
Privacy Policy

Last updated: 2026-05-23

Contents
  1. The short version
  2. Who we are
  3. Data we collect
  4. How we use your data and lawful basis
  5. Service providers (data processors)
  6. How long we keep data
  7. International transfers
  8. Your rights
  9. Automated decisions and anti-abuse
  10. Security
  11. Data breaches
  12. Children
  13. Changes to this policy
  14. Contact and complaints
  15. Cookies and local storage
  16. California residents (CCPA / CPRA)

The short version

  • We collect what we need to run the product: your account, your generations, your settings.
  • We use third-party providers for authentication and database hosting, object storage and content delivery, AI image generation, error monitoring, and product analytics. When paid plans launch, payment processing is handled by a third-party payment processor (the "[Payment Processor]").
  • We capture your device fingerprint, IP address, and User-Agent at signup to prevent duplicate-account farming of free credits.
  • We do not sell your data. We do not share it with advertisers.
  • You can delete your account at any time from Settings, which removes your data from our database and our CDN.
  • If you are in the EU, UK, or California, you have the rights described in section 8.

Who we are

recreateme.ai (the "Service") is operated by Targamos Group LLC, a Limited Liability Company registered with the LEPL National Agency of Public Registry of Georgia on 28 January 2026 under Identification Number 405832764 (the "Operator", "we", "us"). Registered office: Vazha-Pshavela Avenue, block 5, building 1, apartment 31, Vake district, Tbilisi, Georgia. For the purposes of the EU General Data Protection Regulation (GDPR), the Operator is the data controller for personal data processed through the Service.

Contact: [email protected].

EU representative (GDPR Article 27). As the Operator is established outside the European Union, we will appoint a representative in the EU under Article 27 of the GDPR where our processing brings us within its scope. Until an appointment is published here, data subjects and supervisory authorities may raise all data-protection matters with us directly at [email protected].

We are not currently required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR because our processing does not constitute large-scale, systematic monitoring of data subjects nor large-scale processing of special-category data. For all data-protection enquiries, write to the contact address above.

Data we collect

Account data

When you sign up: email address, chosen username, password (hashed and stored by our authentication provider; we never see the plaintext), and OAuth profile fields (typically: provider user ID and email) if you sign in with Google or Apple.

Content you create

Reference images you upload, prompts you write, generations the AI produces, collections you create, posts you share to the Discover feed, likes, bookmarks, and follows.

Anti-abuse signals (collected at signup only)

  • Your IP address, used to detect duplicate-account creation from the same network.
  • A device fingerprint computed by an open-source browser fingerprinting library that hashes browser characteristics like canvas rendering, fonts, audio context, and screen properties into a stable identifier.
  • Your browser's User-Agent string.

These three signals are stored only on your account row and used solely to enforce our 8-free-credits-per-user policy. We do not use them to track you across the web, build advertising profiles, or share them with third parties.

Payment data (when paid plans launch)

When you upgrade to a paid plan, payment is processed by a third-party payment processor (the "[Payment Processor]"). The processor collects and processes your payment-method data (card number, billing address, country) on its own infrastructure under its own privacy policy. We receive only a transaction reference, the amount, the date, and your country for tax-compliance purposes. We never see your full card number.

Usage data

If you consent to analytics in the cookie banner, we collect product-usage events (page views, clicks, feature use, generation success rates) via a third-party product-analytics provider hosted in the European Union. Events are pseudonymous before you sign in (random distinct ID stored in your browser) and linked to your account ID after you sign in so we can measure activation and retention. You can revoke this consent at any time from the cookie preferences and subsequent events stop within the page session.

Local storage in your browser

We use your browser's local storage to keep you signed in (auth tokens) and to remember preferences (theme, generation defaults, sidebar widths, dismissed onboarding tour). For the full list, see our Cookie Policy.

How we use your data and lawful basis (GDPR Article 6)

Purpose | Data used | Lawful basis
Provide the Service (authenticate you, run generations, store and serve your content) | Account data, content you create | Performance of a contract (Article 6(1)(b))
Detect and prevent abuse of the free tier | IP address, device fingerprint, User-Agent | Legitimate interest (Article 6(1)(f)) in protecting the Service and our other users from fraud
Process payments and comply with tax law | Payment metadata via the payment processor, country | Performance of a contract and legal obligation (Article 6(1)(b) and (c))
Send transactional emails (account confirmation, password reset, billing receipts) | Email address | Performance of a contract (Article 6(1)(b))
Send marketing emails | Email address | Consent (Article 6(1)(a)). Off by default; opt in from Settings.
Improve the product through analytics | Anonymous usage events | Consent via the cookie banner (Article 6(1)(a))
Comply with legal obligations and respond to lawful requests | Whatever is required | Legal obligation (Article 6(1)(c))

Service providers (data processors)

We rely on the following sub-processors. Each operates under its own privacy policy. Where required by GDPR, our agreements with them include the EU Standard Contractual Clauses for international transfers.

Changes to sub-processors. We may update our sub-processors from time to time. Where we add a new sub-processor that will process your personal data, we will give active users advance notice by email (we aim for at least 30 days) unless a shorter period is required for security or legal reasons. You may object by writing to [email protected] before the change takes effect; if we cannot resolve your concern, you may stop using and cancel the Service.

  • A managed PostgreSQL database and authentication provider (data hosted in the United States): stores your account, content metadata, and authentication records.
  • An object storage and content-delivery network provider (data hosted in the United States): generated images and reference uploads, plus CDN delivery.
  • A generative AI image-model API (data hosted in the United States): processes the prompts and reference images you submit to produce generations. Inputs are subject to the model provider's API data-use terms.
  • A container hosting provider (data hosted in the United States): application hosting.
  • A backend error-monitoring service (data hosted in the United States): captures stack traces and request IDs but no browser-side personal data.
  • A product-analytics provider (data hosted in the European Union): receives pseudonymous usage events only if you consent to analytics cookies. Linked to your account ID after sign-in for activation and retention measurement.
  • [Payment Processor] (when paid plans launch): payment processing. Handles card data, refunds, and chargebacks under its own privacy policy.

How long we keep data

Data category | Retention period
Account data, content you created | Until you delete your account or the specific item
Anti-abuse signals (fingerprint, IP, UA) | Lifetime of the account, deleted with the account
Backend error-monitoring logs | 30 days, then auto-deleted
Server access logs | 14 days
Payment records | As required by tax law (typically 7-10 years), held by our payment processor
Backups | Up to 30 days, then overwritten

When you delete your account, your row is removed from our database and your media is removed from our CDN. Backups containing your data continue to exist for up to 30 days until they are overwritten in the normal rotation, after which all references are gone.

International transfers

Our infrastructure providers store and process data in data centers located outside the European Economic Area, primarily in the United States. Where personal data is transferred from the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (Module 2: Controller to Processor) as the lawful transfer mechanism. Each provider above maintains its own SCCs or equivalent safeguards.

Your rights

If you are in the EU, UK, EEA, or California, you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: delete your data. Available one-click from Settings; cascades through our database and CDN. Backups age out within 30 days.
  • Portability: export your data in a structured, machine-readable format. Email us to request.
  • Restriction: request that we limit how we process your data while you contest its accuracy or our legal basis.
  • Objection: object to processing based on legitimate interest (such as our anti-abuse system).
  • Withdraw consent: for analytics, marketing emails, or any processing based on your consent. Available from the cookie banner (analytics, marketing) and from Settings (email preferences).
  • Lodge a complaint: with your local data-protection authority. EU residents can find theirs at edpb.europa.eu. UK residents: ICO at ico.org.uk.

To exercise any of the above (other than the ones available in-product), email [email protected]. We respond within 30 days as required by GDPR.

Automated decisions and anti-abuse

At signup we run an automated check that compares your device fingerprint and IP address to recently created accounts. If a match is found within the past 90 days, your account is created normally but your free credits are withheld pending manual review. This is the only automated decision we make that has any effect on you.

If your free credits are withheld and you believe this is in error (for example, you share a network with a household member who already has an account), email [email protected] and we will review your account manually within 48 hours.

Security

Passwords are hashed by our authentication provider using bcrypt; we never see your plaintext password. Authentication uses signed JSON Web Tokens (JWTs) that are validated server-side on every request against a secret stored only on our servers. Database access is restricted to our backend service role and protected by row-level security on all public tables. All traffic is HTTPS in production. We do not store payment cards on our infrastructure (our payment processor handles them).

Data breaches

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay (Article 34).

Children

The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe a child has registered an account, contact us and we will delete the account and any associated data.

This is stricter than the United States COPPA threshold of 13 to align with the most restrictive GDPR implementations across EU member states.

Changes to this policy

If we make material changes we will update the "Last updated" date at the top and, for changes that affect your rights or how your data is used, notify active users by email at least 14 days before the change takes effect. Continued use of the Service after the effective date means you accept the updated policy. Earlier versions are available on request.

Contact and complaints

For any privacy enquiry: [email protected].

If you are not satisfied with our response, you have the right to complain to your local data-protection authority. EU residents can find their authority via the European Data Protection Board.

Cookies and local storage

The full inventory of cookies, localStorage, and sessionStorage keys we use lives on the dedicated Cookie Policy. It follows the EU ePrivacy convention of grouping storage into essential, functional, analytics, and marketing categories, lists every key with its purpose and lifetime, and includes a control to manage your consent at any time.

California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), gives you the following additional rights and entitles you to the disclosures in this section.

Categories of personal information we collect

In the past 12 months we have collected the following categories of personal information, as defined by the CCPA:

  • Identifiers: email address, username, account ID, OAuth provider ID, IP address, device fingerprint.
  • Customer records: hashed password (handled by our authentication provider; we never see plaintext), display name.
  • Commercial information: subscription plan, credit balance, transaction metadata received from our payment processor (amount, date, country; no card details).
  • Internet or network activity: User-Agent string, request logs, product-analytics events (only if you consent), feature usage.
  • Geolocation data: approximate location inferred from IP address and from the billing country received from our payment processor. We do not collect precise geolocation.
  • Inferences: derived signals used to enforce our anti-abuse policy (e.g. similarity scores between fingerprints across accounts).
  • User-generated content: prompts you write, reference images you upload, generations produced for your account, collections, posts, likes, follows.

We do not knowingly collect "sensitive personal information" as defined by the CPRA (e.g. precise geolocation, racial or ethnic origin, religious beliefs, contents of mail, genetic data, biometric data for identification, health information).

Business or commercial purposes for which we use it

We use each of the above categories solely for the purposes described in section 4 of this Policy (providing the Service, preventing abuse, processing payments, transactional communications, opt-in analytics, and compliance with legal obligations). We do not use personal information for any purpose beyond those.

Categories of third parties we share with

We share categories of personal information with the sub-processors listed in section 5 (database/authentication provider, object storage and CDN, generative AI image-model API, container hosting, error monitoring, product analytics, and our payment processor for payment processing). Each acts as a service provider under the CCPA; their processing is limited by contract to the purposes for which we engage them, and they are prohibited from selling or sharing personal information.

"Do Not Sell or Share My Personal Information"

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We have not sold or shared personal information in the past 12 months. Because we do not engage in these activities, we do not display a "Do Not Sell or Share My Personal Information" link; the equivalent right is satisfied by default. If we ever begin to sell or share personal information, we will update this Policy, post the required link, and request your opt-in consent where required.

Your California rights

In addition to the rights listed in section 8, California residents have the right to:

  • Know: request that we disclose the specific pieces of personal information we have collected about you.
  • Delete: request that we delete personal information we have collected from you (subject to legal-retention exceptions).
  • Correct: request that we correct inaccurate personal information we maintain about you.
  • Limit use of sensitive personal information: not applicable as we do not knowingly collect sensitive personal information.
  • Non-discrimination: we will not deny you the Service, charge you a different price, or provide a different level of quality because you exercised your CCPA rights.

To exercise these rights, email [email protected] from the address on your account, or use the deletion control in Settings. We may need to verify your identity (typically by matching the request email to your account email) before fulfilling a request. You may designate an authorized agent to make a request on your behalf; we will require the agent to provide a signed written authorization.

Retention

We retain each category of personal information for the periods set out in section 6 above.

Metrics

If we receive enough CCPA requests in a calendar year to be required to publish metrics under §999.317(g) of the CCPA Regulations, we will do so at this URL.

Related policies

  • Terms of Service
  • Cookie Policy
  • Refund Policy
