Privacy Policy
Last updated: September 10, 2025
Please read this Privacy Policy carefully before using the APImage service.
Definitions
Controller Contact
Data Controller
APImage is the data controller responsible for the processing of your personal data in connection with our Service.
Data Protection Officer
According to the provisions of the General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG-neu), APImage is currently not legally obliged to appoint a data protection officer, as our company does not meet the relevant thresholds and criteria for such an obligation.
Contact Information
For any questions or concerns regarding this Privacy Policy or our data protection practices, please contact us at:
Email: ask@support.apimage.org
We typically respond to privacy-related inquiries within 30 days.
Categories of Personal Data We Process
- Full name or username
- Email address
- Company or organization name (if applicable)
- User preferences and settings
- API usage statistics (e.g., number of calls, endpoints used)
- Counts of images processed or generated
- IP addresses and device identifiers
- Browser and operating system details
- Log files and error reports
- Subscription plan details
- Billing and invoice history
- Payment transaction metadata
- Images you upload for processing (transient, deleted after processing)
- AI-generated images or outputs from your inputs
- Processing logs (non-identifiable)
Purposes and Legal Bases of Processing
Purpose | Legal Basis | Description |
---|---|---|
Provision and operation of the Service | Art. 6(1)(b) - Contract performance | To fulfill our contractual obligations to you, enabling access to and functioning of the Service. |
Payment and billing | Art. 6(1)(b), (f) - Contract performance and legitimate interest | To process subscriptions and payments securely and prevent fraud. |
Service notifications and updates | Art. 6(1)(b), (f) | To inform you of Service changes, new features, or security alerts. |
Usage monitoring and security | Art. 6(1)(f) - Legitimate interest | To monitor service usage patterns, prevent unauthorized access, and enhance security. |
Compliance with applicable laws | Art. 6(1)(c) - Legal obligation | To meet statutory requirements, tax obligations, and law enforcement requests. |
We do not process your information for purposes incompatible with these objectives without your explicit consent.
Image Processing and File Handling
Your images are handled carefully with privacy and security in mind:
- Images you upload or generate are processed and stored by us or our subprocessors on disks or servers for generation, editing, analysis, and storage. They are retained only until the expiration of the retention period defined by your plan, which may be subject to change.
- By using our service and creating an account, you consent to the use of your uploaded or generated images and processing metadata for training and improving AI models. By accepting these terms and/or using our services, you provide your consent for this use, which you can withdraw at any time.
- Logs and monitoring data may include metadata about image processing events, anonymized wherever possible, and are used strictly for system performance monitoring, usage tracking, abuse detection, and troubleshooting.
- Any files or text you upload or generate may be transmitted to an AI subprocessor for moderation to help prevent illegal or harmful conduct.
Data Retention
We retain personal data only as long as necessary to fulfill the purposes for which the data was collected or as required by law:
- Account Data: Retained as long as your account is active. You may request deletion of your personal data at any time subject to contractual or legal retention obligations.
- Usage Data and Logs: Data is retained for up to 12 months to enable effective analytics, security monitoring, and abuse prevention. Information directly associated with your account is stored for the duration that your account remains active. This may include, but is not limited to, usage data, activity history, requests made through the web application or API, and corresponding API response data. In some cases, a limited subset of data may be retained after account closure to prevent misuse of our free services.
- Invoices, Billing, and Payment Records: Retained for at least 10 years to comply with German tax and accounting laws (§ 147 AO).
After expiration of applicable retention periods, personal data is securely deleted or anonymized.
Subprocessors and International Data Transfers
Subprocessor | Purpose | Location | Details |
---|---|---|---|
Lemon Squeezy (Lemon Squeezy, LLC) | Payment processing and billing | United States | Legal Basis & Purpose: Payment processing and billing (Art. 6(1)(b), (f) GDPR): To fulfill contractual obligations and ensure secure transactions, including fraud prevention. Compliance with applicable laws (Art. 6(1)(c) GDPR): To meet financial and legal obligations. Personal Data Processed: Name, Email address, Billing information, IP address, Payment details. Data Transfers: Transfers to the USA are protected by Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR. Privacy Policy: Lemon Squeezy Privacy Policy |
Netlify (Netlify, Inc.) | Provision and operation of the Service | United States | Legal Basis & Purpose: Provision and operation of the Service (Art. 6(1)(b) GDPR): Necessary for contractual performance. Usage monitoring and security (Art. 6(1)(f) GDPR): To ensure service integrity and prevent abuse. Personal Data Processed: IP address, Browser metadata, Request headers. Data Transfers: Transfers to the USA are based on Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR. Privacy Policy: Netlify Privacy Policy |
Supabase (Supabase Inc.) | Provision and operation of the Service | United States | Legal Basis & Purpose: Provision and operation of the Service (Art. 6(1)(b) GDPR): For core app functionality. Usage monitoring and security (Art. 6(1)(f) GDPR): To ensure integrity and detect misuse. Compliance with applicable laws (Art. 6(1)(c) GDPR): To fulfill regulatory obligations. Personal Data Processed: Login data, Email addresses, Session tokens, IP addresses. Data Transfers: Supabase stores data primarily in EU data centers. Where data is processed in third countries (e.g., USA, Singapore), SCCs apply in accordance with Art. 46 GDPR. Privacy Policy: Supabase Privacy Policy |
OpenAI (OpenAI, L.P.) | Provision and operation of the Service | United States | Legal Basis & Purpose: Provision and operation of the Service (Art. 6(1)(b) GDPR): For AI features and functionality. Usage monitoring and security (Art. 6(1)(f) GDPR): To protect systems and detect misuse. Personal Data Processed: Image data, Prompts, Request metadata. Data Transfers: Transfers to the USA are secured through Standard Contractual Clauses (SCCs) as per Art. 46 GDPR. Privacy Policy: OpenAI Privacy Policy |
SendGrid (Twilio Inc.) | Service communications | United States | Legal Basis & Purpose: Service communications (Art. 6(1)(b) GDPR): To deliver important service-related communications. Marketing communications (Art. 6(1)(a) GDPR): With user consent for marketing purposes. Personal Data Processed: Email address, Name, Email engagement data, IP address. Data Transfers: Transfers to the USA are protected by Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR. Privacy Policy: SendGrid Privacy Policy |
Mailgun (Mailgun Technologies, Inc.) | Service communications | United States | Legal Basis & Purpose: Service communications (Art. 6(1)(b) GDPR): To deliver important service-related communications. Personal Data Processed: Email address, Name, IP address, Email content. Data Transfers: Transfers to the USA are protected by Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR. Privacy Policy: Mailgun Privacy Policy |
MailerLite (UAB MailerLite) | Marketing communications | EU | Legal Basis & Purpose: Marketing communications (Art. 6(1)(a) GDPR): With user consent for receiving marketing emails. Personal Data Processed: Email address, Name, Email engagement data, Location data, IP address. Data Transfers: Data is stored in the EU. Any transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR. Privacy Policy: MailerLite Privacy Policy |
Stability AI (Stability AI Ltd) | Provision of AI features | EU | Legal Basis & Purpose: Provision of AI features (Art. 6(1)(b) GDPR): To provide AI image generation functionality. Service improvement (Art. 6(1)(f) GDPR): To improve and optimize our AI services. Personal Data Processed: Image generation prompts, Image data, Usage data, IP address. Data Transfers: Data may be transferred to the UK and other countries where Stability AI operates, protected by Standard Contractual Clauses (SCCs) where applicable. Privacy Policy: Stability AI Privacy Policy |
Anthropic (Anthropic PBC) | Provision of AI features | United States | Legal Basis & Purpose: Provision of AI features (Art. 6(1)(b) GDPR): To provide AI-powered text processing functionality. Service improvement (Art. 6(1)(f) GDPR): To improve and optimize our AI services. Personal Data Processed: Text inputs, Usage data, IP address. Data Transfers: Transfers to the USA are protected by Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR. Privacy Policy: Anthropic Privacy Policy |
Black Forest Labs (Black Forest Labs Inc.) | Provision of AI features | United States | Legal Basis & Purpose: Provision of AI features (Art. 6(1)(b) GDPR): To provide specialized AI capabilities. Service improvement (Art. 6(1)(f) GDPR): To enhance and optimize our AI services. Personal Data Processed: Input data for processing, Usage patterns, IP address. Data Transfers: Transfers to the USA are protected by Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR. Privacy Policy: Black Forest Labs Privacy Policy |
Your Data Protection Rights
Under GDPR, you have extensive rights regarding your personal data. To exercise these rights, please contact us at ask@support.apimage.org. We will respond promptly, and you can expect a reply within 30 calendar days in compliance with Art. 12 GDPR.
Right of Access
Request a copy of your personal data we hold. You can do so in the Settings section of your account.
Right to Rectification
Request corrections of inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data, subject to legal and contractual limitations. You can do so in the Settings section of your account. Please note that this action will permanently delete your account and cannot be undone.
Right to Restrict Processing
Request temporary suspension of processing under certain circumstances.
Right to Data Portability
Obtain your personal data in a structured, machine-readable format for transfer to another provider.
Right to Object
Object to processing based on legitimate interests or direct marketing.
Security Measures
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Our security practices are regularly reviewed and updated to address emerging threats.
Data Encryption
End-to-end encryption for data in transit and at rest, using industry-standard protocols (TLS 1.3+) and strong ciphers.
Access Controls
Strict role-based access controls (RBAC) and principle of least privilege for all systems handling personal data.
Secure Infrastructure
Enterprise-grade hosting in SOC 2 Type II and ISO 27001 certified data centers with physical security controls.
Incident Response
Comprehensive incident response plan with defined procedures for data breach notification within 72 hours when required.
Vulnerability Management
Regular security audits, penetration testing, and automated vulnerability scanning of all systems.
Employee Training
Regular security awareness training for all employees with access to personal data.
Children's Privacy
Age Restrictions Apply
Our Services are not intended for children under 13 years of age.
1. Age Requirements
Our Services are exclusively for users who are at least 13 years old (or 16 years old where required by local law, such as in the EU). We do not knowingly collect personal data from children under these age limits.
2. Parental Controls
We encourage parents and guardians to monitor their children's online activities. If you believe your child has provided us with personal data without your consent, please contact us immediately.
For Parents & Guardians
To request review, deletion, or to place restrictions on your child's personal data, please contact us at ask@support.apimage.org.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service functionality. We encourage you to review this page periodically for the latest information on our privacy practices.
1. Notification of Changes
We will notify you of any material changes through your registered email address and/or by posting a prominent notice on our website before the changes take effect.
2. Your Acceptance
Your continued use of our Services after we post any modifications to the Privacy Policy will constitute your acknowledgment of the modifications and your consent to abide by the updated Policy.
Version History
You can review previous versions of this Privacy Policy by contacting us at ask@support.apimage.org.
For your convenience, we also maintain an archive of recent policy changes on our website.
Supervisory Authority
Your Data Protection Rights
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates applicable data protection laws.
1. European Economic Area (EEA)
For users in the EEA, you can find your local data protection authority through the link below. The relevant authority is determined by your country of residence, place of work, or the location of the alleged violation.
Find your DPA
2. United Kingdom
For users in the United Kingdom, the supervisory authority is the Information Commissioner's Office (ICO). You can contact them directly through their website.
ico.org.uk
Contact Us
Email Support
For questions about these terms or any other inquiries, our support team is here to help.
ask@support.apimage.org
Response Time
We typically respond to all inquiries within 24-48 hours during business days.
Business hours: Monday - Friday, 9:00 AM - 6:00 PM CET
Last updated: June 3, 2025
Company Details
- Provider: APImage
- Legal Name: Ole Nepomuk Mai
- Legal Form: Solopreneurship
- VAT ID: DE335582063