Privacy Policy
Last updated: May 28, 2026
The short version
We collect what we need to run the service, nothing more. Your email if you sign up. The prompts you submit, any reference images you upload (including face references), and the images you generate when you use the studio. Payments go directly to Polar — we never see your card. For traffic measurement we use privacy-friendly, cookieless analytics (Plausible and Vercel) that count visits in aggregate and never identify you — no ad pixels, no cross-site trackers. We don't sell your data.
Who we are
Promly ("we," "us," "our") is operated by Erez Haim. We build an AI image studio that turns a description into generated images, using image models including GPT Image 2, Google's Nano Banana family, and Black Forest Labs' FLUX.2. Our website is promly.ai.
For privacy questions, email legal@promly.ai.
What we collect
Here is everything we store, why, and where:
| Data | Why | Where it lives |
|---|---|---|
| Email address | Account identity, sign-in via magic link | Supabase (auth + your row in pl_users) |
| OAuth profile (Google or Discord) | Sign-in if you choose social login. We receive your email and display name only — never your password | Supabase auth, scoped to your row |
| Prompts you submit | To tune them and generate images — the core service | Sent to Anthropic (Claude Haiku) for prompt analysis, then to the active image model (GPT Image 2 / Nano Banana / FLUX.2) for generation. See "Third parties & cross-border data transfer" below for jurisdictions. Stored in your account history so you can revisit past work |
| Reference images you upload (including face references) | Used as visual input to the active image model when you upload them in the studio (People, Character, Sticker, Infographic, Storyboard Kits) | Sent to the active image provider (Google / OpenAI / BFL). Stored in your account history so you can reuse them; deleted when you delete the generation or the account |
| Generated images | So you can view, download, and reuse them | Your account history in Supabase, scoped to your row |
| Plan and usage state | Track which plan you're on (Free, Starter, Pro, or Studio), your remaining subscription Pixels, and any top-up Pixel balance with its expiry date | Supabase (pl_users, pl_subscriptions, pl_credits) |
| Payment state (subscription ID, order ID, status) | Match your Polar checkout to your account; renew, refund, expire | Supabase. We never see or store your card number — Polar handles all card data and is PCI DSS Level 1 |
| Browser session token | Keep you signed in between visits | Your browser (localStorage and an sb-…-auth-token cookie set by Supabase) |
That's the complete list of what we store about your account. For traffic measurement we use cookieless, aggregate analytics (Plausible and Vercel Web Analytics + Speed Insights) that don't identify you individually — no behavioral tracking, ad pixels, retargeting, or fingerprinting.
What we don't collect
- We don't track you across other websites
- We don't use Google Analytics, Segment, Mixpanel, or any cross-site or profiling analytics — only cookieless, aggregate visit measurement (Plausible and Vercel)
- We don't run Facebook, Twitter, Reddit, or LinkedIn pixels
- We don't store your credit card number — Polar handles all payment data
- We don't collect your name, phone number, or address unless you email us directly
- We don't build profiles or sell data to third parties
Third-party services
Promly is a small operation that relies on a few specialized services. Each handles a slice of the product and has its own privacy policy:
- Anthropic — runs Claude Haiku, our primary prompt-tuning model. When you submit a prompt, we send the prompt content to Anthropic's API for processing. Anthropic Privacy Policy →
- OpenAI — runs GPT Image 2 (image generation) and GPT-4o-mini (prompt-analysis fallback when Anthropic errors). When either is the active model, your prompt content and any reference images are sent to OpenAI's API. OpenAI Privacy Policy →
- Black Forest Labs (BFL) — runs FLUX.2 (image generation). When FLUX.2 is the active model, your prompt content and any reference images are sent to BFL's API. BFL Privacy Policy →
- FLUX model licence (BFL API Terms). Generations using FLUX models (shown as "Flux," "Flux · Fast," "Flux · Flex," or "Flux · Max" in the Studio) are processed under Black Forest Labs' API Terms of Service. Under §2(b) of those terms, BFL receives a perpetual, irrevocable, sublicensable licence to use your inputs and generated outputs, including for model training. There is no opt-out from this licence while using FLUX-powered generation. Full terms: docs.bfl.ai/agreement/ →
- Supabase — handles authentication and stores your account data, plan state, and generation history. Hosted on AWS. Supabase Privacy Policy →
- Polar — processes payments, subscriptions, and refunds. PCI DSS Level 1. We never touch your card data. Polar Privacy Policy →
- Google — runs Nano Banana 2 and Nano Banana Pro (image generation). When either is the active model, your prompt content and any reference images are sent to Google's API. Also used if you choose Google sign-in (we receive your email and name only in that case). Google Privacy Policy →
- Discord — only if you choose Discord sign-in. Same scope: email and username. Discord Privacy Policy →
- Resend — sends transactional emails on our behalf (low-Pixels notifications, welcome emails, account-related notices). We send your email address and the message content; no other account data. Resend Privacy Policy →
- Vercel — hosts the website and provides cookieless, aggregate Web Analytics + Speed Insights (visit and performance counts; no personal data, no cross-site tracking). Also keeps standard server logs (IP, user agent, request path) for operational purposes. Vercel Privacy Policy →
- Plausible — privacy-friendly, cookieless website analytics (aggregate visit counts only; no personal data, no cross-site tracking, EU-hosted). Plausible Privacy Policy →
Third parties & cross-border data transfer
When you generate an image with Promly, your prompt text and any reference images you upload (including images that may contain your face or the faces of others you have permission to upload) are sent to one or more of the following third-party AI providers to produce the requested output:
- OpenAI, Inc. (United States) — for image generation when GPT Image 2 is the active model. OpenAI Privacy Policy →
- Google LLC (United States, with global infrastructure) — for image generation when Nano Banana 2 or Nano Banana Pro is the active model. Google Privacy Policy →
- Black Forest Labs GmbH (Germany, EU) — for image generation when FLUX.2 is the active model. BFL Privacy Policy →
- Anthropic, PBC (United States) — for prompt analysis and audit (Claude Haiku 4.5). Anthropic Privacy Policy →
These transfers leave Israel and the European Union. None of the listed destinations has an EU adequacy decision for personal data. Promly relies on the following safeguards: (a) explicit consent given by you at signup and again at the moment you upload a face reference; (b) standard data processing terms offered by each provider through their enterprise / API agreements; (c) data minimization (we send only the prompt text and reference images you provide — we do not send your email, IP address, or other account metadata to these providers).
You may withdraw consent at any time by deleting your account, which deletes all generations and references. Note that AI providers may retain inputs for short durations per their own policies (see OpenAI, Google, BFL, and Anthropic privacy policies for current terms). Promly does not have a contractual right to compel deletion at the provider level beyond what those providers offer publicly.
We use these providers' API endpoints, not their consumer chat products. Each provider's terms govern whether your inputs may be used for model training and other purposes — see the linked policies above for current terms (note that one or more providers may train on inputs by default). As a precaution, do not paste secrets, credentials, or anything you wouldn't want a third-party processor to see: once a prompt is submitted, the active provider receives it in full.
Cookies and browser storage
Promly uses the bare minimum:
- Supabase auth cookie (sb-…-auth-token) — keeps you signed in. Strictly necessary for the service to work. Cleared when you sign out.
- localStorage — Supabase auth library uses localStorage to refresh your session token. Stored in your browser; never sent to us as a cookie.
That's it. Our analytics (Plausible and Vercel) are cookieless, so there are no analytics cookies, no consent-banner tracking cookies, and no third-party advertising cookies. There's nothing to consent to beyond the strictly-necessary sign-in cookie above.
Your rights
Regardless of where you live, you can:
- See your data — your account state and generation history are visible from your account. For anything else, email us
- Delete your account — use the danger-zone card in your account, or email us. We delete your row in pl_users and your generation history. Polar transaction records remain for the legal retention window noted below
- Export your history — email us and we'll send a JSON dump within 14 days
- Cancel your subscription — manage via the Polar customer portal linked from your account, or email us
If you live in the EU (GDPR), UK (UK GDPR), California (CCPA/CPRA), Brazil (LGPD), or Israel (PPL 5741-1981), you have additional statutory rights. Use the contact email at the bottom of this page with your request and we'll respond within 30 days.
Data retention
- Account data — retained until you delete your account
- Generation history (your prompts and images) — retained until you delete it or delete the account; you can clear individual items from your gallery in the Studio at any time
- Payment records — Polar retains transaction records as required by financial regulations (typically 7 years). We retain the subscription/order IDs that link your Polar account to your Promly account; we delete those when you delete your account
- Server logs — Vercel keeps standard request logs; we don't use them beyond operational debugging
Children
Promly is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, use the contact email at the bottom of this page and we'll delete it.
Changes to this policy
If we change this policy, we'll update the "Last updated" date at the top. For material changes, we'll notify account holders by email. We won't reduce your rights without notice.