Legal
Privacy Policy
Effective July 6, 2026 · Last updated July 6, 2026
This Privacy Policy describes how AI Image Detector (“AI Image Detector”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when you visit aiimagedetector.infoor use our AI-image forensic screening service (the “Service”). This Policy forms part of our Terms of Service. By using the Service, you acknowledge that you have read and understood this Policy.
1. Who we are
AI Image Detector is operated as an independent sole proprietorship (the “Operator”). For all data-protection matters, including requests to exercise your rights, the controller of your personal data is the Operator. You can reach the Operator at hello@aiimagedetector.info.
If you are located in the European Economic Area, the United Kingdom, or Switzerland and require a local point of contact, please use the same email address; we will route your request appropriately. If we appoint an EU/UK representative under Article 27 GDPR in the future, their details will be published on this page.
2. Definitions
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
- Controller — the entity that determines the purposes and means of Processing (AI Image Detector, for the data covered by this Policy).
- Processor / Sub-processor— a third party that processes Personal Data on the Controller's behalf.
- Service — the website at aiimagedetector.info and the related AI-image forensic screening features.
- Report — the forensic screening report the Service produces for an uploaded image, including per-signal results and a graded conclusion.
- You — a visitor, signed-in user, or paying customer of the Service.
3. Information we collect
3.1 Information you provide directly
- Account information. When you sign in with Google we receive your name, email address, profile picture, and Google account ID. Google OAuth is the only sign-in method; we never store passwords.
- Uploaded images.The images you submit for analysis (JPEG, PNG, or WebP, up to 15 MB each, individually or in batches of up to 50), including any metadata embedded in those files (EXIF fields, C2PA Content Credentials, editing-software text chunks). Embedded metadata can include camera details, timestamps, and — if present in the file — GPS coordinates; we read it because metadata forensics is a core part of the analysis.
- Analysis results. The Report we produce for each upload: per-signal outputs (credential verification, metadata findings, detection-engine scores, classifier and visual-inspection notes), the graded conclusion, and the SHA-256 hash of the uploaded file, all linked to your account history.
- Communications. When you email us, we keep the message, your email address, and any attachments you send.
- Optional profile info. Anything else you choose to add to your account.
3.2 Information collected automatically
- Device & log data. IP address, user agent, browser language, request timestamps, referring URL, the pages and API endpoints you access.
- Usage data. Number of analyses run, credits charged, plan tier, per-engine success / failure of analyses, error codes.
- Cookies and similar technologies. See §10.
3.3 Information from third parties
- Google OAuth. We receive the Google profile fields listed in §3.1 when you authorize sign-in.
- Stripe (when payments are enabled). When you purchase, Stripe sends us the billing event (success / failure), invoice ID, customer ID, plan purchased, and country / postal code for tax. We never receive your full card number, CVC, or full bank details.
- Browser fingerprint. When you first visit we ask your browser to compute a fingerprint (via the open-source FingerprintJS library, executed in your browser) and we store only a salted SHA-256 hash of that fingerprint plus a random visitor UUID. The raw fingerprint is never transmitted to or stored by us. At signup we record this visitor ID together with your IP address for abuse prevention.
3.4 Sensitive data
We do not knowingly collect special-category personal data (racial / ethnic origin, political opinions, religion, health data, biometric or genetic data). The images you upload may depict people; we analyze them only for signs of AI generation or manipulation and do not perform facial recognition or attempt to identify the people shown. Please do not upload images you have no right to submit.
4. Legal bases for processing (EEA / UK only)
If you are in the EEA, the United Kingdom, or Switzerland, our legal bases under the GDPR / UK GDPR are:
| Purpose | Legal basis |
|---|---|
| Provide the Service to you (run analyses, produce Reports) | Performance of a contract — Art. 6(1)(b) |
| Process payments and send invoices | Performance of a contract — Art. 6(1)(b) |
| Prevent fraud, abuse, and welcome-credit abuse | Legitimate interest — Art. 6(1)(f) |
| Comply with tax, accounting, and legal obligations | Legal obligation — Art. 6(1)(c) |
| Improve the Service via aggregated analytics | Legitimate interest — Art. 6(1)(f) |
| Send marketing emails (only with opt-in) | Consent — Art. 6(1)(a) |
| Respond to support requests | Legitimate interest / contract |
Where we rely on legitimate interests, you have the right to object — see §13.
5. How we use information
We use the information described in §3 to:
- Authenticate you and maintain your sign-in session.
- Run the forensic analysis you request: verify C2PA Content Credentials, examine EXIF and other embedded metadata, send your uploaded image to the third-party detection engines listed in §7, run a vision-model visual inspection, and aggregate everything into a graded Report. Images are sent to those providers solely to produce the analysis.
- Store your uploaded image and Report so you can revisit it from your account history and, if you choose, share the Report link.
- Track credit balances and deduct or refund credits per ledger rules (including automatic refunds when a detection engine fails to respond).
- Process payments via Stripe and grant or revoke plan benefits (when payments are enabled).
- Detect and prevent abuse of welcome credits, account take-overs, payment fraud, and brute-force attempts. Specifically, we compare your hashed visitor ID and IP address against prior signups to decide whether to grant the welcome credits.
- Operate, monitor, debug, and improve the Service, including running aggregated analytics (e.g. “average analysis time per engine”).
- Respond to your support requests and account inquiries.
- Comply with applicable law, respond to lawful requests from authorities, and enforce our Terms.
- Notify you of material changes, billing issues, or security incidents (transactional email — you cannot opt out of these as long as you have an account).
We do not use your uploaded images or Reports to train our models, and we instruct our detection providers not to use them to train theirs.
6. Sharing & disclosure
We do not sell your personal data. We do not share personal data with third parties for cross-context behavioral advertising. We share personal data only as described below:
- Sub-processors. Vendors that process data on our behalf to operate the Service — see §7. This includes sending your uploaded image to the detection providers solely to produce your analysis.
- Report sharing — your choice. Reports are private to your account by default. If you share a Report link, anyone with that link can view the Report and the analyzed image. Shared Report pages are marked
noindexso search engines are instructed not to index them, but you remain responsible for whom you give the link to. - Legal authorities. When required by valid legal process (subpoena, court order, government request) or to protect rights, property, or safety. We will challenge overbroad requests and notify you when permitted by law.
- Corporate transactions. If we are acquired, merged, or sell substantially all assets, your data may transfer to the acquirer subject to this Policy. We will notify you in advance and give you the chance to delete your account.
- With your consent. Any other sharing requires your explicit consent.
7. Sub-processors
We rely on the following sub-processors. Each has signed a Data Processing Agreement (DPA) or equivalent contractual safeguards committing them to confidentiality, security, and (where applicable) Standard Contractual Clauses for international transfers.
| Sub-processor | Purpose | Location | Privacy |
|---|---|---|---|
| Google LLC | OAuth sign-in | USA | Link |
| Vercel, Inc. | Web hosting, CDN & cookieless aggregated analytics (Vercel Web Analytics — page views and referrers only, no cookies, no cross-site or cross-device tracking) | USA & global edge | Link |
| Neon, Inc. | Managed PostgreSQL database (account records, Report results, credit ledger) | USA (configurable) | Link |
| Cloudflare, Inc. | R2 object storage and CDN (cdn.aiimagedetector.info) for uploaded images and derived report exhibits, so Reports can be rendered and re-shared; email routing for hello@aiimagedetector.info | USA & global edge | Link |
| Sightengine | Commercial AI-image detection engine (image analysis) | France (EU) | Link |
| Eden AI | API aggregator that routes our image-analysis request to the Winston AI detection engine | France (EU) | Link |
| Replicate, Inc. | Hosted model inference for the vision-model visual inspection (Google Gemini 2.5 Flash) | USA | Link |
| Stripe, Inc. | Payment processing & tax (when payments are enabled) | USA | Link |
The detection providers above receive your uploaded image solely to produce the analysis you requested. They are not authorized by us to use your images to train their models or for any other purpose.
We may add or replace sub-processors. Material additions will be announced on this page at least 14 days before they take effect.
8. International data transfers
Our infrastructure and most of our sub-processors are based in the United States, with some detection providers in the European Union. If you are located outside those regions, your data will be transferred to and processed in them.
For transfers from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as appropriate) and, where required, supplementary technical and organizational measures, including encryption in transit and at rest. Copies of the SCCs we have in place with sub-processors are available on request.
9. Data retention
We retain personal data only for as long as needed:
| Data | Retention |
|---|---|
| Account record (profile, plan, balance) | Until you delete your account |
| Uploaded images & derived exhibits (in R2) | 90 days from upload, then automatically expired; Report pages degrade gracefully once the image is gone |
| Report records (per-signal results, graded conclusion, SHA-256 hash) & credit ledger | While your account exists |
| Server & security logs (incl. IP) | 30 days |
| Anti-abuse signals (visitor hash, IP at signup) | 12 months |
| Stripe billing records (invoices, payment status) | 7 years (tax / accounting law) |
| Support email correspondence | 24 months from last reply |
| Backups | 30-day rolling window |
After the retention period, we delete or irreversibly anonymize the data. Deletion of an account (request it by email — see §21) removes your personal data within 30 days, except financial records we are legally required to keep; images and logs already past their retention window are unrecoverable.
10. Cookies & similar technologies
Every cookie we set is strictly necessary to deliver the Service (sign-in, abuse prevention, payment fraud detection). Our traffic analytics (Vercel Web Analytics) is cookieless: it counts page views in aggregate without setting any cookie, without fingerprinting for tracking purposes, and without following you across sites or devices. We do not use advertising or cross-site tracking cookies.
| Cookie | Purpose | Lifetime | Type |
|---|---|---|---|
authjs.session-token | Keeps you signed in | 30 days | Strictly necessary, HttpOnly + Secure |
vid | Salted hash of your browser fingerprint, used for signup abuse prevention | 365 days | Strictly necessary, HttpOnly |
vid_set | Non-sensitive flag — tells the client not to recompute the fingerprint | 365 days | Strictly necessary |
__stripe_mid, __stripe_sid | Stripe fraud detection on the checkout page (set by Stripe, only when payments are enabled) | 1 year / 30 min | Third-party (Stripe), strictly necessary for payments |
We do not show a cookie consent banner because none is required: under the EU ePrivacy rules, strictly necessary cookies are exempt from prior consent, and we set no other cookies. If we ever introduce a non-essential cookie, we will add a consent-first banner before it loads and update this section.
11. Security
- HTTPS / TLS 1.2+ everywhere; HSTS enforced.
- Database encryption at rest, managed by Neon.
- OAuth-only authentication — we never store passwords.
- Browser fingerprints are hashed with a server-side secret salt before storage.
- Every uploaded image is hashed (SHA-256) on receipt, so Reports are verifiably tied to the exact file analyzed.
- Card data is handled exclusively by Stripe (PCI DSS Level 1) and never touches our servers.
- API keys for detection providers are stored as environment variables, not in source control.
- Webhook calls from Stripe are verified with a signing secret to prevent replay or spoofing.
No system is 100% secure. If we discover a breach affecting your personal data we will notify you and (where applicable) the relevant supervisory authority within 72 hours of becoming aware, in line with Article 33 / 34 GDPR.
12. Your rights — general
Regardless of where you live, you can ask us to:
- Confirm whether we hold data about you and access a copy of it.
- Correct inaccurate data.
- Delete your data (subject to legal retention).
- Export your data in a portable, machine-readable format.
- Restrict or object to certain processing.
- Withdraw consent where processing is based on consent.
13. EEA / UK rights (GDPR & UK GDPR)
If you are in the EEA, the UK, or Switzerland, you have these specific rights:
- Right of access — Article 15
- Right to rectification — Article 16
- Right to erasure (“right to be forgotten”) — Article 17
- Right to restriction of processing — Article 18
- Right to data portability — Article 20
- Right to object — Article 21
- Right not to be subject to automated decisions producing legal or similarly significant effects — Article 22 (see §17)
- Right to lodge a complaint with your local data protection supervisory authority. A list is available at edpb.europa.eu. UK residents may complain to the ICO.
14. California rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect, sources, and purposes.
- Receive a copy of the specific pieces of personal information we hold about you.
- Request correction of inaccurate personal information.
- Request deletion of your personal information.
- Opt out of the “sale” or “sharing” of personal information.
- Limit our use of sensitive personal information.
- Be free from retaliation for exercising these rights.
We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). We do not have actual knowledge that we sell or share the personal information of consumers under 16.
You may submit requests by emailing hello@aiimagedetector.info from the email address on your account. You may designate an authorized agent to make a request on your behalf; we may require proof of authorization.
15. Other US state privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US states with comprehensive privacy laws have rights similar to those above (access, deletion, correction, portability, opt-out of targeted advertising, profiling appeal). Use the same email channel; we will honor requests under your applicable state law.
16. Children
The Service is not directed to children under 13 (or under 16 in the EEA where applicable). We do not knowingly collect personal data from such children. If you believe a child has provided us with personal data, please contact us and we will delete it without delay. Paid plans require users to be 18 or older.
17. Automated decision-making & AI
The core output of the Service is automated image analysis: we verify cryptographic Content Credentials, examine embedded metadata, obtain probability scores from AI-detection engines, run a vision-model visual inspection, and aggregate the signals into a graded screening conclusion (AI-proven / high risk / inconclusive / low risk / camera-proven). We want to be honest about what that is and is not:
- A Report is an advisory screening grade about an image file, not a decision about a person, and it has no legal or similarly significant effect on anyone within the meaning of GDPR Article 22. You — not the Service — decide what, if anything, to do with a Report.
- Except where cryptographic credentials are present, results are probabilistic and can be wrong in both directions. Our Terms warn you never to rely on a Report as the sole basis for accusations, disciplinary action, publication decisions, or legal proceedings.
- Reports expressly include an “inconclusive” grade; we would rather say “we cannot tell” than manufacture false certainty.
Separately, our anti-abuse system uses your visitor fingerprint hash and IP address to decide whether to grant the welcome credits at signup. If you believe that decision was made in error, you can email hello@aiimagedetector.info to request a manual review by a human.
18. Links to third-party sites
Our Service may contain links to third-party websites (e.g. Stripe Checkout, Google sign-in, detection-provider documentation, reverse image search engines linked from Reports). Those sites operate under their own privacy policies; we are not responsible for their practices.
19. Do Not Track
Because we do not use tracking cookies for advertising, browser-level Do Not Track signals do not apply meaningfully to our Service. We do not respond to DNT signals because there is no consensus standard.
20. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes — for example, adding a new sub-processor, changing legal bases, or expanding the categories of data we collect — will be announced on this page at least 14 days before they take effect, and (if you have an account) we will email you. The date at the top of the page reflects the most recent update.
21. How to exercise your rights
To submit any privacy request:
- Email hello@aiimagedetector.info from the email address on your account, or include account-verifying information (account ID, last invoice ID).
- Tell us which right you are exercising and any details that help us locate the data (e.g. approximate sign-up date).
- We will respond within 30 days. If your request is complex we may extend by a further 60 days and we will tell you why.
- We may need to verify your identity to protect your data; we will not request more information than necessary.
- We will not discriminate against you for exercising your rights.
22. Contact
Questions, complaints, or requests regarding privacy:
- Email: hello@aiimagedetector.info
- Subject line: please prefix with
[Privacy]so we can route quickly.