Privacy Policy

Last updated: February 10, 2026 · Effective: February 10, 2026

1. Introduction & scope

Gizmoji (“we”, “us”, or “our”) operates the Gizmoji platform available at gizmoji.com (the “Platform”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered creative production platform, including all related websites, applications, APIs, and services (collectively, the “Services”).

By accessing or using the Services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please discontinue use of the Services immediately.

2. Information we collect

2.1 Account information

When you create an account, we collect your email address, display name, and authentication credentials (managed securely via our authentication provider). If you sign up using a third-party provider (e.g. Google, GitHub), we receive profile information permitted by that provider.

2.2 Payment & billing data

Credit purchases and subscription payments are processed by our PCI-DSS Level 1 compliant payment processor. We receive a transaction reference, amount, and payment status. We do not store your full credit/debit card number, CVV, or bank account details — these are handled exclusively by our payment processor.

2.3 Usage & generation data

We collect data related to your use of the platform, including:

  • Prompts & parameters — text prompts, model selections, generation settings, and job metadata you submit for AI generation tasks.
  • Generated content — images, videos, audio, 3D objects, and avatars produced by the Services on your behalf.
  • Project data — projects, stories, scenes, shots, concepts, and associated metadata you create within the production workflow.
  • Credit activity — credit holds, transactions, purchases, refunds, and usage history.
  • Interaction logs — feature usage patterns, navigation events, error reports, and session duration (anonymized where possible).

2.4 Device & technical data

We automatically collect device type, operating system, browser type and version, screen resolution, IP address, referring URL, and approximate geolocation (country/region level). This data is used for security, analytics, and service optimization.

2.5 Communications

If you contact us via email or in-app support, we retain the content of those communications, your contact details, and our responses for quality assurance and dispute resolution.

3. Legal bases for processing

We process personal data on the following legal grounds under applicable data protection law (including the GDPR, UK GDPR, and India’s Digital Personal Data Protection Act, 2023):

  • Performance of a contract — to provide the Services, process payments, and manage your account.
  • Legitimate interests — to improve our platform, prevent fraud, enforce our terms, and conduct aggregated analytics.
  • Consent — for marketing communications, optional cookies/analytics, and any processing where consent is specifically required.
  • Legal obligation — to comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. How we use your information

  • Providing, maintaining, and improving the Services.
  • Processing and fulfilling AI generation requests through our multi-model pipeline.
  • Managing your credit balance, holds, and transaction history.
  • Processing payments and issuing invoices.
  • Sending service-critical communications (job status, account security, billing).
  • Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity.
  • Enforcing our Terms of Service and acceptable use policies.
  • Conducting anonymized and aggregated analytics to improve model quality, platform performance, and user experience.
  • Responding to support requests, legal proceedings, and regulatory inquiries.

5. AI-specific data practices

5.1 Prompt & output handling

Your prompts are sent to third-party AI model providers solely to fulfil your generation request. We do not use your prompts, input images, or generated outputs to train, fine-tune, or improve any AI model — whether our own or a third party’s — without your explicit, informed, opt-in consent.

5.2 Content safety screening

Prompts and generated outputs may be screened by automated safety classifiers to detect content that violates our acceptable use policy (e.g. CSAM, non-consensual deepfakes, violent extremism). This screening is limited to policy enforcement and does not involve human review unless a violation is flagged.

5.3 Model provider data sharing

Generation requests are routed to vetted third-party AI providers for media generation (images, video, audio, 3D) and text generation. These providers receive only the data necessary to fulfil the request (prompt text, parameters, reference images). We contractually require providers to process data solely for the purpose of completing the request and to not retain or use it for training. Please review each provider’s privacy policy for their specific practices.

6. Third-party services & data sharing

We do not sell, rent, or lease your personal data to third parties. We work with a limited number of vetted service providers to operate the platform — including hosting, content delivery, payment processing, and fulfilling your generation requests. Each provider receives only the minimum data necessary to perform its function and is contractually required to protect your information and not use it for any other purpose.

We may also disclose your information to: (a) law enforcement or government authorities when required by law or valid legal process; (b) professional advisors (legal, accounting, audit) under confidentiality obligations; (c) a successor entity in the event of a merger, acquisition, or asset sale (with prior notice to affected users).

7. International data transfers

Your data may be processed in countries outside your jurisdiction, including the United States, the European Union, and India. Where we transfer data internationally, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where available.
  • Contractual safeguards with sub-processors requiring equivalent protections.

You may request a copy of the relevant transfer safeguards by contacting us at the address below.

8. Data retention

  • Account data — retained for the lifetime of your account plus 30 days after deletion to facilitate recovery.
  • Generated assets — retained until you delete them or your account is terminated. Assets are permanently purged within 90 days of account deletion.
  • Payment records — retained for 7 years to comply with tax and financial reporting obligations.
  • Credit transactions — retained for the lifetime of your account for audit and dispute resolution.
  • Server logs — retained for up to 90 days, then automatically purged or anonymized.
  • Content safety logs — records of policy-violating content may be retained for up to 12 months for abuse prevention.

9. Data security

We implement multi-layered security measures to protect your data:

  • Encryption in transit — all data transmitted between your browser and our servers uses TLS 1.3.
  • Encryption at rest — database contents and stored assets are encrypted using AES-256. Sensitive fields (API keys, secrets) use additional application-layer encryption with a master key.
  • Row-Level Security — database-level security policies ensure users can only access their own data.
  • Access controls — pre-signed URLs for asset access with time-limited validity; role-based access control (RBAC) for administrative operations.
  • Webhook verification — all inbound webhooks from third-party services are verified via cryptographic signatures before processing.
  • Rate limiting — API rate limiting to prevent brute-force attacks and abuse.
  • Admin security — multi-layer authentication for administrative access, including TOTP (time-based one-time password) verification and audit logging of all admin actions.

While we use commercially reasonable measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. Your rights

Depending on your jurisdiction, you may have some or all of the following rights:

10.1 Under the GDPR / UK GDPR

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Restriction — restrict processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Automated decision-making — not be subject to decisions based solely on automated processing with legal effects.
  • Withdraw consent — withdraw consent at any time where processing is consent-based.

10.2 Under the CCPA / CPRA (California residents)

  • Right to know — categories and specific pieces of personal information collected.
  • Right to delete — deletion of personal information.
  • Right to opt-out — we do not sell personal information, so this right is automatically satisfied.
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
  • Right to correct — correct inaccurate personal information.
  • Right to limit use of sensitive data — limit use or disclosure of sensitive personal information.

10.3 Under India’s DPDP Act, 2023

  • Right to access — a summary of personal data processed and processing activities.
  • Right to correction & erasure — correct or erase personal data.
  • Right to grievance redressal — have grievances addressed within the prescribed timeframe.
  • Right to nominate — nominate another individual to exercise rights in case of death or incapacity.

To exercise any of these rights, email us at support@gizmoji.com. We will respond within 30 days (or sooner if required by applicable law). We may ask for identity verification before processing your request.

11. Children’s privacy

The Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a minor, we will take immediate steps to delete that data and terminate the associated account. If you believe a child has provided us with personal information, please contact us immediately.

12. Cookies & tracking technologies

12.1 Essential cookies

We use strictly necessary cookies for authentication, session management, and security (e.g. CSRF tokens). These cannot be disabled as they are required for the platform to function.

12.2 Analytics cookies

We may use privacy-respecting analytics to understand aggregate usage patterns. Where applicable, these are loaded only with your consent.

12.3 Third-party cookies

We do not use third-party advertising cookies, cross-site tracking pixels, or fingerprinting technologies.

12.4 Do Not Track (DNT)

We honor Do Not Track browser signals. When DNT is enabled, we disable any non-essential tracking.

13. Data breach notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware (where required by law).
  • Notify affected users without undue delay via email and in-app notification.
  • Provide details on the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide at least 30 days’ notice via email or a prominent notice on the Platform before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

15. Contact us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

support@gizmoji.com

If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.