Privacy Policy

1. Information We Collect

1.1 Information You Provide

1.2 Automatically Collected Information

1.3 Information We Do Not Collect

We do not collect or permanently store: (i) precise geolocation data; (ii) biometric data or biometric identifiers; (iii) health information; (iv) cross-site tracking data; or (v) data from third-party advertising networks.

2. How We Use Your Information

2.1 Service Delivery

To provide, maintain, and improve the Service, including: (i) authentication and account management; (ii) processing requests through AI models; (iii) storing and retrieving your content; (iv) managing credits and subscriptions; and (v) sending transactional communications.

2.2 Personalization

To personalize your experience through: (i) applying custom AI traits and user context; (ii) displaying favorites and pinned content; (iii) remembering preset preferences; and (iv) providing suggested prompts.

2.3 Security and Fraud Prevention

To protect the Service and users through: (i) detecting and preventing fraud, abuse, and unauthorized access; (ii) monitoring for Terms violations; (iii) implementing security measures; and (iv) verifying identities.

2.4 Service Improvement

To analyze and improve the Service using aggregated, anonymized, or de-identified data for: (i) feature development and product research; (ii) performance optimization and infrastructure planning; (iii) bug identification and resolution; (iv) usage analytics and trend analysis; (v) AI model selection, evaluation, and benchmarking; (vi) business intelligence, reporting, and strategic planning; and (vii) developing new products, services, or features. Anonymized and de-identified data derived from your usage may be used indefinitely and without restriction.

2.5 Legal Compliance

To comply with legal obligations, including: (i) tax reporting and financial record-keeping; (ii) responding to law enforcement requests; (iii) enforcing our Terms; (iv) protecting our rights and property; and (v) defending against legal claims.

3. How We Share Your Information

3.1 Service Providers

We share information with third-party service providers that perform services on our behalf, including: (i) AI providers that process your prompts and images to deliver core functionality; (ii) payment processors and merchant-of-record services; (iii) hosting, CDN, and infrastructure providers; (iv) customer support and communication tools; (v) analytics and monitoring services; (vi) security and fraud prevention services; and (vii) professional advisors (legal, accounting, auditing). We may also share information with our affiliates, subsidiaries, and strategic partners as necessary for business operations. Service providers are bound by contractual obligations regarding data handling, though specific protections may vary by provider.

3.2 Legal Disclosures

We may disclose information when we believe in good faith that disclosure is necessary to: (i) comply with applicable law, regulation, legal process, or governmental request; (ii) enforce our Terms of Service or other agreements; (iii) detect, prevent, or address fraud, security, or technical issues; (iv) prevent harm to users, the public, or our business; (v) protect our rights, property, safety, or legitimate business interests; or (vi) respond to an emergency involving danger of death or serious physical injury. We may, but are not obligated to, notify you of legal requests unless prohibited by law or where we determine that notification would jeopardize an investigation or our interests.

3.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, or sale of all or substantially all assets, your information may be transferred to a successor entity as part of such transaction. We will make reasonable efforts to provide notice via email and/or prominent Service notice where practicable. Any successor entity may use your information in accordance with this Privacy Policy or its own privacy policy, which may differ from ours.

4. Data Security

4.1 Security Measures

We implement industry-standard security practices including: (i) HTTPS/TLS encryption for data in transit; (ii) encryption at rest for stored data; (iii) secure cryptographic hashing for passwords (never stored in plaintext); (iv) webhook signature verification; (v) role-based access controls; (vi) multi-factor authentication for internal systems; and (vii) regular security audits.

4.2 Security Limitations

No security system is impenetrable. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and using strong, unique passwords.

4.3 Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users without undue delay as required by applicable data breach notification laws. Notification will include a general description of the breach and recommended mitigation steps. The timing, method, and scope of notification shall be determined by us in compliance with applicable law and in consultation with law enforcement where appropriate.

5. Your Privacy Rights

5.1 Access and Portability

Subject to applicable law, you may: (i) request access to personal information we hold about you; and (ii) request an export of certain data through your account settings. We reserve the right to limit the scope, format, and frequency of data access requests and to charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.

5.2 Correction

You have the right to update or correct inaccurate personal information through your account settings or by contacting us at [email protected].

5.3 Deletion

You may delete: (i) individual content items; or (ii) your entire account through account settings. Deletion requests are processed in accordance with our standard procedures and may take up to thirty (30) days to complete. Certain data may be retained after deletion as required by law, for legitimate business purposes (including fraud prevention and dispute resolution), in anonymized or aggregated form, or in backup systems for a reasonable period.

5.4 Objection and Restriction

You have the right to: (i) unsubscribe from marketing emails; (ii) opt out of optional analytics; and (iii) object to certain processing activities where applicable.

5.5 Exercising Your Rights

To exercise any of the above rights, contact us at [email protected] or use your account settings. We will require identity verification before processing any request. We will respond within the timeframes required by applicable law, or within forty-five (45) days where no specific timeframe is mandated. Complex requests may require an extension of up to an additional forty-five (45) days with notice to you. We reserve the right to deny requests that are manifestly unfounded, excessive, or that would adversely affect the rights of others.

6. International Data Transfers

6.1 Data Location

Our primary servers are located in the United States. Data may be transferred to and processed in the United States, European Union, or other jurisdictions.

6.2 Transfer Safeguards

For transfers from the European Economic Area or United Kingdom to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission or other appropriate safeguards to ensure GDPR compliance.

7. Cookies and Tracking Technologies

7.1 Essential Cookies

We use session cookies necessary for Service operation, including: (i) authentication and session management; and (ii) CSRF protection. These cookies cannot be disabled without impairing Service functionality.

7.2 Analytics

We use analytics tools to understand service usage and improve functionality. These tools may track activity on a per-account basis for service delivery purposes.

7.3 Third-Party Cookies

We do not use third-party advertising cookies. Our service providers, including support and infrastructure partners, may use cookies to deliver their services.

8. Children's Privacy

8.1 Age Restrictions

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

8.2 Parental Consent

Users between 13 and 18 years of age should obtain parental or guardian consent before using the Service.

8.3 Deletion of Children's Data

If we discover we have collected information from a child under 13, we will delete such information immediately and terminate the account.

8.4 Parental Rights

Parents or guardians may contact us at [email protected] to: (i) request access to their child's information; (ii) request deletion of their child's account; or (iii) exercise other parental rights.

9. California Privacy Disclosures

9.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information: (i) identifiers (email, account information); (ii) commercial information (subscription tier, transaction history); (iii) internet activity (aggregated usage metrics); (iv) visual information (user-generated images); and (v) inferences (AI traits, preferences).

9.2 Sensitive Personal Information

We collect account credentials for authentication purposes only. We do not collect Social Security numbers, precise geolocation, racial or ethnic origin, health information, or other categories of sensitive personal information as defined by the CCPA.

9.3 Sale and Sharing

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

10. Data Retention

11. GDPR Compliance (European Users)

11.1 Controller

Gestalt Labs LLC is the data controller for purposes of the General Data Protection Regulation (GDPR).

11.2 Legal Bases for Processing

11.3 Supervisory Authority

You have the right to lodge a complaint with your data protection authority. For EU/EEA residents, contact information is available at: https://edpb.europa.eu/about-edpb/board/members_en. For UK residents: https://ico.org.uk/make-a-complaint/

12. Changes to This Privacy Policy

12.1 Updates

We reserve the right to modify this Privacy Policy at any time at our sole discretion. We will make reasonable efforts to communicate material changes via email, in-app notification, or by posting the updated policy on the Service at least seven (7) days prior to the effective date. Non-material changes may be made at any time without notice.

12.2 Acceptance

Your continued use of the Service after the effective date of changes constitutes irrevocable acceptance of the modified Privacy Policy. If you do not agree to any modification, your sole remedy is to discontinue use of the Service and delete your account before the effective date.

13. Contact Information