Privacy Policy

Last updated: May 2026

This Privacy Policy explains how NextMotive (Houriehsadat Jalali), operator of ImageScript ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use the ImageScript service. This Policy applies in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR").

1. Data controller

The data controller responsible for your personal data is:

2. Data we collect

Account data

When you sign in with Google via Firebase Authentication, we receive and store your Firebase UID, email address, display name, and profile photo URL. This data is used to create and manage your account and identify you across sessions.

Analysis data

Images you upload are processed to generate SEO metadata. We store the analysis results (alt texts, captions, filenames, structured data) linked to your account for your reference history. We do not store original image files beyond the active analysis session unless temporary media storage is explicitly enabled, in which case files are deleted within 24 hours.

Payment data

Premium subscription payments are processed by Stripe or PayPal. We store only your subscription status, tier, and billing period dates. We do not store payment card numbers or bank details; those are handled exclusively by Stripe and PayPal under their own data protection obligations.

Usage analytics (consent required)

With your explicit consent, we record page views and feature usage events. Event records store a hashed, truncated IP address and a hashed user-agent string, your raw IP address and user-agent are never stored. If analytics consent is withdrawn, your identity is disassociated from all future event records.

Training dataset (consent required)

With your explicit ML training consent, anonymised analysis records may be included in our training dataset to improve AI quality. Dataset entries reference only an HMAC-SHA-256 derived anonymous identifier, never your raw user ID or email. You may withdraw this consent at any time via your privacy settings below.

3. Legal basis for processing (GDPR Art. 6)

• Performance of a contract (Art. 6(1)(b)): Authentication, image analysis, subscription management, and account history.
• Consent (Art. 6(1)(a)): Analytics event recording, ML training dataset inclusion, and marketing communications. You may withdraw consent at any time.
• Legitimate interest (Art. 6(1)(f)): Security logging, fraud prevention, and rate limiting. Security event records are retained for 90 days.
• Legal obligation (Art. 6(1)(c)): Tax and billing records required by German law (§ 147 AO, § 14b UStG).

4. Image processing and privacy safeguards

We have implemented the following technical measures to protect your image data:

• EXIF stripping: All metadata (GPS coordinates, device identifiers, timestamps) is removed from JPEG and PNG files at a single authoritative point in the processing pipeline, before any image bytes are transmitted to an AI vision provider.
• No AI-side retention: Vision API requests are made without requesting data retention by the provider. For xAI (Grok), all API requests explicitly include "store": false, ensuring images are never retained on xAI servers (GDPR Art. 5(1)(c), data minimisation).
• Upload validation: All uploads undergo MIME spoofing detection, full image integrity checks, and SVG rejection before processing begins.
• Prompt injection detection: Text extracted from images by vision models is scanned for prompt injection patterns before being passed to language models.

5. Third-party data processors

We share data with the following sub-processors under appropriate data processing agreements:

• Google Firebase / Firestore (Google LLC / Google Cloud EMEA Ltd.): Authentication and database storage. Google is certified under the EU–US Data Privacy Framework.
• Google Cloud Storage: Temporary image storage when enabled. Files are automatically deleted within 24 hours.
• OpenAI (OpenAI, LLC): Vision and language model analysis. EXIF-stripped image bytes are transmitted; no retention is requested.
• Google Gemini (Google LLC): Alternative vision and language model provider. Same privacy safeguards apply.
• xAI (xAI Corp.): Alternative vision and language model provider. All requests include "store": false.
• Stripe (Stripe Payments Europe, Ltd., Dublin, Ireland): Payment processing for premium subscriptions.
• PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg): Alternative payment processing.
• Cloudflare (Cloudflare, Inc.): Transactional email delivery (e.g. account notifications). Data transfers to the US are protected by Standard Contractual Clauses.
• SendGrid / Twilio (Twilio Inc.): Alternative transactional email provider. Data transfers to the US are protected by Standard Contractual Clauses.

Where processors are located outside the EEA, data transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary technical measures, or adequacy decisions.

6. Data retention

• Account and analysis data: Retained for as long as your account is active and for up to 12 months thereafter, or until you request erasure.
• Payment and billing records: Retained for 10 years as required by German tax law (§ 147 AO).
• Analytics events: Retained for 12 months from the date of recording.
• Security event records: Retained for 90 days.
• Consent records: Retained for the duration of your account plus 3 years for accountability purposes (GDPR Art. 5(2)).

7. Cookies and tracking

We use cookies and similar technologies in accordance with the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) and GDPR. Cookies that are not strictly necessary require your prior consent before being set.

We use the following categories of cookies and similar technologies:

• Necessary: Session management and authentication state. Always active; required for the Service to function.
• Functional: User preferences such as theme and display settings. Requires your consent.
• Analytics: Anonymous usage tracking. Requires your consent.
• ML Training: Inclusion of your anonymised analysis results in our training dataset. Requires your explicit consent.
• Marketing: Communications about new features and offers. Requires your consent.

You can manage all consent preferences at any time in the settings section below.

8. Automated decision-making and profiling

ImageScript does not use solely automated decision-making, including profiling, within the meaning of GDPR Art. 22(1) that produces legal effects or similarly significantly affects you. Subscription tier limits are determined by your chosen plan and are not the result of automated profiling of your personal data.

9. Your rights under GDPR

As a data subject you have the following rights:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate data.
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten"). Deleting your account triggers full data erasure.
• Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)): Withdraw any consent at any time via the settings below, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at imagescript@nextmotive.studio. We will respond within one month of receiving your request (GDPR Art. 12(3)). In complex or multiple requests, we may extend this period by up to two additional months; we will notify you within the first month if an extension is required.

10. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. As we are a private company based in Baden-Württemberg, the competent supervisory authority is:

You also have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement (GDPR Art. 77).