Privacy Policy

This Privacy Policy explains how Prisfol ("Prisfol", "we", "us") collects, uses, shares and protects information when you use the Prisfol website, platform and APIs (the "Service"). For privacy questions you can reach us at support@prisfol.com.

We collect the following categories of information:

• Account information. When you create an account we collect your email address and authentication identifiers. If you sign in with a third-party provider, we receive a basic profile (name, email, avatar URL).
• Content you submit. Prompts, uploaded images, brand assets, workflows, node configurations and any other content you create or store in the Service.
• Generated outputs. Images and other assets produced by the AI providers we orchestrate on your behalf, together with metadata about the generation (model used, parameters, timestamps, credits consumed).
• Billing information. When you subscribe or buy credits, our Merchant of Record Paddle collects your payment-method details and billing address directly. We receive a customer ID, plan, billing status and the last four digits / brand of your card — we do not store full card numbers on our servers. Paddle is responsible for sales tax / VAT collection and the issuing of invoices.
• Usage and device data. IP address, user agent, pages viewed, performance metrics and high-level interaction events, collected to operate, secure and improve the Service.
• Communications. If you email us, we keep the contents of those messages.

• Provide, operate and maintain the Service, including running your workflows and storing your assets.
• Process payments, manage subscriptions and apply credit balances.
• Send transactional messages (account, billing, security and material product changes).
• Monitor and improve performance, debug issues, and prevent abuse, fraud and security incidents.
• Comply with legal obligations and enforce our Terms of Service.

We do not use your prompts, uploaded assets or generated outputs to train foundation AI models. We do not sell your personal information.

If you are in the EEA or UK, we rely on the following bases under the GDPR / UK GDPR:

• Contract. To create your account, deliver the Service and process payments.
• Legitimate interests. To secure the Service, prevent abuse and improve our product.
• Consent. For non-essential cookies and analytics where required, and for optional marketing communications.
• Legal obligation. To meet tax, accounting and other regulatory requirements.

We share information with the following processors strictly to operate the Service. Each provider is bound by confidentiality and data-processing obligations.

• Supabase — managed Postgres, authentication and file storage that hosts your account, content and generated assets.
• Vercel — application hosting, edge runtime, performance metrics and product analytics.
• Paddle — Merchant of Record for all purchases. Handles checkout, subscription management, invoice issuing, and global sales tax / VAT collection and remittance. Paddle's privacy policy applies to the data it collects directly from you at checkout.
• Replicate — runs the AI models used to generate and process images, including via webhook callbacks.
• Google (Gemini API) — large-language-model and image-model inference for orchestration and generation.
• Hugging Face Spaces — hosts our background-removal microservice that may receive image data for processing.

When you submit a prompt or asset to a workflow, the relevant inputs are transmitted to the AI provider that powers that step. Each provider operates under its own privacy and data-handling terms; please review them if you need detail on a specific model.

We may also disclose information when required by law, to enforce our Terms, to protect our rights or those of our users, or in connection with a merger, acquisition or sale of assets (in which case we will notify affected users where practical).

The providers above operate in the United States, the European Union, Israel and other regions. Where personal data is transferred out of the EEA / UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms.

• Account & content. Retained for as long as your account is active.
• After deletion. When you delete your account or specific content, we delete or anonymize it within 30 days, except where we are required to retain records (e.g. invoices for tax purposes — typically up to 7 years).
• Logs & usage data. Operational logs are retained for up to 90 days; aggregated analytics may be kept longer in de-identified form.

Depending on where you live, you may have the right to access, correct, delete, port, restrict or object to processing of your personal information, and to withdraw consent at any time. EEA / UK users have the right to lodge a complaint with their supervisory authority. California (CCPA / CPRA) and other US-state residents have rights to know, delete, correct and opt out of any "sale" or "sharing" — Prisfol does not sell or share personal information for cross-context behavioral advertising.

To exercise any of these rights, email support@prisfol.com from the address on your account. We respond within the timeframes required by applicable law.

We use a small set of cookies and equivalent technologies, grouped as follows:

• Strictly necessary. Authentication session tokens (Supabase), CSRF protection and load-balancing identifiers. The Service cannot function without these and they are exempt from consent requirements.
• Preferences. Local-storage entries that remember your selected theme and UI state.
• Analytics & performance. Vercel Analytics and Vercel Speed Insights collect anonymized usage and performance metrics. In regions where consent is required (EEA, UK, California), these are loaded only after you accept them via our cookie banner.

You can change or withdraw your cookie choices at any time by clearing your browser storage for this site, which will trigger the consent banner again on your next visit.

We use industry-standard safeguards including TLS in transit, encryption at rest on our database provider, role-based access controls and Supabase Row-Level Security to limit access to your data. No method of transmission or storage is 100% secure; if we become aware of a breach affecting your personal information we will notify you and the relevant authorities as required by law.

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.

We may update this Privacy Policy from time to time. If a change is material, we will provide notice (for example by email or in-product banner) before it takes effect. The "Last updated" date above always reflects the current version.

Privacy questions or requests: support@prisfol.com.