Privacy Policy — How Image-AI.run Handles Your Data

How Image-AI.run collects, uses, and protects your data — GDPR, UK GDPR, CCPA compliant. What we store, how long, and your rights as a user.
May 20, 2026

Last Updated: May 20, 2026

Introduction

Welcome to Image-AI.run (https://z-image-ai.run/), an AI-powered image generation platform. This Privacy Policy explains what information we collect, how we use it, how we safeguard it, and the choices you have regarding your data when using the Image-AI.run platform (the "Service").

By accessing or using Image-AI.run, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use our Service.


1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Display name
  • Password (stored as a salted hash; never in plain text)
  • Optional profile picture (if you choose to upload one)

We use this information to authenticate you, manage your account, send essential service notifications, and respond to support requests.

1.2 Payment Information

When you purchase credits or subscribe to a plan:

  • Payment is processed by our payment provider (Creem). We do not receive or store your credit card number, CVV, or full card details.
  • We store: order metadata (amount, currency, plan name, order timestamp, transaction ID, refund status), the masked customer identifier returned by Creem, and the email used at checkout.

1.3 Usage and Generation Data

This is what most platforms hide. We're being explicit:

  • Prompts you submit are stored in our database (ai_task table) along with the model used, generation parameters (aspect ratio, output format, quality, seed, etc.), timestamps, and status.
  • Reference images you upload (for image-to-image generation) are stored in our Cloudflare R2 bucket.
  • Generated images returned by the AI providers are also stored in our Cloudflare R2 bucket and linked to your account.
  • We retain credit-consumption history, including how much each generation cost and which generations were refunded (e.g., when an AI provider rejected a prompt).

Why we store this:

  • To show you your generation history
  • To enable downloads after the original provider URL expires
  • To provide customer support (e.g., "why did this generation fail?")
  • To detect and prevent abuse (e.g., users repeatedly submitting policy-violating prompts)
  • To diagnose and improve service reliability

What we do NOT do with your prompts and generated images:

  • We do not use them to train any AI model (we don't train models — we call third-party APIs)
  • We do not sell them to data brokers or any third party
  • We do not scan them for advertising or marketing purposes
  • We do not share them publicly without your explicit action

1.4 Technical Information

Automatically collected when you use the Service:

  • Browser type and version
  • Operating system and platform
  • Device type (desktop, mobile, tablet)
  • IP address (for security, fraud prevention, rate limiting, and regional compliance only)
  • Language preferences
  • Approximate geographic location (derived from IP)

1.5 Cookies and Local Storage

We use cookies and browser local storage for:

  • Essential: authentication session, security tokens
  • Preference: language, UI settings, recent generation parameters
  • Analytics (if enabled): anonymous usage statistics

You can disable cookies through your browser settings, but doing so may break login and other essential features.


2. How We Use Your Information

Purpose | Examples
Service operation | Authenticating logins, executing generations, processing payments
Account management | Tracking credit balance, billing history, refunds
Fraud and abuse prevention | Detecting policy-violating prompts, rate limiting, blocking automated abuse
Customer support | Investigating "my generation failed" reports
Service improvement | Analyzing aggregate usage patterns to identify bugs and prioritize features
Legal compliance | Responding to lawful requests, tax records, retention obligations
Essential communications | Account security alerts, transactional emails (receipts, password resets)

What we do NOT do:

  • Sell your personal data to any third party
  • Use your data for targeted advertising on or off our site
  • Share your prompts, reference images, or generated images with any external party other than the AI provider executing your request

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on:

  • Contract performance: To provide the Service you signed up for
  • Legitimate interest: Security, fraud prevention, service analytics
  • Consent: Optional marketing emails (you can withdraw at any time)
  • Legal obligation: Tax records, regulatory compliance

4. Service Providers and Data Sharing

We do not sell, trade, or rent your personal information. We share data only with the trusted service providers below — each contractually obligated to use your data solely to perform their service for us:

Provider | Purpose | Data shared
fal.ai | AI image generation execution | Your prompt, reference image (i2i), generation parameters
Creem | Payment processing, subscription management | Your email, name, order details (no card data — Creem handles it)
Cloudflare R2 | Storage of generated images and uploaded reference images | The image files
Cloudflare | CDN, DDoS protection | Standard HTTP request metadata
Better Auth | Authentication infrastructure | Email, hashed password, session tokens
Brevo | Transactional emails (receipts, password resets, alerts) | Your email, the email content
Database / hosting providers | Application hosting and data storage | All operational data described above

We may also disclose information when required by law (court orders, subpoenas, lawful government requests). We will push back on overly broad requests.

In the event of a merger, acquisition, or sale of assets, your information may transfer to the acquiring entity. You will be notified by email or prominent site notice if this happens.


5. International Data Transfers

Image-AI.run operates globally. Your data may be processed and stored on servers outside your country of residence. We use:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers out of the EEA
  • Industry-standard security safeguards (encryption in transit and at rest)
  • Data Processing Agreements with each sub-processor listed above

6. Data Retention

Data type | Retention
Account information | Until you delete your account; deleted within 30 days of account closure
Prompts and generation history (ai_task records) | For the lifetime of your account; deleted when the account is deleted
Generated and uploaded images in R2 | For the lifetime of your account; deleted within 30 days of account closure
Payment and order records | Retained for as long as legally required (typically 7 years for tax and financial regulations)
Server access logs | 90 days (extended if required for security investigations)
Customer support correspondence | 2 years after case closure

You can request earlier deletion of specific generations or your entire account at any time (see Section 8).


7. Data Security

We use industry-standard security controls:

Technical safeguards

  • TLS encryption for all data in transit
  • Password hashing using modern algorithms (bcrypt/argon2-class)
  • Encrypted storage at rest for the database and R2 bucket
  • Server-side input moderation via Creem's Moderation API and our content-policy filters before submitting to AI providers
  • Output safety checks via the AI providers' built-in moderation
  • Webhook signature verification for all payment events

Organizational measures

  • Access to user data is restricted to authorized personnel on a need-to-know basis
  • Regular security review of dependencies and infrastructure

No system is 100% secure. We will notify you in accordance with applicable law in the event of a data breach affecting your personal information.


8. Your Privacy Rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA, PIPEDA, LGPD, etc.) you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Have inaccurate or incomplete data corrected
  • Deletion ("right to be forgotten"): Have your data deleted, subject to legal retention exceptions
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Request that we limit processing of your data
  • Objection: Object to certain processing (e.g., legitimate-interest processing)
  • Withdraw consent: Where we rely on consent, you can withdraw it at any time
  • Opt-out of marketing: Use the unsubscribe link in any marketing email

How to exercise your rights: Email us at support@z-image-ai.run with your request. We will respond within 30 days (or as required by applicable law). For deletion requests, we will verify your identity by responding to your registered account email before processing.


9. Children's Privacy

Image-AI.run is not intended for users under 13 years of age (or the age of digital consent in your jurisdiction, whichever is higher).

We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us personal information, please contact us at support@z-image-ai.run and we will delete it promptly.


10. California Residents (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know what personal information we collect, use, and share
  • Right to delete your personal information
  • Right to correct inaccurate personal information
  • Right to opt-out of the sale or sharing of your personal information
  • Right to limit use of sensitive personal information
  • Right to non-discrimination when you exercise these rights

We do not sell your personal information for monetary consideration. We do not knowingly share personal information for cross-context behavioral advertising.

To exercise your CCPA / CPRA rights, email support@z-image-ai.run.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or service offerings.

How we notify you:

  • Material changes are communicated via email to account holders at least 14 days before taking effect
  • Non-material updates are posted on this page with a new "Last Updated" date at the top
  • Your continued use of the Service after the effective date constitutes acceptance of the updated policy

We recommend reviewing this page periodically.


Our Service may link to external sites (such as our AI providers' status pages, payment provider documentation, or social media). We are not responsible for the privacy practices of those sites. Review their respective privacy policies before submitting any information.


13. Governing Law

This Privacy Policy and any disputes arising from it are governed by applicable data protection laws in the jurisdictions in which we operate, including (without limitation) the EU GDPR for EEA users, UK GDPR for UK users, and CCPA / CPRA for California residents.


14. Contact Us

For any privacy-related question, request, or concern, please contact us:

Image-AI.run Support Team

We aim to respond to inquiries within 1-3 business days.


By using Image-AI.run, you acknowledge that you have read and understood this Privacy Policy. Thank you for trusting us with your data — we take that responsibility seriously.