Privacy Policy
Last updated: 9 May 2026
Note for non-EU users: AIFLUX is operated by a company based in the European Union and processes all user data in accordance with the EU General Data Protection Regulation (GDPR). The protections described in this policy — including your rights of access, rectification, erasure, and data portability — apply to all users regardless of their geographic location.
1. Data Controller
The Data Controller for the processing of personal data is ForgeAISolution.
Contact email: [email protected]
2. Personal Data Collected
AIFLUX collects the following categories of personal data:
- Registration data: username, email address, password (stored in hashed form using bcrypt).
- Payment data: transactions are handled entirely by Stripe, Inc. AIFLUX does not store credit card data. We only store the payment session identifier, the purchased plan, and the amount.
- Generated content: text prompts entered by the user and the URLs of images/videos generated by the service.
- Input files: images, videos, and audio files uploaded by the user as references for content generation. These files are stored on secure cloud infrastructure (Cloudflare R2) to enable the "Repeat" feature and are deleted when the associated generation is deleted or upon account deletion. The user has full control and can delete their data at any time.
- Technical data: IP address, browser user-agent, access timestamps — used exclusively for security purposes and abuse prevention.
- Technical cookies: session cookies and CSRF tokens strictly necessary for the functioning of the service (see our Cookie Policy).
3. Purposes of Processing
Personal data is processed for the following purposes:
- Service delivery: account creation and management, AI content generation, credit management.
- Payments: processing credit purchases through Stripe.
- Security: account protection, fraud prevention, rate limiting, detection of unauthorized access.
- Service communications: account verification emails, password resets.
- Marketing (consent-based only): sending promotional communications. You may withdraw your consent at any time.
- Legal obligations: compliance with legal and tax obligations.
4. Legal Basis for Processing
The processing of personal data is based on the following legal grounds (Art. 6 GDPR):
- Performance of a contract (Art. 6(1)(b)): for the provision of the service and account management.
- Consent (Art. 6(1)(a)): for sending marketing communications and acceptance of this privacy policy.
- Legitimate interest (Art. 6(1)(f)): for the security of the service and abuse prevention.
- Legal obligation (Art. 6(1)(c)): to comply with legal obligations (e.g., tax regulations).
5. Data Retention Period
- Account data: retained for the duration of the account and up to 30 days after deletion.
- Generated content: retained until account deletion or upon user request.
- Payment data: retained for 10 years as required by Italian tax law.
- Security logs: retained for a maximum of 12 months.
6. Recipients and Extra-EU Transfers
Personal data may be disclosed to the following third parties:
- Stripe, Inc. (USA) — payment processing. Stripe adheres to the EU-US Data Privacy Framework. Stripe Privacy Policy.
- WaveSpeed AI (USA) — image and video generation through AI models. Prompts and reference images are sent to their servers for processing.
- Google Gemini API (USA) — content processing through generative artificial intelligence models. Text prompts and associated data are transmitted to Google servers for processing. Google acts as a data processor. Google Privacy Policy.
- RunPod, Inc. (USA) — audio (TTS) and animated video generation on serverless GPU infrastructure. Input audio/image files and prompts are sent to their servers for processing and deleted at job completion. RunPod Privacy Policy.
- Atlas Cloud (USA) — video generation through dedicated AI models (e.g. Seedance 1.5 Spicy). Reference images and prompts are transmitted to their servers for the duration of processing. Atlas Cloud Privacy Policy.
- Neon Tech, Inc. (USA) — database hosting. Data is stored on cloud infrastructure with at-rest encryption.
- Cloudflare, Inc. (USA) — CDN, DDoS protection, object storage (R2). Adheres to the EU-US Data Privacy Framework.
- PostHog, Inc. (USA) — product analytics (page views, usage events, anonymous session identifier). The script is loaded only after the user's explicit consent to the "Analytics" category via the cookie banner; no data is sent without consent. PostHog Privacy Policy.
- Hetzner Online GmbH (Germany) — application server hosting, with data centers in the EU.
Transfers to the USA are carried out on the basis of the EU-US Data Privacy Framework or, where not applicable, on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Your Rights
In accordance with the GDPR (Articles 15-22), you have the right to:
- Access — obtain confirmation of processing and a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request the deletion of your data.
- Restriction — restrict processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdrawal of consent — withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.
To exercise your rights, write to [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (www.garanteprivacy.it).
8. Minors
The service is not intended for individuals under 16 years of age. We do not knowingly collect data from minors under 16. If you believe a minor has provided personal data, please contact us for removal.
9. Changes to This Policy
We reserve the right to update this privacy policy. In the event of substantial changes, we will notify you through the service or by email. The date of the last update is indicated at the top.
10. Contact
For any questions regarding the processing of your personal data:
ForgeAISolution
Email: [email protected]
