EdMyPic

Privacy Policy

Last updated: April 22, 2026

This Privacy Policy describes how EdMyPic ("we", "our", or "us") collects, uses, and protects your information when you use our AI photo editing service at edmypic.com, including any embedded version of the editor on third-party sites.

Where applicable, references to the "GDPR" mean Regulation (EU) 2016/679; "EU AI Act" means Regulation (EU) 2024/1689; "DSA" means Regulation (EU) 2022/2065.


1. Information We Collect

Account Data. When you create an account we collect your name, email address, and (if you sign in via Google or another OAuth provider) the basic profile fields that provider releases to us. We store a hashed identifier - we do not receive your OAuth provider password.

Billing Data. We do NOT store your payment card details. All card data is transmitted directly to our PCI-DSS compliant processor (currently Stripe, Inc.) and we retain only: plan tier, amount paid, transaction ID, purchase date, and a masked card brand/last-4 for receipts.

Input Images. Photos you upload for editing are transmitted to our servers and relayed to third-party AI model providers (see §4). We do not retain input images after the editing session ends, except in a short-lived processing cache (up to 24 hours) needed to deliver the generated output to your browser.

AI Prompts. The text prompts you enter are stored against your account for the purpose of displaying your history, calculating credits, and - where required by law - investigating policy violations. See §5 for details on prompt moderation.

Output Images. AI-generated images are stored against your account as long as it is active, so you can re-download them from your dashboard. You can delete any output from your history at any time.

Usage & Technical Data. Standard server logs (IP address, user agent, referer, timestamps), feature-usage events (tool selected, model used, credit cost), and crash/error telemetry. IP addresses are pseudonymised (hashed with a rotating secret) after 30 days unless retention is required for a live abuse investigation.

Cookies & Local Storage. A session cookie to keep you logged in; a theme cookie to remember dark/light preference; local storage for a client-side favourites list. We do not use third-party advertising cookies.


2. Legal Basis for Processing (GDPR Art. 6)

Purpose | Legal basis
Delivering the editor to your browser | Contract (Art. 6(1)(b))
Account management, billing, receipts | Contract + legal obligation (Art. 6(1)(b),(c))
Fraud / abuse prevention, moderation | Legitimate interests (Art. 6(1)(f))
Statistical product analytics | Legitimate interests (Art. 6(1)(f))
Marketing email (when opted-in) | Consent (Art. 6(1)(a)) - withdrawable
Legal reporting (e.g. CSAM to NCMEC) | Legal obligation (Art. 6(1)(c))

If you are in a jurisdiction that does not recognise "legitimate interests", we rely on your acceptance of these terms as your consent to the processing described.


3. Biometric and Sensitive Personal Data (GDPR Art. 9)

Photos of identifiable faces are biometric data when processed by machine-learning systems. Under GDPR Art. 9 we process such data ONLY on the basis of your explicit consent, which you grant by voluntarily uploading the photo to the editor.

We do NOT: build a face database, train models on your photos, perform identity recognition across sessions, or share biometric data with advertisers.

You may withdraw consent at any time by deleting the relevant images from your account. Withdrawal does not affect lawfulness of processing that already occurred.

Special rule for photos of other people. You are responsible for obtaining consent from any identifiable third party whose face appears in an uploaded photo. Uploading photos of other people - especially children - without their (or their guardian's) informed consent is a breach of these Terms and may be illegal in your jurisdiction.


4. Third-Party AI Model Providers

The AI image-generation and editing operations are executed by external model providers. As of the last-updated date these include (subject to change without notice):

  • Replicate, Inc. (US) - image generation and editing
  • Black Forest Labs (DE) - FLUX model family
  • fal.ai (US) - image processing pipelines
  • Together AI (US) - language models for prompt optimisation
  • Google / DeepMind (US) - vision models for image-to-prompt

Each provider has its own privacy policy; by using EdMyPic you accept that your prompt and (where applicable) your uploaded image will be transmitted to the chosen provider for the sole purpose of fulfilling your request. We do not authorise providers to use your content for their own training, but we cannot unilaterally warrant their internal practices - please consult their policies if you require stronger guarantees.


5. Content Moderation

To comply with law and to protect other users, every prompt you submit is checked against an automated blocklist before being sent to an AI model. Every generated image is checked against an automated NSFW/safety classifier before being returned. When either check fails:

  • The prompt or output may be blocked and a reason shown to you.
  • A moderation event is recorded, containing: your user ID, the category of rule matched (e.g. "adult content"), a SHA-256 hash of the prompt, the timestamp, and the locale.
  • We do NOT log the full prompt in this event record for a first-time low-severity match. For high-severity matches (e.g. suspected CSAM) the full content, together with account and IP metadata, is preserved for the legal reporting described in §7.

See the Acceptable Use Policy for a full list of prohibited content.


6. AI-Generated Content Labelling (EU AI Act Art. 50)

Images produced by EdMyPic are AI-generated or AI-edited. Where the EU AI Act applies to your use (e.g. you are a user in the EU, or you distribute the output to EU users), you are required to disclose that the content is AI-generated when you publish it, unless a legal exception applies. EdMyPic may embed cryptographic metadata (C2PA / IPTC) in exported images to support this disclosure; removing such metadata is at your own risk.


7. Mandatory Legal Reporting

Some categories of content trigger non-discretionary reporting obligations that we cannot waive even with your consent:

  • Child Sexual Abuse Material (CSAM). We are required to report apparent CSAM to the US National Center for Missing & Exploited Children (NCMEC, 18 U.S.C. § 2258A) or to the equivalent competent authority in your jurisdiction (e.g. the IWF in the UK, Internet Watch foundation lines across the EU). We also preserve the relevant data for at least 90 days to support investigation.
  • Non-Consensual Intimate Imagery (NCII) / "deepfake" sexual content. Under the US "Take It Down Act" (2025) and comparable laws in the UK (Online Safety Act 2023) and EU member states (Directive (EU) 2024/1385), we will remove such content upon valid notice and may be required to share data with law enforcement.
  • Threats, terrorism, incitement to violence. Reported to law enforcement where required by the applicable law.

8. Payment Data

All payment card processing is performed by our payment service provider, currently Stripe, Inc. (US - PCI-DSS Level 1). We receive only tokenised references; we never store raw card numbers, CVVs, or bank account details. If the provider changes, any replacement will be held to equivalent security and privacy standards.


9. Data Retention

Category | Retention
Account profile | Lifetime of account; deleted within 30 days of account closure
Billing records | 7 years (legal / tax obligation)
Uploaded input images | Up to 24 hours (processing cache)
Generated output images | Lifetime of account or until you delete the history entry
Prompts (history) | Lifetime of account or until you delete the history entry
Moderation events (low severity) | 12 months (hashed)
Moderation events (high severity) | 5 years or as required by law
Server logs / IP addresses | Raw: 30 days; pseudonymised aggregates: up to 24 months

10. International Transfers

Our servers and processors are located in the United States and the European Union. When we transfer personal data from the EEA/UK to the US we rely on Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, as applicable.


11. Your Rights

Under the GDPR and most comparable regimes you have the right to: access, rectify, or erase your data; restrict or object to processing; data portability; lodge a complaint with a supervisory authority. Under the California CCPA/CPRA you additionally have the right to know, to delete, to correct, and to opt out of "sale" or "sharing" - we do not sell or share personal information for cross-context behavioural advertising.

To exercise any right, contact [email protected] from the email address on file. We will respond within 30 days (up to 90 days for complex requests).


12. Third-Party Embeds

The EdMyPic editor may be embedded on external websites using our embed feature. We are not responsible for the privacy practices of third-party sites that embed our editor. Your interaction with the editor remains subject to this Policy, but the embedding site may independently collect analytics about your visit.


13. Children

EdMyPic is not intended for users under 18. We do not knowingly collect personal data from children. If you believe a child has created an account, email [email protected] and we will delete the account.


14. Changes to This Policy

We may update this Policy at any time. Material changes (a new processor, a new data category, a change in legal basis) will be surfaced in-app at least 14 days before they take effect. The date of the last update is shown at the top of this page. Continued use after the effective date constitutes acceptance.


15. Contact

Support: [email protected]
Data requests: [email protected] (subject line: "Data Request")
EU / UK Data Protection queries: [email protected]