1. Introduction and Scope

Past Lives AI (“we,” “us,” or “our”) operates the Past Lives AI website and related services (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service. Please read it carefully. By using the Service, you consent to the practices described in this policy.

This policy applies to information we collect through the Service and, where relevant, through email or other communications in connection with the Service. It does not apply to information collected by third-party sites, services, or applications that you may access via the Service (e.g. Google, payment processors); those are governed by their own privacy policies. Our Terms of Service govern your use of the Service and are incorporated by reference.

2. Data Controller

For the purposes of applicable data protection laws (including the GDPR where it applies), the data controller responsible for your personal data in connection with the Service is Past Lives AI. You can reach us using the contact details in Section 15 below.

3. Information We Collect

We collect information that you provide directly, that we obtain automatically when you use the Service, and that we receive from third parties when you use linked services (e.g. sign-in or payment).

Account and profile information. If you sign in through a third-party provider (e.g. Google via Firebase), we receive identifiers such as your email address, display name, and profile photo from that provider. We use this to create and manage your account, associate your credits and generated Portraits with you, and display your profile within the Service. We do not receive or store your third-party account password.

Content you submit. When you create a Portrait, you provide a photo (and optionally a name or other text). This content is necessary to generate the Portrait. We process and store this data, and we transmit it to our AI and media partners (see Section 6) as required to deliver the Service. We may retain your uploaded photos and generated Portraits for as long as needed to provide the Service, enforce our terms, and comply with law (see Section 10).

Payment-related information. When you purchase credits, payment is processed by our payment provider (Stripe). We may receive transaction identifiers, purchase amounts, and limited billing-related information (e.g. country) to fulfill orders, manage credits, and prevent fraud. We do not store full payment card numbers; those are handled entirely by the payment provider in accordance with their privacy policy.

Communications. If you contact us (e.g. for support or feedback), we collect the information you provide (such as your email and message content) to respond and to improve our Service.

Usage and device information. We automatically collect certain information when you use the Service, including: IP address, browser type and version, device type, operating system, referring URLs, pages or features accessed, and approximate time of access. We use this to operate and secure the Service, analyze usage patterns, debug issues, and improve performance. We may use cookies, local storage, and similar technologies for this purpose (see Section 8).

4. Legal Basis for Processing (EEA/UK)

If you are in the European Economic Area or the United Kingdom, we process your personal data on the following bases:

Contract: Processing necessary to perform our contract with you (e.g. providing the Service, managing your account and credits).
Legitimate interests: Processing necessary for our legitimate interests (e.g. security, fraud prevention, analytics, improving the Service), where those interests are not overridden by your rights.
Legal obligation: Processing necessary to comply with applicable law (e.g. tax, anti-fraud, or data retention obligations).
Consent: Where we rely on consent (e.g. for optional marketing or specific uses), you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose or we are required or permitted by law to do otherwise.

5. How We Use Your Information

We use the information we collect to:

Provide, operate, and maintain the Service (including generating Portraits, storing and displaying your content, and managing your account and credits).
Process payments and fulfill credit purchases through our payment provider.
Authenticate you and communicate with you about your account, the Service, or support requests.
Detect, prevent, and address fraud, abuse, security issues, and violations of our Terms of Service.
Analyze usage and improve the Service (e.g. performance, design, and user experience).
Comply with legal obligations and enforce our rights.
Send you service-related or administrative messages (e.g. about policy changes or security), where permitted by law.

We do not sell your personal data to third parties for advertising or marketing. We do not use your photos or Portraits to train AI models for purposes unrelated to providing the Service to you, except as disclosed here or with your consent.

6. How We Share Your Information

We share information only as described below or with your consent. We do not sell your personal data.

Service providers. We use third-party providers to operate the Service. They process data on our behalf under contractual obligations to protect data and use it only for the purposes we specify. Key providers include:

Authentication: Google (Firebase Authentication) — to enable sign-in; they process your email, name, and profile photo in accordance with Google’s privacy policy.
AI generation: Replicate (and similar AI providers) — to generate Portraits; they receive and process your uploaded photo and related inputs temporarily to produce the image.
Media storage and delivery: Cloudinary — to store, transform, and deliver your photos and generated Portraits (e.g. thumbnails, shareable URLs, watermarked versions).
Payments: Stripe — to process credit purchases; they collect and process billing and payment information in accordance with their privacy policy.
Hosting and infrastructure: Our application and databases may be hosted on platforms such as Vercel and related services; they process traffic and system data to host and run the Service.

Legal and safety. We may disclose your information if required by law, court order, or government request, or when we believe in good faith that disclosure is necessary to protect our or others’ rights, safety, or property, or to investigate fraud or violations of our terms.

Business transfers. If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction, subject to the same privacy commitments.

We do not share your personal data with third parties for their own marketing purposes.

7. International Transfers

Your information may be processed in the United States and in other countries where our service providers operate. Data protection laws in these countries may differ from those in your country of residence. When we transfer personal data from the EEA or UK to countries that have not been recognized as providing an adequate level of data protection, we implement appropriate safeguards (such as standard contractual clauses approved by the European Commission or UK authorities, or other mechanisms permitted by law) to protect your information.

You may request details about the safeguards we use for international transfers by contacting us (Section 15).

8. Cookies and Similar Technologies

We use cookies, local storage, and similar technologies to:

Keep you signed in and maintain your session (e.g. authentication tokens).
Remember your preferences (e.g. language, region).
Understand how the Service is used (e.g. analytics) and to improve performance.
Support security and fraud prevention.

You can control cookies through your browser settings (e.g. block or delete cookies). Note that blocking certain cookies may affect the functionality of the Service (e.g. you may need to sign in again, or some features may not work as intended). We do not use third-party advertising cookies on the Service.

9. Data Security

We implement technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit (e.g. HTTPS), access controls, and secure handling of credentials. No method of transmission or storage is completely secure; we cannot guarantee absolute security and are not responsible for the actions of third parties who may obtain access to your data despite our safeguards.

You are responsible for keeping your account credentials confidential. If you believe your account or data has been compromised, please contact us promptly.

10. Retention and Deletion

We retain your information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. For example:

Account data: Retained while your account is active and for a reasonable period after you delete your account (e.g. for backup, legal, or fraud-prevention purposes).
Content and Portraits: Retained as needed to deliver the Service and to allow you to access and share your Portraits; may be deleted or anonymized when you delete your account or request deletion, subject to legal retention requirements.
Transaction and payment records: Retained as required by tax and financial regulations (often several years).
Logs and usage data: Retained for a limited period for security, debugging, and analytics, then deleted or anonymized.

You may delete your account (and request deletion of associated personal data) through the Service (e.g. in Settings). We will process deletion requests in accordance with our procedures and applicable law. Some data may remain in backup or in anonymized form. Third-party providers may retain data in accordance with their own policies; we do not control their retention.

11. Children

The Service is not directed at children under 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected information from a child, please contact us and we will take steps to delete it promptly.

12. Your Rights

Depending on where you live, you may have the following rights in relation to your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your personal data, subject to legal exceptions.
Portability: Request a copy of your data in a structured, machine-readable format (where applicable).
Objection / restriction: Object to certain processing or request restriction of processing (e.g. in the EEA/UK).
Withdraw consent: Where we rely on consent, withdraw it at any time.
Complaint: Lodge a complaint with a supervisory authority (e.g. a data protection authority in your country).

If you are in California, you may also have the right to know the categories and specific pieces of personal information we collect, to delete personal information, to opt out of “sales” or “sharing” (we do not sell or share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA), and to non-discrimination for exercising your rights. We do not sell or share your personal data as those terms are defined under applicable California law.

To exercise any of these rights, contact us using the details in Section 15. We will respond within the time required by applicable law. We may need to verify your identity before processing your request. If you are in the EEA or UK, you have the right to lodge a complaint with your local data protection authority.

13. Do Not Track and Opt-Out

Some browsers offer a “Do Not Track” (DNT) signal. There is no uniform standard for how sites respond to DNT. We do not currently respond to DNT signals. You can control certain tracking and cookies through your browser settings and the choices we provide in the Service (e.g. cookie preferences, if offered). For opt-out of marketing communications, use the unsubscribe link in any marketing email or contact us.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or the law. We will post the updated policy on the Service and update the “Last updated” date at the top. For material changes, we may also notify you by email (if we have it) or through a prominent notice in the Service.

Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes. If you do not agree, you should stop using the Service and, where applicable, delete your account.

15. Contact Us

For questions, requests, or complaints about this Privacy Policy or our handling of your personal data, please contact us via the contact details provided in the Service or on our website. We will respond to legitimate requests within a reasonable time and in accordance with applicable law. If you are in the EEA or UK, you may also have the right to contact our designated representative or your local data protection authority.