Privacy Policy

This Privacy Policy explains how Dirtybunny ("we", "us", "our") collects, uses, stores, and shares information when you use dirtybunny.io (the "Service"). It applies to all users of the Service and should be read together with our Terms of Service.

By using the Service, you consent to the practices described below. If you do not agree, please stop using the Service.

Account information: when you sign up, we collect your email address, an authentication identifier, and (optionally) information you provide via single sign-on providers such as Google.

Payment information: when you purchase credits or a subscription, Stripe collects and processes your payment details. We receive a customer identifier, the amount, currency, plan, and status — we do NOT receive or store full card numbers.

Generation inputs: any prompts, reference images, source faces, or other inputs you submit for image generation, image editing, image merging, face swap, or video generation.

Generated outputs: the images and videos returned by the AI providers in response to your inputs.

Usage data: model used, credit cost, timestamps, status (completed/failed), error messages, and basic device/browser metadata (IP address, user agent) used for security, rate limiting, and abuse prevention.

By default, prompts and metadata are stored in our database, linked to your user account, so that the "Generation History" sidebar can show your past creations and so we can audit failures, refund credits, and investigate abuse.

By default, reference images you upload (for editing, merging, or face swap) are stored in our private object storage bucket and referenced via short-lived signed URLs. They are linked to your user account.

By default, generated outputs (images and videos) are downloaded from the AI provider, re-uploaded to our private object storage, and served to you via signed URLs valid for up to one (1) year so your history continues to work.

You control what we keep. From Account → Privacy & retention you can independently turn off retention of (a) your prompts, (b) your uploaded reference images, and (c) your generated outputs. When a toggle is off, Dirtybunny will not keep that category for new activity going forward — those items are discarded once the generation completes (we keep only the minimum metadata required to charge credits, prevent abuse, and meet legal obligations). Turning a toggle off does not retroactively delete items already stored; use the per-item delete button in your gallery, or submit a request at /data-request, to remove existing data. Disabling retention also does not affect what upstream AI providers do with the data we transmit to them on your behalf — see Section 4.

Your inputs and outputs are private to your account by default. Other users of the Service cannot see them. Our staff may access them only when strictly necessary to operate the Service, debug issues, respond to a support request, or investigate suspected abuse or illegal content.

You can delete individual generations from your history at any time, which removes the database record and queues the associated stored files for deletion. Deleting your account removes your generation history and stored files within a reasonable period, except where retention is required by law (e.g., billing records).

Biometric and facial data: when you use the face swap feature, the images you upload may contain biometric identifiers (facial geometry). Under laws such as the EU/UK GDPR (Article 9), Illinois BIPA, Texas CUBI, and similar statutes, this is "special category" or "biometric" personal data. We process these images solely on the basis of your explicit consent (which you provide when ticking the consent checkbox before each face swap) and solely to perform the face swap you requested. We do not build, store, or sell facial recognition templates, and we do not use your face data to identify or track individuals. The uploaded images and the resulting output are stored only according to your retention settings (Section 3) and the AI provider's processing terms (Section 4). You can withdraw consent at any time by deleting the relevant generations and disabling upload retention in Account → Privacy & retention.

To fulfill your generation requests, we transmit your prompt and any reference images to third-party AI providers. The primary providers we use are:

• fal.ai — routes requests to underlying image and video models (including Nano Banana Pro and Kling 2.6 / 3.0 Pro). See https://fal.ai/legal/privacy-policy and https://fal.ai/legal/terms-of-service.

• Lovable AI Gateway — used as an automatic fallback for image generation when fal.ai is unavailable, which routes to providers such as Google.

When you use the DM Assistant feature, your messages are sent to a large-language-model provider via the Lovable AI Gateway in order to generate a response.

These providers receive your prompt, any reference images, and basic request metadata. We do not send them your email, payment information, or any other identifying account data beyond what is technically required to authenticate the API call. The providers' own privacy and data-retention practices apply to data they process; we encourage you to review their policies.

Do not submit anything to the Service that you would not want a third-party AI provider to process.

We do NOT use your prompts, inputs, or generated outputs to train our own AI models. We do not have any AI models of our own.

We cannot guarantee how upstream AI providers handle data they receive. Their published policies (linked in Section 4) describe whether and how they may use submitted data for model training or improvement. If this is a concern, review their policies before submitting sensitive content.

Payments are processed exclusively by Stripe, Inc. When you check out, you interact with Stripe directly via Stripe Checkout or Stripe Elements. Stripe collects your payment method and billing details under its own privacy policy: https://stripe.com/privacy.

We receive only the metadata Stripe shares back with us — customer ID, subscription status, plan, amount, currency, and event timestamps — which we store to fulfill orders, grant credits, manage subscriptions, and meet tax/accounting obligations.

We collect minimal operational logs (request paths, response status codes, error stack traces, IP addresses, user-agent strings) to keep the Service running, prevent abuse, and enforce rate limits.

We do not currently run any third-party advertising trackers or behavioral-advertising analytics. If we add a privacy-respecting product analytics tool in the future (for example, to understand which features are used), we will update this policy and, where required by law, request your consent.

We do not sell your personal data.

We use cookies and browser local storage strictly to keep you signed in, remember your session, and operate Stripe checkout. We do not use advertising or cross-site tracking cookies.

We share information only with the service providers required to operate Dirtybunny: our hosting and database provider (Lovable Cloud / Supabase), our payment processor (Stripe), our AI providers (fal.ai, Lovable AI Gateway and the upstream models they route to), and our email/transactional providers, in each case only to the extent needed to deliver the Service.

We may disclose information if required by law, subpoena, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or abuse.

If we are involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction, subject to the terms of this policy.

A "sub-processor" is a third party that processes personal data on our behalf to help us operate Dirtybunny. We use the providers listed in the table below. We review each provider's security and privacy practices before onboarding and we limit what they receive to what is strictly necessary.

We may add or replace sub-processors as the Service evolves. The list on this page is the current list — check back to see updates. Where required by law (e.g. for enterprise data-processing agreements), we will give advance notice of material changes.

We retain account information for as long as your account is active. Generation history, prompts, inputs, and outputs are retained until you delete them or your account is closed — and only to the extent permitted by your Privacy & retention settings (see Section 3). If you have turned off retention for a category (prompts, uploads, or generations), we discard that category for new activity once the generation completes.

Billing and tax records are retained for the period required by applicable law (typically up to seven years), regardless of your retention settings.

Operational logs are retained for a short rolling window (typically up to 90 days) for security and debugging.

We use industry-standard measures to protect your data, including encryption in transit (HTTPS), encryption at rest for our database and storage, row-level security on database tables so users can only access their own data, and access controls on administrative tooling.

No system is perfectly secure. If you discover a vulnerability, please contact us at support@dirtybunny.io.

Depending on your jurisdiction (including under the EU GDPR, UK GDPR, and California CCPA/CPRA), you may have rights to access, correct, export, or delete your personal data, restrict or object to certain processing, and withdraw consent. You can exercise most of these directly in the app (delete generations, change email, close your account). For a written, trackable record — or if you are not the account holder (e.g. you want content depicting you removed) — submit a request at /data-request and you will receive a tracking link plus an email confirmation when the request is completed.

For all other requests, email support@dirtybunny.io and we will respond within the timeframe required by applicable law (typically 30 days).

You also have the right to lodge a complaint with your local data protection authority.

Dirtybunny and its providers may process your data in countries other than your own, including the United States. Where required, we rely on appropriate safeguards (such as standard contractual clauses) to protect international transfers.

The Service is not directed to anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us at support@dirtybunny.io and we will delete it.

We may update this Privacy Policy from time to time. The "Effective date" at the top will reflect the most recent change. Material changes will be communicated through the Service or by email where appropriate. Continued use of the Service after the changes take effect means you accept the updated policy.

Questions, requests, or complaints about this Privacy Policy? Contact us at support@dirtybunny.io.