Charmly

Privacy Policy

Charmly ("we", "the Service") respects your privacy. This Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it.

1. Data We Collect

  • From Google Sign-In: your name, email address, profile image.
  • Photos you voluntarily upload (selfies used as input for image generation).
  • Payment data via Stripe (we do not store card numbers ourselves).
  • Access logs (IP address, browser/user-agent, timestamps).
  • Cookies for session management and language preference (charmly_locale).

2. Why We Use It

  • Authenticate you and manage your account.
  • Provide the AI image generation feature you requested.
  • Process credit purchases.
  • Operate, secure, and improve the Service.
  • Detect abuse, fraud, and policy violations.

3. Special Care for Face Photos

Selfie photos can identify you and are treated with elevated care:

  • Encrypted at rest and in transit.
  • Source photos used in a generation are retained for up to 90 days for history display, then auto-deleted.
  • Generated images are also retained for up to 90 days, then auto-deleted.
  • All your data is deleted immediately when you close your account.
  • We do not use your photos to train AI models. Per OpenAI's API policy, content sent via the API is not used for training.

4. Service Providers

To operate the Service, we share specific data with the following providers:

  • OpenAI — receives selfie photos and prompts for image generation.
  • Google — handles sign-in authentication.
  • Stripe — processes payments and webhooks.
  • Cloudflare — provides image storage, CDN, and DDoS protection.
  • Vultr — hosts the application server.

Each provider handles data only to the extent necessary to provide their service and operates under its own published privacy practices.

5. Cookies

  • Session cookies for authentication.
  • charmly_locale cookie for language preference.
  • We do not use third-party advertising or tracking cookies.

6. Your Rights

You may request to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data — close your account from My Page to delete everything immediately, or contact us for a manual erasure request.
  • Receive your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw any consent you have given.

To exercise these rights, email [email protected].

7. Security

  • All traffic uses TLS 1.2 or higher.
  • API keys and secrets are stored with restrictive file permissions.
  • Server access is restricted to SSH key authentication only.
  • The database is backed up daily, and backups are retained for 30 days.

8. Data Retention

  • Account data: until account deletion.
  • Source photos and generated images: up to 90 days.
  • Temporary upload files: 24 hours.
  • Access logs: up to 30 days.

9. Children

The Service is not directed to children under 13. If we learn we have collected data from a child under 13, we will delete it.

10. Changes to This Policy

We may update this Policy as the Service evolves. Material changes will be posted on this page.

11. Contact

Email: [email protected]

Last updated: April 28, 2026