Privacy Policy
Last updated: November 30, 2025
Privacy at a Glance (60-Second Summary)
- ✓Your photos = Your property. We never use them to train AI models.
- ✓7-day deletion. Original photos auto-delete after processing.
- ✓You control your data. Export or delete anytime in Account Settings.
- ✓No selling data. We never sell your personal information to third parties.
- !18+ only. This service is not available to anyone under 18 years old.
Who We Are
Email: info@taoapex.com
Data Protection Officer: privacy@taoapex.com
Age Restriction (Important)
TaoFlux is strictly for users aged 18 years and older.
We do not knowingly collect, process, or store any personal data from individuals under 18 years of age. If we discover that a user is under 18, their account will be immediately terminated and all associated data will be permanently deleted.
By using this service, you confirm that you are at least 18 years old. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@taoapex.com.
1. What Data We Collect
We collect the following categories of personal data:
| Data Category | Specific Data | legal.privacy.purpose | Retention |
|---|---|---|---|
| Account Information | Email address, name, encrypted password, profile photo | Account creation, authentication, communication | Until account deletion |
| Uploaded Photos | Original images, EXIF metadata (camera model, date, GPS if present)* May contain biometric data (facial features) | AI image generation processing | 7 days max |
| Generated Images | AI-generated output images, generation parameters | Service delivery, user gallery | Until user deletion or account closure |
| Text Prompts | User-provided prompts for AI generation | AI processing, abuse detection | 7 days (anonymized) |
| Technical Data | IP address, browser type, device info, access logs | Security, fraud prevention, debugging | 90 days |
| Payment Data | Transaction IDs, subscription status* Card details handled by Stripe/Creem only | Billing, subscription management | 7 years (legal requirement) |
| Usage Analytics | Page views, feature usage, session duration | Service improvement | 26 months (anonymized) |
About Biometric Data (Facial Features)
When you upload photos containing faces, we process facial features to generate AI portraits. This is considered biometric data under some regulations (e.g., Illinois BIPA). We:
- Only process faces for the specific generation task you request
- Do not create persistent biometric templates or identifiers
- Do not use facial data for identification or authentication purposes
- Delete original photos within 7 days of processing
2. AI Processing & Model Training
We DO NOT train our AI models on your photos or generated images.
Your data is used only for the specific generation task you request. Period.
- AI Providers: We use pre-trained models from Replicate (Flux) and Google (Gemini). These providers have their own data policies.
- Prompt Data: Anonymized prompts may be stored for 7 days to detect abuse patterns and improve content filtering.
- Future Opt-in: If we ever introduce a program where users can opt-in to contribute to model improvement, it will be:
- Completely voluntary with explicit consent
- Clearly explained with benefits and risks
- Revocable at any time
3. Data Storage & International Transfers
Your data is processed and stored in the following locations:
| Service | legal.privacy.provider | Location | Data Processed |
|---|---|---|---|
| Database | NeonDB (PostgreSQL) | AWS US East (Virginia) | Account data, metadata |
| File Storage | Supabase | AWS (US) | Uploaded & generated images |
| AI Processing | Replicate, Google Cloud | US | Images, prompts (transient) |
| Payments | Stripe, Creem | US/EU | Transaction data |
| Analytics | Google Analytics | US | Anonymized usage data |
For EU/EEA Users: Data transfers to the US are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission, and where applicable, the EU-US Data Privacy Framework.
For Singapore Users: We comply with PDPA requirements for cross-border transfers, ensuring recipient countries provide comparable protection.
4. Your Data Rights
Access & Portability
Download a copy of all your data in a machine-readable format.
How: Account Settings → Privacy → Download My Data
Deletion
Permanently delete your account and all associated data.
How: Account Settings → Privacy → Delete Account
Rectification
Correct inaccurate personal information.
How: Account Settings → Profile, or email us
Objection & Restriction
Object to or restrict certain processing activities.
How: Email privacy@taoapex.com
How to Submit a Data Request
- Self-Service (Fastest): Use the options in Account Settings → Privacy
- Email Request: Send to privacy@taoapex.com from your registered email
- Verification: We may ask you to verify your identity (email confirmation)
- Response Time: Within 14 days for standard requests, 30 days for complex cases
5. Cookies & Tracking
We use cookies and similar technologies. You can manage your preferences at any time using our Cookie Settings (accessible via the footer or the banner shown on first visit).
For full details, see our Cookie Policy.
6. Regional Privacy Rights
European Union (GDPR)
Under GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data ("right to be forgotten") (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Not be subject to automated decision-making (Art. 22)
- Lodge a complaint with your local Data Protection Authority
Legal Basis: We process your data based on: (a) contract performance (service delivery), (b) legitimate interests (security, improvement), (c) consent (analytics, marketing).
California (CCPA/CPRA)
California residents have the right to:
- Know what personal information is collected
- Know if personal information is sold or disclosed
- Say no to the sale of personal information
- Access your personal information
- Request deletion of your information
- Equal service and price (non-discrimination)
We do not sell your personal information. To exercise your rights, contact us at privacy@taoapex.com or use the self-service options in your account.
Singapore (PDPA)
Under PDPA, you have the right to:
- Access your personal data held by us
- Correct errors or omissions in your data
- Withdraw consent for data collection/use
- Request data portability
Contact us at privacy@taoapex.com for any PDPA-related requests.
7. Protection of Minors
This service is strictly 18+. We do not provide services to minors and do not knowingly collect data from anyone under 18.
Prohibited Content: Generating, uploading, or processing any images involving minors in inappropriate, sexual, or exploitative contexts is strictly prohibited and will result in:
- Immediate account termination
- Permanent ban from the platform
- Reporting to relevant law enforcement authorities
- Full cooperation with any legal investigations
If you are a parent or guardian and believe a minor has accessed this service, please contact us immediately at privacy@taoapex.com.
8. Security Measures
- All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Passwords hashed using bcrypt with salt
- Access controls with role-based permissions
- Regular security audits and penetration testing
- Incident response procedures in place
- Staff access limited to need-to-know basis
9. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. For material changes, we will notify you via email and/or a prominent notice on our website at least 14 days before they take effect.
Contact Us
General Inquiries
info@taoapex.comPrivacy & Data Requests
privacy@taoapex.com