Privacy Policy
Last updated: April 6, 2026
1. Introduction
ULCUT AI Creative Studio ("we," "us," "our," or the "Platform") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at https://ulcut.com and use our AI-powered creative services.
Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.
This Privacy Policy applies to information we collect on the Platform, in email, text, and other electronic communications between you and the Platform, and through any mobile or desktop applications that link to this Privacy Policy.
2. Information We Collect
2.1 Information You Provide Directly
We collect information that you voluntarily provide when using the Service, including:
- Account Information: Your name, email address, and profile avatar when you register for an account.
- Authentication Data: One-time passcodes (OTPs) sent to your email for account verification, and Google OAuth tokens if you choose to sign in with Google.
- Generation Prompts: Text prompts, parameters, and settings you submit to generate AI content.
- Uploaded Images: Images you upload for image-to-video or image reference features.
- Contact Information: Your name, email, subject, and message content when you submit our contact form.
- Communication Data: Records and content of correspondence if you contact us directly.
2.2 Information Collected Automatically
When you access or use the Service, we automatically collect certain information, including:
- IP Address: Your Internet Protocol address, collected during account registration, login, and general usage for security and fraud prevention.
- Device Information: Browser type and version, operating system, device type, and screen resolution.
- Usage Data: Pages visited, features used, generation history, click patterns, and time spent on pages.
- Session Information: Session identifiers, login timestamps, and session duration for security monitoring.
- Referral Data: The URL that referred you to our Platform and any search terms used.
- Generation Metadata: AI model used, generation parameters, credit costs, status (completed, failed, cancelled), processing times, and output file information.
2.3 Information from Third Parties
We may receive information about you from third-party services:
- Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from your Google account.
- Stripe: We receive payment confirmation, subscription status, and transaction identifiers from Stripe. We do not receive or store your complete credit card number, CVV, or full card details.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Delivery
- To create and manage your account.
- To authenticate your identity and maintain session security.
- To process your generation requests by transmitting prompts and parameters to AI providers.
- To store and deliver generated content through your Library.
- To track and manage your credit balance and usage history.
- To process payments and manage subscriptions through Stripe.
3.2 Communication
- To send you OTP verification codes during registration and login.
- To send transactional emails regarding your account, payments, and generations.
- To respond to your contact form submissions and support requests.
- To send important service-related announcements and updates.
3.3 Security & Fraud Prevention
- To monitor and prevent fraudulent activity, abuse, and violations of our Terms of Service.
- To detect and respond to security incidents and unauthorized access attempts.
- To manage session security and identify suspicious login patterns.
- To enforce our Terms of Service and applicable policies.
3.4 Improvement & Analytics
- To analyze usage patterns and improve the Service's features and performance.
- To understand user preferences and optimize the user experience.
- To monitor system performance, identify bugs, and troubleshoot issues.
- To generate aggregate, anonymized analytics and reports.
3.5 Legal Compliance
- To comply with applicable laws, regulations, and legal processes.
- To respond to lawful requests from public and government authorities.
- To protect our rights, privacy, safety, or property, or that of our users or the public.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a legal basis for processing personal data, we rely on the following:
- Contract Performance: Processing necessary to perform our agreement with you and provide the Service (account management, content generation, payment processing).
- Consent: Where you have given explicit consent for specific processing activities (e.g., analytics cookies, marketing communications).
- Legitimate Interests: Processing necessary for our legitimate interests, including improving the Service, ensuring security, and preventing fraud, provided these interests are not overridden by your rights.
- Legal Obligation: Processing necessary to comply with applicable legal requirements.
5. AI Processing & Data Handling
When you use our AI generation features, your data is processed as follows:
5.1 Prompt Processing
Your text prompts and generation parameters are transmitted to third-party AI providers (such as Nano Banana/Google Gemini, FLUX, and Kling) for processing. These providers process your prompts to generate the requested content. We store your prompts in our database for your generation history and to facilitate the generation workflow.
5.2 Image Uploads
When you upload images for image-to-video generation or reference, the images are temporarily stored on our servers and transmitted to the relevant AI provider. Uploaded images are retained only as long as necessary for the generation process and your Library access.
5.3 Generated Content
AI-generated photos and videos are stored on our servers and accessible through your Library. Generated content is associated with your account via unique UUIDs and is accessible only to you and authorized administrators. We do not use your generated content to train AI models.
5.4 AI Provider Data Practices
Each AI provider has its own data handling practices. We select providers that maintain appropriate data protection standards, but we encourage you to review the privacy policies of these providers. The specific AI providers used and their policies may change as we update our service offerings.
6. Data Storage & Security
We implement comprehensive security measures to protect your personal information:
- Encryption at Rest: Sensitive data, including API keys and configuration secrets, is encrypted using AES-256-CBC encryption.
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- Secure Authentication: Passwords are hashed using bcrypt with appropriate cost factors. OTP codes are time-limited and single-use.
- Session Security: Sessions are managed with secure tokens, IP-based validation, and automatic expiration.
- Access Control: Generated content is stored with UUID-based paths, preventing unauthorized access through URL guessing.
- CSRF Protection: All form submissions are protected with CSRF tokens to prevent cross-site request forgery attacks.
- Content Security Policy: We implement CSP headers to mitigate cross-site scripting (XSS) attacks.
- Database Security: Database credentials are stored securely in environment variables and are never committed to version control.
Despite these measures, no method of electronic storage or transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
7. Cookies & Tracking Technologies
7.1 Essential Cookies
We use essential cookies that are strictly necessary for the operation of the Service:
- Session Cookies: To maintain your login session and authentication state.
- CSRF Tokens: To protect against cross-site request forgery attacks.
- Cookie Consent: To remember your cookie preferences.
7.2 Analytics Cookies
With your consent, we may use analytics cookies and tracking technologies:
- Google Analytics: We may use Google Analytics to collect information about how you interact with the Service. Google Analytics uses cookies to collect information such as how often you visit the Platform, what pages you visit, and what other sites you visited prior to coming to our Platform. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
- Google Tag Manager: We may use Google Tag Manager to manage analytics and marketing tags on our Platform.
7.3 Managing Cookies
You can manage your cookie preferences through our cookie consent banner when you first visit the Platform. You can also control cookies through your browser settings. Please note that disabling essential cookies may prevent certain features of the Service from functioning properly.
8. Third-Party Services
We share information with the following categories of third-party service providers:
8.1 Payment Processing (Stripe)
We use Stripe to process all payments. When you make a purchase, Stripe collects your payment card information directly. We receive from Stripe: transaction confirmations, subscription status, Stripe customer IDs, and payment method identifiers. We do not have access to your full card number. Stripe's privacy policy is available at stripe.com/privacy.
8.2 Authentication (Google)
If you choose to sign in with Google, we use Google's OAuth 2.0 service. Google shares your name, email address, and profile picture with us. Google's privacy policy is available at policies.google.com/privacy.
8.3 AI Generation Providers
We transmit your generation prompts, parameters, and uploaded images to AI providers for content generation. These providers include, but are not limited to:
- Nano Banana / Google Gemini: For AI photo generation.
- FLUX (Black Forest Labs): For high-quality image synthesis.
- Kling (Kuaishou): For text-to-video, image-to-video, and motion-controlled video generation.
Each AI provider processes data according to their own privacy policies and terms. We select providers that maintain appropriate data protection standards but cannot guarantee the data practices of third-party providers.
8.4 Analytics (Google Analytics & Tag Manager)
With your consent, we may use Google Analytics and Google Tag Manager to analyze Platform usage. These services may collect information about your browsing behavior, device characteristics, and geographic location (at the city level). This data is used in aggregate to understand usage trends and improve the Service.
8.5 Email Services
We use SMTP-based email services to send transactional emails, including OTP verification codes, payment receipts, and contact form notifications. Your email address and message content are transmitted through our email service provider.
9. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We may disclose your information in the following circumstances:
- Service Providers: To third-party service providers who perform services on our behalf, as described in Section 8, subject to confidentiality obligations.
- Legal Requirements: When required by law, regulation, legal process, or governmental request.
- Protection of Rights: To protect the rights, property, or safety of ULCUT AI Creative Studio, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of the business assets. We will notify you of any such transfer and any changes to the applicable privacy policy.
- With Your Consent: With your explicit consent or at your direction.
10. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law:
- Account Data: Retained for the duration of your account. If you deactivate your account, we retain your data for 30 days before permanent deletion to allow for account recovery.
- Generation History: Retained for the duration of your account. Generation metadata may be retained in anonymized form for analytics after account deletion.
- Generated Content: Stored for the duration of your active account. Content may be deleted after 180 days of account inactivity.
- Payment Records: Retained for 7 years to comply with financial record-keeping requirements.
- Session Logs: Security-related session data is retained for up to 90 days.
- Contact Form Submissions: Retained for up to 2 years for customer service purposes.
- Anonymized Analytics: Aggregate, anonymized data may be retained indefinitely for statistical analysis.
11. Your Rights
Depending on your location and applicable data protection laws, you may have the following rights regarding your personal information:
11.1 General Rights
- Right of Access: You have the right to request a copy of the personal information we hold about you.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal information. You can update most account information directly through your Profile page.
- Right to Erasure: You have the right to request deletion of your personal information, subject to certain legal exceptions. You can deactivate your account through Profile > Security.
- Right to Restrict Processing: You have the right to request restriction of processing of your personal information under certain circumstances.
- Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, machine-readable format.
- Right to Object: You have the right to object to the processing of your personal information for certain purposes, including direct marketing.
- Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
11.2 GDPR Rights (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and UK GDPR, including the right to lodge a complaint with your local data protection authority. If you are in the EU, you may file a complaint with your national Data Protection Authority. If you are in the UK, you may contact the Information Commissioner's Office (ICO).
11.3 CCPA Rights (California Users)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including: the right to know what personal information we collect, the right to request deletion, the right to opt out of the sale of personal information (we do not sell your personal information), and the right to non-discrimination for exercising your privacy rights.
11.4 Exercising Your Rights
To exercise any of your rights, please contact us at info@ulcut.com or through our contact form. We will respond to your request within 30 days (or the period required by applicable law). We may need to verify your identity before processing your request.
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe that we have inadvertently collected personal information from a child under 18, please contact us immediately at info@ulcut.com.
13. International Data Transfers
Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country. When we transfer your information internationally, we apply appropriate safeguards to ensure your information remains protected in accordance with this Privacy Policy and applicable law.
For transfers from the EEA or UK, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms under applicable data protection law.
AI providers used by the Service may process your generation prompts and uploaded images in various jurisdictions. By using the Service's AI generation features, you acknowledge and consent to the international transfer of your data to these AI providers.
14. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no common understanding of how to interpret DNT signals, the Service does not currently respond to browser DNT signals. You can manage your cookie preferences through our cookie consent banner and browser settings.
15. Third-Party Links
The Service may contain links to third-party websites or services that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
16. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay (and within 72 hours where required by GDPR) through email and/or a prominent notice on the Platform. We will also notify the relevant supervisory authority where required by applicable law.
17. Automated Decision-Making
The Service uses automated processes for the following purposes:
- Credit Deduction: Credits are automatically deducted when you initiate a generation and refunded if the generation fails.
- Content Moderation: AI providers may apply automated content safety filters to generation requests.
- Fraud Prevention: Automated systems may flag or restrict accounts based on suspicious activity patterns.
These automated processes do not produce legal effects or similarly significantly affect you. If you believe an automated decision has been made in error, you may contact us for human review.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. For significant changes, we will provide additional notice through email or a prominent notification on the Platform.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after changes to this Privacy Policy constitutes your acceptance of those changes.
19. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: info@ulcut.com
- Contact Form: https://ulcut.com/contact
For GDPR-related inquiries, you may also contact our designated data protection contact at the email address above.
By using ULCUT AI Creative Studio, you acknowledge that you have read this Privacy Policy and understand how your personal information is collected, used, and protected.