YouThere Privacy Policy

1. Who we are

• Controller: Osprey Labs Limited (trading as YouThere)
• Address: 128 City Road, London, EC1V 2NX, United Kingdom
• Email: info@youthere.ai

If you have any questions about this Privacy Policy or want to exercise your rights, contact us at info@youthere.ai.

2. Scope

This Privacy Policy applies to:

• the YouThere website and web application;
• our support communications; and
• related services that link to this Privacy Policy.

It does not cover third-party sites or services you access via links from the Service (for example, Stripe checkout pages or third-party websites you may visit).

3. Age restriction

The Service is strictly for users aged 18+. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided personal data to us, please contact info@youthere.ai and we will take steps to delete it.

4. Personal data we collect

We collect personal data in the following categories (depending on how you use the Service):

A. Information you provide

• Contact details (e.g., email address) if you create an account, contact support, or otherwise communicate with us.
• Support messages you send to us (which may include personal data you choose to provide).
• User Content you upload or submit:
  • Prompts (text instructions you type)
  • Images you upload, paste, or reference (including image URLs)
  • Any other content you submit for generation/editing/merging

B. Information collected automatically when you use the Service

• Device and browser data, such as:
  • IP address
  • device type, operating system, browser type/version
  • language, time zone, and similar settings
• Usage data, such as:
  • pages/screens viewed, features used
  • timestamps, interaction data, performance metrics
  • error logs and crash reports
• Identifiers and anti-fraud signals, including device identifiers created using services such as FingerprintJS (or equivalent) to help:
  • prevent fraud and abuse,
  • enforce free-tier and credit rules,
  • maintain service integrity.

C. Payment and transaction data

If you purchase credits, payments are processed by Stripe (our payment provider). We may receive and store:

• purchase history (e.g., credit pack purchased, date/time, amount);
• limited payment metadata (e.g., payment status, last 4 digits, card brand may be provided by Stripe);
• billing-related details to the extent provided by Stripe.

We do not receive or store your full card number.

D. Stored content and history

Depending on your settings and how the Service is implemented, we may store:

• your generation/edit history;
• previously generated images;
• usage balances/credits associated with an account and/or device identifier.

5. How we use personal data (purposes)

We use personal data to:

1. Provide the Service
   • process your prompts and images to generate or edit images;
   • deliver outputs, maintain history (where enabled), and provide core functionality.
2. Manage credits, accounts and payments
   • allocate, track, and deduct credits;
   • provide receipts and manage purchases;
   • prevent duplicate free-credit abuse.
3. Security, fraud prevention and abuse detection
   • detect and prevent suspicious activity, spam, automated abuse, and fraudulent transactions;
   • protect users and the Service.
4. Operate, maintain, and improve the Service
   • monitor performance and reliability;
   • troubleshoot errors and improve user experience;
   • develop new features.
5. Customer support
   • respond to enquiries and support requests.
6. Legal compliance
   • comply with legal obligations and enforce our Terms;
   • respond to lawful requests and protect our legal rights.
7. Communications
   • service messages (e.g., important updates about availability or billing);
   • optional marketing communications if you opt in (where applicable).

6. Legal bases (UK GDPR / GDPR)

Where UK GDPR applies (and where relevant, EU GDPR), we rely on the following legal bases:

• Contract (Article 6(1)(b))

  To provide the Service you request (including processing your prompts/images, managing credits, and delivering outputs).

• Legitimate interests (Article 6(1)(f))

  To operate and secure the Service, prevent fraud/abuse (including device identification), improve performance, and maintain service integrity. We balance these interests against your rights.

• Legal obligation (Article 6(1)(c))

  For compliance duties (e.g., tax, accounting, responding to lawful requests).

• Consent (Article 6(1)(a))

  Where required, such as for non-essential cookies/technologies or certain marketing communications.

You can withdraw consent at any time where we rely on consent (this does not affect processing already carried out).

7. AI processing and third-party AI providers

To generate and edit images, the Service sends relevant inputs to our AI providers. This may include:

• your prompt text,
• your uploaded image(s) (including faces), and
• relevant instructions/settings needed to produce an output.

Google Gemini API

We use Google’s Gemini API via an AI gateway to generate/edit images.

• Data sent: prompts, images, and related request metadata required to process the request.
• How Google uses data: Our AI provider may process this data to provide the requested output and may temporarily log data for abuse detection, safety, and compliance in line with its terms and policies.

Your responsibilities when uploading images of people

If you upload images of identifiable individuals (including for face swap/merge features), you must ensure you have the necessary rights and consents, and that your use complies with applicable law.

8. Who we share personal data with

We may share personal data with trusted third parties, including:

• Hosting and delivery (e.g., Vercel and related infrastructure providers) to host and operate the web app.
• Database and storage (e.g., Supabase) to store account/credit data and (where applicable) history/content.
• Payments (e.g., Stripe) to process payments and prevent fraud.
• Device identification / anti-fraud (e.g., FingerprintJS) to help identify devices and prevent abuse.
• AI providers (e.g., Google Gemini API) to process prompts/images and generate outputs.
• Professional advisers (lawyers, accountants, auditors) where necessary.
• Authorities and regulators where required by law, or to protect rights, safety, and the integrity of the Service.

We do not sell your personal data.

9. International transfers

We are based in the UK, but our service providers may process data in other countries (including the United States and other jurisdictions). Where personal data is transferred internationally, we use appropriate safeguards, such as:

• the UK International Data Transfer Agreement (IDTA) and/or UK Addendum to EU Standard Contractual Clauses (SCCs),
• adequacy decisions where applicable, and
• vendor security and contractual controls.

10. Data retention

We keep personal data only as long as necessary for the purposes described above.

Typical retention periods (which may vary based on legal requirements and operational needs):

• Account/contact data: for as long as you maintain an account, and thereafter as needed for legal/compliance purposes.
• Generation history / stored content: for as long as the feature is enabled and associated with your account/device; you may be able to delete history from within the Service (where provided). Backups may persist for a limited period.
• Device identifiers (anti-fraud): retained for as long as necessary to prevent abuse and enforce credit rules.
• Payment and tax records: typically up to 6 years (UK accounting/tax norms), or longer where required.
• Logs/security records: retained for limited periods for security, debugging, and compliance.

If you request deletion, we will delete or anonymise data unless we must keep it for legal reasons.

11. Security

We use reasonable technical and organisational measures designed to protect personal data, such as:

• access controls and least-privilege permissions;
• encrypted connections (HTTPS);
• monitoring and abuse prevention measures.

No system is 100% secure. You are responsible for keeping your devices and credentials secure.

12. Cookies and similar technologies

We use cookies and similar technologies (including local storage) to:

• enable essential site/app functionality,
• remember preferences,
• support security and fraud prevention,
• and (if enabled) analytics.

Essential cookies/technologies

These are required to operate the Service (e.g., login sessions, security, and core functionality). They cannot usually be disabled without breaking the Service.

Device identification

We may use device fingerprinting or similar techniques (e.g., via FingerprintJS) to identify devices for fraud prevention and credit enforcement. This may involve collecting device/browser signals and generating an identifier.

Analytics cookies (optional)

If we use analytics tools, we will (where legally required) request your consent via a cookie banner or settings tool.

You can control cookies via browser settings. Some features may not function if you block certain technologies.

13. Your rights

Depending on your location, you may have rights under UK GDPR, EU GDPR, and/or other privacy laws. These may include:

• Access – request a copy of your personal data.
• Rectification – correct inaccurate or incomplete data.
• Erasure – request deletion in certain circumstances.
• Restriction – limit processing in certain circumstances.
• Portability – receive your data in a structured, commonly used format (where applicable).
• Objection – object to processing based on legitimate interests.
• Withdraw consent – where processing is based on consent.
• Complain – lodge a complaint with a data protection authority.

UK complaints

If you are in the UK, you can complain to the Information Commissioner’s Office (ICO). We encourage you to contact us first so we can try to resolve your concern.

To exercise your rights, contact: info@youthere.ai.

We may ask you to verify your identity before responding.

14. Automated decision-making

We may use automated tools to detect fraud, enforce rate limits, prevent abuse, and protect the Service (e.g., blocking suspicious usage patterns). Where this results in restrictions, you can contact us at info@youthere.ai to request review.

15. Third-party links and user actions

The Service may include links to third-party websites (e.g., source links, external image URLs, Stripe checkout). We are not responsible for third-party privacy practices. Please review their policies.

If you choose to share Generated Content publicly or with third parties, you do so at your own risk and are responsible for compliance with applicable laws and platform rules.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version on our website and update the “Last updated” date. If changes are material, we may provide additional notice within the Service.

17. Contact us

For questions, requests, or complaints:

Email: info@youthere.ai