Privacy Policy
Effective date: 01.01.2026.
1. General Information
This Privacy Policy describes the rules for processing personal data in the DropAi.ovh service. This document fulfills the information obligation under Article 13 GDPR and, for data not collected directly from the data subject, also under Article 14 GDPR.
The policy covers data provided when using a user account, contact forms, purchasing credits, file-processing features, and publishing materials through Share Pages.
This document refers to: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"), and, for cookies and similar technologies, the Polish Act of 12 July 2024 - Electronic Communications Law (in particular Articles 399-400).
2. Data Controller and Contact
Data controller: SMOVE sp. z o.o.
Registered address: ul. Przemysłowa 14, 44-190 Knurów, Polska
E-mail:
Phone: not provided
Contact form: /contact
Privacy and GDPR rights contact:
3. Scope of Data and Sources
Categories of data
- identification and account data (e.g., e-mail, user identifier, account settings, language preferences),
- service usage data (e.g., prompts, job parameters, job metadata, operation history, execution logs, Share Page settings, and branding settings),
- files uploaded for processing and generated outputs (including a person's image, face, or other data visible in a photo or video),
- technical data transferred as part of AI job execution (e.g., public input file URLs, prediction id, statuses, model metrics, and logs),
- billing and transaction data (e.g., credit purchase history, Stripe payment identifiers, and the current failed/canceled terminal charge of 0.0100 credits per Job),
- contact data and communication content (contact form, e-mail),
- technical and security data (e.g., IP, user-agent, session identifiers, anti-bot tokens, server logs).
Data sources (Article 14 GDPR)
- as a rule, data is collected directly from you when using the service,
- for payments, some data is received from the payment provider Stripe (e.g., transaction status, payment identifier),
- for AI job execution, we also receive return data from the AI provider Replicate, Inc. (e.g., prediction status, timing metadata, output file links, and technical logs),
- in event, agency, or B2B scenarios, some photos and participant data may be uploaded by the account holder, event organizer, photobooth operator, or another entity acting for participants or the client,
- if data comes from a third party, we provide an additional information clause within the deadlines from Article 14 GDPR where required.
4. Purposes and Legal Bases
- account creation, account maintenance, and service delivery: Article 6(1)(b) GDPR (performance of a contract),
- execution of AI jobs with an external processor (Replicate): Article 6(1)(b) GDPR and, for service security and reliability, also Article 6(1)(f) GDPR,
- payments, settlements, and tax/accounting obligations: Article 6(1)(b) and (c) GDPR,
- handling inquiries and correspondence: Article 6(1)(b) or (f) GDPR,
- service security (including abuse and bot prevention): Article 6(1)(f) GDPR,
- establishing, pursuing, or defending legal claims: Article 6(1)(f) GDPR,
- publishing and delivering output files through public Share Pages and galleries at the User's request: Article 6(1)(b) GDPR and, where necessary, also Article 6(1)(f) GDPR,
- marketing activities requiring consent (if enabled): Article 6(1)(a) GDPR.
The controller's legitimate interests include, in particular: ensuring service continuity, infrastructure security, abuse prevention, user support, and the establishment or defense of claims.
5. Data Recipients
Data may be disclosed to the following categories of recipients:
- hosting and server infrastructure provider: dhosting.pl (Poland),
- e-mail and communication tools provider (SMTP),
- payment provider: Stripe,
- AI technology provider and processor: Replicate, Inc. (USA) - execution of predictions, processing prompts, parameters, and input file URLs, and returning output files, logs, and metrics,
- infrastructure used to deliver Replicate output files (replicate.delivery and its subdomains),
- subprocessors used by the AI provider as listed in Replicate's current subprocessor list,
- anti-bot security provider (Google reCAPTCHA v3),
- front-end resource providers loaded from external CDNs (e.g., jsDelivr, Google Fonts),
- recipients of public Share Page links and, after public publication of such links, search engines, messengers, and social platforms that generate previews or index public pages,
- authorized recipients under applicable law (e.g., public authorities).
6. Transfers Outside the EEA
As a rule, data is processed within the European Economic Area. However, when executing AI jobs, data (in particular prompt text, input file URLs, and prediction metadata) is transferred to Replicate, Inc., based in the United States, which constitutes a transfer outside the EEA.
In such cases, we use mechanisms compliant with Chapter V GDPR, in particular an adequacy decision (e.g., for entities covered by the EU-US Data Privacy Framework) or Standard Contractual Clauses (SCCs), supplemented where needed by additional safeguards. Information about the mechanism currently used for a specific recipient can be obtained by contacting the controller.
7. Data Retention Period
- account data: for the duration of the contract/account, then until the limitation periods for claims expire,
- billing and accounting data: for the period required by tax and accounting laws,
- contact form data and correspondence: up to 24 months after the case is closed, or longer if required for claims,
- technical and security data (logs): for the period necessary to ensure security and investigate incidents,
- data sent to Replicate through the Predictions API (input/output/logs): removed on Replicate's side by default about 1 hour after prediction completion (according to provider API documentation),
- job metadata stored by us (e.g., statuses, prediction IDs, parameters, and technical payloads): retained for the period necessary for settlements, complaint handling, and defense against claims,
- cookie consent settings (CMP): in the browser for up to 180 days or until changed/deleted; in the user account until changed or account deletion,
- net pricing request cooldown cookie (dropai_net_pricing_request): in the browser for up to 48 hours or until deleted,
- Share Page settings and branding files: until they are changed, the account is deleted, or they are removed by the User, unless longer retention is required for claims or security,
- user files stored on disk: 90 days; after that period files are permanently deleted from disk and cannot be recovered; database records may remain longer.
8. Roles of the Controller, the User, and Public Galleries
With respect to account data, billing, security, support requests, and day-to-day operation of the Service, we act as the data controller.
In event, agency, B2B, or photobooth scenarios, the User, event organizer, or operator may independently decide whether and which participant data are collected, uploaded to the Service, processed by AI, or published. In that scope, the User may act as a separate controller of participant data, and we may process such data as a technical service provider acting on the User's instructions, independently of our controller role for account, billing, and security data.
Public Share Pages and galleries are intended for link-based access. If the User shares such a link, materials and preview metadata may become available to link recipients and to external services generating previews or indexing public content. Removing a file from our Service does not guarantee immediate removal from external caches or indexes.
9. Photos, Faces, Special Categories of Data, and Minors
The Service processes faces and other elements visible in an image only as part of the image necessary to execute the AI job and deliver the result. In our own systems, we do not provide a feature intended for face recognition, identity verification, or building permanent biometric templates.
In our own systems, we do not independently use uploaded files to train our own AI models. AI processing is carried out with external providers and selected models, whose own terms and privacy rules may affect how data is processed on their side.
The Service is not intended for direct use by children as account holders. If you upload photos of minors or special category data, you must have an appropriate legal basis and, where required, the consent of a parent, legal guardian, or another valid legal basis under applicable law.
10. User Rights and Complaint to UODO
You have the right to:
- access your data,
- rectify your data,
- erase your data ("right to be forgotten"),
- restrict processing,
- data portability,
- object to processing based on Article 6(1)(f) GDPR,
- withdraw consent at any time (where consent is the legal basis), without affecting lawfulness of processing before withdrawal.
Right of access to all registered data: you may request information about all personal data the system has recorded about you, including a copy of your data (Article 15 GDPR). Send your request to .
Right to erasure: you may request permanent deletion of your account and content created in the service (Article 17 GDPR). Send your request to . We fulfill such requests without undue delay, subject to data that must be retained under applicable law (e.g., accounting records) or for defense against legal claims.
The exercise of the rights above also covers data processed by our processors (including Replicate), to the extent we have access to such data and can effectively fulfill your request.
We respond to data-subject-rights requests without undue delay and, as a rule, within 1 month of receipt, with the possibility of extension in cases provided for by GDPR.
You also have the right to lodge a complaint with the supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.
11. Voluntary Provision of Data
Providing data is voluntary, but in many cases necessary to conclude and perform a contract (e.g., account registration, job execution, payment). Failure to provide data required for a given action may prevent use of the service or part of it.
The scope of uploaded materials should be limited to the data necessary to execute the effect, perform the job, or publish materials. If a less intrusive way to achieve the same purpose exists, it should be preferred.
12. Profiling and Automated Decision-Making
The controller does not make decisions producing legal effects concerning users, or similarly significantly affecting users, solely on the basis of automated data processing, including profiling.
13. Cookies and Analytics/Marketing Tools
The service uses cookies and similar technologies (including localStorage) for necessary, functional, and security purposes. As of this version, we do not use active marketing pixels or tools such as Google Analytics, Meta Pixel, Hotjar, or Microsoft Clarity.
Rules for storing information on a user's device and accessing that information are implemented in accordance with the Electronic Communications Law (Articles 399-400). Consent is required for technologies other than those strictly necessary to provide the service.
| Tool | Type | Purpose | Duration |
|---|---|---|---|
| PHPSESSID | Necessary cookie | Maintains user session and login security. | Session (until browser session ends). |
| dropai_lang | Functional cookie | Stores the selected interface language. | Up to 12 months. |
| dropai_remember | Necessary cookie | Maintains login after selecting "remember me". | Up to 30 days. |
| dropai_cmp | Necessary cookie (compliance) | Stores the user's cookie consent decision. | Up to 180 days or until settings are changed. |
| dropai_net_pricing_request | Functional cookie | Prevents repeated net pricing activation requests from the same logged-in account for 48 hours. | Up to 48 hours. |
| localStorage: dropai_job_remove_confirm_until | Local storage | Temporarily suppresses the job deletion confirmation dialog. | Up to 1 hour. |
| Google reCAPTCHA v3 | Third-party script/cookies | Protects forms against abuse and bots (on login/contact forms). | According to provider policy. |
| Google Fonts / jsDelivr CDN | External front-end resources | Delivers fonts and UI libraries; when resources are fetched, the provider may receive technical data (e.g., IP). | No cookie on the service side; durations depend on the provider. |
| Stripe Checkout | Third-party script/cookies | Processes payments for credits. | According to provider policy. |
Cookies strictly necessary for service operation are used without a separate consent. If we introduce analytics or marketing cookies in the future, they will be activated only after user consent (cookie banner with accept/reject and granular settings).
You can manage cookie settings in your browser, via the persistent "Cookie settings" link in the footer, and (after login) in your account settings. You can change your consent at any time.
14. Security and Policy Changes
We apply organizational and technical measures adequate to the risk, including encrypted transmission (SSL/TLS), access control, authorization mechanisms, abuse prevention, logical separation of user resources, and service security monitoring.
Hosting infrastructure is located in Poland (dhosting.pl), in an environment declared by the provider as meeting Tier-3 class requirements (ANSI/TIA-942), with power redundancy, monitoring systems, and physical security controls.
This policy may be updated due to legal, organizational, or technological changes. The current version applies from the date indicated at the beginning of this document.