Privacy Policy
Last Updated: 2026.05.02
Effective Date: 2026.05.02
Important Notice
Please read this Privacy Policy carefully to understand how Flux Art collects, uses, shares, and protects your personal data.
Privacy at a Glance
The table below is a plain-language summary of the most-asked questions about how we handle your data. It does not replace the full Privacy Policy below — the detailed sections govern in case of any conflict.
- What data do we collect? Account information, billing data, your prompts and generated outputs, usage and device data, and a small set of cookies. See Section 2.
- Do we use your content to train AI models? No. We do not train our own foundational AI models, and we do not use your prompts, uploaded reference materials, or generated Outputs to train, fine-tune, or otherwise develop machine-learning models. See Section 5.
- Do we sell your personal data? No. See Section 7.
- Who can access your data? Our authorized engineering and support staff, plus a small set of vetted sub-processors (cloud hosting, payment processing, third-party AI model providers, email delivery, analytics). See Section 8.
- How long do we keep your data? Account info: while active + up to 24 months. Billing records: at least 7 years for tax/AML. User content: until you delete it. Logs: up to 12 months. See Section 10.
- What rights do you have? Access, correct, delete, export, object, withdraw consent, and opt out of "sale/sharing" (including via the Global Privacy Control signal). See Section 14.
- How do you contact us? [email protected] — see Section 20.
Flux Art is operated by MORNING STAR INDUSTRY LIMITED, a company incorporated in Hong Kong ("Flux Art," "Company," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, store, and otherwise process personal data when you access or use https://flux-art.ai and any related websites, applications, software, APIs, tools, and services we provide (collectively, the "Services").
This Privacy Policy should be read together with our Terms of Use and any other notices we may provide to you at the time we collect your data.
1. Scope of This Privacy Policy
This Privacy Policy applies to personal data we collect when you:
- visit our website;
- create or use a Flux Art account;
- use our web, mobile, desktop, or API-based Services;
- contact us for support, business inquiries, or legal requests; or
- otherwise interact with us in connection with the Services.
This Privacy Policy does not apply to third-party websites, products, or services that are not operated by us, even if they are linked to or integrated with our Services.
2. Personal Data We Collect
We may collect the following categories of personal data, depending on how you interact with the Services:
2.1 Information You Provide to Us
- Account Information: such as your name, email address, username, password, profile details, billing country, and account preferences.
- Payment and Transaction Information: such as subscription plan, purchase history, billing status, invoice details, and limited payment-related information provided by our payment processors. We do not typically store full payment card numbers.
- User Content: such as prompts, text, images, files, edits, instructions, and other content you upload, submit, generate, or request through the Services.
- Communications: such as the contents of messages, support requests, feedback, survey responses, and correspondence you send to us.
2.2 Information We Collect Automatically
- Usage Information: such as the features you use, pages you visit, actions you take, timestamps, referring URLs, and interactions with the Services.
- Device and Technical Information: such as IP address, browser type, device type, operating system, app version, language settings, crash reports, and diagnostic logs.
- Cookie and Similar Technology Data: such as cookie identifiers, advertising identifiers, and information collected through pixels, local storage, SDKs, and similar technologies.
2.3 Information We Receive from Third Parties
- Login or Account Providers: if you register or sign in through a third-party login provider.
- Payment Processors: limited transaction and payment status information.
- Analytics, Advertising, and Fraud Prevention Partners: information used to help us measure traffic, prevent abuse, and improve our Services.
- Referral, Affiliate, or Marketing Partners: where you arrive through a referral or campaign.
3. How We Use Personal Data
We may use personal data for the following purposes:
- to provide, operate, maintain, and improve the Services;
- to create and manage your account;
- to process purchases, subscriptions, renewals, refunds, and billing administration;
- to provide AI-generated outputs and requested features;
- to authenticate users and secure the Services;
- to detect, prevent, investigate, and address fraud, abuse, policy violations, illegal activity, and security incidents;
- to respond to support requests, feedback, and inquiries;
- to send service-related notices, technical updates, security alerts, and legal communications;
- to send marketing communications where permitted by law and subject to your preferences;
- to conduct analytics, debugging, quality assurance, product development, and service optimization;
- to comply with legal obligations and enforce our agreements; and
- to establish, exercise, or defend legal claims.
4. Legal Bases for Processing
If you are located in a jurisdiction that requires a legal basis for processing personal data, including the European Economic Area, the United Kingdom, or Switzerland, we generally rely on one or more of the following legal bases:
- Performance of a contract: where processing is necessary to provide the Services you request.
- Legitimate interests: where processing is necessary for our legitimate business interests, such as securing, operating, and improving the Services, provided that such interests are not overridden by your rights.
- Consent: where required by law, such as for certain cookies or direct marketing activities.
- Legal obligation: where processing is necessary to comply with applicable law, regulation, court order, or lawful request.
5. How We Use User Content (No Model Training)
We process prompts, images, files, and other User Content to provide the functionality you request, including generating, editing, transforming, storing, and displaying outputs.
We may also use User Content:
- to maintain and improve service quality, safety, and reliability;
- to detect abuse, fraud, or policy violations; and
- to comply with legal obligations.
5.1 No Use for Model Training. We do not train our own foundational AI models. We do not use your prompts, uploaded reference materials, or generated Outputs to train, fine-tune, or otherwise develop machine-learning models. This commitment applies to all individual user accounts; if we ever introduce a feature or program that permits opt-in contribution of data for model improvement, it will be presented separately with clear, granular consent and will be off by default.
5.2 Third-Party Model Providers. The Services rely on third-party AI model providers (listed in Section 8) to perform generation, moderation, and related tasks. These providers process your Inputs and Outputs to deliver the requested results to us. Some providers may, under their own policies, use submitted content for their own training or service-improvement purposes; where commercially available, we configure our integrations to disable third-party training on your content and to honor "do not train" or "zero data retention" options offered by the relevant provider. Each provider's data-handling practices are governed by its own policies.
5.3 Safety, Moderation, and Legal Holds. Where required by law or by our content-moderation obligations, we may retain copies of specific User Content (for example, content matched to known-bad hashes, or content subject to a preserve-evidence request from law enforcement) beyond normal retention windows. Such retention is strictly limited to the legitimate purpose and is held under restricted access.
6. Cookies and Similar Technologies
We use cookies and similar technologies to operate and improve the Services. These may include:
- Essential Cookies: necessary for authentication, security, network management, and core functionality.
- Preference Cookies: used to remember settings such as language, login state, and interface preferences.
- Analytics Cookies: used to understand traffic, usage patterns, feature performance, and product quality.
- Advertising Cookies: where permitted, used to measure campaigns and show more relevant promotions on third-party platforms.
- Affiliate or Referral Cookies: used to attribute referrals and partner traffic.
You can manage cookies through your browser settings and, where required by law, through our cookie banner or consent tools. Please note that disabling certain cookies may affect the functionality of the Services.
7. How We Share Personal Data
We may share personal data with the following categories of recipients:
- Service Providers: including hosting, cloud infrastructure, payment processing, analytics, customer support, security, email delivery, and other vendors who process data on our behalf under contractual safeguards (see Section 8 for the categorized list).
- AI and Technology Providers: where necessary to provide generation, processing, moderation, storage, or related technical functions.
- Professional Advisers: such as lawyers, auditors, insurers, and consultants, where reasonably necessary.
- Corporate Transaction Participants: in connection with a merger, acquisition, financing, restructuring, sale of assets, or similar transaction.
- Authorities and Law Enforcement: where required by law or where necessary to protect rights, safety, property, users, or the public.
- Other Parties at Your Direction: where you choose to connect third-party services or request that we share data.
We do not sell personal data for monetary consideration. If applicable law treats certain disclosures for advertising or analytics purposes as a "sale" or "sharing," you may have the right to opt out as described in Section 14 ("Your Privacy Rights").
8. Sub-processors
We engage trusted third-party sub-processors to help us operate the Services. We require our sub-processors, by contract, to provide at least the same level of data protection that we commit to under this Privacy Policy, to process personal data only on our documented instructions, and to assist us in responding to user-rights requests and security incidents.
The current categories of sub-processors include:
- Cloud Infrastructure & Storage: e.g., Cloudflare, AWS, Google Cloud Storage, and equivalent providers used for compute, content delivery, DNS, and object storage. Data is stored in the region appropriate to the user's location and our service architecture.
- Third-Party AI Model Providers: a curated set of leading AI model and inference providers (which may include providers headquartered in the United States, Europe, and Asia) used solely to perform the text-to-image, image-editing, video-generation, and moderation tasks that you request. The current list of specific providers, their function, and the region in which they process data is available on request by emailing [email protected].
- Payment Processing: our authorized payment processors used to securely accept payments and process refunds and chargebacks.
- Email Delivery: transactional email providers (such as Resend, Postmark, or similar) used to deliver account, security, and service emails.
- Analytics & Observability: privacy-respecting analytics, error monitoring, and product-telemetry providers.
- Customer Support: ticketing or live-chat tools used by our support team to respond to your requests.
An up-to-date list of specific sub-processor entities, along with their function and the region in which they process data, is available on request by emailing [email protected]. We will provide reasonable notice of material changes to our sub-processor roster.
9. International Data Transfers
We process personal data in Hong Kong, where Flux Art is established, and may transfer data to service providers and sub-processors operating in the United States, the European Economic Area, the United Kingdom, Singapore, and other regions where our infrastructure or sub-processors are located.
Data Localization by User Region. For users located in the EEA, the United Kingdom, Switzerland, the United States, and other jurisdictions outside the People's Republic of China, personal data is processed in Hong Kong, the United States, Singapore, the European Economic Area, and the United Kingdom; we do not route the personal data of these users to processing facilities located within the People's Republic of China. For users located within the People's Republic of China, personal data may additionally be processed within the People's Republic of China to comply with applicable local data-localization laws.
Because Hong Kong has not received an "adequacy decision" from the European Commission, when we transfer personal data of EEA, UK, or Swiss residents to Hong Kong or to other non-adequate jurisdictions, we rely on the following lawful transfer mechanisms:
- the European Commission's Standard Contractual Clauses (SCCs) (Module 1, 2, or 3 as applicable) for transfers out of the EEA;
- the UK International Data Transfer Addendum (IDTA) or the UK Addendum to the EU SCCs, for transfers out of the United Kingdom;
- the Swiss FADP-compliant variant of the SCCs, for transfers out of Switzerland;
- where required, supplementary technical and organizational measures (such as encryption in transit and at rest, access controls, and pseudonymization) identified through a Transfer Impact Assessment; and
- other lawful transfer mechanisms permitted by applicable law (such as your explicit consent, or transfers necessary for the performance of a contract with you).
You may request a copy of the relevant transfer mechanism, with commercial and confidential information redacted where appropriate, by contacting [email protected].
10. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:
- Account Information: retained while your account is active and for up to 24 months after account closure to handle disputes, fraud investigation, legal claims, and tax/accounting obligations.
- Billing and Transaction Records: retained for at least 7 years to comply with applicable tax, accounting, and anti-money-laundering laws (this is generally the longest mandatory retention period in relevant jurisdictions including Hong Kong, the EU, the U.S., and the U.K.).
- User Content (prompts, reference materials, generated Outputs): retained for as long as needed to provide the Services. Generated images and videos remain accessible in your account until you delete them or your account is closed; thereafter, residual copies are deleted from active systems within 30 days, subject to ordinary backup-rotation windows of up to 90 days.
- Support Communications: retained for up to 36 months after the last interaction.
- Usage Logs and Security Logs: retained for up to 12 months, unless longer retention is required for security investigation, fraud prevention, or legal compliance.
- Content Flagged Under Section 5.3 (Safety / Legal Holds): retained for the duration of the relevant legal hold or moderation obligation.
When personal data is no longer needed, we will delete, anonymize, or securely dispose of it, unless retention is required by law.
11. Data Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction. These measures may include access controls, encryption in transit where appropriate, network protections, logging, and role-based restrictions.
However, no method of transmission over the Internet or method of storage is completely secure. We therefore cannot guarantee absolute security.
12. Data Breach Notification
We operate an incident-response process to detect, investigate, contain, and remediate personal-data security incidents.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and, where required by law, the relevant supervisory authorities, in accordance with applicable legal obligations (including GDPR Articles 33 and 34, the UK GDPR equivalents, and any other applicable breach-notification laws). Notifications will be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Where notification to all affected individuals would involve disproportionate effort, we may provide a public communication or equivalent measure by which affected individuals are informed in an equally effective manner, as permitted by applicable law.
13. Children's Privacy
The Services are intended for users who are 18 years of age or older, consistent with Section 1 of our Terms of Use. We do not knowingly collect personal data from individuals under 18.
If you believe that a person under 18 has provided personal data to us, please contact us at [email protected] so that we can promptly delete the data and terminate the relevant account.
For users in jurisdictions where the digital age of consent is lower than 18 (for example, certain EU member states under GDPR Article 8), our 18+ age requirement still applies as a contractual matter; in addition, where local law sets a separate minimum age of digital consent that is lower, parental consent requirements under that local law apply in addition to our age-gating measures.
14. Your Privacy Rights
Depending on where you live, you may have certain rights regarding your personal data, subject to applicable law and any permitted exceptions. These rights may include:
- the right to access personal data we hold about you;
- the right to correct inaccurate or incomplete personal data;
- the right to request deletion of personal data;
- the right to object to or restrict certain processing;
- the right to withdraw consent where processing is based on consent;
- the right to data portability, where applicable;
- the right to opt out of certain marketing communications; and
- the right not to be discriminated against for exercising applicable privacy rights.
14.1 Response Timelines. We will respond to verified privacy-rights requests within 30 days where required by applicable law (such as GDPR Article 12). Where the request is complex or we have received a high volume of requests, we may extend this period by up to 60 additional days and will notify you of the extension and the reasons for it. For California residents, we will respond within 45 days as required by the CCPA, with one possible 45-day extension.
14.2 Hong Kong. If the Personal Data (Privacy) Ordinance (Cap. 486) applies, you may have the right to request access to and correction of your personal data. We may need to verify your identity before responding, and we may charge a reasonable fee where permitted by law for complying with a data access request.
14.3 EEA / UK / Switzerland. If applicable, you may also have rights under the GDPR, the UK GDPR, or equivalent laws, including rights to restriction, portability, and objection. You have the right to lodge a complaint with your local supervisory authority — for example, the Information Commissioner's Office (ICO) in the UK, the Irish Data Protection Commission, or the supervisory authority in the EU member state of your residence.
14.4 California / Global Privacy Control. If the California Consumer Privacy Act, as amended by the CPRA, applies to your data, you may have the right to know, access, correct, delete, and opt out of certain sales or sharing of personal information, subject to statutory exceptions. We recognize and honor the Global Privacy Control (GPC) signal as a valid request to opt out of any "sale" or "sharing" of personal information under California law. When we detect a GPC signal from your browser, we will treat it as such an opt-out request for the browser session and, where it can be linked to a known user account, for that account.
To exercise any applicable rights, please contact us using the details in Section 20 ("Contact Us"). We may need to verify your identity and authority before fulfilling your request.
15. Marketing Communications
We may send you marketing emails or similar communications where permitted by law. You can unsubscribe at any time by using the unsubscribe link in the message or by contacting us.
Even if you opt out of marketing communications, we may still send you non-promotional communications relating to your account, transactions, security, legal notices, or service updates.
16. Third-Party Links and Services
The Services may contain links to third-party websites, applications, plug-ins, or services. We are not responsible for the privacy practices of those third parties, and this Privacy Policy does not apply to them. We encourage you to review their privacy policies separately.
17. Automated Processing
We may use automated systems to operate and secure the Services, including for content generation, moderation, fraud detection, abuse prevention, personalization, and service optimization.
We do not use solely automated decision-making that produces legal or similarly significant effects on individuals unless permitted by applicable law and accompanied by any required safeguards.
18. Data Protection Contact
While we are not currently legally required to appoint a Data Protection Officer under GDPR Article 37, our Data Protection Contact handles all data-protection inquiries, user-rights requests, and breach-notification matters. The Data Protection Contact can be reached at [email protected].
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make material changes, we will update the "Last Updated" date and provide additional notice where required by law.
Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acknowledgment of the revised Privacy Policy, to the extent permitted by law.
20. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of personal data, please contact us at:
Flux Art
MORNING STAR INDUSTRY LIMITED
Website: https://flux-art.ai
Support Email: [email protected]
Privacy / Legal Email: [email protected]
Registered Office: RM 19, UNIT C1, 6/F, KAISER ESTATE PHASE 1, 41 MAN YUE STREET, HUNG HOM HK