1. What we collect
Account information
When you sign up: email address, display name, and (if you sign in with Google) the basic profile information Google shares. Authentication is handled by Supabase Auth.
Subject images and generations
The image you upload is sent to our generation pipeline, where it's transformed into an emote pack. If you're signed in, we store the resulting original-resolution emote PNGs and a metadata row (pack name, emote names, timestamp) so you can re-download from your Packs page. We do not store the source subject image after generation completes.
Usage and payments
Token balance, plan tier, generation history, and referral status. If you subscribe or buy a token pack, our payments processor handles your card details — we never see them.
Cookies
See our Cookie Policy for the full list. In short: a session cookie for authentication and a theme cookie for dark/light preference. No advertising cookies.
2. How we use it
We use the data above only to run the service:
- Running generations and delivering emote packs — you ask for a pack; we make it.
- Maintaining your account, balance, and pack history.
- Processing payments and detecting fraud — including preventing chargeback fraud.
- Sending service emails (sign-in links, billing receipts, plan changes, pack-ready notifications). We don't send marketing email.
- Error monitoring and aggregate analytics to keep the service working. PII is scrubbed before transmission.
- Subject images — used in-memory to generate your pack and then discarded; never stored or used to train models. The Acceptable Use Policy requires you to have the depicted person's consent before uploading.
3. Who we share it with
We use a small number of sub-processors:
- Supabase — auth, database, and file storage hosting.
- OpenAI — our generation pipeline calls OpenAI as an upstream inference provider. Your subject image is sent to OpenAI solely to produce your emote pack and is handled under OpenAI's API data policy (not used to train their models).
- Stripe — handles subscription billing and one-time token-pack purchases. Stripe receives your payment details directly; we never see your card information.
- Resend — sends transactional email (sign-in links, pack-ready notifications, billing receipts). Resend receives your email address and the message contents.
- Sentry — application error monitoring. Receives stack traces and request metadata with personally identifying fields (email, IP, session tokens, magic-link query strings) scrubbed before transmission.
- Vercel — hosting, edge runtime, and analytics (aggregate page-view counts only, no individual tracking).
- Google (only if you sign in with Google) — to verify your account.
We don't sell your data. We don't share it with third parties for advertising. We disclose data only when required by law or to protect rights and safety. See our Do Not Sell or Share page for the formal CCPA/CPRA statement.
Sub-processor changes. If we add a new sub-processor (or replace an existing one with a materially different vendor), we will post the change on this page with the effective date at least 30 days in advance and email registered users. If you object, you may delete your account before the change takes effect.
Where data is processed. The service is operated from the United States and our sub-processors store and process data in the US. The service is offered to users in the United States and is not directed at, or available to, residents of the European Economic Area or the United Kingdom (see §8).
4. How long we keep it
- Account data: for as long as your account exists. You can delete your account at any time from settings (or by emailing us).
- Generated emote packs: kept until you delete them or close your account.
- Source subject images: not retained — they live in memory during generation and are dropped immediately afterward.
- Logs and billing records: retained for the time required by tax and accounting law (typically 7 years).
5. Your rights
You have the following rights over your personal information, including under the California Consumer Privacy Act (CCPA/CPRA) and similar US state laws:
- Access / know / portability — download a JSON dump of everything we hold on your account from Settings → Your data. The same dump is available by email on request.
- Correction — edit display name, email, password, theme, and avatar from the Profile and Settings pages.
- Deletion — Profile → Danger zone has a Delete account button that removes the auth row, every pack, every emote file, every preset, and every feedback row. Some aggregated billing records may persist for tax compliance (typically 7 years) as required by law.
- Opt out of "sale"/"sharing" — we don't sell or share your personal information; see our Do Not Sell or Share page.
- Withdraw consent for likeness processing — delete the relevant packs (which removes the stored emote PNGs) or delete the account.
- No retaliation — we won't deny service or charge you differently for exercising these rights.
For anything that can't be self-served from Settings, email hello@emotepack.ai. We respond within 45 days (CCPA/CPRA), or sooner where another applicable US state law requires.
6. Children
The service is not intended for users under 13 (United States, per COPPA). We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, email hello@emotepack.ai and we'll delete it.
7. AI-generated content disclosure
Output emote PNGs include machine-readable metadata identifying them as AI-generated (PNG tEXt chunks: Software = "Emote Pack AI", Comment includes an AI-generated disclosure and consent reminder), consistent with US state AI-disclosure laws (California, Texas, Minnesota, and others). The metadata travels with every PNG you download.
When the output depicts a real person, you remain responsible for ensuring you have that person's consent before publishing or distributing the generated images. See our Acceptable Use Policy for the specifics.
8. Regions we serve
Emote Pack AI is offered to users in the United States. We do not currently offer the service to, or direct it at, residents of the European Economic Area (EEA) or the United Kingdom, and access from those regions is blocked. As a result we don't process EEA/UK personal data and the GDPR / UK-GDPR do not apply to us at this time. If we expand into those regions in the future, we'll update this policy and put the required safeguards in place first.
9. Security
We use TLS in transit and at-rest encryption on stored data. Access controls, audit logs, and regular review keep human access to user data narrow. No system is perfectly secure; we'll notify you promptly if a breach affects your data.
10. Changes
We'll post material changes on this page with an updated date, and email registered users for changes that meaningfully affect your rights or how we use your data.
11. Contact
Questions about this policy? Email hello@emotepack.ai.