Plain-language summary: we collect the information needed to operate your account, process creative jobs, secure the service, and handle billing. Saved provider API keys are encrypted and are not returned to your browser. Prompts and media are sent only to the providers needed to complete your request. We do not sell your personal information.
1. Overview
This Privacy Policy applies to the Pixtor AI website, web application, API, command-line tools, MCP integrations, and related services (collectively, the “Service”). “Pixtor,” “we,” “us,” and “our” refer to the operator of the Service. “You” refers to a visitor, account holder, or authorized workspace user.
By using the Service, you acknowledge the data practices described here. If you use Pixtor for an organization, that organization may control workspace content and account administration.
2. Information we collect
| Category | Examples | Why we collect it |
|---|---|---|
| Account information | Email address, password hash, account identifier, profile and preferences | Authentication, account management, communication, and personalization |
| Creative content | Prompts, negative prompts, uploaded references, images, video, audio, links you approve, generated outputs, project names, and job history | To perform generations, edits, research you request, storage, organization, and delivery |
| Provider credentials | API keys you choose to save for supported third-party AI providers | To submit authorized requests on your behalf using bring-your-own-key workflows |
| Billing information | Plan, credit balance and ledger, Stripe customer and subscription identifiers, checkout and payment status | Checkout, subscriptions, top-ups, fraud prevention, accounting, and support. Pixtor does not store full payment card numbers |
| Usage and device data | IP address, browser and device type, timestamps, feature activity, request identifiers, errors, security and session events | Service operation, troubleshooting, abuse prevention, reliability, and security |
| Communications | Support messages, feedback, survey responses, and records of requests | Support, service improvement, and resolving disputes |
We receive information directly from you, automatically through your use of the Service, and from service providers such as payment processors and AI generation providers.
3. How provider API keys are handled
If you save a provider API key, Pixtor encrypts it before database storage. Saved plaintext keys are not sent back to the browser or displayed in account responses. The server decrypts a key only when it is needed to submit an authorized generation request to the applicable provider.
Access to saved credentials is scoped to the authenticated account. We use server-side authorization checks, session protections, and restricted data access policies to reduce unauthorized access. You can replace or delete a saved key in Settings. You remain responsible for permissions, spending limits, and security settings in the provider account that issued the key.
4. How we use information
- Provide, maintain, personalize, and improve the Service.
- Authenticate users and keep accounts, projects, assets, and billing records separated.
- Process prompts, media, model requests, job status, and output delivery.
- Provide requested prompt enhancement, link research, routing, and creative direction.
- Calculate generation quotes, deduct or credit service credits, and process subscriptions and top-ups.
- Detect fraud, abuse, compromised sessions, policy violations, and security incidents.
- Monitor reliability, debug errors, develop features, and understand aggregate service usage.
- Communicate about transactions, security, support, and material service changes.
- Comply with law, enforce agreements, and protect users, Pixtor, and others.
Where required, we rely on consent; otherwise, processing may be necessary to perform our contract with you, pursue legitimate service and security interests, or meet legal obligations.
5. AI models and other service providers
When you ask Pixtor to create or edit content, we send the information necessary for that job—such as your prompt, selected settings, reference media, and request identifier—to the AI provider selected by you or by the routing setting you approve. That provider processes the data under its own terms and privacy policy.
Depending on your configuration, providers may include image, video, language, storage, hosting, database, email, observability, and payment services. Provider availability changes over time. We encourage you to review a provider’s retention, training, and content policies before using it for sensitive material, particularly when you bring your own key.
7. Data retention
We keep account and workspace data while your account is active and as needed to provide the Service. Deleted content and credentials are removed from active systems according to our operational processes, but limited copies may remain temporarily in protected backups, security logs, provider systems, or records required for fraud prevention, accounting, dispute resolution, and legal compliance.
Retention periods vary by data type, purpose, provider requirements, workspace settings, and law. When information is no longer reasonably needed, we delete or de-identify it.
8. Security
We use administrative, technical, and organizational measures designed to protect information, including transport encryption, password hashing, encrypted provider credentials, server-side authorization, session and CSRF protections, restricted secrets, logging controls, and database access policies.
No online service can guarantee absolute security. Protect your password, provider credentials, and devices; use provider-side spending restrictions when available; and contact us promptly if you believe an account or key has been compromised.
9. Your choices and privacy rights
Depending on your location, you may have rights to access, correct, delete, restrict, object to, or receive a portable copy of certain personal information, and to withdraw consent where consent is the basis for processing. You may also have a right to appeal a denied request or complain to a data protection authority.
You can update account settings, delete provider keys, and request export or account deletion through the Service where available. We may verify your identity and retain limited information when required by law or legitimate security needs. Authorized agents may submit requests where local law permits.
11. International data transfers
Pixtor and its providers may process information in countries other than the one where you live. Where required, we use recognized transfer safeguards and take steps intended to protect information consistently with this policy.
12. Children’s privacy
The Service is not directed to children under 13, and users must meet the minimum age required by law in their country to consent to online services. We do not knowingly collect personal information from a child who cannot lawfully use the Service. Contact us if you believe a child has provided such information.
13. Changes to this policy
We may update this policy as the Service, providers, or law changes. We will publish the revised version with a new effective date and provide additional notice when a change is material and law requires it. Continued use after an update takes effect means the updated policy applies to later activity.
14. Contact us
Questions about privacy or a data request can be sent to support@pixtorai.com. Include enough detail for us to understand and verify the request, but never email passwords or provider API keys.