Privacy Policy

Last updated: May 24, 2026

What data HexGen collects, why we collect it, and what you can do about it. We do not train AI models on your prompts or generations.

1. About this policy

This Privacy Policy explains what personal data the HexGen team ("we", "us") collects when you use HexGen (the "Service"), how we use it, and the choices you have. We are the data controller for the data described below.

2. Data we collect

We collect only what we need to run the Service for you.

  • Account data. Your email address and the sign-in identifier from the auth provider you choose. We do not store passwords for accounts that use social sign-in.
  • Generation data. The prompts you write, references and other media you upload, the model you choose, generation parameters, the outputs we render, and your HGcoin balance and ledger.
  • Payment metadata. Top-up amount, currency, status, and a transaction ID from our payment provider. We never see your full card number. Card and banking details are handled directly by the payment provider.
  • Usage telemetry. Page views, feature interactions, request timings, and errors. We use this to keep the Service stable and to spot bugs.
  • Device data. IP address, browser type, language, and operating system, which we use for security, rate limiting, and basic analytics.

3. How we use your data

  • To provide the Service: render your generations, manage your HGcoin balance, show your gallery, and process top-ups.
  • To keep the Service safe: prevent abuse, enforce our Terms, and respond to security incidents.
  • To improve the Service: fix bugs, measure performance, and understand which features are useful.
  • To communicate: send transactional emails (sign-in, receipts, important account notices). Marketing emails are opt-in.
  • To meet legal obligations: tax records, fraud prevention, lawful requests from authorities.

4. We do not train models on your data

Your prompts, uploads, and generations are not used to train AI models. HexGen does not train its own models, and we do not grant third-party model providers the right to train on your content. Each generation is sent to the provider only for the purpose of producing the output you requested, and is governed by that provider's own data-handling terms (see Subprocessors below).

5. Subprocessors

We rely on a small set of trusted vendors to run HexGen. Each one only sees the data it needs to do its job.

  • Model providers (Google, OpenAI, ByteDance, Kuaishou, and others we add later). They receive the prompt, reference media, and parameters for the generations you run on their models, and return the output.
  • Cloudflare R2. Stores your uploads and generated outputs as objects.
  • Hetzner Cloud. Hosts our application servers, database, and queue in Germany.
  • Stripe. Processes payments. They handle the card data directly under their own privacy policy.
  • Sentry. Receives client and server error reports to help us debug crashes.
  • PostHog. Receives product analytics events so we can understand feature use. EU-hosted instance.
  • Axiom. Receives operational metrics and logs from our servers.
  • Email delivery. Sends sign-in and transactional emails on our behalf.

This list may change as we add or replace providers. Where required by law we will obtain consent or update this policy before introducing a new category of subprocessor.

6. How long we keep data

  • Account data is kept for as long as your account is active.
  • Generations and uploads are kept until you delete them or close your account. After deletion, copies may persist in encrypted backups for up to 30 days before being purged.
  • Payment records are retained for the period required by tax and accounting law in our jurisdiction (typically 7 to 10 years).
  • Operational logs and analytics are retained for up to 90 days, after which they are aggregated or deleted.

7. Your rights

Depending on where you live, you have the right to access, correct, export, restrict, or delete your personal data, and to object to certain processing. You can:

  • Download your data and generations from inside the app.
  • Delete individual generations and uploaded files at any time.
  • Close your account from the settings page; this triggers a full data deletion within 30 days, subject to the legal retention rules above.
  • Email support@hexgen.app if you'd like us to help with any of the above.

If you believe we have mishandled your data, you have the right to lodge a complaint with your local data-protection authority.

8. Cookies and analytics

We use a small number of first-party cookies (and similar local-storage items) for things like keeping you signed in, remembering your locale, and preventing abuse. Product analytics (PostHog) and error reporting (Sentry) are loaded with minimal IDs that let us correlate sessions without identifying you personally. You can clear these from your browser at any time.

9. International transfers

HexGen is hosted in the European Union. When you use a model provider whose infrastructure is outside the EU, your prompt and the related media are transferred to that provider's region for processing. Where required, those transfers rely on Standard Contractual Clauses or equivalent safeguards.

10. Children

HexGen is not directed to children and is not intended for users under 18. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us and we will remove it.

11. Changes to this policy

We will update this policy as the Service evolves. When changes are material we will update the "Last updated" date above and, where appropriate, notify you inside the app or by email before they take effect.

12. Contact

For any privacy question or request, email support@hexgen.app.