Privacy Policy

Last updated: November 19, 2025

This Privacy Policy explains how Luxo (“we”, “us”, “our”) collects and uses personal data when you use our website and image generation app (the “Service”).

We designed Luxo to be privacy-friendly. We only collect the data we need to run the Service, we don’t sell your data, and we don’t use third-party tracking or advertising cookies.

If you have any questions, you can reach us via email.

1. DATA WE COLLECT

We collect the following categories of data when you use Luxo:

1.1 Account information

When you sign up, we collect:
- First name
- Last name
- Email address
- Encrypted password or auth identifier (via our auth provider)

We use this to create and secure your account, provide access to the Service, and communicate with you about your usage (for example, onboarding, product updates, or important changes).

1.2 Generated images, prompts, and settings

To give you access to your history and help you iterate on your work, we store:
- Generated images associated with your account
- The text prompts you used
- The settings you applied (such as style, model, or other parameters)

You can delete individual generations from your account; once deleted, they are removed from our storage and from backups/logs after a reasonable period.

1.3 Payment information (via Polar.sh)

We do not store your full payment details ourselves.
When you purchase a plan or credits, payments are processed by Polar.sh and their payment partners. We receive limited information such as:

- Transaction identifiers
- Basic billing details (for example, country, last 4 digits of card, subscription status)
- Plan, price, and time of purchase

We use this to provide access to paid features, handle billing questions, and comply with accounting and tax obligations.

1.4 Infrastructure and storage (Supabase)

We use Supabase for our databases and storage. Your account details, prompts, generation settings, and generated images are stored there as part of running the Service.

Supabase may process technical data such as IP address and basic request logs as part of providing secure hosting.

1.5 Emails (Resend)

We use Resend to send transactional emails such as sign-in emails, receipts, and important account notices. Resend processes your email address and the content of messages we send.

1.6 Technical logs

When you use the Service, our systems may log:
- IP address
- Browser or device type
- Date and time of requests
- Basic error and performance information

We use this to keep the Service secure, debug issues, and prevent abuse. We do not run third-party analytics or tracking scripts for profiling or advertising.

1.7 No permanent storage of uploaded images

If you upload an image to generate a new result (image-to-image), we send that image to our model provider (OpenAI) to perform the generation. We do not keep a persistent copy of the uploaded image in our own storage beyond what is technically necessary to carry out the request.

2. HOW WE USE YOUR DATA (AND LEGAL BASES)

We process your data for the following purposes:

2.1 To provide the Service

Creating and managing your account, generating and storing images, showing your history, and delivering support.

Legal basis: performance of a contract.

2.2 To process payments

Managing subscriptions, credits, invoices, and preventing payment fraud. Legal basis: performance of a contract; legal obligation.

2.3 To improve and protect the Service

Debugging issues, monitoring stability, and preventing misuse or abuse. Legal basis: legitimate interests.

2.4 To communicate with you

Sending onboarding info, important service updates, security notices, or changes to this policy or our Terms. Legal basis: performance of a contract; legal obligation.

We do not use your prompts or generated images to train our own models.

3. USE OF OPENAI’S API

We use OpenAI’s API Platform to generate and transform images. When you submit a prompt (and optionally an upload), this content is sent to OpenAI so the model can create the output.

According to OpenAI’s current documentation, API inputs and outputs are not used to train OpenAI’s models by default. OpenAI may retain API inputs and outputs for a limited period to provide the service and monitor for abuse.

You can learn more about OpenAI’s data practices in their published privacy and enterprise documentation.

We do not control OpenAI’s systems. By using Luxo, you understand that your prompts and images are processed by OpenAI under their own terms and policies.

4. SHARING OF DATA

We share your personal data only with service providers who help us run the Service:

- Supabase (databases and storage)
- Polar.sh (billing and payments)
- Resend (email delivery)
- OpenAI (image generation)

These providers are contractually required to handle your data securely and only for the purposes we specify. We do not sell your personal data to third parties and we do not share data for advertising purposes.

We may also share data when required to:
- Comply with applicable law or legal requests
- Protect the safety, rights, or property of our users, the public, or us
- Enforce our Terms of Use

5. INTERNATIONAL TRANSFERS

Our service providers may process your data in countries outside your own, including outside the European Economic Area (EEA). When this happens, we rely on appropriate safeguards such as Standard Contractual Clauses and equivalent measures, where required by law.

6. DATA RETENTION

We keep your data only as long as necessary:
- Account information: kept while your account is active. If you delete your account, we remove or anonymize your data within a reasonable period, except where we must keep certain information for legal or accounting reasons.
- Generated images, prompts, and settings: kept until you delete them or delete your account.
- Payment records: retained as required by tax and accounting laws.
- Logs: retained for a limited period for security and debugging, then deleted or anonymized.

7. YOUR RIGHTS

Depending on where you live, you may have rights to:

- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data (“right to be forgotten”)
- Restrict or object to certain types of processing
- Receive a copy of your data in a portable format
- Withdraw consent where processing is based on consent

You can exercise most of these rights from your account settings (where available) or by contacting us at [CONTACT EMAIL]. We may need to verify your identity before fulfilling a request.

You also have the right to lodge a complaint with your local data protection authority if you believe we have processed your data unlawfully.

8. CHILDREN

Luxo is not intended for children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

9. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the app, email, or our website. Your continued use of the Service after changes become effective means you accept the updated Policy.
