Privacy Policy
Last updated: May 24, 2026
We respect your privacy and only collect what we need to run the Service. This policy explains what we collect, why, who else sees it, and what rights you have.
1. What we collect
Account: email address (required), name and profile fields you choose to provide during onboarding. Usage: prompts you submit, generated assets, the API tokens you create, credit transactions. Technical: IP address (for rate limiting), browser user-agent, cookies for session management and locale preference.
2. How we use it
To run the Service: authenticate you, run generations, send credit balances and billing events, deliver notifications you opted into. To improve the Service: aggregate, non-identifying metrics. We do not sell your data. We do not use your prompts or generated images to train AI models.
3. Third parties
We use these processors: OpenAI (image generation, runs your prompts), Cloudflare R2 (asset storage), PostgreSQL on our own infrastructure (account data), ahaSend (transactional email), Google (OAuth sign-in only — only if you choose Google login), and Dodo Payments (payments and subscriptions). Each handles only the data needed for their function. Payment cards: all payments are processed by Dodo Payments as Merchant of Record. Your full card details are entered on Dodo Payments' secure checkout and are never sent to or stored by us — we only receive the billing events needed to grant credits and manage your subscription (plan, amount, status).
4. Cookies
Strictly necessary cookies for session (vxl_session) and locale (vxl_locale). No analytics or advertising cookies. No tracking pixels.
5. Public catalog
Assets you mark public (or which are auto-published on Free tier) are visible to anyone, indexed by search engines, and may be cached by third-party crawlers. The prompt you submitted is shown alongside the asset. Don't put private information in your prompts.
6. Your rights (GDPR / CCPA)
You have the right to access, correct, export, or delete your data. Email [email protected] from your registered address. We respond within 30 days. Deletion is irreversible; catalog-published assets stay under our license (see Terms §4).
7. Data retention
Account data: as long as your account exists, plus 30 days after deletion. Logs: 90 days. Catalog assets: kept indefinitely under the license granted at publication.
8. Security
HTTPS-only. API tokens stored as SHA-256 hashes (we never see the plaintext after creation). Database backups encrypted at rest. Limited access on a need-to-know basis.
9. Children
The Service is not directed at children under 16. If we learn we've collected data from a child under 16, we delete it.
10. Changes
We may update this policy. Material changes notified at least 14 days in advance via email and in-app.
11. Contact
Privacy questions or data requests: [email protected].