Privacy Policy

Last updated: 21 April 2026

This policy explains what data Inpaintly (operated by Ascend Global Data (Pvt) Ltd., Colombo, Sri Lanka) collects, how we use it, and the rights you have over it.

1. Data we collect

• Email address — used for account creation and magic-link sign-in.
• Photos you upload — stored in a private cloud bucket while we process them.
• Masks you draw — stored alongside the input photo.
• Generated outputs — stored in a public bucket so you can view and share them.
• Generation metadata — prompt text, theme selected, timestamp, success/failure status.
• Purchase metadata — which pack you bought, how much you paid, payment provider. We do not receive or store your card details.

2. How we use your data

• To operate the Service (authenticate you, run the AI pipeline, show your history).
• To process payments through our payment providers.
• To prevent abuse and investigate terms violations.
• To communicate service updates and respond to support requests.

We do not sell your personal data. We do not use your photos to train third-party AI models. We do not profile you for ads.

3. Sub-processors

We share data with the following services strictly to provide Inpaintly:

• Supabase — authentication, database, and file storage (EU/US).
• Replicate — AI inference for inpainting. Your photo and mask are sent here at the moment of generation via a short-lived signed URL.
• Vercel — web hosting and edge delivery.
• Polar / LemonSqueezy — payment processing. They receive your email and transaction details.

4. Retention

• Account records are retained for the life of your account.
• Input photos, masks, and generated outputs are retained until you delete them or your account is deleted.
• Generation metadata is retained for up to 24 months for service analytics and fraud prevention, then deleted.

5. Your rights

You may at any time:

• Access your data (all visible on your account page).
• Delete individual generations from your account page.
• Delete your account and all associated data by emailing us.
• Export your data by emailing us.

EU/UK users have additional rights under GDPR, including objection and rectification. Contact us to exercise them.

6. Children

The Service is not intended for anyone under 16. If you believe a child has created an account, contact us and we will delete it.

7. Security

Transport is encrypted with TLS. Storage is encrypted at rest. Input and mask files are stored in private buckets accessible only to your authenticated session. We use row-level security policies on the database to prevent cross-account access.

8. International transfers

Our infrastructure is globally distributed. By using the Service you consent to your data being transferred to and processed in the United States, European Union, and other regions where our sub-processors operate.

9. Changes

Material changes to this policy will be notified by email at least 14 days in advance.

10. Contact

For data requests, deletions, or privacy questions: hello@inpaintly.app