Privacy Policy

Last updated: April 21, 2026

Data Controller

Yosuble AI LLC, operating under the brand “Opiniac”, is the data controller for personal data processed through opiniac.app.
1209 Mountain Road Pl NE, Ste R, Albuquerque, NM 87110, United States
support@opiniac.app · +33 6 51 90 89 25

This policy explains what we collect, why, and the rights you have under the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable US state privacy laws. As a US-based controller, we are committed to providing equivalent protection to users located in the EU, UK and other jurisdictions with consumer-privacy frameworks.

01 — Data we collect

Account data: email address, authentication identifiers, name (optional), and plan tier.
Creative data: photos you upload, prompts you write, and generated outputs.
Billing metadata: country, last four card digits, and invoice history, received from Polar. We never store full card numbers.
Product telemetry: basic usage events, error logs, and referral attribution.

02 — Purposes & legal bases

We process your data to (i) deliver the service (performance of contract, GDPR Art. 6(1)(b)), (ii) bill you and prevent fraud (legal obligation and legitimate interest, Art. 6(1)(c) and (f)), (iii) improve our product and models (legitimate interest, Art. 6(1)(f)), and (iv) send service emails. Marketing emails are sent only with your explicit consent (Art. 6(1)(a)), which can be withdrawn at any time.

03 — Retention

Uploaded photos and generated outputs on Starter plans are retained for up to 10 creations (older ones are auto-deleted). On Creator plans, we retain the last 50 creations. On Pro plans, creations are kept until you delete them or close your account. Account and billing records are kept as long as required by US tax and accounting rules (typically 7 years).

Abuse, safety and legal-hold logs. To comply with our obligations under the EU Digital Services Act, the French LCEN (Loi n° 2004-575, decree 2011-219), the UK Online Safety Act, and applicable US law, we retain a limited set of technical logs for 12 months after the event, or longer where we are subject to a preservation request from law enforcement or a pending civil claim. These logs cover:

  • IP address and timestamp of account creation, login, upload, and generation;
  • User account identifier associated with each action;
  • A cryptographic hash (not the pixels) of each uploaded image and generated output;
  • The textual prompt that produced each output;
  • Automated moderation signals (block, flag, allow) and the reason code;
  • Abuse reports received and the decision taken in response.

These logs are access-restricted, used only to investigate violations of the Acceptable Use Policy, answer lawful requests from authorities, and defend legal claims. They are not used for advertising, profiling, or model training.

04 — International transfers

Yosuble AI LLC is based in the United States and our sub-processors may also process data in the US. For transfers from the European Economic Area, the UK, or Switzerland, we rely on the Standard Contractual Clauses issued by the European Commission (2021) and, where available, additional safeguards such as the EU-U.S. Data Privacy Framework.

05 — Sub-processors

We rely on the following sub-processors to run Opiniac. Each operates under a data-processing agreement consistent with GDPR Article 28 and, where relevant, appropriate safeguards for international transfers (see §04):

  • Vercel Inc. (United States) — application hosting, CDN, and request logs for opiniac.app.
  • Supabase Inc. (United States, primary region: EU/Frankfurt) — authentication, PostgreSQL database, and object storage for uploaded photos and generated outputs.
  • Google LLC (United States) — generative image processing via the Gemini API, under Google’s paid-API terms which prohibit training on customer data.
  • Mistral AI SAS (France, European Union) — text-only prompt rewriting for the “Improve prompt” feature and automatic retry. Only the textual prompt is sent — never your photos, account data, or generated outputs.
  • Polar / Polar Software Inc. (United States) — Merchant of Record: payment processing, subscription billing, global tax calculation and remittance.

The list above is complete at the “last updated” date shown on this page. We will update this page before engaging any new sub-processor that processes your personal data.

06 — Your rights

Under GDPR Articles 15 to 22 and equivalent frameworks, you have the right to access, rectify, erase, restrict, or port your data, and to object to processing. EU and UK residents may also lodge a complaint with their local data-protection authority (for France, the CNIL — cnil.fr; for the UK, the ICO — ico.org.uk). California residents have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale/sharing. To exercise any right, email support@opiniac.app. We respond within 30 days.

06.1 — Photos containing faces (biometric data)

Opiniac allows you to upload photos that may depict human faces. We do not run facial recognition, identity matching, or biometric template extraction, and we do not build profiles of identifiable individuals from uploaded faces. Facial images are processed transiently to generate the requested output and are retained only according to the plan tier described in section 03.

Because facial images can, in some pipelines, fall within the “special category” of data defined by Article 9(1) of the EU/UK GDPR, we rely on your explicit consent under Article 9(2)(a) GDPR as the legal basis for processing them. This consent is collected at the moment you upload a photo and can be withdrawn at any time by deleting the upload or your account — without affecting processing already completed. Our Acceptable Use Policy additionally requires documented consent from every identifiable person whose face you upload, and we may ask you to prove it.

06.2 — No AI training on your data

We do not use your uploads, prompts, or generated outputs to train, fine-tune, or evaluate any machine-learning model — ours or a third party’s. Content sent to our AI sub-processor (Google LLC, Gemini API) is processed under the provider’s no-training API terms for paid workloads.

06.3 — Children

Opiniac is not directed to, and must not be used by, anyone under the age of 18. We do not knowingly collect personal data from children, and we comply with the US Children’s Online Privacy Protection Act (COPPA) and equivalent EU/UK child-protection rules. If you believe a minor has created an account or uploaded data, contact support@opiniac.app and we will terminate the account and delete the data without delay.

07 — Cookies

We use strictly necessary cookies for authentication and security, plus minimal analytics cookies set only with your consent. You can adjust preferences through the cookie banner at any time.

07.1 — Automated decision-making

Opiniac does not make decisions producing legal or similarly significant effects solely on the basis of automated processing within the meaning of Article 22 GDPR. AI image generation is a creative tool you direct; we do not automate access, pricing, or account-level decisions about you without human oversight.

08 — EU representative (GDPR Art. 27)

Yosuble AI LLC is established outside the European Union and the United Kingdom. Pursuant to Article 27 GDPR / UK GDPR, we have appointed an EU representative to act as our contact point for data subjects and supervisory authorities on matters related to the processing of personal data of EU/EEA residents.

EU representative: contact us at eu-rep@opiniac.app for the current representative’s details. You may also reach us directly at privacy@opiniac.app.

09 — Complaints & supervisory authority

You have the right to lodge a complaint with the supervisory authority of your EU/EEA member state or the UK Information Commissioner’s Office. A list of EU authorities is available at edpb.europa.eu. We’d appreciate the chance to resolve any concern first — email privacy@opiniac.app and we will respond within 30 days.

10 — Data breach notification

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and within the timelines required by Articles 33 and 34 GDPR (72 hours to the competent supervisory authority, and to affected users when the risk is high).

11 — Contact

For any privacy question, email support@opiniac.app or call +33 6 51 90 89 25. By mail: Yosuble AI LLC, 1209 Mountain Road Pl NE, Ste R, Albuquerque, NM 87110, USA.