Privacy Policy
Last updated: February 2026
This Privacy Policy explains how CoinAxe Ltd ("we", "us", or "our") collects, uses, and protects your personal data when you use the Gentok AI service. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
CoinAxe Ltd
Dragonara Business Centre, 5th Floor
Dragonara Road
St. Julians STJ 3141
Malta
Email: support@gentok.ai
For any questions about this Privacy Policy or how we process your personal data, please contact us at the above email address.
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Discord Authentication Data
When you sign in using Discord OAuth, we collect:
- Discord User ID (unique identifier)
- Discord username and discriminator
- Discord avatar URL
- Email address associated with your Discord account
2.2 Payment and Billing Data
When you subscribe to a paid plan, we collect:
- Stripe Customer ID (unique identifier)
- Subscription plan and status
- Payment transaction records
Important: We do NOT store your credit card numbers, bank account details, or other direct payment credentials. All payment processing is handled securely by Stripe, our payment processor. Stripe maintains its own compliance with PCI-DSS standards.
2.3 Usage and Service Data
To provide and improve our service, we collect:
- Credit balance and transaction history (credits consumed, added, or refunded)
- AI generation requests (prompts, settings, timestamps)
- Generated content metadata (creation dates, types of generations)
- IP addresses and approximate geolocation
- Browser type, device information, and operating system
- Login timestamps and session information
2.4 Communications
We may collect and store correspondence when you contact our support team, including email content, support tickets, and any attachments you provide.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data only when we have a valid legal basis under GDPR. The legal bases we rely on are:
3.1 Performance of Contract (Article 6(1)(b))
Processing is necessary to provide the Gentok AI service to you under our Terms of Service. This includes:
- Creating and managing your user account
- Processing your AI generation requests
- Managing your credit balance and subscription
- Delivering generated images and videos
- Providing customer support
3.2 Legitimate Interest (Article 6(1)(f))
We process certain data based on our legitimate interests, which include:
- Preventing fraud, abuse, and unauthorized access
- Improving our service quality and user experience
- Analyzing usage patterns to optimize system performance
- Maintaining system security and detecting technical issues
- Enforcing our Terms of Service and acceptable use policies
We have carefully balanced these interests against your rights and freedoms. You have the right to object to processing based on legitimate interest (see Section 7).
3.3 Consent (Article 6(1)(a))
For certain processing activities, we rely on your explicit consent, such as:
- Sending you marketing communications (if you opt in)
- Using non-essential cookies (if implemented in the future)
You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
3.4 Legal Obligation (Article 6(1)(c))
We process certain data to comply with legal obligations, including:
- Retaining financial transaction records for tax and accounting purposes
- Responding to valid legal requests from authorities
- Complying with anti-money laundering regulations
4. How We Use Your Data
We use your personal data for the following purposes:
4.1 Service Delivery
- Authenticating your identity and maintaining your account
- Processing your AI image and video generation requests
- Managing your credit balance and tracking usage
- Enabling Discord bot functionality
- Providing access to the web dashboard
4.2 Billing and Payments
- Processing subscription payments
- Issuing invoices and receipts
- Managing refunds and chargebacks
- Preventing payment fraud
4.3 Communication
- Responding to your support requests and inquiries
- Sending transactional emails (account notifications, payment confirmations, service updates)
- Notifying you of important changes to our service or policies
- Sending marketing communications (only with your consent)
4.4 Security and Abuse Prevention
- Detecting and preventing fraudulent activity
- Monitoring for Terms of Service violations
- Preventing generation of prohibited content (illegal, harmful, or copyrighted material)
- Protecting against unauthorized access and security threats
- Investigating and responding to security incidents
4.5 Service Improvement
- Analyzing usage patterns to improve features
- Troubleshooting technical issues
- Optimizing system performance and reliability
- Understanding user preferences and behavior (in aggregate)
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share your data only with trusted third-party service providers who assist us in operating our service:
5.1 Stripe (Payment Processing)
We use Stripe, Inc. to process subscription payments. When you subscribe to a paid plan, Stripe collects and processes your payment information. Stripe's processing is governed by its own Privacy Policy: https://stripe.com/privacy
We receive from Stripe only the Customer ID, subscription status, and transaction confirmations—never your full payment card details.
5.2 Discord (Authentication)
We use Discord OAuth 2.0 for user authentication. When you sign in with Discord, Discord shares your user ID, username, avatar, and email address with us according to its Privacy Policy: https://discord.com/privacy
5.3 deAPI.ai (AI Generation Service)
We use deAPI.ai infrastructure to process your AI generation requests. Your prompts and generation parameters are transmitted to deAPI.ai servers to generate images and videos. deAPI.ai's data processing is governed by its own privacy practices. We do not share your account information, payment details, or personal identifiers with deAPI.ai beyond what is necessary to process generation requests.
5.4 Legal Disclosures
We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, law enforcement agencies) to:
- Comply with legal obligations
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing
- Protect the personal safety of users or the public
5.5 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our service of any such change in ownership or control of your personal data.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:
6.1 Active Accounts
While your account is active, we retain all account data, usage history, and transaction records to provide continuous service.
6.2 Account Deletion
When you delete your account or request data erasure:
- Your account data, Discord information, and usage history will be permanently deleted within 30 days
- Generated content stored on our servers will be removed
- Your access to the service will be immediately terminated
6.3 Financial Records
We are legally required to retain certain financial and transaction records for 7 years to comply with tax, accounting, and anti-money laundering regulations. This includes:
- Payment transaction records
- Invoices and receipts
- Subscription history
- Refund and chargeback documentation
These records are stored securely with restricted access and are not used for any purpose other than legal compliance.
6.4 Security Logs
For security and fraud prevention purposes, we may retain certain logs (IP addresses, login attempts, suspicious activity records) for up to 12 months after account deletion.
7. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights regarding your personal data:
7.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed and, where that is the case, access to your personal data and information about how it is processed.
7.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and to have incomplete personal data completed. You can update most of your account information directly through the dashboard settings.
7.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data in certain circumstances, including when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent (where processing was based on consent)
- You object to processing based on legitimate interest and there are no overriding legitimate grounds
- The data has been unlawfully processed
Note: This right is not absolute. We may be required to retain certain data to comply with legal obligations (e.g., financial records for 7 years).
7.4 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) and to transmit that data to another service provider.
7.5 Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interest. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
7.6 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing.
7.7 Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
7.8 How to Exercise Your Rights
To exercise any of these rights, please contact us at support@gentok.ai with:
- Your Discord username or account email
- A clear description of which right you wish to exercise
- Any additional information needed to verify your identity
We will respond to your request within 30 days (one month) as required by GDPR. In complex cases, we may extend this period by two additional months and will inform you of such extension.
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including:
- United States: Stripe payment processing infrastructure
- Various locations: deAPI.ai generation servers (depending on infrastructure deployment)
When we transfer your data outside the EEA, we ensure appropriate safeguards are in place:
8.1 Adequacy Decisions
We rely on European Commission adequacy decisions where available, recognizing that certain countries provide an adequate level of data protection.
8.2 Standard Contractual Clauses
Where adequacy decisions are not available, we use Standard Contractual Clauses (SCCs) approved by the European Commission, which require recipients to protect your data in accordance with EU standards.
8.3 Third-Party Certifications
Our service providers (such as Stripe) may participate in frameworks like the EU-U.S. Data Privacy Framework or implement other recognized transfer mechanisms.
You may request more information about the safeguards we have in place for international transfers by contacting us at support@gentok.ai.
9. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
9.1 Technical Security
- Encryption: Data in transit is protected using TLS/SSL encryption. Sensitive data at rest is encrypted.
- Secure Authentication: We use industry-standard OAuth 2.0 for authentication with JWT session tokens.
- Infrastructure Security: Our servers are hosted in secure data centers with physical access controls.
- Regular Updates: We maintain up-to-date software dependencies and security patches.
9.2 Organizational Security
- Access Controls: Access to personal data is restricted to authorized personnel who need it to perform their duties.
- Data Minimization: We collect only the data necessary to provide our service.
- Incident Response: We have procedures in place to detect, respond to, and report security incidents.
9.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours (as required by GDPR Article 33)
- Notify affected users without undue delay if the breach poses a high risk (GDPR Article 34)
- Provide information about the nature of the breach, likely consequences, and measures taken
9.4 Limitations
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our security measures.
10. Cookies and Tracking Technologies
Our service uses minimal cookies and tracking technologies:
10.1 Essential Cookies
We use only one essential cookie:
- Session Cookie: Required for authentication and maintaining your logged-in session. This cookie is strictly necessary for the service to function.
10.2 What We Don't Use
We do NOT use:
- Third-party analytics cookies (no Google Analytics, no tracking pixels)
- Advertising or marketing cookies
- Social media tracking cookies (beyond Discord OAuth authentication)
- Cross-site tracking technologies
10.3 Browser Controls
Most web browsers allow you to control cookies through their settings. However, disabling essential cookies will prevent you from logging in and using our service. You can learn more about cookie management in your browser's help documentation.
11. Children's Privacy
Our service is not intended for children under the age of 13 years. We do not knowingly collect personal data from children under 13.
If you are a parent or guardian and you become aware that your child has provided us with personal data without your consent, please contact us at support@gentok.ai. If we become aware that we have collected personal data from a child under 13 without verification of parental consent, we will take steps to remove that information from our servers within 30 days.
For users in the European Union, the age of digital consent may vary by member state (typically 13-16 years). We rely on Discord's age verification mechanisms, as Discord requires users to be at least 13 years old (or older in certain jurisdictions).
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service functionality. When we make changes:
- We will update the "Last updated" date at the top of this page
- For material changes, we will notify you by email or through a prominent notice on our service
- We will archive previous versions of this Privacy Policy for your reference
Your continued use of the service after changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree to the updated Privacy Policy, you should discontinue use of the service and may request deletion of your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
13. Contact Us and Complaints
13.1 Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Email: support@gentok.ai
Postal Address:
CoinAxe Ltd
Dragonara Business Centre, 5th Floor
Dragonara Road
St. Julians STJ 3141
Malta
13.2 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
As we are established in Malta, the relevant supervisory authority is:
Office of the Information and Data Protection Commissioner (IDPC)
Level 2, Airways House
High Street, Sliema SLM 1549
Malta
Website: https://idpc.org.mt
Email: commissioner.dataprotection@idpc.org.mt
Phone: +356 2328 7100
You may also contact the supervisory authority in your own country if you are located in the EU/EEA.
13.3 Our Commitment
We take your privacy seriously and are committed to resolving any concerns you may have. We encourage you to contact us first so we can address your concerns directly before escalating to a supervisory authority.
This Privacy Policy was last updated on February 12, 2026, and is effective immediately. By using Gentok AI, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.