How AsciiThis handles personal information.

AsciiThis is operated by Daniel Simons, a sole trader trading as AsciiThis. We are the controller of personal information processed through asciithis.com and the AsciiThis API.

For privacy questions, requests, or complaints, contact notifications@asciithis.com.

If our legal entity, public address, or regulator registration details change, this section will be updated.

We collect the information needed to run AsciiThis: account details, uploads, prompts, generated assets, billing records, support messages, usage events, logs, cookies, and device or session data. We use it to provide the service, keep accounts secure, process payments, prevent abuse, improve reliability, and meet legal obligations.

Private uploads and prompts may be processed by our infrastructure and model providers so we can provide generation, conversion, export, moderation, and support features. Public gallery assets are public and may be indexed, copied, or cached by third parties. We do not sell personal information.

• Account data: email address, password hash, username or handle, Google sign-in identifiers if used, account settings, sessions, and security metadata.
• Content data: uploads, prompts, generated outputs, edits, exports, gallery publications, titles, descriptions, tags, media files, and asset metadata.
• Billing data: plan, credits, subscription status, Stripe customer or subscription identifiers, invoice and payment event data, refunds, and limited transaction metadata. We do not store full card numbers or CVV codes.
• Technical data: IP address, browser and device information, request metadata, referrer, cookies, local storage identifiers, CSRF data, rate-limit data, logs, diagnostics, and security telemetry.
• Communications: support emails, password reset activity, service messages, and information needed to respond to your request.

We process personal information only where we have a lawful basis to do so. The main bases are contract, legitimate interests, legal obligation, and consent where required by law.

• Contract: to create accounts, authenticate users, process uploads and prompts, generate assets, provide exports, manage API access, provide support, and administer subscriptions or credits.
• Legal obligation: to keep tax, accounting, billing, fraud, compliance, and dispute records where the law requires it.
• Legitimate interests: to secure the service, prevent abuse, enforce limits, investigate incidents, debug errors, improve reliability, understand product usage, and protect users, AsciiThis, and the public.
• Consent: where consent is required for optional cookies, similar device storage, certain marketing communications, or optional public sharing choices.

When you ask AsciiThis to generate, convert, enhance, moderate, export, or otherwise process media, your uploads, prompts, outputs, and related metadata may be sent to third-party AI, media-processing, infrastructure, storage, and delivery providers as needed to complete the request, secure the service, troubleshoot failures, and monitor abuse.

Our providers may include OpenAI, Google services used for media generation or authentication, Tripo for image-to-3D workflows, Cloudflare Turnstile for bot checks, Stripe for payments, Resend for email delivery, and hosting or infrastructure providers. Their handling of information is also governed by their own terms and privacy notices.

We do not use your private uploads or prompts to train our own models unless we clearly tell you first and obtain any permission required by law.

We share personal information only where reasonably needed to operate AsciiThis, comply with law, process payments, provide AI and media-processing features, deliver emails, secure the product, investigate abuse, enforce our terms, respond to legal requests, or protect rights and safety.

We may disclose information to service providers, payment processors, AI and media-processing providers, hosting and storage providers, email providers, security tools, professional advisers, regulators, courts, law enforcement, counterparties, or a buyer or successor if the service is sold, reorganised, or transferred.

If you publish an asset, the asset, title, description, handle, public metadata, and public page may be visible to anyone. Public pages may be indexed by search engines, AI crawlers, social platforms, and other third parties.

If you unpublish or delete an asset, we will stop displaying it in the service within a reasonable period, but copies, previews, caches, search snippets, scraped versions, and shares controlled by third parties may remain outside our control.

We use cookies, local storage, and similar technologies for login, security, CSRF protection, abuse prevention, rate limiting, preferences, diagnostics, performance, error tracking, and internal analytics.

We do not currently use third-party advertising cookies. Where optional cookies or similar technologies require consent under UK law, we will request consent before setting or reading them. Blocking strictly necessary technologies may stop account, upload, export, API, or payment features from working.

We keep personal information only for as long as reasonably needed for the purposes in this policy, including service delivery, account administration, security, billing, tax, accounting, dispute resolution, backups, and legal compliance.

• Account records are usually kept while the account exists, then deleted or anonymised within a reasonable period unless we need to keep them for security, billing, disputes, or legal reasons.
• Private uploads and generated assets are usually kept until you delete them, request account deletion, or we remove them under our retention rules. Stale or orphaned upload blobs may be purged earlier.
• Temporary guest export artifacts are currently targeted for deletion after about 60 minutes. Orphaned deleted upload blobs are currently targeted for deletion after about 24 hours.
• Refresh sessions are designed to expire after 30 days unless revoked sooner. Related security records may be kept longer where needed.
• Billing, subscription, and payment records are kept for contract administration and typically up to 6 years or longer where required for UK tax, accounting, audit, dispute, or legal reasons.
• Security logs, audit records, event logs, and backups are kept for as long as reasonably necessary for security, reliability, incident investigation, legal compliance, and normal backup rotation.

Do not upload personal information about other people unless you have the legal right and any required permission to do so. You are responsible for the legality of your uploads, prompts, generated outputs, published assets, and exports.

AsciiThis is not designed for highly sensitive personal information. Do not upload medical, financial, biometric, identity-document, children's, criminal-offence, or similarly sensitive information unless you are comfortable processing it through the service and have the legal right to do so.

Depending on where you live, you may have rights to access, correct, erase, restrict, object to, or receive a copy of your personal information, and to withdraw consent where consent is the legal basis.

You can request account deletion or exercise privacy rights by emailing notifications@asciithis.com. We may need to verify your identity before acting on a request. Some records may be retained where required for billing, tax, accounting, security, disputes, fraud prevention, or legal compliance.

You may complain to us at the same email address. You also have the right to complain to the UK Information Commissioner's Office if you are unhappy with how we handle your personal information.

Some providers may process information outside the UK. Where required, we rely on adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or other lawful safeguards.

We use administrative, technical, and organisational safeguards designed to protect information, including access controls, session protections, security headers, abuse prevention tools, and monitoring. No system is perfectly secure.

We may send service emails about your account, password resets, payments, security, and important product changes. If we introduce marketing emails, we will handle them in accordance with applicable law and provide unsubscribe controls where required.

AsciiThis is intended for users aged 16 or over and is not directed to children. If we learn that we have collected personal information from a child below the age at which they can lawfully use the service without parental consent, we will take appropriate steps to delete it or obtain appropriate consent.

We do not make solely automated decisions about users that produce legal effects or similarly significant effects.

We may update this Privacy Policy from time to time. The updated version becomes effective when posted here unless a different date is stated. Material changes may also be communicated through the service or by email where appropriate.