Privacy Policy
Last updated: May 30, 2026
1. Who We Are (Data Controller)
The data controller responsible for the processing of your personal data is PixenLabs, with its registered office in Barcelona, Spain. We are the company that operates the PixenLabs platform.
Barcelona, Spain
General contact: info@pixenlabs.io
Privacy and data-protection enquiries: info@pixenlabs.io
You may direct any privacy-related question to the email above and we will respond promptly.
2. Scope and Acceptance
This Policy applies to personal data we collect when you visit our website at pixenlabs.io, register for an account, use the Services, contact our support team, or interact with us through any official channel. It does not apply to third-party websites or services that we link to but do not control.
If you do not agree with this Policy, please do not use the Services. If you have already created an account, you may close it at any time as described in Section 11.
3. Personal Data We Collect
3.1 Information You Provide to Us
- Account data: full name, email address, password (stored as a hash, never in plain text), and profile picture or avatar.
- Profile and preferences: language, theme, interface settings, onboarding answers.
- Billing data: billing name and address, country, VAT number (for business customers), and the limited card information returned by our payment processor (last four digits, card brand, expiry — we never receive or store the full card number).
- Subscription state: current plan, renewal date, plan-change history, credit balance, credit grant and consumption ledger.
- Content you create: prompts, parameters, workflow configurations, uploaded images and videos, brand identity inputs, chat conversations, generated AI outputs, library assets, and any other material you submit to the Services.
- Organisation data (if applicable): company name, team-member invitations, role assignments, and member activity within your organisation.
- Communications: messages you send to our support team, feedback you submit, and your responses to surveys or interviews.
- Consent records: the Terms and Privacy Policy version you accepted, and the timestamp of acceptance.
3.2 Information Collected Automatically
- Log data: IP address, request URLs and methods, response codes, timestamps, browser type and version, operating system, device type, and screen resolution.
- Usage data: features used, generations triggered, credit consumption events, error events, response times, and other product-telemetry signals required to operate and improve the Services.
- Cookies, local-storage and session-storage values: see our Cookie Policy for the full inventory and your control options.
3.3 Information from Third Parties
- Authentication providers: if you sign in with Google, we receive your name, email address, and Google account identifier (Google does not act as an AI provider for the Services — it is only used for authentication when you choose this option).
- Payment processor: Stripe sends us payment status, subscription state, invoice identifiers, and limited customer metadata so we can keep your subscription and credit balance synchronised.
4. Legal Bases for Processing (GDPR Article 6)
We process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): to create and maintain your account, deliver the Services you request, process payments, and provide customer support.
- Legitimate interests (Art. 6(1)(f)): to keep the Services secure, prevent fraud and abuse, monitor system performance, conduct internal analytics, and develop new features. We balance these interests against your rights and freedoms and will not process data this way where your rights override our interests.
- Compliance with legal obligations (Art. 6(1)(c)): to meet our obligations under tax, accounting, consumer-protection, anti-money-laundering, and data-protection law.
- Consent (Art. 6(1)(a)): for activities that require your explicit consent, including non-essential cookies and optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out beforehand.
5. How We Use Your Personal Data
- Provide, maintain, and improve the Services.
- Authenticate you, manage your account and your organisation membership, and keep your subscription and credit balance accurate.
- Process payments and produce invoices, including reconciling Stripe events.
- Send transactional emails (account verification, password reset, receipts, team invitations, security alerts, terms-update notices, and similar service messages).
- Send product and feature updates if you have opted in to marketing — you can opt out at any time.
- Respond to your support requests, investigate issues, and resolve disputes.
- Monitor and protect the Services against fraud, abuse, security incidents, and policy violations.
- Comply with our legal and regulatory obligations and respond to lawful requests from competent authorities.
- Generate aggregated, anonymised statistics to understand usage patterns and improve performance.
6. AI-Specific Processing
6.1 How Your Inputs Are Processed by Third-Party AI Providers
When you use an AI feature, your User Inputs (prompts, parameters, uploaded files) are transmitted to the relevant Third-Party AI Provider for processing, and the AI Output is returned to you through the Services. The full list of providers we currently rely on is set out in Section 7.2.
Each Third-Party AI Provider processes your inputs in accordance with its own privacy policy and acceptable-use rules. Where the provider offers data-handling controls, we select the settings most protective of your data, including those that restrict the use of your inputs for the provider's own purposes.
6.2 Aggregated and Anonymised Signals
We may use aggregated and anonymised signals — such as how often a feature is used, average response times, failure rates, and credit consumption patterns — to operate, debug, and improve the Services. Aggregated data does not identify you and is not considered personal data once it has been anonymised.
6.3 Confidentiality and Sensitive Data
You should not submit confidential, sensitive (within the meaning of GDPR Articles 9 and 10), or unlicensed third-party material as User Inputs unless you are legally entitled to do so. AI Outputs may incorporate or be influenced by your inputs, and any sensitive data you submit may be transmitted to Third-Party AI Providers as described above.
7. Sharing and Sub-Processors
We do not sell your personal data. We share it only with the categories of recipients described below, and only to the extent necessary for the stated purpose. All sub-processors are bound by written data-processing agreements that limit how they may use your data.
7.1 Infrastructure Sub-Processors
- Amazon Web Services (AWS)
- Supabase
7.2 Third-Party AI Providers
When you use AI features, your User Inputs are transmitted to one or more of the following providers depending on the model you select:
- Anthropic
- OpenAI
- Stability AI
- ElevenLabs
- xAI
7.3 Payments
Stripe Payments Europe Ltd. processes all payments. We share your billing identifier and limited transaction metadata with Stripe; Stripe handles the card data directly and we never receive it in full. Stripe is also responsible for storing invoice records for as long as required by applicable accounting and tax law.
7.4 Email
Resend acts as our email delivery service. We share your email address and the content of transactional emails (and any marketing emails you have opted into) with Resend solely for the purpose of delivering those messages.
7.5 Authentication
If you choose to sign in with Google, Google receives information necessary to complete the authentication request. Google is used only for authentication and does not receive any of your User Inputs or AI Outputs.
7.6 Internal Observability
We operate internal observability tooling (structured logging, distributed tracing, error reporting) to monitor the health of the Services. Logs are automatically scrubbed of authentication headers and credentials, and personal data is reduced to the minimum needed for diagnostics.
7.7 Legal Authorities
We may disclose personal data to competent authorities when required by law, court order, or other valid legal process, or where disclosure is necessary to protect our rights, your safety, or the safety of others. We push back on requests that we believe to be overbroad or unlawful.
7.8 Business Transfers
If PixenLabs is involved in a merger, acquisition, financing, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you in advance and require the recipient to honour the commitments made in this Policy.
8. International Data Transfers
Our primary infrastructure (AWS, Supabase) is configured to host EU customer data within the European Economic Area (EEA). Some of our Third-Party AI Providers, observability tools, or email delivery services may process limited data outside the EEA — for example, in the United States.
Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V of the GDPR, including adequacy decisions issued by the European Commission and Standard Contractual Clauses (SCCs) as updated in 2021. You may request a copy of the safeguards in place by emailing info@pixenlabs.io.
9. Data Retention
9.1 While Your Account Is Active
We retain your personal data for as long as your account is active or as needed to provide the Services.
9.2 When You Delete Your Account
When you delete your account from your account settings, we initiate an immediate hard purge of your personal data across all of our systems. The purge includes your profile, AI history, chats, workflows and their executions, brand-identity data, library assets (including the underlying files in object storage), notifications, organisation memberships, and your credit ledger. Active sessions and refresh tokens are also revoked.
9.3 Billing Records
Invoices, payment records, and related accounting information are retained by us and by Stripe for the period required by Spanish tax and accounting law (typically up to six (6) years). This retention takes precedence over deletion requests where it is necessary to comply with our legal obligations.
9.4 Aggregated Analytics
Aggregated and anonymised statistics that do not identify you may be retained indefinitely for product-improvement and reporting purposes.
9.5 Legal Holds
We may retain specific records for longer where required to comply with a legal obligation, resolve a dispute, enforce our agreements, or defend a legal claim.
10. Your Rights
Under the GDPR and applicable Spanish law, you have the following rights in relation to your personal data:
- Right of access (Art. 15): obtain confirmation of whether we process your personal data and a copy of that data.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17): request deletion of your personal data where one of the legal grounds applies.
- Right to restriction (Art. 18): require us to limit processing in specific circumstances.
- Right to data portability (Art. 20): receive a structured, commonly used, machine-readable copy of the personal data you provided to us.
- Right to object (Art. 21): object to processing carried out on the basis of legitimate interests, including direct marketing.
- Right to withdraw consent (Art. 7): where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making producing legal or similarly significant effects (Art. 22) — see Section 16.
11. How to Exercise Your Rights
You can exercise most of your rights directly from the Services:
- Access and update most of your account data from your account settings.
- Download a portable export of your personal data.
- Delete your account permanently using the "Delete account" action in your account settings; this initiates the immediate hard purge described in Section 9.2.
- Manage your cookie preferences from the /cookies page or the on-site cookie banner.
For any other request — including access, rectification, restriction, objection, or any question about how we process your data — write to info@pixenlabs.io. We will respond within one (1) month, extendable by two further months for complex requests as permitted by Article 12(3) GDPR. We may need to verify your identity before processing the request.
12. Data Security
We implement technical and organisational measures appropriate to the risk to protect your personal data, including:
- TLS encryption (HTTPS) for all data in transit.
- Encryption at rest for our cloud databases and object storage.
- Industry-standard token-based authentication with short-lived sessions and renewal tokens that rotate periodically.
- Per-user rate limiting and abuse detection to mitigate brute-force and denial-of-service attempts.
- Automatic redaction of authentication headers and credentials from application logs.
- Principle of least privilege for internal access to production systems, with regular reviews.
- Routine security reviews of dependencies and third-party integrations.
No system can be made entirely secure. If a security incident affects your personal data we will follow the breach-notification procedure in Section 13.
13. Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (the Spanish Data Protection Agency, AEPD) without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 GDPR.
14. Cookies and Similar Technologies
The Services use cookies and similar technologies (such as localStorage and sessionStorage) for essential functionality, to remember your preferences, and — with your consent — for non-essential purposes. Our Cookie Policy describes each category, its legal basis, and how you can change your preferences at any time.
15. Children's Privacy
The Services are intended for users aged eighteen (18) years and over. We do not knowingly collect personal data from anyone under 18. If we learn that we have inadvertently collected such data, we will delete it without undue delay. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@pixenlabs.io.
16. Automated Decision-Making and Profiling
We do not make decisions producing legal or similarly significant effects on you that are based solely on automated processing within the meaning of Article 22 GDPR. Automated systems are used to monitor for abuse, fraud, and policy violations, but any consequential action (such as suspending or terminating an account) involves human review where reasonably practicable.
17. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, the Services, applicable law, or industry standards. We will indicate the date of the most recent revision at the top of this page. For material changes we will provide at least fourteen (14) days' advance notice by email and/or through a prominent in-product notice, and we may require you to re-acknowledge the updated Policy before continuing to use the Services. Non-material changes (typo fixes, clarifications) take effect immediately.
18. Right to Lodge a Complaint
We urge you to contact us first so that we can try to resolve any concern you may have. In addition to the rights outlined above, if you are not satisfied with our response to a request you make, or with how we process your personal information, you can lodge a complaint with the data protection regulator in your habitual place of residence.
C/ Jorge Juan, 6 — 28001 Madrid, Spain
Website: www.aepd.es