Privacy Policy
We are committed to protecting your privacy and personal data.
Scope
This policy applies to the Nano Banana Pro website, workbench, AI generation API, newsletters, and support channels. It covers all visitors, registered users, testers, and enterprise customers. By using Nano Banana Pro you agree that this policy applies together with the Terms of Service; terms not defined here have the meaning given in the Terms of Service. Continued use after updates means you accept the latest version.
Data we collect
We collect the following data types depending on the features you use:
Account & identity
- Name or nickname, avatar, language preference.
- Email address, encrypted password (Better Auth), or OAuth IDs (Google, GitHub, etc.).
- Session tokens, impersonation logs, anomaly/risk flags.
Payments & credits
- Stripe / Creem customer IDs, subscriptions, invoices, checkout session references.
- Credit packs, transaction logs, remaining balance, expiration, dispute records.
- Billing details required for invoicing or tax.
AI creations & storage
- Uploaded reference images, inpainting masks, brush strokes, and other assets.
- Prompts / negative prompts, style tags, seeds, camera/character parameters, output formats, counts, timestamps.
- Generated images, downloadable archives, preview thumbnails, signed URLs, and related metadata.
- Visitor IDs, batch IDs, runtime metrics, safety flags, error logs, historical migration records.
Device, usage, and logs
- IP address, browser/OS, language, referrer, time on page, feature usage.
- Analytics events (PostHog, OpenPanel), crash logs, upload quotas.
Communications
- Support tickets/emails, Crisp chat transcripts, newsletter preferences, surveys.
- Internal incident alerts sent via Lark/Feishu or Discord (limited to on-call staff).
Cookies & local storage
- Session cookies, CSRF tokens, language and theme preferences, payment state, Turnstile tokens, anti-abuse IDs, feature flags.
Data sources
- Directly from you: creating an account, configuring projects, uploading assets, buying credits, submitting feedback, or contacting support.
- Automatic collection: server logs, cookies, SDKs, and API telemetry.
- Third parties: payment processors, identity providers, AI compute providers (and other experimental models you enable), marketing/referral programs, and social platforms you authorize.
Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Provide core features, authenticate accounts, operate the workbench, launch AI jobs | Contractual necessity |
| Process payments, credits, invoices, and refunds | Contractual necessity + legal obligation |
| Prevent abuse, enforce quotas, secure uploads, investigate incidents | Legitimate interests |
| Improve experience, analyze usage, run testing programs | Legitimate interests (you can opt out of analytics in settings) |
| Marketing emails, Crisp outreach, non-essential cookies | Consent |
| Comply with tax, accounting, or legal orders | Legal obligation |
You may withdraw consent at any time; processing before withdrawal remains lawful.
Creative content and model usage
- We process prompts and assets only to fulfill your AI generation/editing requests, render previews, and maintain your creation history.
- User-uploaded and generated content is not used to train or fine-tune our own or third-party models unless you give explicit permission.
- Automated safety checks (e.g., NSFW or malware detection) may trigger manual review; reviewers are bound by confidentiality and see only the minimum necessary data.
Cookies, SDKs, and tracking
Disabling cookies may break login, checkout, or other key features.
Essential cookies
- Maintain sessions, remember language, enforce CSRF protection, and support uploads.
Functional cookies
- Preserve layout preferences, recent prompts, and UI state for a consistent workbench.
Performance / analytics cookies
- Used by PostHog, OpenPanel, Google Analytics, and Crisp; you can disable them under Settings → Privacy.
Marketing cookies
- Support landing pages, growth campaigns, or embedded media conversion tracking and can be turned off at any time.
Data sharing and processors
We only share necessary information with partners who sign data processing agreements and meet our security standards:
- Infrastructure: Cloudflare / OpenNext (hosting), Neon (Postgres), S3-compatible object storage/CDNs.
- Identity: Better Auth, Turnstile.
- AI execution: default routing to our selected AI model providers; we do not call other third-party models without your consent.
- Payments: Stripe, Creem (payment methods, tax information).
- Communications: Resend (transactional email) and newsletter vendors (Resend by default).
- Analytics & support: PostHog, OpenPanel, Crisp, and incident outreach via Lark/Feishu or Discord.
We do not sell personal data. Some partners operate outside your region; see "Cross-border transfers" below.
Cross-border transfers
Data may be stored or backed up in the EU, United States, Singapore, or other regions. When transferring data internationally, we rely on EU Standard Contractual Clauses (SCCs) or equivalent safeguards plus encryption and least-privilege controls.
Retention and deletion
- Payment and invoice records: retained for 5 years to meet accounting and tax obligations.
- Credit transaction logs: retained for 2 years for dispute resolution and reconciliation.
- AI jobs and generated content: retained for 30 days by default and can be deleted anytime from your creation history.
- Logs and analytics: retained up to 180 days before being aggregated or anonymized.
- Marketing preferences: kept until you unsubscribe or withdraw consent.
- When we receive a deletion request and have no other legal obligations, we erase or anonymize data within 30 days.
Security measures
We apply encryption in transit and at rest, hardware-backed encryption modules, granular permissions, admin MFA, environment isolation, audit logs, intrusion detection, and regular penetration testing. If a breach occurs, we will notify affected users and regulators as required.
Business transfers
If we undergo a merger, acquisition, financing, bankruptcy, or asset transaction, personal data may transfer with the business. The new entity must continue to honor this policy or request your consent before making material changes.
Your rights
Depending on regulations such as GDPR, CCPA, or LGPD, you can:
- Access, correct, or delete personal data.
- Restrict or object to processing based on legitimate interests.
- Withdraw consent and disable non-essential cookies.
- Opt out of marketing communications.
Contact support@nano-bananapro.com and we will respond within 30 days (extensions will be explained if needed).
Minors and sensitive data
Our services target users aged 16 or older. If we learn that we collected data from a minor, contact us immediately so we can delete it.
Do not upload health, financial, government ID, or other sensitive data unless legally authorized and secured.
Automated decisions and AI outputs
Nano Banana Pro relies on third-party models and may mirror jobs or run safety reviews to improve stability, but we do not make solely automated decisions that have legal or similarly significant effects.
If your prompts or assets contain personal data, the generated output might also contain it. Review content before sharing.
Policy updates
We will publish updates on this page and adjust the date above. For major changes we will also notify you via email or in-product messaging and can provide prior versions on request.
Request workflow
- Submit requests via email or the in-app ticket system and include your account email/ID.
- We will verify identity (challenge login, recent invoice, signed instruction, etc.).
- We complete the request within the statutory timeframe or explain why it cannot be fulfilled.
Contact
If you have questions about this policy or your rights:
Email: support@nano-bananapro.com
Thank you for trusting Nano Banana Pro with your privacy.