← Back to homeTerms of Service →

Privacy Policy

Last updated: 2026-04-25

Draft notice. This policy is a working draft. Have qualified legal counsel review and adapt it for your jurisdiction before relying on it in production. It is provided as a starting point and not as legal advice.

1. Who we are

Carousel-gen ("Carousel-gen", "we", "our", "us") provides an AI-powered social-media carousel generation service operated at carousel-gen.com and its subdomains (collectively, the "Service"). You can contact us at hello@carousel-gen.com.

2. What this policy covers

This policy explains what information we collect when you use the Service, how we use it, the third-party processors we share it with, how long we keep it, and the rights you have over it. If you do not agree with this policy, do not use the Service.

3. Information you provide directly

  • Account credentials. Email address and password, handled by our authentication provider (Supabase). We never see your password in plaintext; it is hashed before storage.
  • Brand details. Brand name, social handle, niche, and accent color you save to use across generations.
  • Prompts and inputs. Topics, scripts, premises, image prompts, custom URLs, and any other text you submit during a generation flow.
  • Payment information.Card details and billing data are entered directly into Stripe's hosted checkout. We do not see, store, or transmit your card number; we only receive a billing event confirming that a purchase occurred.
  • Optional integrations. If you connect Google Drive, we receive an OAuth token scoped to drive.file so we can upload finished carousels to your Drive. We cannot read or modify files we did not create.

4. Information collected automatically

  • Network metadata. IP address, user-agent, request timestamps, and basic request paths used for rate limiting, abuse prevention, and operational debugging.
  • Generation history. Records of carousels, slides, prompts, and credit transactions tied to your account.
  • Server logs. Application and worker logs are retained for approximately 30 days for operational and security purposes.

5. Cookies and similar technologies

We use the minimum set of browser storage required to run the Service:

  • Authentication cookies set by Supabase so you stay signed in. These are essential and cannot be disabled while using the Service.
  • localStorage (pwa-install-dismissed-at) to remember that you dismissed the install banner.
  • sessionStorage (credits:last) to cache your credit balance for a snappier UI.

We do not use third-party advertising cookies, cross-site tracking pixels, or fingerprinting.

6. How we use your information

  • To provide, operate, and improve the Service.
  • To generate, store, and deliver the carousels you request.
  • To process payments and manage your credit balance.
  • To prevent abuse, fraud, and security incidents.
  • To send transactional messages (e.g. password reset, billing receipts). We do not currently send marketing email.
  • To comply with applicable law and respond to lawful requests.

7. Third-party processors we share data with

We share the minimum information necessary with the following sub-processors so the Service can function. Each has its own privacy policy.

  • Supabase — authentication and database (email, hashed password, brand and carousel records).
  • Anthropic — receives the topic, script, prompt, and caption text you submit so it can be processed by the Claude model.
  • OpenAI — receives image prompts when you choose gpt-image-1 or DALL·E.
  • Stability AI / Replicate — receive image prompts when you choose Stable Diffusion or Flux.
  • Stripe — handles all payment data; we never see your card information.
  • Cloudflare R2 — stores generated images in a private bucket; access requires short-lived presigned URLs.
  • Railway — hosts the application, worker, and Redis cache.
  • Google — only invoked if you explicitly connect Google Drive, in which case we use the drive.file scope to upload finished carousels.
  • RSS feed providers (e.g. Bloomberg, MarketWatch, TechCrunch) — we fetch their public RSS feeds on your behalf when you choose News mode. They may log the request from our servers.

We do not sell your personal information to third parties. We do not share your data for cross-context behavioral advertising.

8. AI processing — important disclosures

  • Prompts and other text you submit are sent to the AI providers listed above for processing. Each provider may retain inputs subject to its own retention policy; please review their terms before submitting sensitive content.
  • Do not include sensitive personal information, trade secrets, or confidential third-party content in your prompts.
  • We do not train AI models on your content.
  • Generated content is yours to use, subject to the terms of the underlying model provider and applicable law.

9. Data retention

  • Account data is retained until you delete your account.
  • Carousels and slides are retained until you delete them or your account is closed.
  • Generated image objects in our private R2 bucket are deleted approximately 30 days after generation by an automated lifecycle rule.
  • Server logs are retained for approximately 30 days.
  • Billing records are retained as required by Stripe and applicable tax / accounting law.

10. Your rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data.
  • Export your data in a portable format.
  • Object to or restrict certain processing, where applicable.
  • Withdraw any consent you previously gave (e.g. revoke Google Drive access).
  • Lodge a complaint with your local data protection authority.

EU/UK residents have additional rights under the GDPR (Articles 15-22). California residents have rights under the CCPA / CPRA, including the right to know, delete, and opt out of "sale" or "sharing" (we do neither). To exercise any right, email hello@carousel-gen.com. We respond within 30 days.

11. Data security

We use industry-standard controls to protect your information, including TLS for data in transit, encryption at rest in Supabase and R2, password hashing via our authentication provider, JWT-based session tokens, rate limiting, a private object storage bucket served only via short-lived presigned URLs, non-root container deploys, and least-privilege API keys.

No system is 100% secure. If we ever experience a breach affecting your data, we will notify you and applicable regulators as required by law.

12. International data transfers

The Service is operated from the United States. If you access it from outside the United States, you understand your data will be transferred to and processed in the United States or in regions where our sub-processors operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

13. Children's privacy

The Service is not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

14. Account deletion

To request full deletion of your account, email hello@carousel-gen.com. Within 30 days we will delete your account, brands, carousels, slides, and stored images. Billing records held by Stripe are retained per their legal obligations.

15. Changes to this policy

We may update this policy from time to time. Material changes will be posted on this page and, where appropriate, communicated via email. The "Last updated" date at the top reflects the current version.

16. Contact

Questions, requests, or complaints? Email hello@carousel-gen.com. You can also review our Terms of Service.