Privacy Policy

Last updated: April 17, 2026

This Privacy Policy explains how Dreamlux AI, operated by Innomatrix Limited, a company registered in the United Kingdom ("we", "us", "our"), collects, uses, shares, and protects your personal data when you use the website https://dreamlux.ai and any associated service (together, the "Service").

For the purposes of the UK GDPR and the EU GDPR, we are the controller of your personal data. For the purposes of the California Consumer Privacy Act (CCPA/CPRA), we are the business.

Summary. We collect only what we need to run the Service, keep you safe, and comply with the law. We do not sell your personal data. We do not use your uploads to train our general AI models without your explicit opt-in. You can access, correct, delete, or export your data at any time by writing to [email protected].

1. Information We Collect

1.1 Information you provide

Account data: email address, display name, profile picture (if provided), password hash, and the identity provider used (Google, Facebook, Apple, email).
Purchase data: plan chosen, currency, amount, purchase timestamp, and the last four digits and brand of the payment instrument. Full card numbers and bank details are handled by our payment processors (Stripe, PayPal) and never reach our servers.
Uploads and prompts ("Your Input"): the images, videos, audio, and text prompts you submit to generate content.
Support and communication: any message you send us, including content of emails, attachments, and chat messages.

1.2 Information we collect automatically

Device and technical data: IP address, browser type and version, operating system, device type, screen size, language, and approximate region derived from IP.
Usage data: pages visited, features used, generation tasks created, credit consumption, error messages, and timestamps.
Cookies and similar technologies: see Section 6.

1.3 Information from third parties

Identity providers (Google, Facebook, Apple) pass us the name, email, and avatar you chose to share when signing in with their service.
Payment processors (Stripe, PayPal) pass us the result of each transaction, a transaction reference, and a fraud-risk signal.
Analytics and ads platforms may share aggregated insights about how visitors reached our site.

2. How We Use Your Data

Purpose	Categories of data used
Provide the Service (generate, store, and deliver your content; credit accounting).	Account, Uploads/Prompts, Usage.
Process purchases and prevent payment fraud.	Purchase, Device, third-party fraud signals.
Customer support.	Account, Communication, Usage.
Safety & AUP enforcement (detect and block prohibited content).	Uploads/Prompts, Generated Output, Device, Usage.
Legal compliance, audit, and enforcing our Terms.	All categories as needed.
Service improvement & analytics (aggregated metrics, debugging).	Usage, Device. Uploads are never used for this purpose without opt-in.
Marketing emails to existing customers about similar services (opt-out at any time).	Account, Communication.

3. Legal Bases (UK/EU)

Under the UK and EU GDPR we rely on the following lawful bases:

Performance of a contract — to deliver the Service you have purchased.
Legitimate interests — to keep the Service safe, prevent fraud, run analytics, and improve the product, balanced against your rights and freedoms.
Consent — for non-essential cookies, marketing to prospects, and any opt-in use of your uploads for model training.
Legal obligation — to respond to law-enforcement requests and comply with tax, accounting, and consumer-protection laws.

4. Sharing & Disclosure

We share personal data only with:

Hosting and infrastructure providers that run our databases, storage, and compute under our instruction.
Payment processors: Stripe, Inc. and PayPal (Europe) S.à r.l. et Cie, S.C.A. — to take payment and refund you.
AI inference providers that run the models producing your Output (see Section 5).
Analytics providers such as Google Analytics, used in aggregated, pseudonymised form.
Communication providers for transactional and support emails.
Fraud-prevention, anti-abuse, and safety-moderation partners.
Professional advisers (accountants, lawyers) under confidentiality.
Authorities when legally required (court orders, regulators, police) or to prevent imminent harm.
A successor in the event of a merger, acquisition, or corporate restructuring. Any such successor must honour the commitments in this Policy.

We do not sell personal data as that term is used under the CCPA/CPRA. We do not share personal data with advertisers for cross-context behavioural advertising without your opt-in.

5. AI Providers & Training

Dreamlux AI uses a mix of in-house systems and third-party AI providers (including ViDu, Flux, Stable Diffusion-family models, and similar) to generate Output. When you submit a prompt or an upload, the relevant data is routed to the provider that runs the chosen model, is processed to produce the Output, and the result is returned to you.

We select providers that contractually agree not to use your data to train their general models by default, and we configure the opt-out where available.
We do not use Your Input to train our own general models unless you explicitly opt in, for example by marking a generation as public in a training programme.
Uploads, prompts, and Output are retained on our infrastructure so that you can access your history, and so that we can enforce the Acceptable Use Policy. You can delete them individually at any time.

6. Cookies & Tracking

We use cookies and similar technologies for three purposes:

Strictly necessary — sign-in session, CSRF protection, language preference, fraud prevention. These are always active and cannot be disabled without breaking the Service.
Analytics — to measure how the Service is used. We only enable these after you consent via the cookie banner (where the banner is required).
Marketing — to measure the performance of ads that brought you to the Service. Only enabled after you consent.

You can withdraw consent at any time through the cookie banner. You can also disable or delete cookies through your browser settings, but doing so may affect essential features.

7. Data Retention

Data	Retention
Account profile	While the account is active, then 30 days after deletion (for reactivation and fraud checks), then anonymised or deleted.
Uploads and Output	Up to 180 days from creation by default, or as long as you keep them in your account, whichever is longer. You can delete individual items at any time.
Purchase records and invoices	7 years (tax and accounting requirement under UK law).
Support tickets	3 years.
Server logs	Up to 90 days.
Backups	Up to 35 days from the date of backup; overwritten on rotation.

Where we have a legal or regulatory reason to keep data longer (such as for an ongoing investigation), we will keep only the data strictly necessary for that purpose.

8. Data Security

We protect your data with measures appropriate to the risk, including:

Encryption in transit (TLS 1.2 or higher) for all network traffic.
Encryption at rest for sensitive data (passwords hashed with bcrypt/argon2, database storage encrypted).
Role-based access control, audit logging, and least-privilege principles for our staff.
Firewalls, rate limiting, and automated abuse detection.
Regular security reviews, dependency scanning, and prompt patching.

No system is 100% secure. If we become aware of a breach affecting your personal data we will notify you and the competent supervisory authority as required by law.

9. International Transfers

We are based in the United Kingdom. Some of our providers are in the United States, the European Economic Area, and elsewhere. When we transfer personal data out of the UK or EEA, we rely on:

UK adequacy regulations or EU adequacy decisions, where applicable;
Standard Contractual Clauses (including the UK International Data Transfer Addendum) supplemented by technical and organisational safeguards;
Your explicit consent for specific transfers where required.

You can request a copy of the relevant transfer safeguards by emailing [email protected].

10. Your Rights (UK / EU)

If you are in the UK or the EEA, you have the right to:

Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Erase your data ("right to be forgotten") subject to legal retention obligations.
Restrict or object to processing, including objecting to direct marketing.
Data portability — receive your data in a commonly used machine-readable format.
Withdraw consent at any time where processing is based on consent.
Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local EU supervisory authority.

To exercise a right, email [email protected] from the address associated with your account. We will respond within 30 days and will not charge you a fee for a reasonable request.

11. Your Rights (California & Other US States)

If you are a California resident, the CCPA/CPRA gives you the right to know what personal information we collect, to request deletion, to correct inaccurate information, to opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioural advertising), and to not be discriminated against for exercising your rights.

Residents of Virginia, Colorado, Connecticut, Utah, and other US states with similar laws have equivalent rights. Email [email protected] with the subject line US Privacy Request and we will verify your identity and respond within the statutory deadline.

12. Children's Privacy

The Service is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it. Safeguarding notes about AI-generated depictions of minors are set out in the Acceptable Use Policy.

13. Third-Party Links

The Service may contain links to third-party sites (for example, payment processors, social networks, and blog partners). We are not responsible for the privacy practices of those sites. Please read their privacy policies before providing personal data.

14. Changes

We may update this Privacy Policy to reflect changes in the Service, our operations, or applicable law. If a change is material we will notify you by email or in-product notice in advance. The "Last updated" date above always reflects the current version. If you do not agree with an update, please stop using the Service and contact us to close your account.

15. Contact & Complaints

For any privacy question, rights request, or complaint:

Email: [email protected] (please use subject Privacy Request)
Postal address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

If you are not satisfied with our response, you can lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or, for EEA residents, with the supervisory authority in your country of residence.