Privacy Policy

Last updated: January 23, 2026

Pandora Studio ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered creative production platform. This policy applies to all users of our services, including our website, applications, and related services.

Important: Pandora Studio is an adult (18+) platform. By using our services, you confirm that you are at least 18 years of age or the age of majority in your jurisdiction, whichever is higher.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address
  • Username
  • Password (stored only in hashed form, as described in Section 5.1)
  • Date of birth (for age verification)
  • Country of residence

1.2 Identity Verification Data

For age verification purposes, we use third-party verification services. We do not store your identity documents. We only receive and store the verification result (verified/not verified) and a reference ID.

1.3 Payment Information

Payment processing is handled by Stripe. We do not store your complete credit card numbers. We receive and store:

  • Last four digits of your card
  • Card type and expiry date
  • Billing address
  • Transaction history

1.4 Generated Content

When you use our AI generation services, we collect:

  • Text prompts and descriptions you provide
  • Generated images and videos
  • Your generation history and preferences
  • Conversation logs with AI assistants

1.5 Usage Data

We automatically collect certain information when you access our platform:

  • IP address
  • Device type and operating system
  • Browser type and version
  • Access times and dates
  • Pages viewed and features used
  • Referring website addresses

1.6 Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

  • Essential cookies: Required for platform functionality and security
  • Functional cookies: Remember your preferences and settings
  • Analytics cookies: Help us understand how users interact with our platform

2. AI Training Data Handling

Your content is NEVER used for AI training.

We want to be absolutely clear: your prompts, generated content, and personal data are not used to train, improve, or develop any AI models.

2.1 Third-Party AI Providers

We use third-party AI providers to power our generation services. Our contracts with these providers explicitly prohibit the use of user content for training purposes. Your content is processed solely to fulfill your generation requests.

2.2 Contractual Protections

All our AI provider agreements include:

  • Prohibition on using user content for model training
  • Data processing agreements compliant with UK GDPR
  • Confidentiality obligations
  • Data security requirements

3. Content Storage and Retention

3.1 Server Locations

Your data is stored on secure servers located in the United States. Data transfers are protected by appropriate safeguards as detailed in Section 7.

3.2 Retention Periods

  • Active account data: Retained while your account is active
  • Generated content: Retained according to your account settings, with options to auto-delete
  • Usage logs: Retained for 12 months for security and fraud prevention
  • Payment records: Retained for 7 years as required by law

3.3 Post-Deletion Retention

When you delete content or your account:

  • Content is removed from active systems within 30 days
  • Content may persist in encrypted backups for up to 90 days
  • Anonymized usage statistics may be retained indefinitely

3.4 Violation Content Retention

Content that violates our Terms of Service, particularly content involving suspected illegal activity or child safety concerns, may be retained indefinitely for safety purposes and to comply with legal obligations, including potential law enforcement cooperation.

4. Third-Party Services

We work with the following categories of third-party service providers:

4.1 AI and Content Generation

We use third-party AI providers to generate images and videos. These providers process your prompts to create content but are contractually prohibited from using your data for training.

4.2 Payment Processing

Stripe handles all payment processing. Stripe is PCI DSS Level 1 certified. Their privacy policy is available at stripe.com/privacy.

4.3 Age Verification

Third-party age verification services process identity documents to confirm users meet our age requirements. We receive only the verification result, not the documents themselves.

4.4 Cloud Infrastructure

We use cloud service providers for hosting, storage, and content delivery. All providers are bound by data processing agreements.

4.5 Analytics

We use analytics services to understand platform usage patterns. These services collect anonymized or pseudonymized data to help us improve our services.

4.6 Data Processing Agreements

All third-party service providers are bound by data processing agreements that require them to:

  • Process data only on our instructions
  • Implement appropriate security measures
  • Assist with data subject rights requests
  • Delete data upon termination of services

5. Data Security

5.1 Technical Safeguards

  • Encryption in transit: All data transmitted using TLS 1.3
  • Encryption at rest: AES-256 encryption for stored data
  • Password security: bcrypt hashing with appropriate work factor
  • Access controls: Role-based access with principle of least privilege
  • Network security: Firewalls, intrusion detection, and DDoS protection

5.2 Organizational Safeguards

  • Regular security training for all staff
  • Background checks for employees with data access
  • Strict access logging and monitoring
  • Regular security audits and penetration testing

5.3 PCI DSS Compliance

Our payment processing through Stripe is PCI DSS compliant. We do not store, process, or transmit cardholder data on our own servers.

5.4 Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

  • We will notify the Information Commissioner's Office (ICO) within 72 hours
  • We will notify affected users without undue delay if the breach poses a high risk
  • Notifications will include the nature of the breach, likely consequences, and measures taken

6. Your Privacy Rights (UK GDPR)

Under the UK General Data Protection Regulation (UK GDPR), you have the following rights:

6.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this information within one month of your request.

6.2 Right to Rectification

You have the right to request correction of inaccurate personal data or completion of incomplete data.

6.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes it was collected.

6.4 Right to Restrict Processing

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.

6.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

6.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

6.7 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

6.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated.

ICO Contact:
Website: ico.org.uk
Telephone: 0303 123 1113

6.9 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@pandorastudio.ai. We will respond to your request within one month.

7. UK GDPR Compliance Details

7.1 Data Controller

Pandora Studio is the data controller responsible for your personal data.

7.2 Legal Bases for Processing

We process your personal data under the following legal bases:

  • Contract: Processing necessary to provide our services to you
  • Legal obligation: Processing required by law (e.g., tax records, safety reporting)
  • Legitimate interests: Processing for fraud prevention, security, and service improvement
  • Consent: Processing for marketing communications and optional analytics

7.3 International Data Transfers

When we transfer your data outside the UK, we ensure appropriate safeguards are in place:

  • Adequacy decisions: Transfers to countries recognized by the UK as providing adequate data protection
  • Standard Contractual Clauses (SCCs): UK-approved contractual safeguards with data importers
  • Transfer Impact Assessments: Regular assessments of data protection levels in recipient countries

7.4 ICO Registration

Pandora Studio is registered with the Information Commissioner's Office as a data controller. Our registration number is available upon request.

7.5 Data Protection Contact

For data protection inquiries, please contact: dpo@pandorastudio.ai

9. Age Verification Data

9.1 Verification Methods

We use third-party age verification services to confirm users are 18 years or older. Verification may involve:

  • Date of birth confirmation
  • Identity document verification (processed by third party)
  • Database checks against authoritative sources

9.2 What We Store

We do not store copies of identity documents. We only store:

  • Verification result (verified/not verified)
  • Verification timestamp
  • Reference ID for audit purposes

9.3 Security Measures

Age verification data is protected with the same security measures as other personal data and is only accessible to authorized personnel for compliance and support purposes.

10. Law Enforcement Requests

10.1 When We Disclose Information

We may disclose your personal data to law enforcement when:

  • Required by valid legal process (court order, warrant, subpoena)
  • Required by law (e.g., CSAM reporting obligations)
  • Necessary to prevent imminent harm to individuals
  • Necessary to protect our legal rights or property

10.2 Request Handling

When we receive law enforcement requests:

  • We verify the request's validity and legal authority
  • We narrow the scope to only what is legally required
  • We maintain logs of all disclosures

10.3 User Notification

Unless prohibited by law or court order, we will notify you of law enforcement requests concerning your data, giving you the opportunity to challenge the request.

10.4 Emergency Disclosures

In emergency situations involving imminent risk of death or serious physical injury, we may disclose information without legal process.

10.5 CSAM Mandatory Reporting

We are legally required to report any apparent child sexual abuse material (CSAM) to the National Center for Missing & Exploited Children (NCMEC) and relevant law enforcement authorities. Such reports are made without user notification.

11. Children's Privacy

Pandora Studio is strictly for adults aged 18 and over.

Our platform is not intended for use by anyone under the age of 18, and we do not knowingly collect personal data from minors.

11.1 Age Verification

We implement age verification measures to prevent access by minors. All users must confirm they are 18 or older before using our services.

11.2 Discovery and Deletion

If we discover that we have collected personal data from a person under 18:

  • We will immediately terminate the account
  • We will delete all associated personal data
  • We will retain only information required for legal compliance and safety

11.3 Reporting

If you believe a minor has accessed our platform, please contact us immediately at safety@pandorastudio.ai.

12. Changes to Privacy Policy

12.1 Right to Update

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.

12.2 Notification of Changes

We will notify you of material changes by:

  • Posting the updated policy on our website
  • Updating the "Last updated" date at the top of this page
  • Sending an email notification for significant changes
  • Displaying a prominent notice on our platform

12.3 Continued Use

Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Inquiries

We aim to respond to all privacy-related inquiries within 30 days, and to data subject rights requests within one month as required by UK GDPR.