Privacy Policy | Genematic

1. Who We Are

Genematic ("Genematic", "we", "us", or "our") operates the website https://genematic.ai and its associated mobile web app (collectively, the "Service"). Genematic is an AI-powered media generation platform that allows users to create videos and images using state-of-the-art AI models.

The Service is operated by Genematic Ltd, a private limited company registered in England and Wales (Company No.17150072).

For questions about this Privacy Policy, contact us at support@genematic.ai.

2. Information We Collect

2.1 Information You Provide Directly

Account credentials: email address and password when you register with email/password authentication.
Display name and profile photo: set by you in account settings.
Payment information: token top-up transactions (amounts, timestamps). We do not store raw payment card data — payments are processed by third-party payment providers.
Prompts and inputs: text, image, and other inputs you submit to generate AI content.
Generated content: AI-generated videos and images produced through the Service that you choose to save or share.
Communications: messages you send to our support team.

2.2 Information from OAuth / Social Login Providers

When you sign in using a third-party provider, we receive information permitted by your account settings with that provider:

Google Sign-In: name, email address, and profile picture from your Google account.
Sign in with Apple: name (first-time only, at your discretion) and email address or Apple-generated relay address. Apple may provide a private relay email address if you choose "Hide My Email."
Facebook Login: name, email address, and profile picture from your Facebook account. Also used as the underlying authentication mechanism for "Continue with Instagram" on our sign-in screen.
TikTok Login Kit: TikTok Open ID, display name, and profile picture. TikTok does not provide an email address; we create an internal placeholder identifier solely to maintain your account.

We do not receive or store your social provider passwords. OAuth access tokens received from providers (where applicable) are stored encrypted and used solely to maintain your session and, where explicitly requested, to perform actions on your behalf.

2.3 Information Collected Automatically

Usage data: pages visited, features used, generation history, timestamps.
Device and browser data: browser type, operating system, device identifiers, IP address, and referrer URL.
Cookies and session tokens: HTTP-only session cookies used for authentication. We do not use third-party tracking or advertising cookies.
Push notification tokens: browser push subscription endpoints and encryption keys, if you grant permission.

3. How We Use Your Information

We use the information we collect to:

Create and manage your account and authenticate your identity.
Provide, operate, and improve the Service.
Process your AI generation requests and deliver results to you.
Manage your token balance, process top-up transactions, and maintain billing records.
Send transactional notifications (generation completed, balance updates) and, with your consent, push notifications.
Operate the referral programme and credit earnings to referring users.
Respond to support enquiries and resolve disputes.
Detect and prevent fraud, abuse, and violations of our Terms of Service.
Comply with legal obligations.

Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data on the following legal bases:

Contract performance: processing necessary to provide the Service you have requested (account creation, generation delivery, billing).
Legitimate interests: fraud prevention, security, product improvement, and operating the referral programme — where these interests are not overridden by your rights.
Consent: push notifications and any optional marketing communications. You may withdraw consent at any time.
Legal obligation: compliance with applicable laws.

4. How We Share Your Information

We do not sell your personal information. We share data only as described below:

4.1 Service Providers and Sub-processors

We engage the following third parties to operate the Service. Each processes data only on our instructions and under appropriate data processing agreements:

Supabase, Inc. — database, authentication, and file storage. Privacy Policy
Vercel, Inc. — hosting and serverless infrastructure. Privacy Policy
Fal.ai, Inc. — AI model inference for image and video generation. Prompts and input media you submit are transmitted to Fal.ai for processing. Privacy Policy
OpenAI, LLC — AI-assisted features (e.g. prompt enhancement). Privacy Policy
BunnyWay d.o.o. (Bunny.net / Bunny Stream) — video CDN and streaming delivery. Privacy Policy

4.2 Other Disclosures

Legal requirements: we may disclose information if required by law, court order, or governmental authority, or to protect the rights, safety, or property of Genematic, our users, or the public.
Business transfers: in connection with a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
Community Feed: content you explicitly mark as shared (opt-in) is visible to other users of the Service. Your display name and profile picture are shown alongside publicly shared content.

5. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Service. Specifically:

Account data (email, display name, profile picture) — retained until you request deletion.
Generated content — retained until you delete it or request account deletion.
Billing and transaction records — retained for 7 years for accounting and legal compliance.
Push notification tokens — retained until you unsubscribe or the subscription expires.
Server logs — retained for up to 90 days.

After account deletion, we may retain anonymised aggregate data (e.g. usage statistics) indefinitely, as this cannot be linked back to you.

6. Cookies and Tracking Technologies

We use the following cookies and browser storage:

Authentication session cookies (HTTP-only, Secure): set by Supabase SSR to maintain your login session. These are strictly necessary and cannot be disabled without breaking the Service.
Referral code storage (localStorage): stores your referral code locally for automatic application during registration.
OAuth state and PKCE cookies (HTTP-only, Secure, 10-minute TTL): used during the TikTok OAuth flow to prevent CSRF attacks.

We do not use advertising cookies, fingerprinting technologies, or cross-site tracking.

7. International Data Transfers

Our service providers operate in the United States and the European Union. If you are located in the EEA or UK, your data may be transferred to countries that do not have the same data protection laws as your home country. Where required, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission.
The EU–US Data Privacy Framework (where applicable).

8. Your Rights

8.1 Rights for EEA / UK Users (GDPR)

You have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention requirements.
Restriction — request that we restrict processing of your data in certain circumstances.
Data portability — receive your data in a machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent (e.g. push notifications), withdraw it at any time without affecting lawfulness of prior processing.

To exercise these rights, email support@genematic.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g. your national data protection authority).

8.2 Rights for California Residents (CCPA / CPRA)

California residents have the right to:

Know what personal information we collect, use, disclose, and sell (we do not sell personal information).
Delete personal information we have collected, subject to certain exceptions.
Correct inaccurate personal information.
Opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising.
Non-discrimination — we will not discriminate against you for exercising your privacy rights.

To submit a California privacy request, email support@genematic.ai with the subject line "California Privacy Request."

8.3 Account Deletion

Step-by-step instructions (including in-app and email options) are on our User data & account deletion page. You may also email support@genematic.ai. Note that billing records are retained as required by law. Token balances are non-refundable upon deletion.

9. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 where required by applicable law, including in the EEA). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us immediately and we will take steps to delete such information.

10. Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

TLS encryption for all data in transit.
Encryption at rest for database contents.
HTTP-only, Secure, SameSite session cookies.
Row Level Security (RLS) policies so users can only access their own data.
PKCE and state parameters for all OAuth flows.
Service role keys never exposed to the client.

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

11. AI-Generated Content and Inputs

Prompts, images, and other inputs you submit to generate content are transmitted to our AI model providers (Fal.ai, OpenAI) for processing. Please review their respective privacy policies regarding how they handle inference inputs. We recommend you do not include sensitive personal data (e.g. government ID numbers, health information) in generation prompts.

AI-generated outputs are stored in your account. Content you share publicly on the Community Feed is visible to other users and may be indexed by search engines.

Prohibited subject matter: As described in our Terms of Service, you must not request generations involving NSFW / 18+ adult content, politics, violence, or “dangerous” subject matter.

Responsibility for generations: You are solely and exclusively responsible for your prompts, uploads, and the AI outputs produced from your account. Genematic processes requests on your behalf as a technical intermediary and does not assume liability for user-generated content or for your compliance with law or third-party rights.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with a new effective date and, where appropriate, by email. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@genematic.ai
Website: https://genematic.ai