Privacy Policy

1. Data controller

The controller of your personal data is:

2. Data we collect

When you use mchbasic, we collect the following data:

• Account data — when you sign in with Google, we receive your name, email address, and profile picture from Google OAuth.
• Usage data — we record which tools you use, how many credits you consume, and timestamps of activity.
• Technical data — IP address, browser type, and basic device information for security and abuse prevention.
• Payment data — payment transactions are handled by Stripe. We do not store card numbers or full payment details.

3. How we use your data

We use your data to:

• Provide and operate the service
• Authenticate you via Google OAuth
• Track credit usage and process payments
• Prevent abuse and ensure fair use of the service
• Send service-related emails (e.g. low credit alerts)
• Comply with legal obligations

We do not sell your data. We do not use your photos for AI model training.

4. Image processing

Processing: Images you upload are transmitted to third-party AI providers (Replicate, fal.ai) for processing. These providers process images on our behalf and are bound by data processing agreements.

Temporary storage: Processed images are temporarily stored on our server to allow you to download the result. They are not used for any other purpose.

No long-term retention: We do not permanently store your original or processed images for purposes other than providing the service.

5. Third-party services

We share data with the following service providers only as necessary to operate the service:

• Google OAuth — for authentication (Google Privacy Policy applies)
• Replicate & fal.ai — for AI image processing
• Stripe — for payment processing (Stripe Privacy Policy applies)
• DigitalOcean — for hosting and database storage

We do not sell, rent, or share your personal data with third parties for marketing purposes.

6. Data security

We apply appropriate technical and organisational measures to protect your data:

• All data is transmitted over HTTPS (TLS encryption)
• Passwords are not stored — authentication is handled by Google OAuth
• Database access is restricted and protected
• We regularly monitor for security issues

7. Your rights (GDPR)

As a data subject under GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate data
• Deletion — request deletion of your personal data ("right to be forgotten")
• Portability — request your data in a structured, machine-readable format
• Objection — object to processing of your data in certain circumstances

To exercise your rights, contact us at contact@mchbasic.pl. We will respond within 30 days.

8. Cookies

We use session cookies only for authentication purposes (NextAuth.js). These are strictly necessary cookies. No third-party tracking, analytics, or advertising cookies are used.

9. Children

mchbasic is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us immediately.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on the site. We encourage you to review this policy periodically.