Privacy Policy

1. Data Controller

BLY Software Labs is the data controller for personal data collected through the Service. For all privacy-related enquiries, requests, or complaints, contact us at info@sexygen.io.

2. Information We Collect

A. Information you provide directly

• Account data: name, email address, hashed password.
• Waitlist data: name, email, agency size.
• Profile and content data: AI creator profiles, appearance parameters, generation prompts, uploaded audio recordings, and any other content you submit.
• Support communications: messages and attachments you send to us.

B. Information collected automatically

• Session data: JWT tokens stored in HTTP-only cookies (sg_access_token, sg_refresh_token).
• Log data: IP address, browser type, operating system, referring URLs, pages visited, and timestamps. Logs may be retained for up to 12 months for security and legal compliance purposes.
• Usage data: API calls made, generation jobs submitted, features used, error events.

C. Information from third-party sign-in providers

• If you sign in via Google or Discord, we receive your verified email address and display name. We do not receive or store your provider password.

3. Legal Bases for Processing

• Contract performance: processing necessary to provide the Service, maintain your account, and fulfil generation requests.
• Legitimate interests: improving the Service, detecting and preventing fraud and abuse, enforcing our Terms, maintaining security, and preserving evidence for legal proceedings.
• Consent: where you provide explicit consent (e.g., uploading biometric data for voice cloning). You may withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing.
• Legal obligation: compliance with applicable UAE law, court orders, and requests from competent authorities.

4. How We Use Your Information

• Providing, operating, and maintaining the Service and your account.
• Authenticating your identity and maintaining secure sessions.
• Processing AI image, video, and voice generation requests.
• Sending transactional communications (account confirmation, billing notices).
• Detecting, investigating, and preventing fraudulent, abusive, or illegal activity.
• Enforcing our Terms of Service and other policies.
• De-identified and aggregated data: We may derive de-identified or aggregated insights from your usage and use them without restriction for any purpose, including product development and improvement, for as long as we choose. Such de-identified data is not personal data and is not subject to this Policy.
• Complying with applicable law and responding to lawful requests from authorities.
• Litigation hold: When we reasonably anticipate legal proceedings, we may preserve data beyond standard retention periods without notice to you.
• Business transfers: In connection with a merger, acquisition, financing, or sale of all or a portion of our assets, your data may be transferred to the acquiring or successor entity. We will notify you via email or a prominent notice on the Service before your data becomes subject to a materially different privacy policy.

5. Disclosure of Your Information

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We may share your data in the following circumstances:

Sub-processors

We use the following third-party sub-processors to operate the Service. We may add, replace, or remove sub-processors at any time; material changes will be notified with reasonable notice. We are not responsible for sub-processor breaches that occur despite our contractual safeguards, and we cannot guarantee that a sub-processor will delete your data after you request erasure from us.

Law enforcement and legal process

We will disclose data when required by law, subpoena, court order, or request from a competent governmental authority, including mandatory disclosures to report suspected child exploitation. We may make such disclosures without prior notice to you where permitted or required by law, and we will cooperate fully with resulting investigations.

Protection of rights

We may disclose data when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of BLY Software Labs, our users, or the public; to detect, prevent, or address fraud, security, or technical issues; or to enforce our Terms of Service.

6. Cookies and Tracking

We use HTTP-only, Secure cookies solely for session authentication. These cookies are not accessible to client-side JavaScript and are not used for cross-site tracking or advertising. We do not use analytics cookies, advertising pixels, or fingerprinting technologies. Disabling cookies in your browser will prevent access to authenticated areas of the Service.

7. Data Retention

We retain your personal data for as long as your account remains active or as needed to provide the Service. Upon account deletion, we will delete or irreversibly anonymise your personal data within 30 days, except:

• Where retention is required by applicable law (e.g., financial records, anti-money laundering obligations).
• Where data is subject to a litigation hold.
• Where retention is necessary to resolve disputes, enforce our Terms, or prevent fraud.
• Log and security data may be retained in anonymised or aggregated form for up to 12 months.
• We cannot guarantee that sub-processors will delete your data upon our instruction; their retention is governed by their own policies.

8. Security

We implement technical and organisational measures including TLS encryption in transit, bcrypt password hashing, per-user scoped API keys, HTTP-only Secure cookies, and staff access controls. We cannot guarantee absolute security and disclaim liability for any unauthorised access resulting from: (a) your own actions (e.g., credential sharing, use on unsecured devices); (b) a third-party sub-processor breach despite our contractual safeguards; or (c) events beyond our reasonable control. You are responsible for securing your own devices, credentials, and account.

9. International Data Transfers

BLY Software Labs is based in Dubai, UAE. Your data may be processed and stored in the UAE, the United States, and other jurisdictions where our sub-processors operate. Data protection laws in those jurisdictions may differ from those in your country. By using the Service, you consent to such transfers. Where required, we rely on appropriate transfer mechanisms to protect your data.

10. Your Rights

Subject to applicable law, our legitimate interests, and legal obligations, you may have the right to:

• Access a copy of the personal data we hold about you.
• Rectification of inaccurate or incomplete data.
• Erasure of your personal data, subject to our retention obligations and litigation hold rights.
• Restriction of processing in certain circumstances.
• Data portability in a structured, machine-readable format, where technically feasible.
• Objection to processing based on legitimate interests.
• Withdrawal of consent where processing is based on consent.

To exercise any right, email info@sexygen.io. We will respond within 30 days. We may require identity verification before fulfilling any request and reserve the right to charge a reasonable administrative fee for requests that are manifestly repetitive or excessive. We reserve the right to deny requests that are manifestly unfounded, excessive, or in conflict with our legal obligations or legitimate interests.

11. Children's Privacy

The Service is strictly for users aged 18 or older. We do not knowingly collect data from any person under 18. If we discover data was collected from a minor, we will delete it immediately and terminate the account. Contact info@sexygen.io immediately if you believe a minor has submitted data to us.

12. Limitation of Privacy-Related Liability

To the fullest extent permitted by applicable law, our liability for any breach of this Privacy Policy or applicable data protection law is subject to the limitations set out in the Terms of Service. Specifically, we are not liable for breaches caused by: (a) your own actions or failure to secure your account; (b) a sub-processor's independent breach despite our contractual safeguards; or (c) any event outside our reasonable control. Our maximum aggregate liability for any privacy-related claim is capped at the same limit set out in the Terms of Service.

13. Changes to This Policy

We may update this Policy at any time. Material changes will be notified via email or a prominent in-Service notice at least 14 days before taking effect. The "Last updated" date reflects the most recent revision. Continued use after the effective date constitutes acceptance of the revised Policy.

14. Governing Law and Disputes

This Privacy Policy is governed by the laws of the Emirate of Dubai and the applicable federal laws of the United Arab Emirates, including UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection. Disputes arising under this Policy are subject to the dispute resolution provisions of the Terms of Service, including binding arbitration and the one-year limitation period.

15. Contact