Privacy Policy

Effective: 2 May 2026

This Privacy Policy explains how TQDM Inc. (“TQDM”, “we”, “us”, or “our”) collects, uses, shares, retains, and otherwise processes personal information in connection with the ImageChat service available at imagechat.ai and the ImageChat mobile apps (collectively, the “Service”). It is written with regard to the California Consumer Privacy Act, as amended (“CCPA/CPRA”), the EU/UK General Data Protection Regulation (“GDPR”) where applicable, and other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, etc.).

1. Who we are

The Service is operated by TQDM Inc., a corporation incorporated in the State of Delaware, United States of America. For privacy-law purposes, TQDM is the “business” (CCPA) / “controller” (GDPR) of personal information processed through the Service.

• Company: TQDM Inc.
• Address: 1111B S Governors Ave, STE 23256, Dover, DE 19904, USA
• Privacy contact: Emil Suleymanov
• Email: contact@tqdm.org (subject line “ImageChat privacy request”)
• Phone: +1 (814) 524-5685

2. Scope

This Policy applies to personal information you provide to us, that we collect automatically, or that we receive from third parties when you: (a) browse the website at imagechat.ai or any sub-domain; (b) sign in or create an account; (c) submit prompts, attachments, or other inputs to the image-generation features; (d) make a purchase or manage your subscription; (e) communicate with us; or (f) install and use any ImageChat-branded mobile application.

3. Personal information we collect

3.1 Information you provide

• Account data — email address, and (if you sign in with Google) the Google account identifier and basic profile (name, profile picture URL).
• Prompts and attachments — text you type into the composer and any images you upload or paste. These inputs may incidentally contain personal information about you or third parties (faces, names, locations, written content). Do not upload material depicting other people without their consent, and never upload material involving minors in any sexual, intimate, or exploitative context.
• Generated outputs — images and text returned by the AI models in response to your prompts, stored against your account so you can review them later.
• Payment data — when you purchase credits or a subscription, billing information is collected and processed by Stripe, Inc. We receive a payment confirmation, the last four digits of the card, brand, and country — we do not store full card numbers.
• Communications — the contents of support emails, bug reports, and feedback.

3.2 Information collected automatically

• Device and connection data — IP address, approximate geolocation derived from IP, device type, OS, browser, language, and user-agent.
• Usage data — sign-in timestamps, session activity, features used, model selections, prompt timestamps, error events, and similar telemetry needed to operate and secure the Service.
• Cookies / local storage — strictly-necessary cookies for authentication (a session cookie issued after magic-link or Google sign-in) and small browser-local values to remember your model selection. We do not currently use third-party advertising or cross-site tracking cookies.

3.3 Information from third parties

• Google Sign-In — when you choose “Continue with Google”, Google sends us a signed ID token containing your Google subject identifier, email, and (if granted) basic profile fields. We use it to create or match your ImageChat account.
• Stripe — payment status, customer ID, and event notifications via webhook.

4. How we use personal information

• To create and authenticate your account, including issuing magic-link sign-in emails and validating Google ID tokens.
• To provide the image-generation features: forwarding your prompts and attachments to the AI model you selected, and returning the results to you.
• To meter usage and apply credits against your balance.
• To detect, investigate, and prevent abuse, fraud, and policy violations (including content that violates our Acceptable Use rules).
• To respond to support requests, deliver service announcements, and — only with your consent — product updates.
• To comply with legal obligations and enforce our Terms.

5. Legal bases (GDPR/UK)

Where GDPR applies, we rely on: (a) performance of a contract for account, payment, and image-generation processing; (b) legitimate interests for security, fraud prevention, and service improvement; (c) consent for any optional marketing emails; and (d) legal obligation for tax, accounting, and law-enforcement responses.

6. AI model providers and content moderation

To generate images, we send your prompt and any attachments to one of several AI model providers via OpenRouter, Inc. (our upstream API gateway). Depending on the model you pick, the request is fulfilled by Google (Gemini family), OpenAI (GPT family), or another supported provider. Your inputs and the generated outputs are subject to those providers’ own policies for the duration of the request. We do not authorise OpenRouter or its sub-providers to use your prompts or images to train their models, except where you explicitly opt into a model that requires it.

We run automated moderation over both inputs and outputs to refuse requests that violate our Acceptable Use rules — in particular, sexual content involving minors, non-consensual intimate imagery, and targeted harassment material. Confirmed CSAM is reported to the National Center for Missing & Exploited Children (NCMEC) as required by 18 U.S.C. § 2258A.

7. Sharing

We share personal information only with:

• Service providers (sub-processors) — AWS (hosting), Stripe (payments), Resend (transactional email), Google (sign-in / Gemini), OpenAI, OpenRouter, Cloudflare (DNS/CDN where applicable). Each is contractually bound to use personal information only to provide their service to us.
• Law enforcement — in response to a valid subpoena, court order, or other legally binding request, or when we have a good-faith belief that disclosure is necessary to prevent imminent harm.
• Acquirers — in the event of a merger, acquisition, or asset sale, with notice to affected users.

We do not sell or “share” personal information for cross-context behavioural advertising, as those terms are defined under CCPA/CPRA. We do not authorise third-party advertising on the Service.

8. International transfers

The Service is operated from the United States. If you access it from outside the US, your personal information will be transferred to, processed, and stored in the US and other jurisdictions where our sub-processors operate. Where required, we rely on the EU Standard Contractual Clauses or equivalent UK/Swiss mechanisms for these transfers.

9. Retention

• Account data — kept for as long as your account exists. Deleted within 30 days of account closure, except where we must retain records for legal, tax, or fraud-prevention reasons.
• Prompts, attachments, and generated outputs — kept for as long as the associated chat exists in your account; you can delete individual chats or all chats from the app at any time.
• Billing records — retained for at least seven years to satisfy US tax and accounting obligations.
• Server logs — retained up to 90 days for security and debugging, then aggregated or discarded.

10. Your rights

Depending on where you live, you may have rights to:

• Know what personal information we hold about you.
• Access a copy of that information in a portable format.
• Correct inaccurate information.
• Delete your account and the personal information we hold about you.
• Object to or restrict certain processing.
• Opt out of any sale or sharing of personal information — not applicable to us, but available on request.
• Withdraw consent where we relied on it.
• Lodge a complaint with your data-protection authority (e.g. your state Attorney General, the UK ICO, or your EU national DPA).

To exercise any of these rights, email contact@tqdm.org. We respond within the timeline required by applicable law (45 days under CCPA, 30 days under GDPR, with a one-time extension where permitted). We do not discriminate against you for exercising your rights.

You can also delete your account and all associated chats from the app: open the account menu → Profile → Delete account.

11. Children

The Service is not directed to children under 13 (or under 16 in the EEA/UK), and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact contact@tqdm.org and we will delete it.

12. Security

We use TLS 1.2+ for traffic between your device and the Service, store passwordless authentication tokens hashed at rest, isolate workloads in private subnets, and apply principle-of-least-privilege to internal access. No system is perfectly secure; if we become aware of a personal data breach affecting you, we will notify you and the appropriate regulators without undue delay as required by law.

13. Changes to this Policy

We may update this Policy to reflect changes in our practices or applicable law. The “Effective” date at the top of the document indicates when the latest version took effect. Material changes will be highlighted in-app or by email at least 14 days before they take effect.

14. Contact

Questions, requests, or complaints about this Policy: contact@tqdm.org.