Privacy Policy
Last updated: 2 July 2026
This policy explains what data InkEngine collects, why, who it is shared with, and the rights you have over it. Short version: we collect what the product needs to work, we run no advertising or analytics trackers of any kind, and we never sell your data.
1. Who we are (data controller)
InkEngine is operated by Moneytise Ltd (company no. 16803031), registered office 17 Green Lanes, London, England, N16 9BS, which is the data controller for personal data processed through InkEngine under the UK GDPR and the Data Protection Act 2018. Contact: maydin@moneytise.co.
For payments, Stripe acts as merchant of record and is an independent controller of your payment data (see Sections 7 and 14).
2. Data we collect
- Account data — your email address, password (stored only as a salted hash by our authentication provider, Supabase), and display name. If you sign in with Google, we receive your Google account email and name.
- Profile and settings — your subscription tier, preferred model quality, and Google Drive folder settings.
- Content — the prompts you enter, inspiration images you upload, and the images generated, upscaled, and edited for you (stored in Supabase Storage), plus project metadata.
- Google Drive tokens — if you connect Google Drive, we store the OAuth access and refresh tokens needed to upload your images to your Drive (see Section 4).
- Billing identifiers — your Stripe customer ID, subscription ID, and subscription status. We never receive or store your card number — Stripe collects payment details directly.
- Usage records — your credit ledger (grants, spends, refunds, expiry) and generation/upscale counts.
- Technical data — standard server logs (IP address, browser user agent) from our hosting infrastructure, kept on a short rotating basis.
We use no analytics, advertising, or tracking scripts of any kind.
3. How we use your data, and our legal bases
| Purpose | Data | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Provide the Service — accounts, image generation, storage, credits | Account, content, usage records | Contract (6(1)(b)) |
| Send your prompts and images to AI providers to generate your images | Prompts, uploaded and generated images | Contract (6(1)(b)) |
| Upload your images to your Google Drive | Generated images, Drive tokens | Consent (6(1)(a)) — withdraw by disconnecting Drive |
| Sync your subscription and billing state with Stripe | Billing identifiers | Contract (6(1)(b)); legal obligation (6(1)(c)) for transaction records |
| Prevent abuse, fraud, and credit-limit circumvention; secure and debug the Service | Account, usage, technical data | Legitimate interests (6(1)(f)) — protecting the Service; balanced against your rights |
| Send service emails — receipts (via Stripe), security and account notices, changes to terms | Email address | Contract / legitimate interests |
We do not send marketing emails without your consent.
4. Google user data (Drive and Google sign-in)
InkEngine's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In practice:
- Drive access uses only the restricted drive.file scope — InkEngine can only see files and folders it creates itself, never your wider Drive.
- Drive data is used solely to upload your generated images to your Drive and to create or list your chosen export folder — never for advertising, and never sold.
- No humans read your Google data except with your consent for support, for security purposes, or where required by law.
- Your Drive tokens are deleted when you disconnect Drive in Settings. You can also revoke InkEngine's access at any time at myaccount.google.com/permissions.
- Google sign-in data (email, name) is used only to authenticate you.
5. AI processing
To generate your images, your prompts and any inspiration images are transmitted to third-party AI provider partners (such as Google and Replicate). These providers process the data to produce your images; their API terms state that API inputs are not used to train their models. We recommend not including personal data about other people in prompts.
6. Cookies
InkEngine sets only strictly necessary cookies: the Supabase authentication cookies that keep you signed in. There are no advertising, analytics, or third-party cookies. Because strictly necessary cookies are exempt from consent requirements under PECR, we do not show a cookie banner.
7. Who we share data with
| Provider | Role | Data | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, content, usage records | EU (AWS eu-west-1, Ireland) |
| Sign-in, AI image generation, Drive export | Auth profile; prompts and images sent for generation; Drive tokens and uploads | US / global | |
| Replicate | AI image generation, upscaling, background removal | Prompts and images for those jobs | US |
| Stripe (privacy policy) | Merchant of record: payments, tax, invoicing | Payment and billing data (independent controller) | US / global |
We may also disclose data where required by law (courts, regulators), and in a merger or acquisition your data may transfer to the successor with notice to you. We do not sell personal data and share nothing for advertising.
8. International transfers
Some providers above process data in the United States. Where personal data leaves the UK/EEA, transfers are protected by appropriate safeguards — the UK Extension to the EU-US Data Privacy Framework where the provider is certified, and otherwise the UK International Data Transfer Agreement or Standard Contractual Clauses. Copies of the relevant safeguards are available on request.
9. How long we keep data
- Account data — for the life of your account, then deleted within 30 days of closure.
- Images and prompts — until you delete them or your account is closed (plus up to 30 days in backups).
- Google Drive tokens — until you disconnect Drive or close your account; deleted promptly.
- Credit ledger and billing-related records — up to 6 years after the transaction, for accounting and legal record-keeping, even after account closure.
- Server logs — short rotating retention.
10. Security
Data is encrypted in transit (TLS). Database access is protected by row-level security so users can only reach their own records; passwords are hashed; OAuth tokens are stored server-side and never exposed to the browser; access to production systems is limited. No method of transmission or storage is 100% secure, but if a breach affects your rights we will notify you and the ICO as required by the UK GDPR.
11. Share links
If you create a share link for an image, anyone with that URL can view or download the image without logging in. The link may redirect to the copy in your Google Drive if Drive export is enabled. Only create share links for images you are comfortable making public; deleting the image disables its link.
12. Your rights
Under the UK GDPR you can ask us to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete your data ("right to be forgotten");
- restrict or object to processing, including processing based on legitimate interests;
- receive your data in a portable format;
- withdraw consent at any time (for example, by disconnecting Google Drive) — this does not affect processing before withdrawal.
To exercise any right, email maydin@moneytise.co. We may need to verify your identity, and we respond within one month. You also have the right to complain to the Information Commissioner's Office (ico.org.uk) or, if you are in the EEA, your local supervisory authority.
13. Children
InkEngine is for adults aged 18 and over. We do not knowingly collect data from children; if you believe a child has created an account, contact us and we will delete it.
14. Payments and Stripe
Stripe is the merchant of record for InkEngine subscriptions and an independent controller of the payment data it collects (card details, billing address, tax location) — see Stripe's Privacy Policy. We receive only customer and subscription identifiers and subscription status.
15. Changes to this policy; contact
If we make material changes to this policy we will notify you by email or a prominent in-app notice before they take effect; the "Last updated" date above always reflects the current version.
Contact: maydin@moneytise.co · Moneytise Ltd (company no. 16803031), 17 Green Lanes, London, England, N16 9BS.