Privacy Policy
ZSky AI, operated by FastLab Technologies LLC ("ZSky," "we," "us," or "our"), operates the website located at zsky.ai and its associated services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, store, and protect your personal information when you use our Service.
By accessing or using ZSky AI, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.
1. Information We Collect
1.1 Information You Provide
- Account Information: Email address and encrypted password (managed through our authentication provider, Supabase).
- Payment Information: Processed by Stripe, Inc. We do not store your full credit card number, CVV, or bank account details. We receive and store transaction identifiers, plan type, billing status, and Stripe customer identifiers.
- User-Generated Prompts and Inputs: Text prompts and any images you upload for AI generation. These are processed by our systems and may be logged for content moderation, safety enforcement, and service improvement.
- Generated Outputs: Images and videos generated by the Service are stored temporarily on our servers as described in Section 5.
- Support Communications: Information you provide when contacting us for support, reporting issues, or providing feedback.
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, generation requests, timestamps, referral URLs, click patterns, and session duration.
- Device Information: Browser type and version, operating system, screen resolution, device type, and language preference.
- IP Address: Collected for security, fraud prevention, sanctions compliance, rate limiting, and approximate geolocation.
- Network Information: Internet service provider and connection type.
1.3 Cookies, Local Storage, and Tracking Technologies
| Technology | Purpose | Type |
|---|---|---|
| Age Verification Flag | Remembers that you confirmed you are 18+ | localStorage (essential) |
| Authentication Tokens | Keeps you signed in across visits (via Supabase) | localStorage (essential) |
| UI Preferences | Stores selected generation mode and settings | localStorage (functional) |
| Google Analytics (G-EDGHF5F98N) | Aggregated website traffic and usage analytics | Cookie (analytics) |
Google Analytics: We use Google Analytics to understand how visitors use our Service. Google Analytics collects information such as how often users visit the site, what pages they visit, and what other sites they used prior to coming to our Service. We use the information from Google Analytics only to improve our Service. Google Analytics collects the IP address assigned to you on the date you visit our Service, but not your name or other identifying information. Google's ability to use and share information collected by Google Analytics is governed by the Google Privacy Policy and the Google Analytics Terms of Service.
We do not use third-party advertising cookies or cross-site behavioral advertising pixels. We do not participate in ad networks or retargeting.
1.4 Do Not Track and Global Privacy Control
We honor Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we treat it as a valid opt-out of the sale or sharing of personal information (to the extent applicable). We currently do not respond to browser "Do Not Track" (DNT) signals as there is no industry standard for compliance.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: Processing your generation requests, managing your account, and delivering purchased credits and subscriptions.
- Safety and Moderation: Scanning prompts and generated content for prohibited material, enforcing our Content Policy, and complying with legal obligations including mandatory CSAM reporting under 18 U.S.C. § 2258A.
- Service Improvement and AI Training: Analyzing usage patterns to improve performance, reliability, user experience, and AI model quality. Your prompts and generated outputs may be used to train and improve our AI models, unless you opt out as described in Section 6.1.
- Security and Fraud Prevention: Detecting and preventing fraud, abuse, unauthorized access, and sanctions violations.
- Communications: Sending transactional emails related to your account, billing, or material changes to our policies. We do not send unsolicited marketing emails without your consent.
- Legal Compliance: Responding to lawful requests from law enforcement, regulatory authorities, or as otherwise required by applicable law.
- Analytics: Understanding aggregate trends in how the Service is used to make data-driven improvements.
3. Third-Party Services
We rely on the following third-party service providers to operate ZSky AI. Each provider has its own privacy policy governing the data it processes:
- Supabase (Privacy Policy) — Authentication, user account management, and database services. Hosted in AWS us-west-2.
- Stripe, Inc. (Privacy Policy) — Payment processing. Stripe receives your payment card details directly; we never have access to your full card number.
- Cloudflare, Inc. (Privacy Policy) — Content delivery network (CDN), DDoS protection, DNS, and tunnel services. Cloudflare processes connection metadata (IP addresses, request headers).
- Google LLC (Privacy Policy) — Google Analytics for aggregate website traffic analysis.
We do not sell your personal information to any third party. We do not share personal information with third parties for their own direct marketing purposes.
4. Data Sharing and Disclosure
We may disclose your information in the following circumstances:
- Legal Obligations: When required by law, subpoena, court order, or governmental regulation. This includes mandatory reporting of suspected CSAM to the National Center for Missing & Exploited Children (NCMEC) and cooperating with law enforcement.
- Safety and Rights Protection: When we believe disclosure is necessary to protect the safety of any person, to protect our rights or property, or to investigate violations of our Terms of Service.
- Service Providers: With the third-party providers listed in Section 3, solely to the extent necessary for them to perform services on our behalf, subject to contractual confidentiality obligations.
- Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy.
- With Your Consent: In any other circumstance where we have your explicit consent.
5. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Generated Content (images/videos) | 30 days from creation | Service delivery; auto-deleted |
| Account Data (email, preferences, credit balance) | Duration of account + 30 days | Contract; deleted on request |
| Prompt Logs (for moderation) | Up to 1 year | Legitimate interest / safety |
| Moderation Action Records | Up to 3 years | Legal compliance / safety |
| Payment / Transaction Records | 7 years | Tax and financial reporting |
| CSAM / Law Enforcement Records | As required by law | Legal obligation |
| Analytics Data (aggregated) | 26 months (Google Analytics default) | Legitimate interest |
You may download your generated content at any time during the retention period. Upon account deletion, we will remove your personal information within 30 days, except where retention is required by law.
6. Your Rights
6.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Deletion: Request that we delete your personal information and account (subject to legal retention requirements).
- Export / Portability: Request an export of your data in a portable, machine-readable format.
- Correction: Request that we correct inaccurate personal information.
- Objection: Object to certain processing of your personal information.
- Opt-Out of AI Training: You may request that your prompts and outputs not be used for AI model training by emailing [email protected] with the subject line "Opt-Out AI Training." We will honor your request going forward; previously processed data that has already been incorporated into model weights cannot be individually extracted.
To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within 30 days (or 45 days if an extension is necessary, with notice).
6.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes, and the categories of third parties with whom we share your information.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. There is no need to opt out.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted by the CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
CCPA Categories of Personal Information Collected: Identifiers (email, IP address); commercial information (transaction records, credit balances, subscription status); internet/electronic network activity (usage data, browsing history on our Service, prompts, generated content metadata); and inferences (content preferences, usage patterns).
To submit a CCPA request, email [email protected] or use the subject line "CCPA Request." You may designate an authorized agent to make a request on your behalf. We may verify your identity before fulfilling requests.
6.3 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)
If you are located in the EEA, UK, or Switzerland, the following applies:
Data Controller: FastLab Technologies LLC is the data controller responsible for your personal data.
Legal Bases for Processing:
- Contractual Necessity: Processing necessary to provide the Service you requested (account management, generation processing, billing).
- Legitimate Interests: Security, fraud prevention, service improvement, analytics, and AI model improvement (balanced against your rights).
- Legal Obligation: Safety reporting, financial record-keeping, sanctions compliance.
- Consent: Where required (e.g., non-essential analytics cookies). You may withdraw consent at any time.
Your GDPR Rights:
- Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), and rights related to automated decision-making (Art. 22).
- Right to withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint with your local supervisory authority.
International Data Transfers: Your data is transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on:
- The EU-U.S. Data Privacy Framework (DPF), where applicable to our service providers.
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with sub-processors.
- Adequacy decisions, where applicable.
You may request a copy of the transfer safeguards by contacting [email protected].
6.4 Brazil (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with additional rights, including the right to: confirm the existence of processing; access your data; correct incomplete or inaccurate data; anonymize, block, or delete unnecessary data; obtain information about entities with whom your data has been shared; be informed about the possibility of denying consent and its consequences; and request the deletion of personal data processed with your consent. To exercise these rights, contact [email protected].
6.5 Other Jurisdictions
We are committed to complying with applicable privacy and data protection laws worldwide. If you are located in a jurisdiction that provides additional privacy rights not specifically listed above, please contact us and we will make reasonable efforts to honor your rights under local law.
7. Security
We implement commercially reasonable technical and organizational measures to protect your personal information, including:
- Encryption of data in transit (TLS 1.2+/HTTPS) and at rest.
- Access controls limiting employee and contractor access to personal information on a need-to-know basis.
- Regular security assessments, vulnerability scanning, and monitoring.
- Secure authentication through Supabase with support for strong passwords and session management.
- DDoS protection and web application firewall via Cloudflare.
- Prompt and output content stored separately from account identifiers where technically feasible.
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. We will notify affected users and relevant authorities of any data breach as required by applicable law.
8. Children's Privacy
ZSky AI is intended exclusively for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If we discover that a user is under 18, we will immediately terminate their account and delete all associated data. If you believe a minor is using our Service, please contact us immediately at [email protected].
We comply with the Children's Online Privacy Protection Act (COPPA) and equivalent international laws. We do not knowingly collect, use, or disclose personal information from children under 13 (or the applicable minimum age in your jurisdiction).
9. AI-Specific Disclosures
9.1 How AI Models Use Your Data
When you use the Service, your text prompts and any uploaded images are processed by our AI models to generate your requested content. We may use aggregated, de-identified prompt and output data to improve our AI models and the quality of the Service. You may opt out of this use as described in Section 6.1.
9.2 Automated Decision-Making
We use automated systems for content moderation, including prompt scanning and output analysis. These systems may automatically block prompts or outputs that are flagged as violating our Content Policy. If you believe content was incorrectly flagged, you may contact [email protected] for human review.
9.3 Output Non-Uniqueness
AI-generated outputs may not be unique. Similar prompts from different users may produce similar or identical results. We do not guarantee exclusivity of any generated content.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Provide at least fifteen (15) days' notice via email or a prominent notice on the Service before the changes take effect.
- Where required by law (e.g., GDPR), obtain your consent before implementing material changes that affect the legal basis for processing your data.
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. If you do not agree, you should discontinue use and request account deletion.
11. Contact Us
If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise your privacy rights, you may contact us at:
- Privacy Inquiries: [email protected]
- General Support: [email protected]
- Safety Concerns: [email protected]
- DMCA / Legal: [email protected]
For GDPR-related inquiries, you may also contact your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.
Data Deletion
You may request deletion of your account and all associated data at any time by emailing [email protected] with the subject line "Delete My Account." We will process your request within 30 days and confirm deletion via email. Upon deletion, all personal data, generated content, and usage history will be permanently removed from our systems.