Privacy Notice

Privacy Notice (Draft)


Last updated: September 10, 2025

1) Who we are
FantasyAI  ("we", "us", "our") provides AI-generation tools and related services (the "Service"). Contact: [Address]. Email: [support@yourdomain.com]. Data protection contact: [privacy@yourdomain.com].

2) What we collect
We collect information you provide and information generated by your use of the Service:
• Account data: name/username, email, password (hashed), country, plan, billing address, VAT/Tax ID.
• Payment data: handled by our processor (e.g., Stripe). We receive limited metadata (status, last 4, card brand). We do not store full card numbers.
• Content & prompts: text, images, videos, and related metadata you upload; outputs generated by the Service.
• Usage data: device, browser, language, IP address, timestamps, pages viewed, referring/exit pages, feature usage, crash logs.
• Safety & abuse signals: automated flags, rate-limit events, hash matches, moderation labels, and related logs.
• Cookies and similar: session cookies, preferences, analytics. See “Cookies” below.
• Support communications: emails, tickets, bug reports, feedback.
• Optional: marketing preferences, surveys, beta program info.

3) Why we use your data (purposes + legal bases)
We use data to:
• Provide the Service and features you request (contract). 
• Secure, maintain, debug, and improve the Service and models (legitimate interests / consent where required).
• Moderate for safety and legal compliance, including prevention of CSAM and other illegal content (legal obligation / vital interests / legitimate interests).
• Personalize non-sensitive features and recommend content (legitimate interests / consent where required).
• Process payments and manage subscriptions (contract / legal obligation).
• Communicate about changes, security alerts, and support (contract / legitimate interests).
• Comply with law, respond to lawful requests, enforce Terms (legal obligation / legitimate interests).
Where we rely on consent, you can withdraw it at any time.

4) Child safety (zero-tolerance)
We prohibit child sexual exploitation material (CSAM) and sexualization of minors, including AI-generated/fictional depictions. We use automated and manual measures to detect and address suspected CSAM and may preserve and report information to competent authorities and hotlines (e.g., NCMEC) consistent with applicable law. See our Terms and AUP.

5) Model training and product improvement
We may use de-identified or aggregated data (including prompts/outputs and safety signals) to improve safety systems, detection of abuse, and product quality, where allowed by law and our Terms. You can opt-out of such improvement processing by contacting [privacy@yourdomain.com], except where processing is necessary for security, abuse prevention, or to comply with law.

6) Sharing your data
We share data with:
• Service providers / processors: hosting, storage, analytics, email, support, payments, security, AI infrastructure.
• Moderation and safety vendors: abuse detection, hash-matching, incident response.
• Legal and compliance: if required by law, to protect users, investigate abuse, or enforce our Terms.
• Business transfers: in a merger, acquisition, financing, or sale of assets, subject to appropriate safeguards.
We do not sell your personal information. We do not share for cross-context behavioral advertising without your opt-in where required.

7) International transfers
We may process data globally. Where required, we use appropriate safeguards (e.g., SCCs, UK IDTA/Addendum, supplementary measures). Contact us for copies of relevant transfer mechanisms where legally permissible.

8) Retention
We keep data only as long as necessary for the purposes above, including security and legal obligations. Typical examples:
• Account data: life of the account + a short period after closure.
• Billing records: as required by tax/financial laws.
• Safety logs and moderation artifacts: retained for a limited period to prevent evasion and comply with reporting obligations.
• Backups: time-limited and then deleted.

9) Your rights
Depending on your location (e.g., EU/EEA/UK, California, Brazil, Canada), you may have rights to:
• Access, correct, delete, or port your data.
• Object to or restrict certain processing.
• Withdraw consent where processing is based on consent.
• Opt-out of sale or sharing for targeted advertising (if applicable).
• Appeal a denied request (where required).
Submit requests to [privacy@yourdomain.com]. We will verify and respond as required by law. You may also complain to your local data protection authority.

10) Cookies and analytics
We use strictly necessary cookies (login/session, security) and, with consent where required, analytics/performance cookies. You can manage preferences in-app or via your browser. Blocking some cookies may affect functionality.

11) Security
We implement technical and organizational measures: encryption in transit, access controls, logging, least-privilege, periodic reviews. No method is 100% secure; please use strong passwords and enable additional protections where available.

12) Children’s privacy
The Service is not for children under 13, or younger where local law requires a higher age for consent to data processing. Limited features may be available to older minors with verifiable parental consent. We do not knowingly allow sexual content and we maintain a strict CSAM ban.

13) Third-party links and models
Our Service may link to third-party sites and use third-party models/APIs. Their privacy practices are governed by their policies.

14) Automated decision-making
We use automated systems for content generation and safety moderation (e.g., flagging suspicious activity). You can contact us to request human review of decisions that significantly affect you where required by law.

15) How to contact us
• Privacy: privacy@yFantasyVision.AI
• Support: support@FantasyVision.AI
• Abuse/CSAM reports: abuse@FantasyVision.AI
• Security: security@FantasyVision.AI
Mail: FantasyVision.AI, 588 Long Beach Blvd,CA

16) Changes to this notice
We may update this Privacy Notice from time to time. Material changes will be notified in-app or by email when appropriate. Continued use after the effective date indicates acceptance.

California (CPRA) disclosures (if applicable)
• Categories collected: identifiers, commercial information, internet activity, geolocation (coarse), in-app content, inferences (limited), and account profile.
• Sources: you, your devices, service providers.
• Purposes: as described above.
• Sharing: service providers, safety and compliance, as permitted by law.
• Sale/Share: we do not sell personal information; we do not share for cross-context behavioral advertising without your opt-in where required.
• Rights: access, deletion, correction, portability, limit use of sensitive PI, opt-out of sale/share (if applicable), non-discrimination.

EU/UK GDPR disclosures (if applicable)
• Controller: [Your Company Name], [Address].
• Legal bases: contract, legitimate interests, consent, legal obligation, vital interests.
• DPO/Representative (if appointed): [Contact].
• Transfers: safeguarded via SCCs/IDTA and supplementary measures.
• Rights: access, rectification, erasure, restriction, objection, portability, complaint to a supervisory authority.