Painty.cc - AI Photo Editor

PRIVACY POLICY

Effective date: December 6, 2025

1. General Provisions

This Privacy Policy (the "Policy") describes how PE (IE) Sholokhov Mikhail ("we", "us", "our", the "Operator") collects, uses, stores, shares and protects the personal data of users ("you", the "User") of the Painty.cc service available at https://painty.cc/ (the "Service", the "Website").

By using the Service, you agree to the practices described in this Policy. If you do not agree with any part of this Policy, please do not use the Service.

We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) where applicable, and the data protection laws of the Republic of Armenia.

Data Controller: PE (IE) Sholokhov Mikhail, TIN 20241649, registered at 81/1, Manushyan str., Arabkir, Yerevan, 0012, RA (Republic of Armenia).

2. Definitions

Personal Data — any information relating to an identified or identifiable natural person.

Processing — any operation performed on personal data, such as collection, recording, storage, retrieval, use, disclosure, transmission, erasure or destruction.

Operator (Data Controller) — a person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

User — a natural person who uses the Service and provides their personal data to the Operator.

Third-Party Processor — a service provider engaged by the Operator to process personal data on the Operator's behalf (e.g. payment processor, cloud storage, AI inference provider).

3. Categories of Personal Data We Collect

3.1. Data you provide directly:

  • Email address (used as your login and for notifications);
  • Password (stored as an Argon2 hash — we never see your plain-text password);
  • Display name (optional);
  • Photos and images you upload for AI processing;
  • Text prompts you enter for image generation or editing;
  • Support messages and any other content you submit to us.

3.2. Data we collect automatically:

  • IP address (used for security, anti-fraud and analytics);
  • Country code (provided by Cloudflare via the CF-IPCountry header);
  • Browser type, language, user agent;
  • Browser fingerprint (a hash used to detect multi-account abuse);
  • UTM parameters from the referring URL (utm_source, utm_medium, utm_campaign, utm_term, utm_content);
  • Landing URL and referrer header;
  • Usage data — pages visited, features used, timestamps, credit balance changes;
  • Cookies and similar technologies (see Section 8).

3.3. Payment data:

Payments are processed by Polar Software Inc. (Polar.sh) acting as our merchant of record. Polar.sh collects and processes your payment information (card details, billing address, tax-relevant information) directly. We do not store your card details on our servers. We receive only the following information from Polar.sh: order ID, customer ID, subscription ID (if applicable), amount paid, currency, payment status, and product/plan identifier. Please review the Polar.sh Privacy Policy for details.

4. Purposes of Processing

We process your personal data for the following purposes:

  • To provide the Service to you (process photos, generate images, manage your credit balance);
  • To authenticate you and maintain your session;
  • To process payments (via Polar.sh) and grant purchased credits;
  • To send transactional emails (registration confirmation, password reset, payment receipts);
  • To send service-related notifications (with your consent — promotional emails about new features and special offers);
  • To prevent fraud, abuse and unauthorized access (browser fingerprinting, rate limiting, IP analysis);
  • To improve the Service (analytics, performance monitoring);
  • To comply with legal obligations (tax reporting, response to lawful requests from authorities);
  • To resolve disputes and enforce our agreements.

5. Legal Basis for Processing

We rely on the following legal bases (under GDPR Article 6 where applicable):

  • Performance of contract — to provide the Service you signed up for;
  • Legitimate interest — to prevent fraud, secure the Service, and improve our offering;
  • Consent — for marketing emails and non-essential cookies;
  • Legal obligation — to comply with tax, accounting, and anti-money-laundering laws.

6. Third-Party Service Providers

We share personal data with the following categories of third-party processors who help us deliver the Service:

  • Polar Software Inc. (Polar.sh) — payment processing, merchant of record, invoicing, tax compliance.
  • AI inference providers — including OpenRouter, Replicate, Kie.ai, and our own ComfyUI infrastructure. They process your uploaded images and text prompts to produce AI outputs. They do not receive your email or identity data — only the image and prompt.
  • Cloudflare — DDoS protection, CDN, IP geolocation (CF-IPCountry header).
  • S3-compatible storage provider (Timeweb Cloud) — temporary storage of uploaded images and AI-generated outputs.
  • SMTP email provider — delivery of transactional and notification emails.
  • Analytics providers — to understand how the Service is used (only aggregated, anonymized data where possible).
  • FingerprintJS — generating a browser fingerprint hash for fraud and abuse prevention.

We do not sell, rent, or trade your personal data to advertisers or other third parties.

7. Data Storage and Security

  • Personal data is stored in a MySQL database hosted on infrastructure located in the Russian Federation, with backups encrypted at rest.
  • Passwords are hashed using Argon2 (industry-standard, slow, memory-hard hashing).
  • Communications between your browser and our servers are protected by TLS (HTTPS) via Let's Encrypt certificates, with HSTS enabled.
  • Uploaded images are stored in S3-compatible storage with a default retention policy of 48 hours, after which they are automatically deleted (or earlier if you delete them manually).
  • Access to the database and infrastructure is restricted to authorized personnel only, behind SSH key authentication and a private network.
  • We monitor our systems for unusual activity and log all authentication events for security audits.

8. Cookies and Tracking

We use the following categories of cookies:

  • Strictly necessary cookies — for authentication (NextAuth session token), anti-CSRF protection, and basic Service functionality. These cannot be disabled.
  • Functional cookies — to remember your preferences (e.g. last selected edit type, theme).
  • Analytics cookies — to measure usage of the Service. You may opt out via your browser's Do Not Track signal or by rejecting cookies.

You can configure your browser to refuse all cookies or to alert you when cookies are being sent. However, if you reject strictly necessary cookies, you will not be able to use the Service.

9. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

  • Right of access — to receive a copy of your personal data we hold;
  • Right of rectification — to correct inaccurate or incomplete data;
  • Right to erasure (right to be forgotten) — to request deletion of your personal data, subject to legal retention obligations;
  • Right to restrict processing — to limit how we use your data in certain circumstances;
  • Right to data portability — to receive your data in a structured, commonly used format;
  • Right to object — to object to processing based on legitimate interest or for marketing purposes;
  • Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time;
  • Right to lodge a complaint — with a supervisory data protection authority in your jurisdiction.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

10. Data Retention

  • Account data (email, password hash, profile) — retained while your account is active and for up to 24 months after account closure for legal/audit purposes.
  • Uploaded photos — automatically deleted after 48 hours (configurable retention).
  • Payment records — retained for at least 5 years for tax and accounting compliance.
  • Authentication and security logs — retained for 12 months.
  • Analytics data — retained in aggregated form for up to 36 months.

11. International Data Transfers

Because we work with global third-party providers (including Polar.sh in the United States, AI providers worldwide, and Cloudflare globally), your personal data may be transferred to and processed in countries outside your country of residence, including jurisdictions that may have different data protection standards than your own. We rely on Standard Contractual Clauses and adequacy decisions where applicable to ensure your data remains protected.

12. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

13. AI-Generated Content

Photos and prompts you submit are processed by third-party AI providers to generate the requested output. AI providers may temporarily retain the input and output for the duration of processing and for short-term caching. We do not authorize them to use your data to train their models. Please be aware that AI outputs are generated probabilistically and may not be unique or guaranteed to be free of artifacts.

14. Changes to this Policy

We may update this Policy from time to time. The "Effective date" at the top of this page indicates the date of the most recent revision. Significant changes will be communicated to you via email or a notice on the Website. Continued use of the Service after the changes take effect constitutes your acceptance of the updated Policy.

15. Contact Us

For any questions, complaints or data subject requests regarding this Policy or your personal data, please contact:

PE (IE) Sholokhov Mikhail
TIN 20241649 · Reg# 286.1574050
81/1, Manushyan str., Arabkir, Yerevan, 0012, RA
Republic of Armenia
Email: [email protected]
Website: https://painty.cc