Privacy Policy

1. Introduction

Subliminal Inc. is committed to handling personal information with transparency, fairness and respect. This Privacy Policy applies to all Subliminal Inc. websites and services, including our studio website at subliminalhq.com and our product portfolio.

We collect only the information we need, keep it only as long as necessary, and never sell it. We build our products with privacy in mind from the start.

2. Individual Product Privacy

Each product in the Subliminal portfolio, including Stargazer, SpeechGeneratorAI, PFPMakerAI, SeeYourBabyAI, Priyansh Animations and LetterGeneratorAI, may have its own privacy policy published on its respective website. Those product-specific policies describe in detail how personal information is processed within that specific product.

Where an individual product's privacy policy addresses a matter covered by this Policy, the individual product's policy takes precedence for your use of that product. This Policy applies to Subliminal Inc. as a whole and covers matters not specifically addressed by a product-level policy.

We encourage you to read the privacy policy of any Subliminal product you use, in addition to this Policy.

3. Data Controller

The data controller responsible for processing your personal information is:

Where we operate as a data processor on behalf of a business customer, the relevant data processing agreement governs our obligations.

4. What We Collect

Depending on the product or service you use, we may process the following categories of personal information:

Account and identity information: name, email address, password (stored as a secure hash), and any profile details you choose to provide.

Content you submit: photos, images, text prompts or other content you upload for processing by our products. This content is used solely to generate your requested output and is not retained beyond the periods described in Section 9.

Payment information: transaction details, billing name and address. Full payment card numbers are handled exclusively by our payment processor, Stripe, and are never stored on our servers.

Communications: messages you send us via contact forms, email or support channels, including any information you volunteer in those communications.

Usage and technical data: IP address, browser type and version, operating system, referring URL, pages visited, session duration, and other standard log data. This is used to operate and improve our services and to detect abuse.

Device information: device type, screen resolution, and general geographic location derived from IP address (country or city level; we do not collect precise GPS coordinates).

5. How We Collect Information

Directly from you: when you create an account, make a purchase, use a product feature, contact support, or submit a form.

Automatically: through cookies, web server logs and similar technologies when you visit our websites or use our applications. See Section 12 for more on cookies.

From third parties: from our payment processor (Stripe) and, where applicable, from social login providers you authorise. We receive only the information necessary to complete the relevant transaction or authentication.

6. How We Use Information

We use personal information for the following purposes:

• Delivering our services: processing your orders, generating outputs, and providing the features you request.
• Account management: creating and maintaining your account, authenticating your identity, and communicating important service updates.
• Payments: processing transactions, issuing receipts, and managing refunds or disputes.
• Customer support: responding to your questions, troubleshooting issues, and investigating complaints.
• Security and fraud prevention: detecting and preventing unauthorised access, abuse, spam and fraud.
• Service improvement: analysing usage patterns to improve reliability, performance and user experience. Where this involves personal data, we use aggregate or anonymised data wherever possible.
• Legal and regulatory compliance: meeting our obligations under applicable law, including tax, financial reporting, and responding to lawful requests from authorities.
• Direct marketing: sending you product news and updates, where you have provided consent or we have a legitimate interest and you have not opted out. You may unsubscribe at any time via the link in any marketing email.

We do not use your content or outputs to train AI models, and we do not engage in automated decision-making that produces legal or similarly significant effects without human oversight.

7. Legal Bases (GDPR / UK GDPR)

For individuals in the European Economic Area (EEA), the United Kingdom and other jurisdictions with similar frameworks, we rely on the following legal bases for processing personal data:

• Performance of a contract (Article 6(1)(b)): processing necessary to provide the service you have purchased or requested, including account creation, order fulfilment, and customer support.
• Legitimate interests (Article 6(1)(f)): where our interests in operating, improving and securing our services outweigh any impact on your privacy. This includes fraud prevention, service analytics and direct marketing to existing customers.
• Consent (Article 6(1)(a)): where you have given us specific, freely given and informed consent, such as for certain marketing communications or optional cookies. You may withdraw consent at any time.
• Legal obligation (Article 6(1)(c)): where processing is necessary to comply with a legal obligation, such as tax record-keeping or responding to court orders.
• Vital interests (Article 6(1)(d)): in rare circumstances where processing is necessary to protect someone's life.

For special category data (such as biometric or health-related information, which some products may process when generating images), we rely on explicit consent (Article 9(2)(a)) or another applicable Article 9 basis.

8. Sharing and Disclosure

We do not sell your personal information. We share data only in the following limited circumstances:

• Service providers: we share data with vetted third-party providers who process it on our behalf, under contract, solely to provide services to us. These include Stripe (payments), cloud infrastructure providers (hosting and storage), email delivery providers (transactional and support emails), and AI model providers (for generating product outputs). Each provider is bound by confidentiality and data processing obligations consistent with applicable law.
• Business transfers: in connection with a merger, acquisition, financing, reorganisation, or sale of some or all of our assets, your data may be transferred to the acquiring entity, provided the acquiring entity agrees to protect your data in a manner consistent with this Policy.
• Legal requirements: we may disclose information where required by applicable law, regulation, court order, or other legal process, or where we believe disclosure is necessary to protect the rights, property or safety of Subliminal Inc., our users, or the public. Where legally permitted, we will notify you before disclosing.
• Consent: we may share your data for other purposes with your explicit prior consent.

We require all third-party service providers to maintain appropriate technical and organisational security measures and to use personal data only as instructed by us.

9. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law. Our default retention principles are:

• Content you upload (photos, text, images submitted for processing): deleted after your output is delivered, typically within 30 days, unless longer retention is required by law or you explicitly request otherwise.
• Account data: retained for the lifetime of your account plus a reasonable period to resolve any post-closure queries or legal claims (generally up to 3 years after closure).
• Payment records: retained for the period required by tax and financial regulations (typically 7 years in the United States).
• Support communications: retained for up to 3 years to assist with follow-up queries and to detect patterns of abuse.
• Technical log data: retained for up to 12 months in identifiable form and may be retained longer in aggregated, anonymised form.

You may request deletion of your personal data at any time by contacting [email protected]. We will action your request within 30 days, subject to our legal retention obligations.

10. Security

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, accidental loss, destruction or alteration. These measures include:

• Encryption of data in transit using TLS/SSL (256-bit AES);
• Encryption of sensitive data at rest;
• Role-based access controls restricting data access to personnel who need it;
• Regular security reviews and vulnerability assessments;
• Secure, hashed storage of passwords using industry-standard algorithms;
• Incident response procedures to detect, investigate and notify in the event of a data breach.

No method of transmission over the internet or electronic storage is 100% secure. While we work hard to protect your information, we cannot guarantee absolute security. In the event of a breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

11. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information. To exercise any right, contact us at [email protected]. We will respond within 30 days (or within the timeframe required by applicable law).

European Union and UK (GDPR / UK GDPR):

• Right of access (Article 15): obtain a copy of your personal data and information about how it is processed.
• Right to rectification (Article 16): correct inaccurate or incomplete data.
• Right to erasure (Article 17): request deletion of your data where it is no longer necessary or where you withdraw consent.
• Right to restriction (Article 18): restrict processing in certain circumstances.
• Right to data portability (Article 20): receive your data in a structured, machine-readable format.
• Right to object (Article 21): object to processing based on legitimate interests, including direct marketing.
• Rights related to automated decision-making (Article 22): not be subject to solely automated decisions that produce significant legal effects.
• Right to lodge a complaint with your national supervisory authority (e.g. the ICO in the UK, or your local EU data protection authority).

California (CCPA / CPRA):

• Right to know what personal information we collect, use, disclose or sell.
• Right to delete your personal information (subject to certain exceptions).
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of your personal information (we do not sell personal information).
• Right to limit the use of sensitive personal information.
• Right to non-discrimination for exercising your rights.

Canada (PIPEDA / provincial privacy laws): you have the right to access personal information we hold about you and to challenge its accuracy. You may contact us to request access or correction.

Brazil (LGPD): you have rights including confirmation of processing, access, correction, anonymisation, portability, deletion of data processed with consent, and the right to information about third parties with whom data is shared.

Other jurisdictions: we respect and honour privacy rights granted to individuals under applicable national or regional law, including but not limited to Japan (APPI), Australia (Privacy Act), Singapore (PDPA) and South Africa (POPIA). Contact us to exercise applicable rights.

12. Cookies and Tracking Technologies

We use cookies and similar technologies (such as local storage and session tokens) to operate our services and understand how they are used. Categories of cookies we use include:

• Strictly necessary: required for the core operation of our services, including session management and security. These cannot be disabled without breaking functionality.
• Functional: used to remember your preferences and settings, such as language or display options.
• Analytics: used to understand how visitors interact with our websites, in aggregate and anonymised form where possible. We use privacy-respecting analytics tools and avoid sharing raw user data with third-party advertising networks.

We do not use tracking cookies for third-party behavioural advertising. You can control or disable cookies through your browser settings, but disabling certain cookies may affect the functionality of our services.

Where required by law (including the EU ePrivacy Directive and UK PECR), we obtain your consent before placing non-essential cookies.

13. International Data Transfers

Subliminal Inc. is based in the United States. If you are located in the EEA, UK, Switzerland or another jurisdiction with restrictions on international data transfers, your personal information may be transferred to and processed in a country with different data protection laws, including the United States.

When we transfer personal data internationally, we rely on approved transfer mechanisms to ensure adequate protection, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• The UK International Data Transfer Agreement (IDTA) for transfers from the United Kingdom;
• Adequacy decisions where applicable;
• Other approved transfer mechanisms under applicable law.

You may request a copy of the transfer mechanisms we use by contacting [email protected].

14. Children's Privacy

Our services are not directed at children under the age of 16, or under 13 in the United States. We do not knowingly collect, use or share personal information from children below the applicable minimum age.

If you believe a child has provided us with personal information without parental consent, please contact us immediately at [email protected] and we will delete that information promptly.

Certain products may have specific age requirements, which are stated in those products' own terms. If a product is designed for or likely to be accessed by younger users, the product's privacy policy will contain age-specific provisions consistent with applicable law (including COPPA in the United States).

15. Do Not Sell or Share My Personal Information

We do not sell your personal information to third parties for monetary consideration, and we do not share it with third parties for cross-context behavioural advertising purposes.

California residents have the right under the CCPA/CPRA to opt out of the sale or sharing of their personal information. Because we do not engage in these practices, no opt-out mechanism is required. If our practices change, we will update this Policy and provide a prominent opt-out mechanism.

To submit a data rights request under the CCPA or any other applicable law, please contact [email protected] with the subject line "Privacy Rights Request".

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services or legal requirements. When we make material changes, we will update the "last updated" date at the top of this page and, where appropriate, notify you by email or by a prominent notice on our website.

Your continued use of our services after the effective date of any updated policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.

17. Contact and Data Protection

For privacy questions, to exercise your rights, or to raise a concern about how we handle your personal information, please contact us:

If you are located in the European Union or United Kingdom and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, you may contact the supervisory authority in your country of residence.

We aim to respond to all privacy enquiries within 30 days. Complex requests may take longer, in which case we will keep you informed of progress.