Privacy Policy of Paintitai LTD 

Last Updated: May 5, 2026

This Privacy Policy ("Policy") describes how Paintitai LTD ("we," "us," or "Company") collects, uses, stores, discloses, and protects personal data of users ("you" or "User") of the Paintit.ai web application at app.paintit.ai and related products and services (collectively, the "Service"). By accessing or using the Service, you agree to the terms of this Policy.

1. Definitions
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Input" means any text, images, or other materials you submit to the Service.
  • "Output" means the results generated by the Service based on your Input.
2. Data We Collect
Registration Data:
Name, email address, date of birth (if required to verify age).
Payment Data:
Payment card details or account information, processed by Stripe, Inc. (https://stripe.com).
Technical Data:
IP address, device identifiers, browser type, operating system, server logs.
Usage Data:
History of images generated or modified, features used, chat interactions with AI.
Marketing Data:
Advertising identifiers, click-through and impression data.
Referral Data:
Referral codes and rewards activity.
Content Data:
The actual content of your prompts, messages, and chat history with our AI assistant, as well as any images and other files you upload, generate, or modify using the Service (together with associated metadata such as timestamps, model parameters, and style presets).
Affiliate Program Data:
If you join our affiliate program, we collect information such as your name, email address, affiliate ID, payout details, referral link performance, and commission history. This data is used to track referrals, calculate commissions, and operate the affiliate program, and may be processed through our affiliate tracking provider Tolt, Inc.
Credit and Billing Activity Data:
Information about your subscription plan, credit balance, credit usage, top-up purchases, refunds, chargebacks, invoices, billing status, and related transaction metadata. We do not store full payment card details; such data is processed by our payment processor.

Sources: Directly from you; automatically via cookies and similar technologies; from our advertising and affiliate partners.

We do not intend the Service to be used for the submission or processing of special categories of personal data (such as health information, financial account numbers, government identifiers, information about children, or data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation). Please do not include such information in your Input. If you nevertheless choose to provide such data, you do so at your own risk, and we process it only as necessary to provide the Service and in accordance with this Policy.

3. Purposes and Legal Bases for Processing
Purpose | Legal Basis
Account creation, authentication, and management | Performance of contract
Payment processing and billing | Performance of contract
Service personalization and improvement (GTM, GA4, Clarity) | Legitimate interests of the Company
Marketing communications (upon consent) | Your consent
Analytics and reporting | Legitimate interests of the Company
Referral program administration | Performance of contract / Legitimate interests
Targeted advertising, retargeting, audience creation, and advertising measurement through third-party platforms | Your consent where required by applicable law; otherwise, legitimate interests of the Company
Credit balance management, top-up purchases, billing status, refund review, fraud prevention, and chargeback handling | Performance of contract / Legitimate interests of the Company / Legal obligations where applicable
Affiliate program administration (including tracking referrals, calculating commissions, and issuing payouts) | Performance of contract / Legitimate interests of the Company
Operating, maintaining, and improving our AI models and image generation systems (including quality control, testing, and training of models using Content Data) | Legitimate interests of the Company; where required by applicable law, your consent
Deriving aggregated insights from Content Data for product analytics, audience segmentation, and measuring the effectiveness of our marketing campaigns and advertising | Legitimate interests of the Company
4. Cookies and Similar Technologies

We use the following categories of cookies and tracking technologies:

  • Strictly Necessary Cookies: enable core functionality (authentication, security).
  • Performance & Analytics Cookies: Google Tag Manager (GTM), Google Analytics 4 (GA4), Microsoft Clarity.
  • Marketing Cookies: used by Meta (Facebook & Instagram), TikTok, Pinterest, and Google Ads for ad targeting.

You may manage or disable cookies via your browser settings or through the "Cookie Settings" section on our website. Although we do not respond to Do Not Track signals, when DNT is enabled we refrain from using marketing cookies.

We do not set non-essential analytics or marketing cookies where prior consent is required by applicable law unless and until you have provided such consent through our cookie banner or cookie settings.

Some analytics tools, including Microsoft Clarity, may help us understand how users interact with the Service through heatmaps, session recordings, clicks, scrolling, page interactions, and similar usage analytics. We use this information to improve usability, detect friction points, debug product issues, and enhance the user experience.

4A. Content Review and AI-Assisted Processing
  • 4A.1. To operate the Service, investigate abuse, provide support, and improve our products, authorized employees and contractors may access and review Content Data on a strictly “need-to-know” basis and subject to confidentiality obligations.
  • 4A.2. We may process Content Data using third-party AI infrastructure providers and AI tools, such as OpenAI, Google (Gemini), Anthropic (Claude), Perplexity AI, and similar vendors, to generate responses, perform analysis, improve product quality, test features, and develop or evaluate our own systems. Where available and commercially reasonable, we configure API-based services to limit the provider’s use of submitted data for training its own foundation models. Third-party AI providers may process data in accordance with their own terms, privacy policies, data processing agreements, and technical settings applicable to the specific service used.
  • 4A.3. Where feasible, we aggregate, anonymize, or pseudonymize Content Data before using it for analytics, model training, or marketing-related purposes.
4B. Public Display and Marketing Use of Generated Content

We may use, display, reproduce, publish, or feature AI-generated or AI-modified images created through the Service for product improvement, demonstrations, marketing, advertising, portfolio, gallery, social media, investor materials, and similar business purposes.

Where reasonably practicable, we may remove or avoid displaying obvious personal identifiers. However, you should not upload images, prompts, or other materials containing private, sensitive, confidential, or identifying information unless you are comfortable with such content being processed as described in this Policy and our Terms of Service.

5. Disclosure to Third Parties

We share Personal Data with the following categories of service providers:

Payment Processor:
Stripe, Inc. (https://stripe.com)
See Stripe's Privacy Policy sections on "Payment Data Processing," "Data Retention," and "Your Privacy Rights."
Advertising Platforms:
Meta Platforms, Inc. (Facebook & Instagram) – https://www.meta.com/legal/privacy
See sections on "Targeted Advertising," "Use of Cookies and Local Storage," and "Data Sharing with Partners."
TikTok Inc. – https://www.tiktok.com/legal/privacy-policy
See sections on "Personalization and Advertising," "Information Collected from Your Device," and "Third-Party Sharing."
Pinterest, Inc. – https://policy.pinterest.com/privacy-policy
See sections on "Ad Targeting," "Cookies and Similar Technologies," and "Sharing Information with Businesses."
Google LLC (Google Ads) – https://policies.google.com/privacy
See sections on "Advertising Services," "Information Google Collects," and "Data Use for Ad Personalization."
Affiliate Networks:
AWIN AG – https://www.awin.com/gb/privacy-policy
See "Tracking Technologies," "Data Collected in the Program," and "Your Rights."
CJ Affiliate by Conversant – https://www.cj.com/legal/privacy
See "Cookies and Tracking," "Data Use for Commissioning," and "Opt-Out Mechanisms."
Webgains Ltd – https://www.webgains.com/legal/privacy-policy
See "Partner Tracking," "Retention of Click and Conversion Data," and "Your Rights."
Skimlinks Ltd – https://skimlinks.com/privacy/
See "Link Transformation," "Data Collected," and "Data Sharing Practices."
Analytics Providers:
Google Analytics 4 (GA4) – https://policies.google.com/privacy
See sections on "Data Collection," "Use of Data," and "Data Retention."
Microsoft Clarity – https://privacy.microsoft.com/privacystatement
See "Usage Data Collection," "Session Recording," and "Your Privacy Choices."
Affiliate Tracking Provider:
We use Tolt’s affiliate tracking platform to operate our affiliate program, including tracking visits and sign-ups generated through affiliate links, calculating commissions, and managing payouts. Tolt acts as an independent data controller or processor (as applicable) for certain processing activities.
You can learn more about how Tolt processes personal data in Tolt’s Privacy Policy, available at https://tolt.com/privacy-policy. We encourage you to review Tolt’s privacy documentation for details on data collection, use, and your rights in relation to Tolt’s services.
To the extent permitted by law, we are not responsible for Tolt’s independent processing activities, websites, or services, which are governed by Tolt’s own terms and privacy policies.
AI Infrastructure and Model Providers:
OpenAI OpCo, LLC – https://openai.com
Anthropic PBC (Claude) – https://claude.ai and https://privacy.claude.com
We use these providers to host and run certain AI models, generate responses, and analyze Content Data as described in this Policy. These providers process data under their own privacy policies and, where applicable, under data processing agreements with us. We encourage you to review their privacy documentation for details on their practices.
To the extent permitted by law, we are not responsible for such providers’ independent processing activities, which are governed by their own terms and privacy policies.
Marketing, Product and Operational Contractors:
We may share limited Personal Data, Usage Data, Content Data, Marketing Data, and aggregated or pseudonymized insights with trusted contractors, consultants, agencies, freelancers, and service providers who help us operate, improve, analyze, promote, or support the Service. This may include product research, UX analysis, customer support, advertising campaign setup, creative production, analytics, and model evaluation.
Such parties are authorized to use the data only for the purposes we specify and are subject to confidentiality and contractual obligations where required by applicable law.

When transferring data outside the European Economic Area (EEA) or the United Kingdom, we rely on Standard Contractual Clauses (SCC) or other legally recognized transfer mechanisms to ensure adequate protection.

6. Data Retention
  • Account and Transaction Data: retained for as long as necessary to provide the Service, comply with legal, tax, accounting, and contractual obligations, resolve disputes, and enforce our agreements.
  • Credit and Billing Activity Data: retained for as long as necessary to manage credit balances, top-up purchases, refunds, chargebacks, billing disputes, fraud prevention, accounting, and legal compliance.
  • Content Data: including prompts, chat history, uploaded images, generated images, modified images, and related metadata, retained for as long as your account remains active and for a reasonable period thereafter, unless deletion is requested and no legal, contractual, security, fraud prevention, product integrity, or operational reason requires further retention.
  • AI improvement and analytics datasets: where feasible, we use aggregated, anonymized, or pseudonymized data. Such data may be retained for longer periods because it is no longer directly associated with an identifiable user.
  • Analytics and Marketing Data: retained for up to two (2) years from collection, unless a shorter or longer period is required or permitted by applicable law.
  • Backup copies and security logs may remain for a limited period after deletion due to technical backup, fraud prevention, security, and disaster recovery requirements.
7. Your Rights

You have the right to:

  • Access your Personal Data;
  • Rectify inaccurate data or complete incomplete data;
  • Erase your data ("right to be forgotten");
  • Restrict processing of your data;
  • Object to processing based on legitimate interests;
  • Port your data in a structured, commonly used format;
  • Withdraw consent at any time for processing based solely on consent.

Where we rely on legitimate interests as our legal basis (for example, to improve our models or for certain marketing and analytics uses), you have the right to object to such processing. If you object, we will cease processing your Personal Data for those purposes unless we demonstrate compelling legitimate grounds or are required to continue by law.

You also have the right to lodge a complaint with a data protection supervisory authority. If you are located in the United Kingdom, you may contact the UK Information Commissioner’s Office (ICO). If you are located in the EEA, you may contact the supervisory authority in the country where you live, work, or where you believe an infringement occurred.

Depending on your jurisdiction, you may have additional privacy rights. For example, residents of certain U.S. states may have the right to know, access, correct, delete, or obtain a copy of certain Personal Data, and to opt out of certain types of targeted advertising, sale, or sharing of Personal Data as defined by applicable law.

We do not sell Personal Data for money. However, our use of advertising and analytics technologies may be considered a “sale,” “sharing,” or targeted advertising under certain privacy laws. Where required, you may opt out through our cookie settings, browser-based opt-out signals where supported, or by contacting us at support@paintit.ai.

To exercise any of these rights, please contact us at support@paintit.ai.

8. Security Measures

We implement organizational and technical safeguards, including encryption, access controls, and regular security audits. Access to Personal Data is limited to authorized personnel only.

9. Legal Disclosures

We may disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, to the extent permitted by law.

10. Age Restrictions

Consistent with our Terms of Service, we do not knowingly collect Personal Data from children under 13. Users aged 13–17 may use the Service only with parental or guardian consent.

11. Changes to This Policy

We reserve the right to modify this Policy at any time. Material changes will be communicated at least thirty (30) days before taking effect via email and/or in-app notification.

12. Contact Information

If you have questions or concerns about this Policy or our data practices, please contact:

PAINTITAI LTD
52 Leytonstone Road, London, E15 1SQ, UK
Phone: +44 7366 359241
Alternate Phone: +34 697 357 937
Email: support@paintit.ai