Privacy Policy

Effective Date: 23 April 2025

This Privacy Policy ("Policy") explains how GenFLOW ("GenFLOW", "Company", "we", "us", or "our") - collects, uses, discloses, and safeguards your information when you access or use the GenFLOW website, application, and related services (collectively, the "Service"). This Policy applies to all personal data processed in connection with the Service and forms an integral part of our Terms of Service.

Please read this Policy carefully. By accessing or using the Service, you acknowledge that you have read and understood this Policy and that we will process your information as described herein. If you do not agree with any part of this Policy, you must refrain from using the Service.

1. Information We Collect

We collect and process the following categories of information in order to operate the Service, perform our contractual obligations, and otherwise pursue our legitimate interests or comply with legal obligations:

• Personal Data you provide to us. When you create an account, purchase credits, contact support, or otherwise interact with the Service, you may provide us with personal data such as:
  • Email address;
  • Authentication data from single-sign-on providers (e.g., Google Sign-In);
  • Payment-related details handled by our payment processor (e.g., Stripe) – we only receive limited transaction metadata and never store full card numbers.
• Input Content. Images or text prompts that you upload or submit to the Service ("Input Content").
• Generated Images. Images produced by our AI systems based on your Input Content ("Generated Images").
• Usage Data. Technical data automatically collected when you interact with the Service, including IP address, browser type and version, device identifiers, pages visited, date/time stamps, and other diagnostic information.
• Cookies and Similar Technologies. We use essential cookies for core functionality (e.g., authentication) and, with your consent, non-essential cookies and similar technologies (like the Meta Pixel) for analytics and marketing purposes. You may adjust your preferences via the cookie banner or your browser settings.

2. Legal Bases for Processing (GDPR)

Where the EU General Data Protection Regulation ("GDPR") applies, we rely on the following legal bases:

• Contractual Necessity (Art. 6 [1][b] GDPR). Processing necessary to provide the Service, manage your account, and process transactions.
• Legitimate Interests (Art. 6 [1][f] GDPR). Processing Usage Data to maintain and improve the Service, ensure security, and enforce our Terms, provided such interests are not overridden by your fundamental rights and freedoms.
• Consent (Art. 6 [1][a] GDPR). Processing for marketing communications and the use of non-essential cookies. You may withdraw consent at any time with future effect.
• Legal Obligation (Art. 6 [1][c] GDPR). Processing necessary to comply with legal requirements (e.g., bookkeeping, tax, and regulatory obligations).

3. How We Use Your Information

We use the collected information for various purposes:

• To provide, operate, and maintain the Service;
• To authenticate users and secure accounts;
• To process payments and manage credit balances;
• To generate, store, and deliver Generated Images;
• To communicate with you and provide customer support;
• To conduct analytics, debug, and enhance Service performance;
• To enforce our Terms of Service and other policies;
• To detect, prevent, and address fraud and security threats;
• To comply with applicable laws and regulations.

4. How We Share Your Information

We do not sell your Personal Data. We only disclose information:

• Service Providers. Third-party companies acting on our behalf under written agreements, such as Supabase (authentication & database), Stripe (payments), Google (identity). These providers may access Personal Data solely to perform contracted services and are bound by confidentiality and data-processing agreements.
• Legal or Regulatory Authorities. Where required by law or to protect rights, safety, or property.
• Business Transfers. In connection with a merger, acquisition, or sale of assets, provided the recipient honors this Policy.
• With Your Consent. For any other disclosure you explicitly authorize.

We do not share your specific Input Content or Generated Images with third parties except where this is strictly necessary to operate the Service (e.g., storage providers) or where we are legally compelled to do so.

5. Data Retention

We retain Personal Data for as long as necessary to fulfill the purposes outlined in this Policy, including to satisfy legal, accounting, or reporting requirements. Account data is kept while your account is active and for a reasonable period thereafter. Input Content and Generated Images are retained as part of your account or for model-improvement purposes, subject to your rights described below.

6. Your Rights (EEA Residents)

Subject to statutory conditions, you have the right to request access, rectification, erasure, restriction, or portability of your Personal Data, to object to processing, and to withdraw consent. To exercise these rights, please contact us using the details in Section 14. We may require proof of identity before responding. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.

7. Data Security

We implement appropriate technical and organisational measures to protect Personal Data. Nevertheless, no Internet transmission is completely secure, and we cannot guarantee absolute security. You use the Service at your own risk.

8. Data Breach Notification

In the event of a personal-data breach, we will notify the competent supervisory authority without undue delay and, where required, affected individuals, in accordance with Articles 33 and 34 GDPR.

9. International Transfers

We and our Service Providers may process Personal Data outside the European Economic Area. Where such transfers occur, we rely on European Commission adequacy decisions or Standard Contractual Clauses to ensure an adequate level of protection.

10. Automated Decision-Making & Profiling

The generation of images is an automated process based on user inputs. This does not constitute automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR.

11. Children's Privacy

The Service is not directed to persons under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with Personal Data, please contact us so that we can delete the information.

12. Changes to This Policy

We may update this Policy from time to time. The updated version will be posted on this page and will take effect on publication. Material changes will be announced at least 30 days in advance, where legally required.

13. Data Protection Officer

Based on our current processing activities, we are not obliged to appoint a statutory Data Protection Officer. Nonetheless, we maintain robust data protection governance internally. Questions may be directed to the contact details below.

14. Contact Us

If you have questions about this Policy or our privacy practices, you may contact us:

• Email: [email protected]