Privacy Policy
Last updated: May 31, 2026
This Privacy Policy describes personal data processing related to use of the platform. Purchase and payment terms are covered in our Commercial Terms. Cookie use is described in our Cookie Policy. General platform usage rules are in our Terms of Service.
1. Introduction
FantasyAI ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI image generation service, in compliance with the General Data Protection Regulation (GDPR), the Danish Data Protection Act (Databeskyttelsesloven), and the EU AI Act.
2. Data Controller
Company: FantasyAI
Address:
Contact Email: contact@secretfantasyai.com
Supervisory Authority: Danish Data Protection Agency (Datatilsynet) - datatilsynet.dk
3. Data We Collect
We collect the following categories of personal data:
- Account Information: Name, email address, date of birth (for age verification), password (hashed), referral code
- Generation Data: Text prompts, negative prompts, generated images, style presets, model selections, generation parameters (width, height, steps, CFG scale, sampler, scheduler, seed)
- Payment Information: Payment transactions processed via third-party payment providers (Stripe, Mollie, PayPal, Razorpay, Paddle, LemonSqueezy). We do not store credit card details.
- Technical Data: IP address, browser type, device information, session data, cookies, timestamps
- Usage Data: Number of generations, credits used, subscription status, account activity logs
- Communication Data: Support emails, feedback, and any communications with our team
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under Article 6 GDPR and the Danish Data Protection Act (Databeskyttelsesloven):
- Contract Performance (Article 6(1)(b) GDPR): To provide our AI generation services and manage your account
- Consent (Article 6(1)(a) GDPR): For optional features, marketing communications, and non-essential cookies
- Legitimate Interests (Article 6(1)(f) GDPR): For security purposes, fraud prevention, service improvement, and analytics
- Legal Obligation (Article 6(1)(c) GDPR): To comply with applicable laws and regulations
For special category data (such as biometric data that may appear in images), we rely on explicit consent (Article 9(2)(a) GDPR) where applicable, in accordance with Danish law.
5. AI System Transparency
In compliance with the EU AI Act and GDPR transparency requirements:
- We clearly disclose when content is AI-generated
- We provide information about the AI models used for image generation
- We explain how your prompts are processed by our AI systems
- We maintain technical documentation for our AI processing activities
- We implement human oversight mechanisms for content moderation and safety
6. Automated Decision-Making
Our service involves automated processing for:
- Content safety screening and moderation to prevent prohibited material
- Credit deduction and account balance management
Under Article 22 GDPR, you have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you. You may request human intervention or challenge automated decisions by contacting us.
7. Data Retention
We retain your personal data for the following periods:
- Account Information: For the duration of your account plus 3 years after account closure (legal compliance period)
- Generated Images & Prompts: Indefinitely, unless you delete them, subject to our Terms of Service and content policies
- Payment Data: Transaction records retained for 5 years (Danish Bookkeeping Act / bogføringsloven requirement)
- Technical/Usage Logs: 12 months for security and analytics purposes
- Marketing Communications: Until you unsubscribe or withdraw consent
You may request deletion of your generated images and prompts at any time through your account settings or by contacting us.
8. Data Sharing and Third Parties
We may share your data with the following third parties:
- Payment Processors: Stripe, Mollie, PayPal, Razorpay, Paddle, LemonSqueezy for payment processing
- AI Infrastructure: ComfyUI backend servers for image generation (data processed in transit, not stored)
- Service Providers: Hosting providers, email services, analytics tools (with appropriate data processing agreements)
- Legal Authorities: When required by law or to protect our rights
We do not sell your personal data to third parties. All third-party processors are subject to Data Processing Agreements (DPAs) ensuring GDPR-compliant handling.
9. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with GDPR-compliant clauses
- Adequacy decisions from the European Commission where applicable
For more information about international transfers, please contact us.
10. Data Security
We implement appropriate technical and organizational measures under Article 32 GDPR:
- Encryption of data in transit (HTTPS/TLS 1.3)
- Encryption of sensitive data at rest
- Secure password hashing (bcrypt/argon2)
- Regular security audits and penetration testing
- Access controls and authentication mechanisms
- Secure backup and disaster recovery procedures
- Employee training on data protection
11. Your Data Subject Rights
Under GDPR, you have the following rights:
- Right of Access (Article 15): Request a copy of your personal data
- Right to Rectification (Article 16): Request correction of inaccurate data
- Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing (Article 18): Request limitation of processing
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Article 7(3)): Withdraw consent at any time
- Right to Human Intervention (Article 22): Request human review of automated decisions
To exercise these rights, contact us at contact@secretfantasyai.com. We will respond within 30 days.
12. Cookies and Tracking
We use cookies in accordance with the Danish Cookie Act and GDPR. See our Cookie Policy for detailed information.
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| laravel_session | Necessary | Session management | 2 hours (persistent) |
| XSRF-TOKEN | Necessary | CSRF protection | 2 hours (persistent) |
| cookie_consent | Necessary | Stores cookie preference | 1 year |
| locale | Functional | Language preference | 1 year |
| remember_web | Functional | Remember login | 5 days |
13. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR and the Danish Data Protection Act. We will also notify the Danish Data Protection Agency (Datatilsynet) when required by law.
14. Data Protection Impact Assessment (DPIA)
We have conducted a Data Protection Impact Assessment for our AI image generation processing activities, in accordance with Article 35 GDPR and Danish law. This assessment is available upon request.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through our website. Your continued use of our service after such changes constitutes acceptance of the updated policy.
16. Contact Us
For any questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact:
Company: FantasyAI
Address:
Email: contact@secretfantasyai.com
Website: https://secretfantasyai.com
You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet): datatilsynet.dk