Last Updated: April 18, 2026
Effective Date: April 18, 2026
Preamble
AISnapEdit ("AISnapEdit," "we," "us," "our," or "the Platform") operates the website https://aisnapedit.com, together with all of its subdomains, API endpoints, and related client applications (collectively, the "Service") — an All-In-One AI SaaS platform for a global user base, offering AI content generation capabilities across images, videos, audio, music, and more.
This Privacy Policy (the "Policy") explains, in detail, what information we collect, how we use it, whom we disclose it to, how long we retain it, what rights you have, and how you can exercise those rights when you access, register for, or use the Service.
This Policy is designed to satisfy the transparency requirements for the processing of personal information under, among others:
- The EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679)
- The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
- The Swiss Federal Act on Data Protection (FADP)
- The California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA)
- The Virginia Consumer Data Protection Act (VCDPA)
- The Colorado Privacy Act (CPA)
- The Connecticut Data Privacy Act (CTDPA)
- The Utah Consumer Privacy Act (UCPA)
- The Texas Data Privacy and Security Act (TDPSA)
- The Washington My Health My Data Act (MHMDA)
- Nevada SB220
- The U.S. Children's Online Privacy Protection Act (COPPA)
- The EU Artificial Intelligence Act (EU AI Act, Regulation (EU) 2024/1689)
- Article 4 (text and data mining) of the EU Digital Single Market Copyright Directive (DSM, Directive (EU) 2019/790)
- Other applicable data protection and consumer protection laws
Relationship With Other Documents: This Policy, together with the Terms of Service and the Refund Policy, forms part of the complete contractual relationship between you and AISnapEdit. Terminology and cross-references between the three documents are explicitly noted in each text; in the event of a direct conflict between the three documents, this Policy shall prevail, but only with respect to matters of data processing.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, please do not use the Service.
1. Definitions
The following defined terms are used in this Policy; terms shared with the Terms of Service and the Refund Policy are kept fully consistent across all three documents.
Shared definitions (consistent across all three documents):
- First-time subscriber: a unique natural person who is paying for the first time, identified through a combination of email address, payment method, device fingerprint, IP address, and related signals; creating multiple accounts to circumvent this definition constitutes a violation.
- Sole discretion: a decision made by AISnapEdit based on reasonable judgment, which shall be final.
- Business day: a U.S. federal business day (Monday through Friday, excluding U.S. federal public holidays), calculated in the U.S. Pacific Time Zone (PT) where our operating headquarters is located.
- Final output file: an image, video, audio, text, or similar piece of content successfully generated by the user through AI and downloaded, copied, shared, or exported at least once.
- Usage: any successful API call, credit consumption, or content generation activity, regardless of whether the user retained the generated output.
- Credits: virtual consumer products issued by AISnapEdit to users; Credits do not constitute a prepayment, deposit, stored value, or any similar financial instrument.
- Service outage: a continuous period of Service unavailability exceeding 24 hours due to technical issues on our end.
- Chargeback: a payment dispute initiated by the user directly with the card issuer.
- Blocklist: a risk-control dataset of identifiers associated with violations, including hashed emails, payment card fingerprints, IP addresses, and device fingerprints.
Privacy-specific definitions:
- Personal Data: information relating to an identified or identifiable natural person, as defined in GDPR Art. 4(1).
- Personal Information: information that identifies, relates to, or could reasonably be linked with a particular California resident, as defined in CCPA / CPRA §1798.140(v).
- Sensitive Personal Information: the nine categories of sensitive information defined in CPRA §1798.140(ae).
- Processing: any operation performed on personal data, whether or not by automated means, as defined in GDPR Art. 4(2).
- Controller: the entity that determines the purposes and means of processing, as defined in GDPR Art. 4(7).
- Processor: the entity that processes personal data on behalf of the Controller, as defined in GDPR Art. 4(8).
- Sub-Processor: a party engaged by the Processor to carry out downstream processing on its behalf.
- SCCs: the 2021 modular Standard Contractual Clauses adopted by the European Commission.
- DPF: the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795).
- GPC: Global Privacy Control, an opt-out preference signal transmitted by a browser or extension to websites.
- DPIA: Data Protection Impact Assessment (GDPR Art. 35).
- ROPA: Record of Processing Activities (GDPR Art. 30).
- TIA: Transfer Impact Assessment (required following the Schrems II judgment).
- LIA: Legitimate Interest Assessment (GDPR Art. 6(1)(f)).
- ADMT: Automated Decision-Making Technology (CCPA 2026 regulations).
2. Data Controller Information
2.1 Data Controller
Applicable to the European Economic Area (EEA), the United Kingdom, Switzerland, and other jurisdictions that require the controller to be identified:
AISnapEdit
- Website: https://aisnapedit.com
- Privacy email: [email protected]
- General inquiries: [email protected]
- Operating headquarters jurisdiction: California, United States (operating on U.S. Pacific Time, PT)
AISnapEdit acts as the "Controller" within the meaning of the GDPR for the processing activities described in this Policy. We receive user notices and data subject rights requests solely via the email addresses above; full legal entity registration details will be published with the formal effective version of this Policy.
2.2 Privacy Contact
We do not meet the threshold under GDPR Art. 37 requiring the mandatory appointment of a Data Protection Officer (DPO) (we do not carry out large-scale processing of special categories of data, nor do we conduct large-scale systematic monitoring). We have nevertheless designated a dedicated Privacy Contact, led by our Legal Lead, who is responsible for:
- Responding to data subject rights requests
- Coordinating the handling of, and notification about, data breach incidents
- Cooperating with regulatory investigations and inquiries
- Liaising with our EU / UK representatives
Contact: [email protected]
2.3 EU Representative (GDPR Art. 27)
Pursuant to GDPR Art. 27, AISnapEdit has designated the following third-party professional services firm as our EU Representative within the European Union:
- Entity name: Instant EU GDPR Representative Limited
- Registered address: Office 2, 12a Lower Main Street, Lucan, Dublin, Ireland
- Contact: via [email protected] (we will forward requests to our EU Representative upon receipt)
Data subjects in the European Union may exercise their rights through the channel above; supervisory authorities may also contact the EU Representative or AISnapEdit through the same contact details.
2.4 UK Representative (UK GDPR Art. 27)
Pursuant to UK GDPR Art. 27, AISnapEdit has designated the same entity as both EU Representative and UK Representative:
- Entity name: Instant EU GDPR Representative Limited
- Registered address: Office 2, 12a Lower Main Street, Lucan, Dublin, Ireland
- Contact: via [email protected] (we will forward requests to our UK Representative upon receipt)
3. Information We Collect
This section discloses, by source and category, all data we collect. For each category, further detail is provided in §4 (Legal Basis), §5 (Purposes), §7 (Recipients), and §9 (Retention Periods).
3.1 Information You Provide Directly
| Data Category | Specific Fields | Collection Trigger |
|---|---|---|
| Account Credentials | Email address, username, password hash (encrypted at rest), OAuth authorization credentials | Registration, login |
| Profile Information | Avatar, display name, preferences, language, theme | Registration and profile updates |
| Payment-Related Information | Billing name, billing address, payment card BIN and last four digits, payment card fingerprint (returned by Stripe, cannot be reverse-engineered into a full card number), transaction ID, subscription status | Payment and subscription management |
| Communications | Email correspondence, support tickets, feedback submissions, customer service conversations (if such features are enabled) | When you initiate communication with us |
| User Content (AI Input) | Prompt text, uploaded images, videos, audio, or other media files | When you submit a generation request |
| AI Generated Output | Images, videos, audio, music, and other final output files produced by AI models based on your input | On task completion |
3.2 Information We Collect Automatically
| Data Category | Specific Fields | Collection Trigger |
|---|---|---|
| Device Information | Operating system, browser type and version, device type, screen resolution, time zone, language preference | When you access the Service |
| Usage Data | Pages visited, features used, click behavior, session duration, timestamps, AI model selections | Throughout each session |
| Log Data | IP addresses (registration IP and subsequent session IPs), access timestamps, referrer, error logs, API request paths and status codes | Throughout Service operation |
| Cookies and Similar Technologies | Session cookies, preference cookies, analytics cookies, marketing cookies (see §10) | When you access the Service |
3.3 Information From Third Parties
| Data Source | Shared Fields | Purpose |
|---|---|---|
| OAuth Provider (Google) | Name, email, avatar, and OAuth unique identifier as authorized by you | Social sign-in |
| Payment Processor (Stripe) | Transaction status, payment success/failure callbacks, payment card fingerprint, Radar risk scores and labels | Payment verification, fraud prevention |
| Analytics Providers | Aggregate traffic statistics, session replay data | Service improvement |
3.4 Anti-Fraud and Account-Security Data [New Disclosure]
To prevent payment fraud, multi-account abuse, and refund abuse, and to protect the interests of compliant users and business continuity, we collect, process, and retain the following risk-control data:
| Data Category | Specific Content | Current Status |
|---|---|---|
| Registration and Access IPs | IP addresses at registration and in subsequent sessions | Currently in use |
| IP Blocklist Identifiers | IP markers added to the blocklist following enforcement actions | Currently in use |
| Basic device fingerprint signals | Browser type and version, operating system, device type, UA combination, screen resolution, time zone | Currently in use (supporting multi-dimensional identity verification under Terms of Service §3.2.2 and fraud prevention under Refund Policy §4) |
| High-entropy device fingerprint hash (planned extension) | Identifiers derived from Canvas, WebGL, font, and related feature combinations, processed through an irreversible SHA-256 hash | Planned extension — before actual deployment, we will update this Policy's disclosure scope and retention table accordingly |
| Payment card fingerprint | The pm_* or card_fingerprint returned by Stripe; cannot be reverse-engineered into a full card number | Currently in use |
| Stripe Radar risk scores | Fraud scores and labels returned by Stripe Radar at the authorization stage | Currently in use |
| Behavioral patterns | Payment failure counts and time intervals, frequency of payment method switching within short windows, refund request history, chargeback history | Currently in use |
| Multi-account association signals | Email-hash similarity, shared payment methods, shared-IP account clustering indicators | Currently in use |
| Blocklist identifiers | The set of hashed emails, payment card fingerprints, IP addresses, and device fingerprint hashes associated with permanently suspended accounts | Currently in use |
The data described above corresponds directly to the anti-fraud rules disclosed in Refund Policy §4. For device-fingerprinting techniques that are planned but not yet deployed, we commit to updating the disclosure scope in this Policy and adjusting the retention table accordingly before any actual deployment.
Legal basis: GDPR Art. 6(1)(f) legitimate interest — preventing fraud, protecting the interests of compliant users, and maintaining business continuity. We have completed and filed a Legitimate Interest Assessment (LIA) for this processing activity, and you may request a summary of the balancing test by emailing [email protected].
3.5 Inferences and Derived Data [CCPA / CPRA Required Disclosure]
From the source data described in §3.1–§3.4, we generate certain inferences or derived data:
- Usage preference inferences: based on your model-selection frequency and generation content category tendencies, we infer your feature-module preferences to improve user experience;
- Aggregate risk scores: the anti-fraud system's overall risk-level assessment for your account;
- Subscription and credit usage profiles: state calculations required to support features such as subscription renewal reminders and credit balance alerts.
We expressly do not infer the following categories:
- Racial or ethnic origin
- Political opinions, religious, or philosophical beliefs
- Trade union membership
- Health condition or medical data
- Sexual orientation or sex life
- Genetic data or biometric identification templates
4. Legal Basis for Processing
In accordance with GDPR Art. 6, Art. 9, and equivalent provisions in other jurisdictions, the legal basis for each data category and processing purpose is as follows.
4.1 Legal Basis Matrix
| Data Category | Processing Purpose | Legal Basis |
|---|---|---|
| Account credentials, profile information | Account creation, authentication, service personalization | Contract performance (Art. 6(1)(b)) |
| User content (prompts, uploaded media) | AI generation service delivery, final output file presentation | Contract performance (Art. 6(1)(b)) |
| Payment information | Payment processing, subscription management, tax and financial records | Contract performance (Art. 6(1)(b)) + legal obligation (Art. 6(1)(c), tax compliance) |
| Usage data, log data | Service optimization, troubleshooting, security monitoring | Legitimate interest (Art. 6(1)(f); LIA on file) |
| Cookies for analytics and marketing | Performance analytics, behavior insights, marketing outreach | Consent (Art. 6(1)(a)) |
| Anti-fraud data (§3.4) | Preventing payment fraud, multi-account abuse, refund abuse | Legitimate interest (Art. 6(1)(f)) |
| Blocklist data | Preventing banned users from re-registering to circumvent enforcement | Legitimate interest (Art. 6(1)(f)) + legal claims defense exception (Art. 17(3)(e)) |
| Marketing email subscriptions | Direct marketing communications | Consent (Art. 6(1)(a), revocable at any time) |
| Tax and transaction records | Compliance with statutory retention obligations (see §9) | Legal obligation (Art. 6(1)(c)) |
| Legal compliance and law enforcement response | Responding to subpoenas, supporting investigations, complying with court orders | Legal obligation (Art. 6(1)(c)) |
| Logs related to AI-generated content | Abuse detection, content moderation, debugging | Legitimate interest (Art. 6(1)(f)) |
4.2 Statement on Special Categories of Data (GDPR Art. 9)
We do not actively collect the following special categories of data:
- Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
- Biometric data (biometric templates used to uniquely identify a natural person)
- Genetic data
- Health-related data
- Data concerning sex life or sexual orientation
For faces that may appear in images uploaded to the Service, we do not perform facial recognition, identity matching, or biometric template extraction, and we do not build any biometric database. For a statement on the product's boundaries around deepfakes, face-swapping, real-person voice cloning, and related sensitive capabilities, see §6.5.
4.3 Right to Withdraw Consent
For any processing activity whose legal basis is your consent (such as marketing emails and certain optional cookies), you may withdraw your consent at any time; withdrawal does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. For how to withdraw, see §10 (Cookie preference management) and §11 (Exercising rights).
5. How We Use Your Information
This section corresponds to the "Processing Purpose" column in the §4 legal basis matrix, providing additional detail.
5.1 Account and Service Delivery
- Create and manage your account and authenticate your identity
- Provide you with AI generation services (see §6)
- Present final output files and support downloading, sharing, and exporting
- Manage credit balances, subscription status, and history
- Send transactional notifications related to your account (order confirmations, subscription renewal reminders, password resets)
5.2 Payments and Fraud Prevention
- Process payments, subscription renewals, and refunds
- Enforce the anti-fraud rules described in Refund Policy §4
- Run automated risk-control assessments (see §14.2)
- Maintain blocklists to prevent suspended users from circumventing our enforcement and re-registering
5.3 Service Improvement and Analytics
- Analyze usage behavior to improve features and the user experience
- Troubleshoot errors from logs
- Conduct A/B testing and usability research (using anonymized or pseudonymized data)
- Aggregate statistics on overall Service performance
5.4 Compliance and Security
- Comply with applicable laws, regulations, and government orders
- Respond to lawful law-enforcement requests, subpoenas, and court orders
- Protect the rights, property, and safety of AISnapEdit and other users
- Prevent fraud, abuse, and other unlawful conduct
5.5 Communications and Marketing
- Send transactional emails related to your account and Service updates (on the basis of contract performance)
- Send marketing emails (on the basis of your explicit consent; revocable at any time via the "unsubscribe" link at the bottom of the email or by contacting [email protected])
- Use in-product notifications to inform you of material policy changes or security incidents
6. AI Generation and Your Data
6.1 AI Service Architecture
AISnapEdit acts as the Data Controller for the AI generation service; when you trigger an AI generation task, we send your prompt and uploaded media files to downstream AI model providers (acting as Processors) for inference, and, once processing is complete, the generated output is returned and stored in our storage systems.
We do not train our own AI models, nor do we operate any server-side model fine-tuning pipelines. The specific model used is determined by the model you actively select in the user interface.
6.2 Data Sharing With AI Model Providers
To provide a diverse range of generation capabilities (images, videos, audio, music, etc.), we route your input data to the following categories of AI model providers based on the model you select:
| Provider Category | Generation Capability | Shared Data | Primary Receiving Regions |
|---|---|---|---|
| AI image generation providers | Text-to-image, image-to-image, image editing | Prompts, uploaded media | United States, EU, Singapore, Hong Kong |
| AI video generation providers | Text-to-video, image-to-video, video editing | Prompts, uploaded media, video references | United States, EU, Singapore, Hong Kong |
| AI audio generation providers | Speech synthesis, audio processing | Prompts, uploaded audio | United States, EU, Singapore, Hong Kong |
| AI music generation providers | Text-to-music, music editing | Prompts, style parameters | United States, EU |
The AI model providers we currently use include (disclosed by functional category rather than by vendor, to accommodate the rapid pace of change in the AI ecosystem): Google (Gemini family), Replicate, Kie, Fal, Tuzi, and other AI content generation services. A complete, continuously updated list of model providers is available in the model selection page of the Service; we plan to launch a dedicated disclosure page at /legal/ai-providers in the future, and will publish the same information there when that page goes live.
Please note: The Service does not currently provide an AI chat feature; the related entry points and chat-routing services such as OpenRouter have been removed from the product, and conversational messages are no longer collected or shared.
Each AI model provider independently processes your data in accordance with its own privacy policy. We impose contractual constraints on such processing through Data Processing Agreements (DPAs) signed with each provider, and we use commercially reasonable efforts to route downstream only the data strictly necessary to provide the generation service.
6.3 Training Data Policy
AISnapEdit does not use your prompts or generated output to train our own AI models (we do not train our own models).
With respect to downstream AI model providers:
- Default policy (opt-out mechanism): If you do not actively adjust your settings, your inputs may be used by downstream AI providers for model quality improvement (in accordance with each provider's standard contractual terms). You may opt out at any time in your account settings ("Do not use for model improvement" toggle); after opting out, we will attach the corresponding "do not train" flag when transmitting requests downstream.
- Data categories prohibited from training: Regardless of whether you have enabled the opt-out, content involving payment information, account credentials, or anti-fraud risk-control data is prohibited from being transmitted to any downstream model for training or improvement purposes.
EU DSM Directive Art. 4 (TDM Opt-Out):
Under Art. 4 of the EU Digital Single Market Copyright Directive, you have the right to reserve your work from text and data mining. For the Service:
- We have deployed robots.txt and ai.txt files at the root of our website declaring a TDM opt-out preference that applies to all third-party crawlers and AI training systems.
- For content you have made publicly available on our Gallery / showcase pages, you may submit a written request to [email protected] asking us to apply additional opt-out markers to specific content.
6.4 AI Processing Data Retention
| Data Category | Retention Period |
|---|---|
| Uploaded input media | Not stored long-term after real-time transmission to downstream AI providers (unless you actively save it to your account); temporary processing copies are purged within 7 days |
| Generated output files | Stored until you actively delete them or close your account |
| Processing logs (request paths, status codes, model selection, error messages) | 90 days |
| Abuse-detection samples | If a violation flag is triggered, retained for an additional 2 years following case closure |
6.5 Boundaries on Biometrics, Faces, and Deepfakes
- We do not perform facial recognition, identity matching, age estimation, emotion recognition, or any biometric template extraction;
- Images uploaded by users that contain human faces are transmitted solely as pixel data to downstream AI providers for generation processing and are not used to build any identification database after processing;
- The product does not support face-swapping of real persons, voice cloning of real persons, deepfake generation targeting real natural persons, or similar capabilities with the potential to cause serious deception or reputational harm to others;
- If future Service iterations introduce features involving biometric identification, we will obtain your separate, explicit consent (GDPR Art. 9(2)(a), BIPA §15(b), CPRA §1798.121), and will prominently disclose to you the specific processing scope and opt-out mechanism before such features are enabled.
7. How We Disclose Your Information
Except in the situations expressly set out below, we do not disclose your personal information externally.
7.1 Service Providers (Sub-Processor List)
To provide, maintain, and improve the Service, we engage the following vetted service providers to process relevant data. All providers are bound by a written Data Processing Agreement (DPA), and the processing scope is limited to what is necessary to provide the corresponding service.
| Category | Service | Provider in Use | Scope of Shared Data |
|---|---|---|---|
| Payment processing | Subscription billing, one-time payments, invoices, refunds | Stripe (Stripe Payments Europe Ltd. / Stripe, Inc.) | Billing information, payment amount, card fingerprint, transaction status |
| Payment fraud prevention (Stripe sub-processor) | Authorization-stage fraud risk scoring and blocking | Stripe Radar (as a sub-processor of Stripe, automatically enabled) | IP, device fingerprint signals, card fingerprint, transaction history, email domain |
| AI model inference | Image / video / audio / music generation | AI model providers as disclosed by category (see §6.2) | Prompts, uploaded media |
| Storage and content delivery | User-uploaded files, generated output files, CDN caching | Amazon Web Services (AWS S3), Cloudflare R2 | Uploaded files, generated outputs, access requests |
| Web analytics | Page-view statistics, usage behavior insights | Google Analytics 4 | Page paths, events, device IDs (pseudonymized), IPs (partially pseudonymized) |
| Session experience analytics | Session replay, heatmaps, clickstream analysis (sensitive input fields excluded by default) | Microsoft Clarity | Mouse trajectories, click events, page interactions; sensitive input fields (passwords, payment cards, etc.) excluded via masking |
| Transactional email delivery | Registration verification, order confirmations, notifications | Resend | Recipient email address, email body |
| Infrastructure (CDN / edge / caching) | DDoS protection, acceleration, edge routing | Cloudflare | All traffic metadata, IP |
| Authentication and OAuth | Social sign-in | Google OAuth | Basic profile information within the scope you authorize |
| Customer service (if enabled) | Live chat, support tickets | Specific provider will be disclosed when enabled | Conversation content, email address |
Important notes:
- This table discloses only the service providers currently in active use. Our codebase may retain other integration options (such as alternative payment providers or alternative support tools), but those integrations constitute an actual data disclosure only if enabled in production.
- We will update changes to sub-processors through revisions to this Policy; we plan to launch a dedicated disclosure page at /legal/sub-processors in the future, and will publish the same information there when that page goes live.
7.2 Legal Compliance and Law Enforcement Requests
We may disclose your information, in compliance with legal requirements and to a reasonable extent, in the following circumstances:
- Complying with applicable laws, regulations, court orders, or lawful subpoenas from law-enforcement agencies
- Cooperating with ongoing investigations or judicial proceedings
- Protecting the rights, property, and safety of AISnapEdit, our users, or the public
- Investigating, preventing, or responding to potential illegal conduct or violations of our Terms of Service
7.3 Business Transfers
In the context of a merger, acquisition, reorganization, asset sale, or similar corporate transaction, your information may be transferred as part of the transferred assets to the new entity. We will notify you by reasonable means before such a transfer and will ensure that the receiving entity continues to process your information under standards no less protective than this Policy.
7.4 Disclosures Based on Your Consent
With your explicit authorization, we may disclose your information to third parties for purposes not covered by this Policy. Such authorization can be withdrawn at any time.
7.5 Cross-Context Behavioral Advertising and "Sharing" Disclosure [CPRA-Specific]
Under the CPRA's extended definition of "sharing," certain third-party cookies (particularly those used for analytics and advertising) may constitute "cross-context behavioral advertising sharing" even if they do not amount to a traditional "sale."
- We do not sell your personal information for monetary consideration;
- However, on pages where Google Analytics and Microsoft Clarity are enabled, the associated data transmissions may constitute "sharing" under the CPRA;
- California residents and other users exercising similar rights can opt out by:
  - Clicking the "Do Not Sell or Share My Personal Information" link in the website footer;
  - Enabling the Global Privacy Control (GPC) signal through your browser or extension — we automatically recognize and treat it as an opt-out instruction;
  - Sending an email to [email protected].
7.6 Third-Party Links
The Service may contain links to third-party websites, plugins, or applications. We do not control those third parties and are not responsible for their privacy practices. We recommend reading their privacy policies before clicking external links.
8. International Data Transfers
Due to the multi-region architecture of the Service, your personal data may be transferred to, and processed in, countries other than your country of residence.
8.1 Transfer Mechanisms
For transfers from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on one of the following mechanisms depending on the receiving party:
- EU-US Data Privacy Framework (EU-US DPF): where the recipient has self-certified under the DPF (Commission Implementing Decision (EU) 2023/1795), we rely on the DPF as the adequacy safeguard — for example, Stripe, Google, Cloudflare, AWS, Microsoft, and Resend have all joined the DPF;
- UK Extension to the DPF: for transfers from the UK to the U.S.;
- Swiss-US DPF: for transfers from Switzerland to the U.S.;
- EU Standard Contractual Clauses (SCCs) (2021 modular version): for recipients that have not joined the DPF;
- UK International Data Transfer Agreement (IDTA) or UK SCC Addendum: for transfers involving the UK;
- Adequacy decisions: where the transfer is to a country the European Commission has determined provides an adequate level of protection (e.g., Japan, South Korea, and the Canadian commercial sector).
8.2 Primary Data-Receiving Regions
Based on the service providers listed in §7 of this Policy, your data may be transferred to:
- United States: Stripe, Google, AWS, Cloudflare, Resend, Microsoft Clarity, and others
- European Union: Stripe Europe, some AWS / Cloudflare nodes
- Singapore, Hong Kong: certain AI model provider inference nodes
- United Kingdom: certain Cloudflare edge nodes
8.3 Your Rights in Relation to Transfers
You have the right to:
- Learn to which countries your data is transferred
- Request the safeguard documentation applied to specific transfers (such as the non-commercially-sensitive portions of a copy of the SCCs)
- Object to specific transfers
8.4 Transfer Impact Assessment (TIA)
Following the Court of Justice of the European Union's Schrems II judgment (Case C-311/18), we have carried out or are carrying out a Transfer Impact Assessment (TIA) for each non-DPF U.S. recipient and for other higher-risk transfer destinations, assessing whether the legal environment and safeguards in the recipient country are sufficient to protect data subjects' fundamental rights. You may request a TIA summary by emailing [email protected].
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods are as follows:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data (basic profile) | Duration of the account + 30 days after termination | Contract performance (Art. 6(1)(b)) |
| Transaction records (invoices, payment proofs) | U.S.: 7 years / EU: 10 years / UK: 6 years (whichever period is longer under the law applicable to you) | Tax and financial legal obligations (Art. 6(1)(c)) |
| Usage analytics (aggregate level) | 26 months | Legitimate interest (Art. 6(1)(f)) |
| Support communications (tickets, customer service conversations) | 3 years after the matter is resolved | Legitimate interest (Art. 6(1)(f)) |
| AI processing logs | 90 days | Troubleshooting (Art. 6(1)(f)) |
| Temporary copies of uploaded input media | Purged within 7 days | Contract performance (Art. 6(1)(b)) |
| Generated content | Until you actively delete it or terminate your account | Contract performance (Art. 6(1)(b)) |
| Marketing subscriptions | Until you withdraw your consent | Consent (Art. 6(1)(a)) |
| Anti-fraud data (Stripe Radar scores, behavioral patterns, risk scores) | 5 years | Legitimate interest (Art. 6(1)(f)) |
| Payment card fingerprint hash | 7 years (aligned with transaction records) | Art. 6(1)(c) + Art. 6(1)(f) |
| Blocklist identifiers (email hash, card fingerprint, IP, device fingerprint) | Indefinite | Legal claims defense exception (Art. 17(3)(e)) + legitimate interest (Art. 6(1)(f)) |
| DPIA and compliance documentation | Retained in accordance with statutory and industry recommendations | Legal obligation (Art. 6(1)(c)) |
Note on indefinite blocklist retention: Under GDPR Art. 17(3)(e), the right to erasure does not apply where processing is necessary for "the establishment, exercise or defense of legal claims." Anti-fraud blocklist data is necessary to: (a) defend against dispute claims subsequently brought by banned users under other identities; (b) prevent banned users from circumventing Terms of Service restrictions and causing new losses; and (c) support industry-wide recognition of known fraud patterns. We therefore do not set a fixed deletion period, but we review the necessity of the blocklist annually.
At the end of the retention period, data is either securely deleted or irreversibly anonymized.
10. Cookies and Tracking Technologies
10.1 Types of Cookies We Use
| Cookie Type | Purpose | Enabled by Default | Legal Basis |
|---|---|---|---|
| Strictly necessary cookies | Login session, CSRF protection, basic security | Yes (no consent required; necessary to provide the Service) | Legitimate interest (Art. 6(1)(f)) |
| Preference cookies | Language, theme, display settings | Yes | Legitimate interest (Art. 6(1)(f)) |
| Analytics cookies | Google Analytics, Clarity usage statistics and session replay | Requires your consent | Consent (Art. 6(1)(a)) |
| Marketing cookies | Campaign attribution (if enabled) | Requires your consent | Consent (Art. 6(1)(a)) |
10.2 Third-Party Cookies and Opt-Outs
| Provider | Purpose | Opt-Out Method |
|---|---|---|
| Google Analytics | Website analytics | Google Analytics Opt-Out or this site's Cookie preference settings |
| Microsoft Clarity | Session replay, heatmaps | Microsoft Privacy or this site's Cookie preference settings |
10.3 Managing Cookies
You can manage cookies in the following ways:
- Browser settings (block or clear cookies)
- The Service's cookie consent banner (gradual rollout planned): users in the EEA, UK, and Switzerland see opt-in by default on first visit; users in the U.S. see opt-out by default with automatic GPC recognition
- The opt-out links for the individual providers above
Note: Disabling strictly necessary cookies may prevent login or render core functionality unavailable.
10.4 Do Not Track (DNT) Signals
Because DNT signals lack a consistent industry-wide implementation standard, we do not respond to DNT signals sent by browsers, but we do respond to the more recent GPC signal (see §10.5).
10.5 Global Privacy Control (GPC) [New — Required by CPRA]
In accordance with the CPRA and equivalent laws in Colorado, Connecticut, and similar states, we automatically detect and honor the Global Privacy Control (GPC) signal. When we detect a GPC signal from your browser or extension, we treat it as a valid instruction under the CCPA / CPRA to "opt out of the sale or sharing of personal information" and adjust the loading of, and data sharing through, analytics and advertising cookies accordingly.
11. Your Privacy Rights
11.1 Rights Under the GDPR (EEA, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
| Right | Description |
|---|---|
| Right of access (Art. 15) | Request a copy of your personal data and information about how it is processed |
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Right to erasure (Art. 17) | Request deletion of your personal data where statutory grounds apply (the "right to be forgotten") |
| Right to restriction of processing (Art. 18) | Request restriction of specific processing activities |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format or request its transfer to another controller |
| Right to object (Art. 21) | Object to processing based on legitimate interest (including anti-fraud processing, though we may rely on the exception in Art. 21(1)) |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent at any time for consent-based processing |
| Right not to be subject to automated decision-making (Art. 22) | See §14 |
Exceptions to the right to erasure: Under GDPR Art. 17(3), a deletion request may be denied in the following circumstances:
- Retention is required by law (such as transaction data within statutory tax-record retention periods)
- Retention is necessary for the establishment, exercise, or defense of legal claims (this applies to anti-fraud blocklist data)
- Retention is necessary for reasons of public interest or scientific research
Response timeline: We will respond within 30 days of receiving the request; where requests are complex or numerous, the period may be extended by 60 days, in which case you will be informed within the first 30 days.
11.2 Rights Under the CCPA / CPRA (California Residents)
If you are a California resident, you have the following rights:
| Right | Description |
|---|---|
| Right to know (§§1798.100 / 110 / 115) | Request disclosure of the categories and specific pieces of personal information we collect, use, and share |
| Right to delete (§1798.105) | Request deletion of your personal information (subject to statutory exceptions) |
| Right to correct (§1798.106) | Request correction of inaccurate personal information |
| Right to opt out of sale (§1798.120) | Opt out of the sale of personal information (we do not sell) |
| Right to opt out of sharing (§1798.120) | Opt out of "sharing" relating to cross-context behavioral advertising |
| Right to limit the use of sensitive personal information (§1798.121) | Limit the use of sensitive personal information |
| Right to non-discrimination (§1798.125) | Exercising your rights will not affect Service quality or pricing |
Categories of Sensitive Personal Information we collect (CPRA §1798.140(ae)):
- Account login credentials (email + password / OAuth token)
- Precise geolocation (only when you grant browser location permission)
- Sensitive content you may choose to include in your uploads (at your own discretion)
We do not use the above Sensitive Personal Information for the purpose of inferring sensitive characteristics; we use it only for business purposes permitted by the CPRA (authentication, fraud prevention, and contract performance). You do not need to exercise the "right to limit use" separately to obtain this default safeguard.
Response timeline: 45 days; may be extended by an additional 45 days for complex requests.
Authorized agents: You may designate an authorized agent to submit requests on your behalf, subject to reasonable identity verification.
California Shine the Light Act (§1798.83): See §17.
11.3 Rights Under Other U.S. State Laws
| Law | Applicable State | Principal Rights |
|---|---|---|
| VCDPA | Virginia | Access, delete, correct, portability, opt out of sale + targeted advertising |
| CPA | Colorado | Same as above + Universal Opt-Out Mechanism response (we honor it through GPC) |
| CTDPA | Connecticut | Same as above |
| UCPA | Utah | Access, delete, portability (relatively narrower rights) |
| TDPSA | Texas | Access, delete, correct, portability, opt out of sale + targeted advertising + profiling |
| Nevada SB220 | Nevada | Opt-out-of-sale request mechanism (see §18) |
Appeals: If your rights request is denied, you may appeal within 45 days, and the appeal will be reviewed by a designated individual.
11.4 Washington My Health My Data Act (MHMDA)
The Service does not process "Consumer Health Data" as defined by the MHMDA and does not perform any health-related inferences, diagnostics, or ancillary medical services. If, in the course of using the Service, you voluntarily upload health-related personal content, we will not use or disclose that content for commercial purposes, nor will we sell it to data brokers or similar third parties.
11.5 How to Exercise Your Rights
- By email: Send an email to [email protected] with the subject line "Privacy Rights Request - [Right Type]";
- Website form: Submit a structured request at /privacy/rights-request (being rolled out progressively);
- Identity verification: To prevent fraudulent requests, we may require you to verify your identity via your registered email, linked payment method, or similar means, used solely for identity verification;
- Response timelines: Within the timelines required by the law of your jurisdiction (GDPR: 30 days + 60-day extension; CCPA / CPRA: 45 days + 45-day extension);
- Denials and appeals: If we deny your request, we will explain the reasons in writing; you may appeal to [email protected], with appeals reviewed by a human and answered within 5 business days.
11.6 Complaints to Regulatory Authorities
If you believe our processing violates applicable law, you have the right to lodge a complaint with a regulatory authority:
- EEA residents: The data protection authority in your Member State; a full list is available on the EDPB website
- UK residents: Information Commissioner's Office (ICO), https://ico.org.uk
- Swiss residents: Federal Data Protection and Information Commissioner (FDPIC)
- U.S. residents: Federal Trade Commission (FTC) at https://ftc.gov or the office of your state Attorney General
12. Data Security
We implement technical and organizational measures commensurate with the risk of our processing activities to protect your personal data against unauthorized access, disclosure, alteration, or destruction.
12.1 Technical Measures
- Encryption in transit: TLS 1.3 site-wide encryption;
- Encryption at rest: AES-256 encryption for databases and object storage;
- Access control: Role-Based Access Control (RBAC), the principle of least privilege, and mandatory multi-factor authentication (MFA) for critical administrative operations;
- Session security: Better-Auth-based session management with short-lived access tokens and refresh mechanisms;
- Monitoring and alerting: 24/7 monitoring of anomalous traffic and access patterns;
- Regular audits: Periodic internal and external security audits and vulnerability scans.
12.2 Organizational Measures
- Data minimization: We collect and retain only the data necessary to achieve our processing purposes;
- Employee training: All employees receive regular privacy-compliance and security training;
- Vendor assessment: All processors and sub-processors undergo due diligence and sign standardized DPAs;
- Incident response: Written incident-response processes and documented drill records;
- Data lifecycle management: Clear mechanisms for data classification, retention, and deletion.
12.3 Data Breach Notification
Upon confirming a breach incident that may affect your personal data:
- Notification to regulatory authorities: We will notify the relevant data protection authority within 72 hours of first awareness (GDPR Art. 33);
- Notification to data subjects: If the breach is likely to result in high risk to your rights and freedoms, we will notify you no later than 72 hours after confirming the scope of impact (GDPR Art. 34). The notice will include: the nature of the incident, the approximate categories of data affected, likely consequences, the measures we have taken and suggest you take, and the Privacy Contact;
- U.S. state law requirements: We will comply with state-specific timelines (such as the 30–45-day timelines under California §1798.82 and the New York SHIELD Act).
13. Children's Privacy
The Service is intended for users 18 years of age and older.
- Unified age threshold: Consistent with the Terms of Service, we set a minimum age of 18 for all users worldwide; this threshold is higher than the statutory floor under COPPA (13 in the United States), GDPR Art. 8 (16 by default in the EU), and UK GDPR (13);
- No knowing collection: We do not knowingly collect personal information from minors under 18;
- Age verification: Age is declared at registration via a confirmation checkbox; we will further strengthen age verification in combination with registration-region prompts over time;
- Parental / guardian channel: If a parent or guardian discovers that a minor has submitted personal information to us without consent, they may request deletion via [email protected]; we will process the request promptly after verification.
14. Automated Decision-Making and Profiling
14.1 AI Content Generation
Our AI content generation is based entirely on your explicit input (the model you select and the prompts and media you submit). Such processing:
- Does not, in nature, constitute a decision "based solely on automated processing which produces legal effects concerning you or similarly significantly affects you" within the meaning of GDPR Art. 22(1);
- Relies on the legal basis of contract performance (Art. 6(1)(b)) + contractual necessity (Art. 22(2)(a));
- Can be discontinued at any time: you may stop using the generation features whenever you wish.
14.2 Anti-Fraud Automated Decisions [Key Disclosure — GDPR Art. 22 Compliance]
We expressly inform you: to prevent payment fraud and account abuse, we operate an automated risk-control system (including Stripe Radar and our internal rule engine) which, in certain circumstances, may automatically:
- Deny a refund request;
- Suspend or permanently terminate an account;
- Immediately void Credits in the account;
- Add the associated email hash, payment card fingerprint, IP address, and device fingerprint to our blocklist.
The decisions above constitute automated decisions under GDPR Art. 22 that may produce legal effects or similarly significantly affect you.
Decision logic (high-level disclosure):
To avoid exposing sensitive details of our anti-fraud strategy — which would enable malicious circumvention — we disclose only the categories and general dimensions of the decision logic:
- Payment risk dimensions: Multiple payment failures, frequent switching of payment methods within a short window, Stripe Radar fraud score exceeding internal thresholds;
- Account association dimensions: Multi-dimensional matching signals across email hash, payment card fingerprint, device fingerprint, and IP;
- Refund anomaly dimensions: Refund request submitted within a very short time (hours) after purchase, multiple refunds within 6 months, prior chargeback records;
- Account behavior dimensions: Use of bots / crawlers / automated scripts to access the Service, selling or sharing accounts and credits, creating multiple accounts to circumvent this Policy.
Your rights under GDPR Art. 22(3):
- Right to human intervention: You may request human review of an automated decision;
- Right to express a point of view: You may provide supporting materials (usage records, payment receipts, correspondence, reasonable explanations of your location, etc.) to contest the system's determination;
- Right to appeal: In accordance with the procedure set out in Refund Policy §10, you may file an appeal within 14 days of receiving a decision by emailing [email protected]; appeals will be reviewed by a human and answered within 5 business days;
- Right to an explanation: You have the right to obtain a general explanation of the decision logic (i.e., the content set out in this section); for reasons of anti-fraud effectiveness, we do not disclose specific thresholds, weights, or rule parameters;
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority (see §11.6).
Legal basis: GDPR Art. 22(2)(a) contractual necessity (performing the anti-fraud obligations set out in the Terms of Service and the Refund Policy) + Art. 6(1)(f) legitimate interest (preventing fraud, protecting compliant users). We have completed the corresponding Legitimate Interest Assessment (LIA) and Data Protection Impact Assessment (DPIA) for this processing (see §15).
14.3 Profiling for Service Improvement
Inferences drawn from usage data about your feature preferences (see §3.5) do not affect your account status and are used only for product improvement and personalized recommendations; you can disable personalized recommendations in your account settings.
15. Data Protection Impact Assessment (DPIA)
In accordance with GDPR Art. 35, we have conducted or are conducting Data Protection Impact Assessments for processing activities that may pose a high risk to the rights and freedoms of data subjects:
- Anti-Fraud Automated Decision DPIA: completed (covering the data categories described in §3.4 and the decision-making flow described in §14.2);
- AI-Generated Abuse Detection DPIA: in progress;
- Planned Device Fingerprinting DPIA: will be completed before deployment.
The DPIAs above identify appropriate risk-mitigation measures (data minimization, irreversible hashing, limited retention periods, human-review appeal channels, etc.). You may request a DPIA summary (excluding commercially sensitive and security-sensitive details) by emailing [email protected].
16. EU AI Act Compliance
The transparency-related provisions of the EU Artificial Intelligence Act (EU AI Act, Regulation (EU) 2024/1689) begin to apply in phases from August 2, 2026. With respect to the Service:
16.1 AI System Risk Classification
We are a downstream deployer of AI systems, and the services we offer fall within generative AI, which is generally classified as limited risk under the AI Act. We do not operate:
- Prohibited AI systems under Art. 5 (social scoring, subliminal manipulation, etc.);
- High-risk AI systems listed in Annex III (recruitment screening, credit scoring, law-enforcement decision-making, etc.).
16.2 Training Data Transparency
We do not train our own AI models; the models we use are all operated by downstream AI model providers that have fulfilled the corresponding transparency obligations. Links to each provider's training-data disclosures will be consolidated on the future /legal/ai-providers page; until that page goes live, you may request training-data disclosure information for a specific provider by contacting [email protected].
16.3 AI-Generated Content Marking (Art. 50(2))
For AI-generated synthetic content (images, videos, audio):
- We embed machine-readable markers (such as C2PA Content Credentials) to the extent supported by downstream AI providers;
- Some outputs may also include visible watermarks;
- You may not remove, tamper with, or circumvent these markers (see Terms of Service §5.4).
16.4 AI Interaction Disclosure (Art. 50(1)(a))
When you interact with the Service's AI generation features (including image editing, video generation, etc.), the user interface clearly indicates that you are interacting with an AI system rather than a human.
16.5 Deepfake Disclosure Obligations (Art. 50(4))
Although the product does not support the generation of deepfake content that could be mistaken for real persons, events, or places (see the boundary statement in §6.5), if you use AI-generated content for matters of public interest (news, politics, medical topics, etc.), you must still clearly disclose that the content is AI-generated or AI-assisted when publishing it. The corresponding contractual obligation is set out in Terms of Service §5.4.
17. California Shine the Light Act
Under California Civil Code §1798.83 (the "Shine the Light Act"), California residents may request a list of personal information disclosed to third parties for those third parties' direct marketing purposes. We do not share your personal information with third parties for their direct marketing purposes; related requests and inquiries may be submitted to [email protected].
18. Nevada Privacy Rights
Under Nevada SB220, Nevada residents may opt out of the sale of personal information. We do not sell your personal information for monetary consideration; you may nevertheless submit a confirmatory opt-out request to [email protected], and we will respond within 60 days.
19. Changes to This Policy
19.1 Change Mechanism
We may revise this Policy from time to time. All revisions will be published on this page with updated "Last Updated" and "Effective Date" fields.
19.2 Notice of Material Changes
For revisions that materially affect your rights (such as new processing purposes, changes to international transfer arrangements, or new categories of third-party sub-processors), we will notify you at least 30 days before the revisions take effect, by:
- Sending a notice to your registered email address;
- Publishing a prominent notice in a visible location on the website;
- Providing in-app notification on your next login.
19.3 Historical Versions
All historical versions will be archived and published on the future /privacy-policy/history page; until that page goes live, you may request historical versions by contacting [email protected].
19.4 Continued Use Constitutes Acceptance
Continued use of the Service after a revised Policy takes effect constitutes acceptance of the revised Policy. If you do not agree with the revisions, please discontinue use of the Service and exercise your right to erasure in accordance with §11.
20. Contact Us
20.1 Dedicated Contact Addresses
| Purpose | Email Address |
|---|---|
| Privacy matters, data protection, data subject rights | [email protected] |
| Appeals (including anti-fraud decision appeals and rights-request denial appeals) | [email protected] |
| DMCA notices, abuse reports | [email protected] |
| General inquiries, refund requests | [email protected] |
20.2 Communication Method
AISnapEdit
- Website: https://aisnapedit.com
- Operating headquarters jurisdiction: California, United States (operating on U.S. Pacific Time, PT)
- We accept user notices, rights requests, and service of legal process exclusively by email; please use the dedicated email addresses listed in §20.1.
- Full legal entity registration details will be published with the formal effective version of this Policy.
20.3 EU Representative / UK Representative
Our EU Representative (GDPR Art. 27) and UK Representative (UK GDPR Art. 27) are the same entity:
- Entity name: Instant EU GDPR Representative Limited
- Registered address: Office 2, 12a Lower Main Street, Lucan, Dublin, Ireland
- Contact: via [email protected] (we will forward requests to the EU / UK Representative)
See §2.3 and §2.4 for full details.
20.4 Response Timelines
| Jurisdiction | Response Timeline |
|---|---|
| GDPR (EEA, UK, Switzerland) | 30 days (extendable by 60 days for complex requests) |
| CCPA / CPRA (California) | 45 days (extendable by 45 days for complex requests) |
| Other U.S. state laws | 45 days (60 days in some states) |
| Other jurisdictions | As required by applicable law |
By using AISnapEdit, you acknowledge that you have read, understood, and agree to this Privacy Policy.
© 2026 AISnapEdit. All rights reserved.
Appendix: P0 + P1 Gap Coverage Checklist
| GAP ID | Level | Topic | Coverage Location | Status |
|---|---|---|---|---|
| GAP-002 | P0 | Anti-fraud data not disclosed | §3.4, §9 retention table, §4.1 matrix | Covered |
| GAP-003 | P0 | Art. 22 automated decision contradiction | §14.2 anti-fraud automated decisions | Covered |
| GAP-004 | P0 | Zero disclosure on EU AI Act Art. 50 | §16 EU AI Act compliance | Covered |
| GAP-005 | P0 | Incomplete AI provider disclosure | §6.2 AI model providers (disclosed by category) + §7.1 sub-processor table | Covered |
| GAP-006 | P0 | DPF not disclosed | §8.1 transfer mechanisms (added EU-US DPF + UK Extension + Swiss-US DPF) | Covered |
| GAP-007 | P0 | CCPA Do Not Sell / Share + GPC | §7.5 cross-context behavioral advertising + §10.5 GPC + §11.2 right to opt out of sharing | Covered |
| GAP-009 | P0 | TDM opt-out missing | §6.3 training data policy (TDM opt-out + robots.txt / ai.txt) | Covered |
| GAP-010 | P1 | DPO / EU Rep / UK Rep | §2.2 Privacy Contact + §2.3 EU Rep + §2.4 UK Rep | Covered (placeholder) |
| GAP-011 | P1 | Biometric disclosure | §4.2 Art. 9 statement + §6.5 deepfake boundary statement | Covered |
| GAP-012 | P1 | Coarse legal-basis mapping | §4.1 matrix (11 rows covering all data categories) | Covered |
| GAP-013 | P1 | Age threshold 18 vs. 16 / 13 | §13 unified at 18 | Covered |
| GAP-014 | P1 | Breach notification timelines | §12.3 (72-hour DPA + 72-hour user notification) | Covered |
| GAP-015 | P1 | Regional variation in transaction-record retention | §9 retention table (US 7yr / EU 10yr / UK 6yr) | Covered |
| GAP-016 | P1 | CPRA sensitive information disclosure | §3.5 + §11.2 list of sensitive personal information categories | Covered |
| GAP-017 | P1 | Governing law and EU consumer protection | §11.6 right to lodge a complaint with regulators | Partial (main treatment in ToS) |
| GAP-020 | P1 | DNT vs. GPC conflict | §10.4 DNT non-response statement + §10.5 GPC response | Covered |
Coverage summary: This Privacy Policy covers 7 / 7 P0 gaps and 9 / 9 P1 gaps that fall within Privacy's scope of responsibility (GAP-017 is primarily addressed by the Terms of Service). The remaining gaps (GAP-001 / 008 / 018 / 019 / 021 / 022) fall within the scope of the Terms of Service v2 effort.