privacy policy

we collect what we need to run the service and keep your account secure. we do not sell your data. we share inputs with model providers strictly to fulfill your generations. you can export or delete your data from the account page at any time.

account data: email address, password (hashed with bcrypt, never stored in plaintext), display name. usage data: prompts you submit, references you upload, projects and storyboards you create, exports you render, and a record of credit transactions. technical data: ip address, browser type, and request logs used for security, fraud prevention, and debugging. payment data: handled by our payment processor (stripe); we receive metadata such as plan and last four digits of card, never the full card number.

to provide and improve the service; to authenticate you and protect your account; to process generations through model providers; to send transactional email (verification, password reset, low-credit warnings, receipts) via resend; to enforce these terms; to comply with legal obligations.

we share data only as needed to deliver the service. current processors include: ai model providers (for image and video generation), anthropic and google (text/image models), aws s3 and cloudfront (storage and delivery), mongodb atlas (database), resend (transactional email), stripe (payments). each handles your data under their own privacy terms; we choose vendors that offer reasonable security and processing safeguards.

we do not use your prompts, references, or outputs to train our own models. our model providers may have separate policies on whether they retain or train on api submissions; where possible we use no-retention or zero-data-retention modes.

we use a minimal set of cookies and local storage entries necessary for authentication and to remember your session. we do not use third-party advertising trackers. analytics, if enabled, is privacy-respecting (no individual fingerprinting).

account and project data is retained while your account is active. you can delete projects and references at any time from the dashboard. on account deletion, we remove personal data within 30 days, except where retention is required to comply with legal obligations, resolve disputes, or enforce agreements (e.g., billing records may be retained for up to seven years for tax compliance).

depending on where you live, you may have rights to access, correct, export, or delete your data, to object to or restrict certain processing, and to withdraw consent. you can exercise most of these rights directly from /dashboard/account. for additional requests or to ask about california ccpa, european gdpr, or similar local rights, email support@mangotangoai.com.

we encrypt data in transit (tls) and at rest (where the underlying provider supports it). passwords are hashed with bcrypt. we use rate limiting, account lockout on repeated failed logins, and ip-based fraud signals. no system is perfectly secure, but we work to keep yours protected and to disclose any material breach within applicable timeframes.

the service is not intended for users under 18. if you believe a child has created an account, contact us and we will remove it.

our infrastructure is primarily hosted in the united states. by using the service from outside the us, you consent to the transfer and processing of your data in the us, which may have different data protection rules than your home jurisdiction.

we may update this policy. material changes will be posted to this page with a new effective date and, where appropriate, communicated by email.

questions or requests can be sent to support@mangotangoai.com.