Privacy without the fog machine.

1. Who we are

FCK Expensive AI is a product of FGX Studios (Pty) Ltd, a company registered in South Africa. We operate the platform at fckexpensive.ai and any related subdomains (the "Service").

For the purposes of the General Data Protection Regulation (GDPR), the UK GDPR, and equivalent legislation, FGX Studios (Pty) Ltd is the data controller of your personal data.

Our designated contact for data protection matters is reachable at privacy@fckexpensive.ai.

2. What data we collect and why

2.1 Account data

When you register, we collect your email address and a hashed password. You may optionally provide a display name. We use this data to create and manage your account, authenticate you, and communicate with you about your account and the Service.

2.2 Generation data

We store the text prompts you submit, the model you selected, the generation parameters (resolution, duration, quality), and the resulting generated files. This data is used to deliver the Service, populate your gallery, and troubleshoot issues. Generated files are stored in our cloud object storage and associated with your account.

2.3 Credit and billing data

We record your credit balance, transaction history (credits purchased, credits consumed per generation), and subscription status. Payment transactions are processed by PayPal. We store the PayPal order ID, the amount, and the transaction status. We do not store full card numbers or bank account details - those remain with PayPal.

2.4 Usage and technical data

We automatically collect IP addresses, browser type and version, operating system, referring URL, pages visited, time and date of requests, and session identifiers. This data is used for security, fraud prevention, debugging, and understanding how the Service is used in aggregate.

2.5 Communications data

If you contact us by email or a support channel, we retain that correspondence. This is used to resolve your query and to maintain a record in case of follow-up or dispute.

2.6 Two-factor authentication data

If you enable TOTP-based two-factor authentication, we store a secret seed and a set of one-time recovery codes. We do not store the codes you enter - only the seed used to verify them.

3. Legal basis for processing (GDPR and UK GDPR)

We rely on the following legal bases under Article 6 of the GDPR:

• Contract performance (Art. 6(1)(b)): Processing your account data, generation data, and credit data is necessary to provide the Service you signed up for.
• Legitimate interests (Art. 6(1)(f)): We process usage and technical data to keep the platform secure, detect fraud, improve performance, and maintain reliable service. Our interests do not override your rights.
• Legal obligation (Art. 6(1)(c)): We may process data to comply with applicable laws, including tax obligations and law enforcement requests made in accordance with applicable law.
• Consent (Art. 6(1)(a)): Where we send marketing communications (not currently active), we will ask for your explicit consent.

4. How we share your data

We do not sell your personal data. We do not share it with advertisers or data brokers. We share data only in the following circumstances:

4.1 Service providers (processors)

• KIE.ai: The AI generation API that processes your prompts. Your prompt text and generation parameters are sent to KIE.ai to produce outputs. Please review KIE.ai's privacy policy for their data handling practices.
• PayPal: Our payment processor. Billing data is shared as necessary to process payments and subscriptions.
• Google Cloud Platform: Our object storage provider. Generated files and application data are stored on their infrastructure under data processing agreements.

4.2 Legal and safety disclosures

We may disclose data if required to do so by applicable law, court order, or governmental authority. We may also disclose data to enforce our Terms of Service, protect the safety of our users, or prevent fraud.

4.3 Business transfers

If FGX Studios (Pty) Ltd is acquired, merged, or its assets are transferred, your data may be transferred to the acquiring entity. We will notify you via the email address on your account before your data is subject to a materially different privacy policy.

5. International data transfers

FGX Studios (Pty) Ltd is based in South Africa. Our service infrastructure and sub-processors may be located in the United States, the European Economic Area, or other jurisdictions.

Where we transfer data outside of the EEA or the UK, we rely on one of the following safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The UK International Data Transfer Agreement (IDTA)
• Adequacy decisions where applicable

You may request a copy of the relevant safeguards by contacting privacy@fckexpensive.ai.

6. Data retention

We retain your data for as long as your account is active and for a reasonable period thereafter to allow for dispute resolution and legal compliance. Specifically:

• Account data: Retained while your account is active. Deleted within 90 days of account deletion request.
• Generated files: Retained while your account is active. Deleted within 90 days of account deletion.
• Billing records: Retained for 7 years from the transaction date to meet tax and accounting obligations.
• Usage logs: Retained for up to 12 months for security and debugging purposes, then deleted.
• Support communications: Retained for up to 3 years from the last correspondence to resolve any follow-up matters.

7. Your rights

7.1 Rights under GDPR and UK GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights:

• Right to access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may ask us to correct inaccurate data.
• Right to erasure ("right to be forgotten"): You may ask us to delete your personal data in certain circumstances.
• Right to restriction of processing: You may ask us to pause processing of your data in certain circumstances.
• Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
• Right to object: You may object to processing based on legitimate interests.
• Rights relating to automated decision-making: You have the right not to be subject to solely automated decisions that significantly affect you.

To exercise these rights, email privacy@fckexpensive.ai. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (for EU residents) or the Information Commissioner's Office (for UK residents).

7.2 California residents (CCPA)

California residents have the following rights under the California Consumer Privacy Act and its amendments (CCPA/CPRA):

• Right to know: You may request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
• Right to delete: You may request deletion of personal information we hold about you, subject to certain exceptions.
• Right to correct: You may request correction of inaccurate personal information.
• Right to opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioural advertising. There is nothing to opt out of.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a verifiable CCPA request, email privacy@fckexpensive.ai from the email address associated with your account.

7.3 Other jurisdictions

We extend reasonable data access and deletion rights to all users regardless of location. Contact privacy@fckexpensive.ai for any personal data request.

8. Cookies and tracking

We use session cookies to keep you logged in. These are strictly necessary for the Service and do not require consent. We do not use third-party advertising trackers, fingerprinting, or cross-site tracking technologies.

Our cookies:

• session_token: A server-signed session identifier. HttpOnly and Secure. Expires at the end of your browser session or when you log out.

We do not use Google Analytics, Meta Pixel, or similar advertising trackers.

9. Security

We implement industry-standard security measures including encrypted HTTPS connections, server-side session signing, bcrypt password hashing, and TOTP two-factor authentication. We perform regular security monitoring. No system is perfectly secure, and we cannot guarantee absolute security, but we work hard to protect your data.

If you discover a security vulnerability, please report it responsibly to security@fckexpensive.ai.

10. Children's privacy

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from children under 16 (or under 13 for US users). If you believe a minor has created an account, please contact us at privacy@fckexpensive.ai and we will delete the account promptly.

11. Third-party links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those sites. We recommend reviewing their privacy policies.

12. Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you via the email address associated with your account at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact us

For any privacy-related questions, data requests, or complaints:

• Email: privacy@fckexpensive.ai
• Contact page: /contact

For EU and UK residents with unresolved complaints, you have the right to contact your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. The UK ICO is reachable at ico.org.uk.