Privacy Policy

Last updated: April 12, 2026. Version 1.1

This Privacy Policy is available in Ukrainian at Політика конфіденційності (UA). For users resident in Ukraine, the Ukrainian version prevails in case of discrepancies.

1. Introduction and Data Controller

This Privacy Policy explains what personal data OxieAI ("we", "us") collects, how we use it, who we share it with, and the rights you have under the GDPR and the Law of Ukraine "On Personal Data Protection" No. 2297-VI. By using OxieAI, you confirm that you have read this Policy.

Data Controller: OxieAI is the data controller responsible for your personal data. For privacy requests, including exercising your rights, contact us at:

Email: [email protected]
Website: https://oxieai.com

2. Data We Collect

2.1 Account data:

  • Name and email address.
  • Password (stored as a salted hash, never in plain text).
  • Profile settings you choose to configure.

2.2 Payment data:

  • Payment tokens and transaction references processed by our payment provider. We do not store full card details on our servers.
  • Credit balance and purchase history.

2.3 Content and technical data:

  • Images you upload for image or video processing.
  • Images and videos generated by the Service and custom styles you create.
  • Technical data: IP address, browser and device identifiers, logs.

3. How and Why We Use Your Data

We process your personal data only where a valid legal basis exists under the GDPR and the Law of Ukraine "On Personal Data Protection" No. 2297-VI.

Purpose Legal Basis
Providing the Service and generating imagesPerformance of a contract (Art. 6(1)(b))
Account management and supportPerformance of a contract (Art. 6(1)(b))
Processing payments and creditsPerformance of a contract (Art. 6(1)(b))
Fraud prevention and securityLegitimate interests (Art. 6(1)(f))
Anonymised usage analyticsLegitimate interests (Art. 6(1)(f))
Tax, accounting, and legal complianceLegal obligation (Art. 6(1)(c))
Marketing emails (where applicable)Consent (Art. 6(1)(a))

We do not use your uploads, generated images, or videos to train AI models.

4. Data Retention

Uploaded images: stored for up to 90 days, then automatically deleted.

Generated images and videos: stored for 14 days, then automatically deleted. You can download or delete them earlier at any time.

Account data: kept for as long as your account is active. Deleted within 30 days after account closure, except where longer retention is required by law.

Payment records: retained for up to 7 years to comply with tax and accounting law.

Logs: retained for up to 90 days for security and diagnostic purposes.

5. Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2+), encryption at rest, hashed passwords, access controls, isolated processing environments, and regular security reviews. Our primary infrastructure is hosted in ISO 27001-certified data centres within the European Union. No system is 100% secure, but we work continuously to protect your data.

6. Who We Share Data With (Sub-processors)

We share personal data only with trusted third parties acting as data processors under GDPR Art. 28. Each is bound by a data processing agreement and may only process data on our instructions. Our current sub-processors are:

Provider Purpose Location
Hetzner Online GmbH Cloud hosting, compute, and object storage Germany / Finland (EU)
Paddle.com Market Limited Payment processing, Merchant of Record, tax handling United Kingdom / Ireland
Runware AI image generation (FLUX model family, under commercial licence) EU (SCCs apply where relevant)
Email delivery provider Transactional emails (verification, receipts, notifications) EU

6.1 Hosting and storage: Our servers, databases, and object storage are operated on infrastructure provided by Hetzner Online GmbH in EU-based data centres. Hetzner is ISO 27001-certified.

6.2 Payment processing: Payments are handled by Paddle.com Market Limited, which acts as the Merchant of Record. Paddle processes your payment data (including card details) directly and is PCI DSS certified. OxieAI receives only transaction references and billing metadata, not your full card number. Paddle's processing is governed by its own Privacy Notice.

6.3 AI image generation: Image generation is powered by models from the FLUX family, operated through Runware, our AI inference partner. Runware holds a commercial licence for the FLUX models from Black Forest Labs, which covers our use of the Service. Uploaded and generated images are transmitted to Runware solely for the purpose of processing your request and are not used to train any AI models. Runware acts as our data processor under a data processing agreement.

6.4 Analytics: We may use privacy-focused analytics tools to monitor Service health. These tools process anonymised usage data only and do not collect personally identifiable information.

6.5 Legal disclosures: We may disclose data if required by law, court order, or to protect our legal rights, users, or the public.

We do not sell your personal data. Ever.

7. Your Rights

Under the GDPR and Ukrainian law you have the following rights. To exercise them, contact [email protected]. We respond to verified requests within 30 days.

  • Access (Art. 15): Request a copy of your personal data.
  • Rectification (Art. 16): Correct inaccurate or incomplete data.
  • Erasure (Art. 17): Request deletion of your data, subject to legal retention obligations.
  • Portability (Art. 20): Receive your data in a machine-readable format.
  • Restriction (Art. 18): Restrict processing while a dispute is pending.
  • Object (Art. 21): Object to processing based on legitimate interests or direct marketing.
  • Withdraw consent: Withdraw any consent at any time, without affecting prior lawful processing.
  • Complaint: Lodge a complaint with your local supervisory authority. EU authorities: edpb.europa.eu.
  • Ukraine residents: You may file a complaint with the Ukrainian Parliament Commissioner for Human Rights (Ombudsman) at ombudsman.gov.ua.

8. Cookies

8.1 Essential cookies: Required for authentication and core functionality. Cannot be disabled.

8.2 Analytics cookies: Used only with your consent to measure performance. You can withdraw consent at any time.

8.3 Managing preferences: Manage cookies via our Cookie Preferences panel or your browser settings. Disabling non-essential cookies does not affect core functionality.

9. International Data Transfers

Our primary infrastructure is located within the European Union. Some sub-processors (for example, certain AI model providers) may be located outside the European Economic Area. In such cases, transfers are protected by Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other lawful mechanisms under Chapter V of the GDPR. You may request a copy of the relevant safeguards by emailing [email protected].

10. Minors

The Service is intended for users aged 18 and older. We do not knowingly collect data from minors. If we learn that we have collected data from a person under 18, we will delete it. If you believe a minor has provided us data, contact [email protected].

11. Changes to This Policy

We may update this Policy as our Service, sub-processors, or legal obligations change. For material changes, we will notify you at least 14 days in advance by email or in-app notice. The updated date is always shown at the top of this page. Continued use of the Service after the effective date constitutes acceptance.

12. Contact

For questions about this Policy or to exercise your rights, contact us:

Email: [email protected]
Website: https://oxieai.com