Privacy Policy

Effective date: April 19, 2026

This Privacy Policy explains what personal data Soura AI collects when you use the Service, why we collect it, who we share it with, and the rights you have over it. Soura AI is operated by Thamir Fuwad, a sole proprietor based in the Sultanate of Oman. We are the data controller for the personal data described below.

1. Who we are

The Service is operated by Thamir Fuwad, a sole proprietor based in the Sultanate of Oman (together, “Soura AI”, “we”, “us”). For the purposes of applicable data protection law (including the GDPR for visitors from the European Economic Area and the UK GDPR for visitors from the United Kingdom), Soura AI is the data controller for the personal data you provide directly to us.

For billing, Paddle.com Market Ltd. acts as our Merchant of Record and handles payment processing, tax calculation, and invoicing. When you purchase a subscription, Paddle is a separate controller for the payment data it collects. See Paddle’s privacy notice at paddle.com/legal/privacy.

2. What we collect

We collect the following categories of personal data:

  • Account data: your email address, a securely hashed password (managed by our authentication provider Supabase — we never store or see plaintext passwords), your chosen display language, and the timestamps of account creation and last sign-in.
  • Generation inputs: the prompts, configuration choices (such as country, subject, scene, framing), and any product images you upload to generate Outputs. These may be personal data if they contain faces, names, or other identifying information.
  • Generation outputs: the images the Service generates in response to your Inputs, together with related metadata (the prompt used, the Country Pack version, the model configuration).
  • Usage data: your session activity inside the Service, such as which pages you visit, which features you use, Credit consumption events, error logs, and approximate language/locale preferences.
  • Technical data: IP address, user-agent, device and browser type, referral URL, and cookie identifiers collected automatically when you visit the Service.
  • Payment data: when you subscribe, Paddle collects your billing name, billing address, country, email, and payment-method details (card number, expiry, bank info, or wallet identifier) directly. We do not receive or store full card numbers. We do receive limited transaction metadata from Paddle (such as the last four digits, transaction ID, amount, currency, country, and VAT status) so that we can provision and manage your subscription.
  • Support data: if you contact us, any messages you send and information you include in those messages.

3. How and why we use your data

We process personal data for the following purposes and on the following legal bases (where the GDPR or UK GDPR applies):

  • To create and manage your Account, authenticate you, and provide the Service — legal basis: performance of a contract.
  • To generate Outputs from your Inputs and deliver them to you — legal basis: performance of a contract.
  • To process subscriptions, credits, and payments through Paddle — legal basis: performance of a contract, and compliance with legal obligations (tax, accounting).
  • To operate, secure, monitor, and improve the Service, including diagnosing errors, preventing fraud and abuse, and enforcing our Terms — legal basis: our legitimate interests in running a reliable, safe Service and those of our customers in being protected from abuse.
  • To send transactional emails you must receive (e.g. sign-in confirmations, receipts, service notices) — legal basis: performance of a contract and our legitimate interests.
  • To send product updates or marketing emails, where we do so — legal basis: consent, which you can withdraw at any time.
  • To comply with legal obligations and respond to valid legal requests — legal basis: legal obligation.

We do not use your Inputs, Outputs, or any other personal data to train third-party generative AI models. We do not sell your personal data. We do not share your personal data with advertising networks or data brokers.

4. Who we share data with (processors and sub-processors)

We rely on a small number of vetted service providers to operate the Service. Each of them is contractually required to protect your data and to use it only on our instructions:

  • Supabase Inc. (United States) — authentication, database, and file storage for Account data, generation metadata, uploaded product images, and generated Outputs.
  • Google LLC (United States) — the Gemini image generation model. Your prompts and any uploaded images are transmitted to Google to generate the Outputs you request. We configure the integration so that inputs are not used by Google to train its models to the extent their enterprise terms permit.
  • Paddle.com Market Ltd. (United Kingdom and United States) — Merchant of Record for all payments. Paddle receives and processes payment data directly and issues invoices.
  • Cloudflare, Inc. (United States) — DNS, content delivery, and network-level protection for our domain and traffic.
  • Our hosting platform (such as Vercel, Inc., United States) — serving the Service and its API routes.
  • Email delivery providers — sending transactional emails such as sign-in links, receipts, and service notices.

We may also disclose personal data to competent authorities or professional advisers where we are required to do so by law, to enforce our Terms, to protect the rights or safety of Soura AI or others, or in connection with a corporate transaction (such as a merger, acquisition, or sale of assets). We will use reasonable efforts to notify affected users where permitted by law.

5. International transfers

Soura AI is operated from the Sultanate of Oman and its service providers are located in the United States, the United Kingdom, and other countries. Where personal data originating from the European Economic Area or the United Kingdom is transferred outside those regions, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (or the UK’s International Data Transfer Agreement) put in place with our processors. You can request a copy of the safeguards used by contacting us at the address in Section 10.

6. How long we keep your data

We keep personal data only for as long as we need it for the purposes described in Section 3, or as required by law:

  • Account data: kept for as long as your Account is active. If you delete your Account, we delete or anonymize Account data within 30 days, except where we must retain records for a longer period to comply with legal obligations (see below).
  • Uploaded product images: retained for as long as the associated generation session exists. Sessions and their assets expire and are purged on the retention schedule shown in the Service (typically within 30–90 days of generation).
  • Generated Outputs: retained while your Account is active, subject to the session expiry schedule above. You can download or delete Outputs at any time from the Service.
  • Payment and tax records: kept by Paddle and by us for the period required by applicable tax and accounting law (typically at least 7 years).
  • Server logs and security logs: typically kept for up to 12 months to debug, secure, and audit the Service.
  • Support correspondence: typically kept for up to 24 months after the issue is resolved.

7. Your rights

Depending on where you live, you may have the following rights in relation to your personal data:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Deletion — ask us to delete your personal data where certain conditions apply.
  • Restriction — ask us to limit how we process your data in specific situations.
  • Portability — receive a copy of data you provided to us in a common, machine-readable format.
  • Objection — object to processing based on our legitimate interests or to direct marketing.
  • Withdraw consent — where we rely on consent, withdraw it at any time (this does not affect processing that already took place).
  • Complain — lodge a complaint with the data protection authority in your country of residence.

To exercise any of these rights, contact us at the address in Section 10. We will respond within one month, subject to extensions permitted by law. We may need to verify your identity before we act on a request.

8. Cookies and similar technologies

We use a small number of cookies and similar technologies to run the Service. These include strictly necessary cookies (for example, to keep you signed in, remember your language preference via the `culturely_locale` cookie, and protect against abuse) and, where applicable, analytics cookies that help us understand how the Service is used in aggregate. We do not use cookies for cross-site advertising. Where consent is required by law, we will ask for it before setting non-essential cookies. You can clear cookies through your browser settings at any time, though doing so may disrupt parts of the Service.

9. Security and children

We apply technical and organizational measures designed to protect personal data against loss, misuse, and unauthorized access, including encryption in transit, access controls on our databases, minimum-privilege service credentials, and regular review of access logs. No system is perfectly secure, and we cannot guarantee absolute security, but we will notify you and any relevant authority of a personal data breach where we are required to do so by law.

The Service is not directed to children under 18 years of age, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Changes and contact

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Effective date” at the top and, where practicable, notify you by email or in-app notice at least 14 days before the change takes effect.

If you have any questions about this Privacy Policy, or if you want to exercise any of the rights in Section 7, please contact us:

  • Email: privacy@soura-ai.com
  • Phone: +968 77810788
  • Address: PO Box 1922, PC 111, Central Post Office, Seeb, Sultanate of Oman