Privacy Policy

Privacy Policy for gptimage2.design
Apr 17, 2026

Last updated: April 17, 2026

This Privacy Policy describes how gptimage2.design ("we", "us", or "our") collects, uses, discloses, and protects information about you when you use the website at gptimage2.design, related subdomains, and associated services (the "Service").

1. Information We Collect

1.1 Information you provide

  • Account information — name, email address, and password (or OAuth profile data when you sign in with Google, GitHub, etc.)
  • Billing information — processed directly by our payment providers (Stripe, Creem, PayPal). We receive only the last 4 digits of your card and a transaction identifier; we do not store full card numbers or CVVs on our servers.
  • User Content — prompts you enter, reference images you upload, and the resulting generations, as well as any feedback, bug reports, and messages you send to support.

1.2 Information collected automatically

  • Usage data — pages viewed, features used, generation counts, time stamps, and browser/device identifiers.
  • Log data — IP address, user agent, referrer URL, and request-level diagnostics (for security, abuse prevention, and debugging).
  • Cookies and similar technologies — strictly necessary cookies (session, CSRF) and optional analytics cookies (aggregated usage). You can control non-essential cookies through your browser settings.

1.3 Information from third parties

  • OAuth providers (Google, GitHub) share basic profile data per the scopes you authorize at sign-in.
  • Upstream model providers (OpenAI, Google, Microsoft) may return metadata such as safety-policy decisions or provider request IDs, which we associate with your generation.

2. How We Use Information

  • Operate, maintain, secure, and improve the Service
  • Authenticate you, manage your account, and process payments
  • Route your generation requests to the appropriate upstream model provider and return the result
  • Prevent fraud, abuse, and violations of our Terms of Service
  • Send transactional emails (receipts, security alerts, product announcements you have opted into)
  • Comply with legal obligations and respond to lawful requests

We do not sell your personal information. We do not use your prompts, reference images, or generated outputs to train our own or third-party machine-learning models.

If you are in the EEA or the UK, we process your information on the following legal bases:

  • Contract — to provide the Service you sign up for (Art. 6(1)(b))
  • Legitimate interests — to secure the Service, prevent abuse, and improve product quality (Art. 6(1)(f))
  • Consent — for optional analytics, marketing emails, and non-essential cookies (Art. 6(1)(a))
  • Legal obligation — to comply with laws and lawful requests (Art. 6(1)(c))

4. Sharing and Disclosure

We share information only with the following categories of recipients:

| Recipient | Purpose |
| --- | --- |
| OpenAI / Google / Microsoft and other model providers | Fulfilling your generation requests |
| Stripe / Creem / PayPal | Payment processing |
| Cloudflare (R2) | Object storage for your uploads and generations |
| Neon (Postgres) | Primary database |
| Vercel | Hosting and CDN |
| Better Auth | Authentication |
| Resend or similar | Transactional email delivery |
| Law enforcement | Only when legally required |

Each provider processes your data under its own contractual commitments and security controls.

5. Data Retention

  • Account data — retained for the lifetime of your account.
  • Prompts and uploads — retained for up to 90 days after the generation is created, then automatically purged, unless you save them explicitly to a project.
  • Generated outputs — retained while you keep them in your dashboard; deleted within 30 days after you remove them.
  • Billing records — retained as required by tax and accounting law (typically 5–7 years).
  • Logs — retained for up to 30 days for security diagnostics, then aggregated or deleted.

You may request earlier deletion by emailing support@gptimage2.design.

6. Security

We implement commercially reasonable technical and organizational safeguards including encryption in transit (TLS 1.2+), encryption at rest for databases and object storage, least-privilege access controls, and regular dependency auditing. No internet transmission or storage system is 100% secure, and we cannot guarantee absolute security.

7. Your Rights

Depending on where you live, you may have the right to:

  • Access, correct, or delete your personal data
  • Port your data in a machine-readable format
  • Object to or restrict certain processing
  • Withdraw consent for optional processing at any time
  • Lodge a complaint with your local supervisory authority (EU/UK residents)

To exercise these rights, email support@gptimage2.design. We will respond within 30 days.

California residents have additional rights under CCPA/CPRA, including the right to know, delete, correct, and opt out of "sharing." We do not sell personal information as defined by CCPA.

8. Children

The Service is not directed to children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will delete it.

9. International Transfers

Your data may be processed in regions outside your country, including the United States and the European Union. Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards.

10. Changes to This Policy

We may update this Policy from time to time. Material changes will be announced via the Service or by email. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy questions, data-subject requests, or complaints, contact us at support@gptimage2.design.


This document is provided as a general template and does not constitute legal advice. You should have a qualified attorney review it before relying on it in production.