Privacy Policy
Last updated: April 16, 2026
1. Information We Collect
We collect information you provide directly, information we collect automatically, and information from third-party sources.
1.1 Information You Provide
- Account information: name, email address, password (hashed), and profile picture.
- Billing information: payment method details processed and stored by Stripe (we never store raw card numbers).
- Content you create: prompts, workflow configurations, uploaded images and videos, brand identity data, and AI-generated outputs.
- Communications: messages sent to our support team or via contact forms.
- Organization data: company name, team member invitations, and role assignments.
1.2 Information Collected Automatically
- Log data: IP address, browser type, operating system, referring URLs, pages visited, and timestamps.
- Device data: device identifiers, screen resolution, and language settings.
- Usage data: feature interactions, workflow executions, API call metadata, and error events.
- Cookies and tracking technologies (see our Cookie Policy for details).
1.3 Third-Party Sources
- Authentication providers: if you sign in with Google OAuth, we receive your name and email.
- Stripe: payment status and subscription information.
- AI providers (Anthropic, OpenAI, Google, fal.ai, ElevenLabs): we send prompts and receive generated outputs on your behalf — we do not share your personal data with them beyond what is necessary to process a request.
2. How We Use Your Information
- Provide, operate, and improve the Service.
- Process transactions and manage your subscription.
- Authenticate your identity and protect account security.
- Send transactional emails (receipts, password resets, team invitations).
- Send product and feature updates — you may opt out at any time.
- Respond to support requests and investigate issues.
- Detect, prevent, and address fraud or abuse.
- Comply with legal obligations.
- Conduct analytics to understand usage patterns and improve performance.
We rely on the following legal bases under the GDPR: contract performance (operating your account), legitimate interests (security and analytics), legal obligation (compliance), and — where applicable — your consent (marketing emails, non-essential cookies).
3. Sharing Your Information
We do not sell your personal data. We may share information with:
- Service providers: Stripe (payments), Supabase (authentication and database infrastructure), AWS (storage and compute), Redis Labs (caching), fal.ai and other AI providers (model inference).
- Analytics tools: aggregated, anonymised usage data for product analytics.
- Legal authorities: when required by applicable law, court order, or to protect our rights.
- Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred — we will notify you before this occurs.
All service providers are bound by data processing agreements that restrict how they may use your information.
4. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Upon account deletion:
- Your profile and content are deleted within 30 days.
- AI generation history is deleted within 30 days.
- Billing records are retained for 7 years as required by tax law.
- Anonymised, aggregated analytics data may be retained indefinitely.
5. Your Rights (GDPR / EEA Users)
If you are located in the European Economic Area, you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Restriction: request that we limit processing of your data.
- Portability: receive your data in a machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email us at privacy@pixenlabs.com. We will respond within 30 days.
6. Data Security
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit.
- AES-256 encryption for data at rest in S3 and DynamoDB.
- RS256/ES256 JWT authentication via Supabase JWKS.
- Rate limiting (120 requests/minute per user).
- Automatic redaction of auth headers and passwords from logs.
- Regular security reviews and vulnerability assessments.
No method of transmission over the internet is 100% secure. If we become aware of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by the GDPR.
7. International Transfers
PixenLabs is based in the European Union. If you access the Service from outside the EU, your data may be transferred to and processed in countries with different data protection laws. Where such transfers occur, we use standard contractual clauses (SCCs) approved by the European Commission or other appropriate safeguards.
8. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.
9. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email or by posting a prominent notice on the Service at least 14 days before changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact Us
For questions, concerns, or to exercise your rights: