Create Your Desire - AI-Powered Content Creation

Your privacy is important to us. This Privacy Policy explains what information Create Your Desire collects, how we use and share it, and your rights regarding your personal data. By using the Service, you consent to the data practices described in this Policy. If you do not agree, please do not use the Service.

1. Information We Collect

We collect various types of information in order to provide and improve our Service. This includes:

Account Information: When you create an account, we collect your email address (required for login and communication). You may also choose to provide your first name, last name, or a display name, and an avatar image URL for your profile (these are optional). We store a hashed version of your password via our authentication provider (Supabase Auth) — we never store your raw password. We also assign you roles within the platform (such as platform_admin, operations_manager, ai_model_manager, or analyst) based on your account and organization. If you register on behalf of an organization (tenant), we link your account to an Organization ID and record your subscription tier (e.g. Starter, Pro, Enterprise).
Self-Model Photos and Biometric Data: If you use our "Self Model" feature to create an AI persona of yourself, you will upload 3–5 photos of yourself. These photos may contain biometric identifiers (your facial image and characteristics). We temporarily process these photos to analyze features using computer vision (for example, via Google's Gemini Vision API) to create your AI model persona. Storage and Deletion: Uploaded photos for a self model are stored temporarily (up to 24 hours) during the AI analysis process. After the process, the original photos are deleted from our storage (unless you explicitly select one as a reference image for your AI persona). If you choose a reference photo (an avatar) to represent your AI persona, that image will be retained in your account until you remove it. We also keep the AI model data or characteristics derived from your photos (which may include biometric data in a technical form) as part of your persona configuration, so the AI can generate content resembling you. These derived data are stored as long as your persona or account exists (unless you delete the persona or account).
AI-Generated Content: We generate text and images based on your inputs. The text prompts you provide to the AI (for generating captions, posts, DMs, story scripts, etc.) and any parameters or configurations for personas are collected. We also store the AI-generated outputs (text responses or images) that are created for you, so that you can view or reuse them. This generated content is kept in your account until you delete it or delete your account. Note that AI-generated content itself may not always be considered personal data (it could be fictional), but if it is based on your personal information (like your persona), it could be related to you.
Usage Data and Analytics: When you use the Service, we automatically collect certain information about your activity:
- Session and Device Information: We assign a unique session ID for each user session (stored in your browser's local storage as analytics_session_id) to help us analyze usage patterns. We log information about your use of the Service, such as pages or screens viewed, features used, links clicked, and the time and duration of your activities. We also collect standard technical information sent by your browser or device: your IP address, browser type, operating system, device type, and referring URL (if you clicked a link to come to our site). We may also record your user agent string (which may include device and browser info).
- Analytics Events: Our platform records custom analytics events (in an analytics_events database table) for actions taken in the app (for example, creating a model, generating content, etc.). These events may include a description of the action, timestamps, your user ID or organization ID, and context (e.g., which page in the app triggered the event). This is used to understand feature usage and improve the user experience. Most analytics are done in-house through our own systems.
- Vercel Analytics & Speed Insights: We use Vercel Analytics and Speed Insights (provided by our hosting platform, Vercel) to understand site usage and monitor performance. These tools are privacy-focused: Vercel Analytics collects basic usage data (page views, referrers, device types) without cookies or personal identifiers, and Speed Insights measures page load performance (Core Web Vitals such as Largest Contentful Paint, First Input Delay, and Cumulative Layout Shift). This data is processed by Vercel solely for our site analytics and is not shared with third parties for advertising or tracking purposes. For more information, see Vercel's Privacy Policy.
Cookies & Local Storage: We use cookies and local storage to keep you logged in and to track preferences (see our Cookie Policy for details). For instance, when you log in, our authentication system may set a secure session cookie or token. We also store a flag in local storage (cookie-consent-given) to remember if you've given consent for optional analytics tracking, and the analytics_session_id as mentioned above. These help run the site and gather usage data.
Payment and Subscription Data: If you subscribe to a paid plan, we collect information related to your subscription and payments. We integrate with Stripe for payment processing. When you enter your credit/debit card information at checkout, that information is sent directly to Stripe; we do not see or store your full card details (though we may store a token or an identifier for your payment method provided by Stripe). Stripe shares with us limited information needed to manage your subscription, such as your Stripe customer ID, the last four digits of your card (for display/reference), card expiration date, and your subscription status (active, trial, canceled, etc.). We also receive payment transaction records (e.g., that a payment of $X on date Y succeeded or failed). Our database keeps track of your subscription tier, pricing, next billing date, and whether you are in a trial period. We may also retain records of your purchase history and any invoices or receipts issued. Note: All financial transactions are handled by Stripe on our behalf, and your use of payment info is also subject to Stripe's Privacy Policy.
Support and Correspondence: If you contact us for support or communicate with us (via email or other channels), we will collect the information you provide in those interactions. This may include your contact information, the content of your messages, and any attachments or screenshots you send. We use this information to assist you and to improve the Service.
Sensitive Personal Data: As noted, some data we handle could be considered sensitive (for example, biometric data from photos). We treat such data with extra care and only collect it when necessary (and with your consent, such as when you choose to use the Self Models feature). We do not collect any government-issued IDs, social security numbers, or financial account numbers. We also do not intentionally collect any information about your health, genetic or biometric identifiers for identification (our biometric use is only for creating your persona, not to identify/verify you), or precise geolocation. The Service is also not intended to collect any special categories of personal data under GDPR (like political opinions, religious beliefs, etc.) and you should refrain from providing those in the content you generate or upload.

2. How We Use Your Information

We use the collected information for the following purposes:

To Provide and Operate the Service: We process your personal data to create your account, authenticate you at login (e.g., using your email and password), and enable core Service features. For example, we use your photos and prompts to generate AI content for you, use your account info to display your profile and manage your workspace, and use your payment info to manage subscriptions and access levels. Without this information, we cannot deliver the Service functionality you expect.
Content Generation and Personalization: Your inputs (prompts, photos, persona settings) are used to generate the AI content you request. We may also use your past usage and content to personalize your experience – for instance, remembering your persona configurations or frequently used prompts.
Content Moderation and Safety: We use automated tools and human review to monitor and moderate content as described in our Terms. This means we may process your prompts and AI outputs (which could contain personal data) through our moderation systems (like OpenAI's moderation API) to detect prohibited content. We also keep logs of moderation actions linked to user accounts to enforce our community standards and handle any appeals or reviews.
Improvement and Analytics: Internal analytics data (usage logs, event data, session IDs) are used to understand how our users interact with the platform, which features are popular, and where issues may be occurring. This helps us improve the Service's functionality, UI/UX, and performance. For example, we might analyze that a certain feature is rarely used and decide to enhance or simplify it. We might also track error logs or crashes to debug and increase stability. Analytics are done in aggregate or pseudonymized form wherever possible. We do not use personal data for automated profiling or decision-making outside the scope of providing the Service (i.e., we're not evaluating you as a consumer, we're just analyzing how the product is used).
Customer Support: Information you provide in support requests (like your email or problem description) is used to help solve your issue and communicate with you. We may also use support correspondence to improve our support processes or fix underlying problems.
Communication: We may send you service and transactional emails. For example, email verification messages, password reset emails, billing receipts, subscription renewal notices, or important updates about your account or the Service (these are not promotional in nature, and you cannot opt out of such essential communications while you have an active account except by closing the account). We might also send you product updates, newsletters or promotional offers if you have opted in to such communications. You can unsubscribe from marketing emails at any time by following the link in those emails.
Security and Fraud Prevention: We use data (like IP addresses, logs, and other usage info) to monitor for suspicious or fraudulent activity. This helps protect our platform and users from breaches, misuse, and other harmful activities. For instance, we may detect multiple failed login attempts or unusual generation activity and take steps to secure the account. We also verify Stripe webhooks (payment events) using signatures to ensure they are authentic, protecting against fraud in subscription handling.
Legal Compliance: In certain cases, we may need to process personal data to comply with legal obligations. For example, retaining transaction records for financial regulations and audits, or responding to lawful requests by public authorities. We also process age confirmation records to demonstrate compliance with age restriction laws for adult content. If necessary, we may use or disclose information to enforce our Terms of Service, to meet our reporting obligations (e.g., in the event of certain security breaches, or content that requires reporting), or to protect our rights and the rights of others.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another related reason and that reason is compatible with the original purpose. If we need to use your information for an unrelated purpose, we will notify you and seek any necessary consent or legal basis.

3. How We Share or Disclose Information

We value your privacy and do not sell your personal information to third parties. However, we do share information in the following circumstances to run our business:

With Service Providers (Processors): We use trusted third-party companies to help us deliver the Service. These providers only receive the information necessary for them to perform their functions, and they are contractually obligated to protect it and use it only for our purposes, consistent with this Policy. Our key service providers include:
- Supabase (Database, Authentication, Storage): Our platform is built on Supabase, which provides our PostgreSQL database, user authentication, and file storage. All of your account data, content, and images are stored in databases or storage buckets hosted by Supabase. Supabase acts as a data processor, storing and retrieving data as we instruct. They may have incidental access to data for maintenance or support, but they do not use your data for their own purposes. See Supabase's privacy policy for more on how they handle data.
- Stripe (Payment Processing): When you enter payment details, that information goes directly to Stripe. Stripe processes your payments and stores your billing information (such as your card details, billing address, and payment history) on our behalf. We share with Stripe your email, and possibly name or organization name, to create a customer record, as well as information about your subscription plan and charges. Stripe is a PCI-DSS compliant payment processor. We do not have access to your full credit card number; Stripe provides us with a token or ID for the transaction and confirmation of payment. Stripe may also handle recurring billing and will notify us (via secure webhooks) of payment events. Please review Stripe's privacy policy for details on their practices.
- OpenAI (AI Text Generation and Moderation): Portions of your data may be sent to OpenAI's API when you use text-generation features or when content moderation checks are performed on text. Specifically, your text prompts and any context necessary for the AI to generate a response are sent to OpenAI's GPT-based models to produce the output. Additionally, content (either your prompt or the AI's output) might be sent to OpenAI's Moderation API to check for disallowed content. OpenAI will process this data to return the AI results or moderation flags. According to OpenAI's policy, they may retain API data for a limited time (e.g., 30 days) for abuse monitoring, but they no longer use it to train their models by default. We do not allow OpenAI to use your data for model training. Nonetheless, any data sent to OpenAI is subject to OpenAI's terms and privacy commitments.
- Replicate / Stability AI (AI Image Generation): When you request AI-generated images, we may use third-party AI model services such as Replicate (which hosts various AI models) or Stability AI's Stable Diffusion models. For example, if you create an AI persona image or other visual content, your text prompt (and possibly an embedding or representation of your self-model, if applicable) is sent to these image-generation services, and an image is returned. These providers process the data only to generate the image. They might log requests or outputs for a short period, but like OpenAI, they have policies regarding user data (we encourage you to check their privacy terms). We do not share your personal identity information with these services beyond what is in the prompt or image data necessary for generation.
- Google Cloud (Photo Analysis via Gemini Vision API): If you upload photos for a self-model, those images are sent to Google's Vision AI (Gemini) for analysis (such as detecting facial features or generating an AI representation). Google will process the images to return analysis results (e.g., biometric embeddings or descriptions). We do not store the photo on Google's servers beyond the processing; the image is sent and the result is received, then the image is deleted per our retention policy. Google might retain some data for a short period or for improving their services, as per their privacy policy, but this usage is governed by our agreement with Google. No personal identification like your name is sent with the image — only the raw image data.
- OnlyFansAPI (Third-Party Integration): Our platform offers an optional integration with OnlyFans via a third-party service (OnlyFansAPI.com) that allows you to publish AI-generated content or send messages to your OnlyFans account. This is entirely optional and disabled by default. If you choose to link your OnlyFans account, we will ask for your authorization and necessary credentials (such as an API token or login via the OnlyFansAPI service) to post content on your behalf. The data shared in this process will include the content you choose to publish (e.g., captions, images, messages) and possibly your OnlyFans account identifier or authentication token. We do not share other personal data with OnlyFans, only the content and necessary auth data you provide to facilitate the integration. Any content posted to OnlyFans is also subject to OnlyFans' own Privacy Policy and terms. We recommend reviewing their policies when you use that integration. We are not responsible for how OnlyFans handles data once it's published on their platform.
Within a Multi-Tenant Organization: If your account is part of an organization (tenant) with multiple authorized users (for example, in an Enterprise tier where a team works together), certain data may be shared with other users in your organization. For instance, if you are an ai_model_manager in your company's workspace, other members of your organization (with appropriate roles) may see content generated or uploaded in that workspace. However, each organization's data is isolated from other organizations via strict access controls (row-level security in our database). Users from one tenant cannot access data from another tenant's workspace.
Legal Requirements and Protection: We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to (a) comply with a legal obligation, such as a subpoena, court order, or other process; (b) protect and defend the rights or property of Create Your Desire; (c) act in urgent circumstances to protect the personal safety of users or the public; or (d) protect against legal liability. If we receive law enforcement requests for user data, we scrutinize them carefully and only comply if they are valid and required by applicable law.
Business Transfers: If Create Your Desire is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of that transaction. We will ensure that any successor entity honors the commitments in this Privacy Policy or provides notice and obtains consent if required by law for any material changes in data handling.
With Your Consent: In cases where you have given us explicit consent to share your information, we will do so in accordance with that consent. For example, if we ever want to use your testimonial or story on our website, we would ask for your permission. Or if you opt-in to a feature that involves sharing data with a third party not otherwise described (like a new integration), we will do so only with your knowledge.

We do not share or disclose your personal information to third parties for their own marketing or advertising purposes.

4. Cookies and Tracking Technologies

Our platform uses cookies and similar technologies sparingly and primarily for functionality. For detailed information, please review our separate Cookie Policy. In summary:

We use an authentication cookie or token to keep you logged in (an essential cookie).
We use local storage to remember your cookie consent choice (cookie-consent-given) and to store an analytics session identifier (analytics_session_id) for internal analytics.
We do not use any third-party advertising or tracking cookies (no Google Analytics, no ad networks). All analytics are done through our own systems.
We may use cookies to remember preferences or settings on the site (like if you dismiss a notification, we might set a flag so it doesn't show again).
Because we use some third-party services, they might set their own cookies when those services are loaded. For example, Stripe might set cookies to remember your session during the checkout process or to prevent fraud, and the OnlyFans integration (if used) might set cookies for authentication. Those cookies are controlled by the third parties and are governed by their policies.
You have choices to manage cookies: you can configure your web browser to refuse some or all cookies, or to alert you when cookies are being set. However, please note that if you block cookies, certain essential features (like staying logged in) may not work properly. On our site, we provide a cookie consent banner for any non-essential cookies; you can choose to opt out of analytics tracking and we will honor that choice by not setting the analytics local storage or events.

For more details or to change your preferences, see the Cookie Policy section below.

5. Data Storage and Security

Storage Locations: Your data is primarily stored in cloud data centers via our providers. Supabase (which hosts our Postgres database and file storage) may store data on servers in various regions. We aim to select server regions that are efficient for our user base; currently, our services are hosted in reliable data centers (the exact location may be subject to Supabase's infrastructure, but likely within regions that comply with strong security standards; for instance, Supabase uses AWS or Google Cloud under the hood). Stripe and other processors similarly store data on their secure servers. By using our Service, you acknowledge that your data may be transferred to and stored in servers located in countries different from your own.

Security Measures: We implement a variety of security measures to protect your personal information:

All network communication with our Service is encrypted via TLS/SSL (HTTPS) to prevent eavesdropping.
Passwords are hashed and salted using secure algorithms and never stored in plain text.
Our database access is protected by row-level security, meaning each user and organization can only access their own data; requests are authenticated with JSON Web Tokens (JWTs) provided by Supabase Auth.
Internally, we restrict access to personal data. Only authorized personnel (for example, a limited number of administrators or operations managers) have access to production databases or storage, and even then, they use it only for legitimate administrative purposes. Access logs are maintained.
We utilize API keys and secret credentials for third-party integrations, which are stored securely and rotated as needed. For example, we verify Stripe webhooks with a signing secret to ensure they truly come from Stripe.
We regularly update our software dependencies and apply security patches to address vulnerabilities. Our backend (NestJS on Node.js) and frontend (Next.js) frameworks are kept up-to-date.
We use cloud security best practices (firewalls, limited network access, principle of least privilege for accounts).
Files (such as user-uploaded images) in storage have access controls; only authenticated requests with proper tokens can retrieve them.
We may conduct periodic security audits and/or employ tools to scan for security issues.

Despite our efforts, no system can be 100% secure. Therefore, we cannot guarantee absolute security of your data. You also play a role in security: protect your account credentials and notify us if you suspect any unauthorized access to your account.

6. Data Retention

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, or as required for legitimate business or legal purposes. Here are our general retention practices:

Account Data: For active accounts, we retain your personal information for as long as your account is in use. If you delete your account or request deletion, we will initiate deletion of personal data associated with your account. However, we may keep a record that you had an account (email, basic info) in our archives for a short period in case you change your mind or for auditing and fraud prevention. Account data may also persist in backups for a period (see below).
Analytics Events: Data in our analytics_events logs are automatically purged after 90 days. We only keep recent analytics to analyze trends; older event data is deleted on a rolling basis beyond the 90-day window.
Self-Model Photos: As noted, original photos you upload for AI model creation are deleted within 24 hours once they have been processed. We retain one reference photo if you choose it, until you remove that persona or delete your account. The biometric analysis data derived from the photos is kept as part of your persona profile for as long as the persona or account exists, since it's needed for the AI to generate images resembling you. If you delete the persona or your account, this derived data will be deleted.
Generated Content: AI-generated text and images in your account are retained until you delete them or delete your account. You have the ability to delete specific generated items (for example, clearing a conversation or removing a generated image from your gallery). If you delete such content, it will no longer be accessible to you, but residual copies might remain briefly in database backups.
Payment Records: We retain payment and transaction records as long as required by tax law and financial regulations. Typically, financial records must be kept for a number of years (for example, Australia requires keeping transaction records for at least 5-7 years for tax purposes). This means that even if you delete your account, we might retain invoice records or basic subscriber information in our financial system to comply with those laws. However, these would be isolated and not used for any other purpose.
Communications: If you contacted support, we may retain those communications for a time to ensure we have context for any further issues and to improve our services. These will usually be kept for as long as your account is active, and a period after in case you reactivate or if needed for legal reasons.
Backups: Our databases and storage may be routinely backed up for disaster recovery. Backup files are encrypted and stored securely. They are retained for a limited time (often 7-30 days rolling) before being overwritten. Thus, even after data is "deleted" from our live systems, it might remain in encrypted backups for a short period until those backups cycle out. We will ensure that any restoration from backups (e.g., during a recovery) re-deletes information that was supposed to be deleted, if applicable.
Deletion Requests: If you exercise your right to deletion (see Your Rights below), we will delete your personal data from our active systems (and confirm to you once completed). We will also instruct our processors to delete any data they hold that they are not otherwise obligated to retain. As mentioned, certain information may be retained if required (e.g., payment records) or if in backup, but such data will remain securely stored and eventually purged in the normal backup deletion cycle.

In summary, we aim not to keep personal data longer than necessary. When data is no longer needed, we either anonymize it (so it can no longer be associated with you) or securely delete it.

7. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal data. We provide all users, regardless of location, with the ability to exercise the following core rights:

Access and Portability: You have the right to request a copy of the personal data we hold about you. This includes information in your account and possibly data you've provided or that has been generated about you. We provide tools in the Service for you to review much of this data directly (for example, you can view your profile info, your content, etc.). For a complete export, you can contact us or use available export features. We offer user data export tools (in compliance with GDPR's data portability requirement) that allow you to download your content and relevant data in a common format. If you need a comprehensive data export, email us and we will provide your data in a machine-readable format (such as JSON or CSV) for portability.
Rectification (Correction): If any of your personal information is inaccurate or outdated, you have the right to correct it. You can update most of your profile information directly in your account settings (e.g., change your name, avatar, email – note changing email may require re-verification). If you need to correct something you can't change (or if a self-model's data is somehow inaccurate), contact us and we will help correct it if possible.
Deletion (Right to be Forgotten): You have the right to request deletion of your personal data. You can achieve this by deleting your account in the settings if that option is provided. This will remove your profile and personal data from the active system as described in the Data Retention section. If you cannot self-delete, please contact us at info@createyourdesire.com.au to request account deletion. Upon verification of your identity and request, we will delete or anonymize your personal data, except for information we are required to retain (we will let you know if that is the case, e.g., "We have deleted everything except X which we must keep for legal reasons"). Once deleted, your account will no longer be accessible. Keep in mind that deletion is permanent; we cannot recover your account or content once it's removed. If there are pieces of content that are not stored in a way easily tied to your identity (for example, aggregated or anonymized data), we may not be able to specifically remove those from backup or logs, but we will purge what is identifiable. We will also notify third-party processors to delete data they hold on our behalf (unless retention is required). Note: If you have any ongoing subscription at the time of deletion, deleting your account will cancel the subscription going forward (with no refunds for the current period, per our Terms).
Withdrawal of Consent: In cases where we rely on your consent to process data (for example, using your biometric data, or using non-essential cookies/analytics), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal. For instance, if you no longer want us to use your data for analytics, you can opt out via the cookie settings or contact us. If you previously consented to an optional integration or feature, you can disable it (e.g., disconnect the OnlyFans integration if you enabled it). For biometric data (photos) used in the Self Model feature, your consent is given when you upload and proceed with that feature; if you withdraw consent, we will delete your photos (which we do automatically anyway after 24 hours) and any biometric templates, but note that doing so may mean we cannot provide the self-model functionality to you.
Restriction of Processing: You have the right to request that we restrict processing of your data in certain circumstances (for example, if you contest the accuracy of data, or if the processing is unlawful but you don't want it erased). This is typically applicable while a concern is resolved. Practically, if such a case arises, contact us and we can pause certain processing (for example, stop using your data in some way) until resolved.
Objection to Processing: You have the right to object to our processing of your data in some cases, particularly if we are processing it based on legitimate interests or for direct marketing. For example, you can object to receiving marketing emails – we will then cease marketing to you. You might also object to analytics tracking; in which case, we provide means to opt out as described. If you object to any processing necessary for the Service (like you don't want us to use your data for content moderation checks), we will explain if we cannot accommodate that (since such processing might be integral to providing a safe service).
Not to be Subject to Automated Decisions: Our platform does not make any legally significant decisions about you solely by automated means. The AI outputs and moderation might be automated processes, but they do not determine your access to a contract or service without human review in important matters. If ever in future we implement something like automated account banning by AI, we would provide an avenue for human review. At this time, decisions to terminate accounts are made with human involvement.

These rights may be subject to certain exemptions or limitations under applicable law. For example, we cannot provide data that includes other individuals' personal information without redaction, and we might refuse requests that are excessively repetitive or manifestly unfounded. If you are in the European Economic Area (EEA), United Kingdom, or similar jurisdictions, the above correspond to your GDPR rights. If you are in California, you have similar rights under the CCPA/CPRA (see below). We will not discriminate against you for exercising your privacy rights.

How to Exercise Your Rights: The easiest way for many requests is to contact us at info@createyourdesire.com.au with your request and sufficient information to verify your identity (we need to ensure the person making the request is the data subject or an authorized agent). If you have an account, using your registered email to contact us and specifying the request (access, deletion, etc.) is usually sufficient. We may ask for additional verification info if needed. We will respond to your request within a reasonable timeframe as required by law (typically within 30 days for GDPR, and 45 days for CCPA, with the possibility to extend as permitted). For data access or portability requests, we will provide the data in a commonly used electronic format.

8. Biometric Information

Because our Service processes photos of individuals to create AI models (which may involve biometric data, such as facial recognition vectors or characteristics), we want to address how we handle this sensitive information in compliance with applicable laws (like biometric privacy laws in some U.S. states, if they apply):

Consent: By uploading your photos and using the Self Model feature, you provide your explicit consent for us to process your biometric information for the purposes described (creating your AI persona and generating content). If you do not want us to analyze biometric data, you should not use this feature or upload your images. We do not collect biometric identifiers without user initiation and consent.
Limited Use: We will only use biometric data derived from your photos for the specific purpose of providing the Service to you – namely, generating AI content that resembles you and moderating that content as needed. We do not use your biometric data for any other purpose (such as identifying you in other images, or sharing with any third party for their own use, etc.). We do not sell or disclose your biometric identifiers to outside parties. The one exception is the processing by our service provider (Google's Vision API) as described, which is solely for generating the data for our use, under strict confidentiality.
Storage and Deletion: Original uploaded photos are deleted promptly (within 24 hours or sooner) after processing. Biometric templates or data (e.g., an encoded representation of your face used by the AI model) are stored in our system as part of your persona profile. If you delete your persona or your account, these biometric data are deleted along with it (or irreversibly anonymized). If you have not logged in or used your self-model for an extended period, we may also purge biometric data associated with inactive accounts as part of cleanup, but our primary trigger is account deletion or user request. (If required by certain laws like Illinois' BIPA, we would say we intend to delete biometric data within 3 years of your last interaction at the latest, but in practice we handle it on deletion of account.)
Protection: Biometric data, being sensitive, is protected with high security. It resides in our database just like other personal data, with access controls, encryption in transit and at rest, etc. Only a very limited set of employees or processors (e.g., the AI generation service) have access to it.
Notification and Destruction Policy: This Privacy Policy serves as notice of our biometric data practices. If any further specific notice or consent is required by law, we will provide it. We maintain a schedule for deletion as noted, and you can always request deletion sooner.

By using the Service's photo-based features, you acknowledge these practices. If you have questions or concerns about biometric data usage, please contact us.

9. International Data Transfers

Create Your Desire is an Australia-based service, but we operate online and work with providers in various countries (United States and others). This means your personal data may be transferred to, and processed in, countries other than your own. In particular, data may be stored on servers in the United States (since providers like Supabase, Stripe, OpenAI have infrastructure in the U.S.) or other jurisdictions. Australia, the US, and other countries may have different data protection laws than your country.

If you are located in the European Economic Area (EEA), UK, or Switzerland: whenever we transfer your personal data out of those regions, we take steps to ensure appropriate safeguards are in place to protect your information. This could include using specific contract clauses (Standard Contractual Clauses) approved by the European Commission, or transferring only to countries with adequate data protection levels, or other valid transfer mechanisms. Our major sub-processors like Stripe, Supabase, and Google have committed to compliance with GDPR transfer requirements (for example, Stripe and Google rely on SCCs for EU data transfer). By using our Service, you understand that your data may be transferred to our facilities and those third parties as described.

We will ensure that any international transfers are done in accordance with applicable privacy laws and that your data remains protected to the standards of your home jurisdiction. If such an arrangement is deemed inadequate, we will seek your consent for the transfer or cease the transfer.

10. Children's Privacy

As stated in our Terms, Create Your Desire is strictly 18+. We do not target or permit children to use our Service. We do not knowingly collect personal information from anyone under the age of 18. If you are under 18, you are not allowed to use the Service or provide any personal data to us. We explicitly require age confirmation during registration to enforce this.

If we become aware that we have inadvertently collected personal information from someone under 18, we will take steps to delete such information as soon as possible. If you are a parent or guardian and you believe we might have any information from or about a minor, please contact us immediately so that we can investigate and take appropriate action.

11. Additional Notices for California Residents (CCPA)

If you are a resident of California, you have specific privacy rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. Many of these rights (access, deletion, etc.) are substantively the same as those described in Section 7 above. This section uses CCPA terminology to ensure compliance:

Categories of Personal Information Collected: In the preceding 12 months, we have collected the following categories of personal information (as defined by CCPA):
- Identifiers (real name, email address, IP address, account ID, etc.).
- Customer Records (payment information via Stripe, billing history).
- Characteristics of protected classifications (age — we collect confirmation that you are 18 or older).
- Biometric Information (photos and facial data for those who use that feature).
- Internet or other electronic network activity (usage data, analytics, log data, cookie identifiers).
- Audio/visual data (photographs you upload, generated images which may depict you).
- Inferences drawn from the above (e.g., preferences or persona traits you provide, or inferences for content personalization).
We do not collect education, employment, or credit information, nor geolocation at a precise level.
Business or Commercial Purpose for Collection: We collect and use this information for the business purposes outlined in Section 2 (to provide the service, maintain security, etc.), which align with the purposes specified in CCPA (such as performing services, advertising and marketing (though we don't do third-party advertising, only internal marketing if any), security detection, debugging/repair, and service improvements).
Categories of Sources: We collect information directly from you (e.g., when you fill in forms, provide content, or from your device automatically through interactions) and from service providers (e.g., payment info from Stripe, or results from OpenAI/Google which originate from processing your input).
Disclosure of Personal Info: We have disclosed the above categories of information to service providers or contractors for business purposes (as detailed in Section 3). For example, identifiers and financial info to Stripe (payment processor), internet activity and usage to our cloud hosts (Supabase) and analytics processing (our internal systems), etc.
Sale or Sharing of Personal Info: Create Your Desire does not sell personal information as defined by the CCPA (i.e., we do not exchange your personal data for money or other valuable consideration with third parties for their own use). We also do not "share" your personal information for cross-context behavioral advertising purposes. We do not allow third-party advertisers to collect information from our site for targeted ads. Therefore, the opt-out of sale/sharing is not applicable. We do not have any actual knowledge of selling or sharing personal info of consumers under 16, either, because we do not allow under 18 at all.
Your Rights (CCPA-specific): You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you (a "Request to Know"), the right to request deletion of your personal information, the right to correct inaccurate personal information, and the right to opt-out of the sale or sharing of personal information (though as stated, we do not sell or share in that manner). You also have the right to non-discrimination for exercising your CCPA rights. To exercise any of these rights, you or your authorized agent may contact us (see Contact section). We will need to verify your identity (such as by verifying control of your email address or other information) for Requests to Know or Delete. For an authorized agent request, we may require proof of the agent's registration or your written permission.
Sensitive Personal Information: We do collect what CCPA considers "sensitive personal information" (e.g., login credentials, biometric data in photos, etc.), but we only use it for necessary purposes (like authentication, providing the service) and not to infer characteristics about you. Therefore, under CPRA regulations, we treat it as required for service provision and do not offer a right to limit use of sensitive info beyond what is already described (since we're not using it for secondary purposes like marketing).
Retention: We have described our retention practices in Section 6. Generally, we keep data as long as needed for the purpose, and certain info for legally required durations. We do not keep personal information indefinitely; criteria involve account status, legal requirements, and business needs.

This California section is intended to comply with CCPA/CPRA. If any terms differ between this and the rest of the Privacy Policy, the interpretation that is more protective of personal data will control, unless otherwise directed by law.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we update the policy, we will change the "Last Updated" date at the top. If changes are significant, we will provide a more prominent notice (such as by email notification to account holders or a notice on our website). We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

Your continued use of Create Your Desire after any changes to this Privacy Policy constitutes your acceptance of the updated terms, to the extent permitted by law. If you do not agree with the changes, you should stop using the Service and may request deletion of your data.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: info@createyourdesire.com.au
Address: 17 Phar Lap Parade, Karalee QLD 4306, Australia

Attn: Privacy Officer, Create Your Desire

We will do our best to respond to you in a timely and helpful manner. If you are in the EEA/UK and feel your issue was not resolved, you have the right to lodge a complaint with your supervisory authority for data protection. In Australia, if you have raised a concern with us and are not satisfied, you can contact the Office of the Australian Information Commissioner (OAIC). We would, however, appreciate the chance to address your concerns first, so please reach out to us.

Thank you for trusting Create Your Desire with your personal information. We are committed to safeguarding your privacy as you enjoy our AI platform.