Privacy Policy
Last updated: July 1, 2026
1. Overview
This policy explains what personal data PuffyBee processes, why, and your rights. We operate from the United Kingdom and comply with the UK GDPR, the EU GDPR for users in the European Economic Area, and Türkiye's KVKK for users in Türkiye.
2. What we collect
- Account data: name, email, password hash (never the plain password), or your Google account identifier if you sign in with Google.
- Content: prompts you write, media you upload, and media you generate. Generated results are stored so they appear in your studio.
- Usage & billing: credit balance, generation history, purchase records (product, amount, date — never card numbers; payments are handled by Lemon Squeezy as merchant of record).
- Technical: IP address and user-agent attached to sessions for security, and server logs for abuse prevention.
3. What we do NOT do
- We do not sell your personal data.
- We do not use your prompts, uploads, or generations to train AI models.
- We do not run advertising or cross-site tracking cookies — only strictly necessary session cookies.
4. How your content is processed
To generate media, your prompt and any uploaded media are sent to the AI model provider you select (e.g. Google, ByteDance, Black Forest Labs, via infrastructure partners such as TokenLab). Providers process this data to produce your result under their own terms. Generated files are stored in our object storage (Cloudflare R2) so your studio keeps working even after provider links expire.
5. Legal bases
- Contract: operating your account, generating media, delivering purchases.
- Legitimate interests: service security, abuse and fraud prevention.
- Legal obligation: tax and accounting records for purchases.
6. Retention
- Account data: kept while your account exists; deleted within 30 days of account deletion.
- Generated media: kept while your account exists so your studio history works; deleted with your account.
- Purchase records: kept as long as tax law requires.
7. Your rights
Depending on your jurisdiction (UK/EU GDPR, KVKK), you may request access, correction, deletion, portability, or restriction of your personal data, and you may object to processing based on legitimate interests. Write to support@puffybee.ai — we respond within 30 days. You may also complain to your supervisory authority (ICO in the UK, or your local authority).
8. International transfers
Our servers are in the European Union, and media storage is on Cloudflare R2. AI providers may process data in other countries (including the United States); where required we rely on appropriate safeguards such as standard contractual clauses.
9. Contact
Data controller: PuffyBee (United Kingdom). Contact: support@puffybee.ai