Privacy Policy: How We Handle Your Data
Last Updated: May 20, 2026
Introduction
Welcome to Z-Image AI (https://z-image-ai.run/), an AI-powered image generation platform. This Privacy Policy explains what information we collect, how we use it, how we safeguard it, and the choices you have regarding your data when using the Z-Image AI platform (the "Service").
By accessing or using Z-Image AI, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use our Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Display name
- Password (stored as a salted hash; never in plain text)
- Optional profile picture (if you choose to upload one)
We use this information to authenticate you, manage your account, send essential service notifications, and respond to support requests.
1.2 Payment Information
When you purchase credits or subscribe to a plan:
- Payment is processed by our payment provider (Creem). We do not receive or store your credit card number, CVV, or full card details.
- We store: order metadata (amount, currency, plan name, order timestamp, transaction ID, refund status), the masked customer identifier returned by Creem, and the email used at checkout.
1.3 Usage and Generation Data
This is what most platforms hide. We're being explicit:
- Prompts you submit are stored in our database (
ai_tasktable) along with the model used, generation parameters (aspect ratio, output format, quality, seed, etc.), timestamps, and status. - Reference images you upload (for image-to-image generation) are stored in our Cloudflare R2 bucket.
- Generated images returned by the AI providers are also stored in our Cloudflare R2 bucket and linked to your account.
- We retain credit-consumption history, including how much each generation cost and which generations were refunded (e.g., when an AI provider rejected a prompt).
Why we store this:
- To show you your generation history
- To enable downloads after the original provider URL expires
- To provide customer support (e.g., "why did this generation fail?")
- To detect and prevent abuse (e.g., users repeatedly submitting policy-violating prompts)
- To diagnose and improve service reliability
What we do NOT do with your prompts and generated images:
- We do not use them to train any AI model (we don't train models, we call third-party APIs)
- We do not sell them to data brokers or any third party
- We do not scan them for advertising or marketing purposes
- We do not share them publicly without your explicit action
1.4 Technical Information
Automatically collected when you use the Service:
- Browser type and version
- Operating system and platform
- Device type (desktop, mobile, tablet)
- IP address (for security, fraud prevention, rate limiting, and regional compliance only)
- Language preferences
- Approximate geographic location (derived from IP)
1.5 Cookies and Local Storage
We use cookies and browser local storage for:
- Essential: authentication session, security tokens
- Preference: language, UI settings, recent generation parameters
- Analytics (if enabled): anonymous usage statistics
You can disable cookies through your browser settings, but doing so may break login and other essential features.
2. How We Use Your Information
| Purpose | Examples |
|---|---|
| Service operation | Authenticating logins, executing generations, processing payments |
| Account management | Tracking credit balance, billing history, refunds |
| Fraud and abuse prevention | Detecting policy-violating prompts, rate limiting, blocking automated abuse |
| Customer support | Investigating "my generation failed" reports |
| Service improvement | Analyzing aggregate usage patterns to identify bugs and prioritize features |
| Legal compliance | Responding to lawful requests, tax records, retention obligations |
| Essential communications | Account security alerts, transactional emails (receipts, password resets) |
What we do NOT do:
- Sell your personal data to any third party
- Use your data for targeted advertising on or off our site
- Share your prompts, reference images, or generated images with any external party other than the AI provider executing your request
3. Legal Bases for Processing (GDPR / EEA Users)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on:
- Contract performance: To provide the Service you signed up for
- Legitimate interest: Security, fraud prevention, service analytics
- Consent: Optional marketing emails (you can withdraw at any time)
- Legal obligation: Tax records, regulatory compliance
4. Service Providers and Data Sharing
We do not sell, trade, or rent your personal information. We share data only with the trusted service providers below, each contractually obligated to use your data solely to perform their service for us:
| Provider | Purpose | Data shared |
|---|---|---|
| fal.ai | AI image generation execution | Your prompt, reference image (i2i), generation parameters |
| Creem | Payment processing, subscription management | Your email, name, order details (no card data, Creem handles it) |
| Cloudflare R2 | Storage of generated images and uploaded reference images | The image files |
| Cloudflare | CDN, DDoS protection | Standard HTTP request metadata |
| Better Auth | Authentication infrastructure | Email, hashed password, session tokens |
| Brevo | Transactional emails (receipts, password resets, alerts) | Your email, the email content |
| Database / hosting providers | Application hosting and data storage | All operational data described above |
We may also disclose information when required by law (court orders, subpoenas, lawful government requests). We will push back on overly broad requests.
In the event of a merger, acquisition, or sale of assets, your information may transfer to the acquiring entity. You will be notified by email or prominent site notice if this happens.
5. International Data Transfers
Z-Image AI operates globally. Your data may be processed and stored on servers outside your country of residence. We use:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers out of the EEA
- Industry-standard security safeguards (encryption in transit and at rest)
- Data Processing Agreements with each sub-processor listed above
6. Data Retention
| Data type | Retention |
|---|---|
| Account information | Until you delete your account; deleted within 30 days of account closure |
Prompts and generation history (ai_task records) | For the lifetime of your account; deleted when the account is deleted |
| Generated and uploaded images in R2 | For the lifetime of your account; deleted within 30 days of account closure |
| Payment and order records | Retained for as long as legally required (typically 7 years for tax and financial regulations) |
| Server access logs | 90 days (extended if required for security investigations) |
| Customer support correspondence | 2 years after case closure |
You can request earlier deletion of specific generations or your entire account at any time (see Section 8).
7. Data Security
We use industry-standard security controls:
Technical safeguards
- TLS encryption for all data in transit
- Password hashing using modern algorithms (bcrypt/argon2-class)
- Encrypted storage at rest for the database and R2 bucket
- Server-side input moderation via Creem's Moderation API and our content-policy filters before submitting to AI providers
- Output safety checks via the AI providers' built-in moderation
- Webhook signature verification for all payment events
Organizational measures
- Access to user data is restricted to authorized personnel on a need-to-know basis
- Regular security review of dependencies and infrastructure
No system is 100% secure. We will notify you in accordance with applicable law in the event of a data breach affecting your personal information.
8. Your Privacy Rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA, PIPEDA, LGPD, etc.) you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Have inaccurate or incomplete data corrected
- Deletion ("right to be forgotten"): Have your data deleted, subject to legal retention exceptions
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Request that we limit processing of your data
- Objection: Object to certain processing (e.g., legitimate-interest processing)
- Withdraw consent: Where we rely on consent, you can withdraw it at any time
- Opt-out of marketing: Use the unsubscribe link in any marketing email
How to exercise your rights: Email us at support@z-image-ai.run with your request. We will respond within 30 days (or as required by applicable law). For deletion requests, we will verify your identity by responding to your registered account email before processing.
9. Children's Privacy
Z-Image AI is not intended for users under 13 years of age (or the age of digital consent in your jurisdiction, whichever is higher).
We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us personal information, please contact us at support@z-image-ai.run and we will delete it promptly.
10. California Residents (CCPA / CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know what personal information we collect, use, and share
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt-out of the sale or sharing of your personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination when you exercise these rights
We do not sell your personal information for monetary consideration. We do not knowingly share personal information for cross-context behavioral advertising.
To exercise your CCPA / CPRA rights, email support@z-image-ai.run.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or service offerings.
How we notify you:
- Material changes are communicated via email to account holders at least 14 days before taking effect
- Non-material updates are posted on this page with a new "Last Updated" date at the top
- Your continued use of the Service after the effective date constitutes acceptance of the updated policy
We recommend reviewing this page periodically.
12. Third-Party Links
Our Service may link to external sites (such as our AI providers' status pages, payment provider documentation, or social media). We are not responsible for the privacy practices of those sites. Review their respective privacy policies before submitting any information.
13. Governing Law
This Privacy Policy and any disputes arising from it are governed by applicable data protection laws in the jurisdictions in which we operate, including (without limitation) the EU GDPR for EEA users, UK GDPR for UK users, and CCPA / CPRA for California residents.
14. Contact Us
For any privacy-related question, request, or concern, please contact us:
Z-Image AI Support Team
- Website: https://z-image-ai.run/
- Email: support@z-image-ai.run
We aim to respond to inquiries within 1-3 business days.
By using Z-Image AI, you acknowledge that you have read and understood this Privacy Policy. Thank you for trusting us with your data. We take that responsibility seriously.
