cloud storage)
  • Edit history and modifications
  • Credit usage and subscription tier

Legal Basis: Article 6(1)(b) GDPR - Performance of contract

3.3 Payment Information

When you subscribe to a paid plan, we collect payment information through our payment processor Stripe:

  • Billing name and address
  • Payment method details (processed by Stripe, not stored by us)
  • Transaction history
  • Subscription status

Legal Basis: Article 6(1)(b) GDPR - Performance of contract

3.4 Session and Authentication Data

We use cookies for authentication and session management:

  • Session cookies (essential for login functionality)
  • Login timestamps
  • Device information (browser type, operating system)

Legal Basis: Article 6(1)(b) GDPR - Performance of contract

⚠️3.5 Biometric Data Warning

Important: If you upload images containing faces for editing, these images may be classified as biometric data under Article 9 GDPR, which requires special protection.

By uploading images with faces, you explicitly consent to the processing of this biometric data for the purpose of AI-powered image editing. We process this data through our third-party AI provider Replicate (see section 4.1).

Legal Basis: Article 9(2)(a) GDPR - Explicit consent for biometric data processing

4. Third-Party Processors

We work with trusted third-party service providers to operate our service. All processors are bound by Data Processing Agreements (DPAs) and, where applicable, Standard Contractual Clauses (SCCs) for international data transfers.

4.1 Replicate AI (USA)

Purpose: AI image generation and editing

Data Processed: Text prompts, uploaded images, generation parameters

Location: United States

International Transfer: Standard Contractual Clauses (SCCs) under Article 46 GDPR

Data is transmitted to Replicate's servers in the USA for processing. We route all requests through Cloudflare AI Gateway for enhanced security and caching.

4.2 Cloudflare (Multi-Region)

Purpose: Infrastructure, hosting, content delivery, storage

Data Processed: All application data, generated images, user sessions

Services Used: Cloudflare Workers (compute), D1 Database (database), R2 Storage (file storage), AI Gateway (API routing)

Location: EU and worldwide (data residency configurable)

Cloudflare is GDPR-compliant and certified under ISO 27001, SOC 2 Type II.

4.3 Stripe (USA/EU)

Purpose: Payment processing, subscription management

Data Processed: Billing information, payment methods, transaction history

Location: European Union and United States

International Transfer: Standard Contractual Clauses (SCCs) where applicable

Stripe is PCI DSS Level 1 certified and GDPR-compliant. Payment card details are processed directly by Stripe and never stored on our servers.

4.4 Better Auth

Purpose: Authentication and session management

Data Processed: Email addresses, password hashes, session tokens

Location: Data stored in our Cloudflare D1 database (EU)

Better Auth is an open-source authentication library. All authentication data remains in our control within the EU.

5. Purpose of Data Processing

We process your personal data for the following purposes:

  • To provide and maintain our AI image generation service
  • To manage your account and authentication
  • To process payments and manage subscriptions
  • To store and display your generated images
  • To provide customer support
  • To comply with legal obligations
  • To improve our services and develop new features

6. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

  • Account data: Retained while your account is active and for 30 days after account deletion
  • Generated images: Retained while your account is active; deleted within 30 days of account deletion
  • Payment records: Retained for 10 years to comply with German tax law (§ 147 AO)
  • Session data: Deleted after session expiry (typically 30 days)

7. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved contracts ensuring GDPR-level protection (Article 46 GDPR)
  • Adequacy Decisions: Transfers to countries with adequate protection recognized by the EU Commission

For transfers to the USA (Replicate, Stripe), we use Standard Contractual Clauses and additional safeguards to ensure your data is protected.

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

Right to Access (Article 15 GDPR)

You can request a copy of all personal data we hold about you.

Right to Rectification (Article 16 GDPR)

You can request correction of inaccurate or incomplete personal data.

Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)

You can request deletion of your personal data when it's no longer needed or if you withdraw consent. Note: Some data may be retained for legal compliance.

Right to Data Portability (Article 20 GDPR)

You can request your data in a structured, machine-readable format for transfer to another service.

Right to Object (Article 21 GDPR)

You can object to processing based on legitimate interests or for direct marketing purposes.

Right to Restriction of Processing (Article 18 GDPR)

You can request limitation of processing in certain circumstances.

Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, please contact us at hey@harshil.dev. We will respond within 30 days.

9. Cookies and Tracking

We use cookies for essential functionality and to improve your experience. For detailed information about the cookies we use, please see our Cookie Policy.

Essential cookies: Required for authentication and session management (no consent required under GDPR).

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Password hashing using industry-standard algorithms
  • Regular security audits and updates
  • Access controls and authentication
  • Secure cloud infrastructure (Cloudflare, ISO 27001 certified)
  • Data backup and disaster recovery procedures

11. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.

12. AI Transparency (EU AI Act)

In accordance with the EU AI Act transparency obligations:

  • All images on our platform are generated or edited using artificial intelligence
  • We use state-of-the-art AI models provided by third-party AI services (Replicate)
  • AI-generated content is clearly labeled throughout the application
  • You retain full ownership of images you generate with our AI systems

13. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by email or through a notice on our website. The "Last Updated" date at the top indicates when this policy was last revised.

14. Contact Information

For any questions or concerns about this privacy policy or our data practices, please contact us:

Email: hey@harshil.dev

Postal Address:

Harshil Agrawal

Helene-Jacobs-Str.

14199 Berlin, Germany

15. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.

For Germany, the federal data protection authority is:

Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)

Graurheindorfer Str. 153

53117 Bonn, Germany

Website: www.bfdi.bund.de