This Privacy Policy explains what personal data Synexa ("we," "us") collects, why we collect it, how we use and share it, and the rights you have over it. It applies to synexa.art and all related services.

1. Data We Collect

Information you give us

Account data: email, username, password hash, optional avatar and bio.
Content: prompts you write, reference images you upload, and generated outputs.
Payment data: handled by Stripe. We never see your full card number; we store only Stripe's customer/subscription IDs and a transaction history.
Support communications: messages and screenshots you send when contacting support.

Information collected automatically

Basic device/browser info (user agent, language, screen size).
Coarse-grained product analytics (events like "generation completed", page views) — no third-party advertising trackers.
Server logs (IP address, request paths, timestamps) for security and debugging — retained for up to 90 days.

2. How We Use Data

To operate, secure, and improve the Service.
To process payments and grant credits.
To respond to support requests.
To detect abuse, fraud, and prohibited content.
To send transactional and authentication emails (e.g., password resets, purchase receipts). We do not send marketing email without your consent.

3. Legal Bases (EEA / UK)

We rely on the following legal bases under GDPR: contract performance (delivering the Service), legitimate interests (security, fraud prevention, product improvement), consent (where required), and legal obligations (tax, accounting, lawful requests).

4. AI Models & Your Inputs

Prompts and reference images you submit are sent to third-party model providers to produce outputs. We do not use your inputs or outputs to train third-party models without your consent. We may store generations to your account so you can access them; you can delete them at any time.

5. Sharing

We share data only with:

Infrastructure providers: cloud hosting, database, and storage (e.g., Supabase, Cloudflare).
Payment processor: Stripe.
AI model providers: to render your generations.
Email service: to send transactional and auth emails.
Authorities: where required by valid legal process, or to protect rights, safety, or prevent fraud.

We do not sell your personal data.

6. Data Retention

Account data: while your account is active, plus up to 90 days after deletion for backups.
Generations: until you delete them or close your account.
Payment records: as long as required by tax/accounting law (typically 7 years).
Server logs: up to 90 days.

7. Your Rights

Depending on your location, you may have the right to access, correct, export, or delete your personal data, to object to certain processing, or to lodge a complaint with a data protection authority. To exercise these rights, email privacy@synexa.art from the email address on your account.

8. Security

We use TLS for data in transit, encrypted storage at rest, role-based access controls, and routine security reviews. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.

9. International Transfers

Your data may be processed in countries outside your own. Where required, we use Standard Contractual Clauses or other safeguards approved under applicable law.

10. Children

The Service is not intended for users under 18 (or the age of majority in your jurisdiction). We do not knowingly collect data from minors. If you believe a minor has used the Service, contact us and we will delete the account.

11. Cookies

We use first-party cookies and local storage strictly to keep you signed in and remember preferences. We do not use advertising cookies.

12. Changes

We may update this policy. Material changes will be announced via email or in-product notice at least 7 days before they take effect.

13. Contact

Privacy inquiries: privacy@synexa.art. General support: support@synexa.art.