AIEnhance.io

Privacy Policy

Last updated: May 5, 2026

1. Information We Collect

Account data: When you sign in with Google OAuth, we receive your name, email address, and profile picture from Google. We store only the information necessary to create and maintain your account.

Images: Images you upload are processed in-memory to generate enhanced outputs. We do not persistently store your original images beyond the active request. Enhanced output URLs are hosted on Replicate's CDN and expire automatically.

Usage data: We log enhancement jobs (mode used, credit cost, timestamp) for billing accuracy and abuse prevention. We do not sell or share this data with third parties.

Guest sessions: If you use AIEnhance.io without signing in, we create an anonymous session tied to a browser ID cookie. No personally identifiable information is collected for guest sessions.

Marketing data: If you have opted in to marketing cookies via our cookie banner, we may share a hashed (one-way, non-reversible) version of your email address with Google Ads for audience matching, so we can show you relevant ads about our service on Google's network. The hashed email cannot be reversed to identify you. You can opt out at any time via the "Cookie Settings" link in our footer.

2. How We Use Your Information

  • To provide and improve our AI enhancement services
  • To process payments and manage your subscription via Monobank (or Stripe as a backup provider)
  • To credit your account accurately after successful enhancements
  • To send transactional emails (billing receipts, subscription renewals)
  • To detect and prevent fraud and abuse of the free tier
  • To measure ad performance and reach you with relevant ads on Google’s network (subject to your marketing cookie consent)

We do not use your images to train AI models.

3. Cookies

We use the following types of cookies and similar technologies:

  • Essential cookies: required for authentication (NextAuth session), guest sessions (browser ID), and storing your cookie preferences. Always active.
  • Analytics cookies (with your consent): Google Analytics 4 and Microsoft Clarity for usage statistics, session recordings, and heatmaps.
  • Marketing cookies (with your consent): Google Ads conversion tracking and Google Signals for audience measurement and retargeting. With Google Signals enabled in our GA4 property, we may associate your visit with your Google account if you are signed in and have consented to ad personalization in your Google account settings.

You can change your cookie preferences at any time via the "Cookie Settings" link in our footer. Outside the EEA/UK, marketing and analytics cookies are enabled by default; inside the EEA/UK, both require explicit consent via our cookie banner.

4. Third-Party Services

We use the following third parties to operate our service:

  • Google OAuth – identity and authentication
  • Replicate – AI model inference and output storage
  • fal.ai – FLUX image generation
  • OpenRouter – Nano Banana (Gemini) and GPT image generation
  • Monobank – payment processing and subscription management (primary)
  • Stripe – payment processing (backup provider)
  • Railway – application hosting and database
  • Google Analytics 4 (with Google Signals enabled) – usage statistics and audience measurement (subject to your marketing cookie consent)
  • Google Ads – advertising performance measurement and audience matching for retargeting (subject to your marketing cookie consent; we share hashed email addresses for Customer Match)
  • Microsoft Clarity – session recordings and heatmaps (anonymized, subject to your analytics cookie consent)

Each provider has its own privacy policy governing its data handling.

5. Data Retention

Account data is retained as long as your account is active. Enhancement job logs are kept for 90 days for billing dispute resolution. Credit ledger entries are kept for 12 months for tax and compliance purposes. You can request account deletion by emailing [email protected].

6. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data. To exercise these rights, contact us at [email protected]. We will respond within 30 days.

7. Security

We use HTTPS for all data transmission, bcrypt hashing for any sensitive tokens, and environment-variable-based secret management. Database access is restricted to our application server. We conduct periodic security reviews and address vulnerabilities promptly.

8. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. When we do, we will update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance.

Questions?

Email us at [email protected] and we'll respond personally.