coub.ai

Privacy Policy

Effective date: June 16, 2026 Last updated: June 16, 2026

This Privacy Policy explains how Coub.AI ("Coub.AI", "we", "us", or "our") collects, uses, shares, and protects personal data when you use the coub.ai website, application, and related services (collectively, the "Service"). The Service is a multi-modal AI generation platform that lets you create images, video, audio, and 3D assets from text and media inputs.

The Service is currently offered as a closed beta. Features, sub-processors, and data flows described here may change as the Service develops, and this policy will be updated accordingly (see Section 16, "Changes to this policy").

We have written this policy to be aligned with the EU General Data Protection Regulation (GDPR) and the UK GDPR. Our audience is primarily in the EU, the CIS region, and Asia.

1. Who we are (Data Controller)

The data controller responsible for your personal data is:

[Coub.AI Ltd, Seychelles — confirm legal entity & registered address]

Coub.AI is incorporated in the Republic of Seychelles. Because we are established outside the European Union but offer the Service to individuals in the EU, certain provisions of the GDPR apply to our processing of EU users' personal data, and we honor them as described in this policy.

You can reach us about privacy matters as follows:

  • General privacy questions / Data Protection contact: privacy@coub.ai
  • Legal notices: legal@coub.ai
  • Copyright / DMCA notices: dmca@coub.ai
  • Data subject requests (access, export, erasure, etc.): /privacy/data-request (see Section 11)
  • General support: through the in-product support channels

We have not appointed a GDPR Article 27 EU representative at this stage of the beta. If and when one is appointed, we will list their details here. Counsel should confirm whether an Article 27 representative is required.

2. Scope of this policy

This policy applies to personal data we process about:

  • Account holders and beta participants who register for and use the Service;
  • Visitors to the coub.ai website; and
  • People who contact us by email or support channels.

This policy does not govern third-party websites, AI model providers' own services, or any service that has its own separate privacy policy. Where we rely on third parties to process data on our behalf, we describe them in Section 8 ("Sub-processors").

3. What personal data we collect

We collect the following categories of personal data.

3.1 Account and identity data

  • Email address and display name.
  • Account credentials and authentication state.
  • Plan and entitlement status (Free, Lite, or Pro).
  • Credit balance and credit ledger (grants, deductions, and usage history). During the beta there is no live payment processor; credit top-ups are granted manually, so we do not collect or store card numbers or other payment-instrument data at this time.

3.2 Authentication identities (Google OAuth)

If you sign in with Google, we receive identity information from Google associated with your Google account — typically your email address, name, and a stable account identifier ("OAuth identity"). We use this to create and authenticate your account. We do not receive your Google password.

3.3 Generation inputs, prompts, and outputs

  • Prompts and other text you submit to generate content.
  • Input media you upload or reference (e.g., source images, audio, or video used for generation, editing, or extension).
  • Generated outputs (images, video, audio, 3D assets) and associated generation metadata (model used, parameters, timestamps, status, and error states).
  • See Section 6 for the important prompt PII caveat — prompts are transmitted to the AI generation provider as you write them.

3.4 Usage and analytics data

  • Pages and features you interact with, actions taken (e.g., generations started, downloads), session and event data, and performance/error telemetry.
  • Aggregated and event-level product analytics used to operate and improve the Service.

3.5 Device, network, and anti-abuse data

  • IP address, approximate location derived from IP (e.g., country, for region blocking), browser and device characteristics, and a device/browser fingerprint used for fraud and abuse prevention, rate limiting, and signup-abuse controls.

3.6 Cookies and similar technologies

  • See Section 13 ("Cookies and similar technologies") for the cookie categories we use.

3.7 Content moderation signals

  • Automated moderation results and classifications generated when your inputs and outputs are scanned (see Section 5.4). This may include flags, category labels, and confidence scores associated with your content.

We do not intentionally collect special categories of personal data (e.g., health, biometric, or political data). You should not submit such data in prompts or uploads. See Section 6.

4. Legal bases for processing (GDPR)

We process personal data only where we have a lawful basis to do so. Depending on the activity, we rely on:

  1. Performance of a contract (Art. 6(1)(b)) — to create and operate your account, authenticate you, run generations you request, manage your credit balance and plan, deliver outputs, and provide support. Most core Service functionality relies on this basis.

  2. Legitimate interests (Art. 6(1)(f)) — to secure the Service and prevent fraud, abuse, and signup abuse (including device/IP/fingerprint processing and rate limiting); to perform content moderation and protect users and third parties from illegal and harmful content; to maintain, debug, and improve the Service; and to enforce our terms. Where we rely on legitimate interests, we have assessed that these interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests (see Section 11).

  3. Consent (Art. 6(1)(a)) — for non-essential cookies and analytics that require consent, and for any optional marketing communications. You can withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

  4. Compliance with a legal obligation (Art. 6(1)(c)) and protection of vital interests / public interest — where required, including responding to lawful requests, addressing child sexual abuse material (CSAM), and meeting sanctions/region-blocking obligations.

5. How we use personal data

We use personal data for the following purposes.

5.1 To provide the Service

Create and authenticate your account; process the prompts, inputs, and parameters you submit; generate, store, host, serve, and let you download or share outputs; manage your plan, credits, and entitlements.

5.2 To apply the Free-tier watermark

Outputs generated on the Free tier are watermarked. We process the generation and account context needed to apply and enforce the mandatory watermark on Free-tier output.

5.3 To secure the Service and prevent abuse

Detect and prevent fraud, account/signup abuse, scraping, and misuse; apply rate limits; and investigate security incidents. This uses device, IP, fingerprint, and usage data.

5.4 To moderate content

We run automated content moderation on inputs and outputs to detect and block prohibited material. Our moderation stack includes:

  • Google Gemini and OpenAI omni-moderation for text and media classification; and
  • Cloudflare CSAM scanning on stored media in Cloudflare R2.

Prohibited content includes child sexual abuse material (CSAM); non-consensual intimate imagery; real-person impersonation; malware imagery; weapon-assembly instructions; and hate speech. We may block generations, remove content, suspend accounts, and — where legally required, in particular for CSAM — report to the appropriate authorities or hotlines.

5.5 To analyze and improve the Service

Understand how the Service is used, measure performance and reliability, fix bugs, and develop new features.

5.6 To communicate with you

Send transactional and service messages (e.g., account, security, beta, and support communications) and, where applicable and permitted, product updates. Email delivery is handled through our email sub-processor (see Section 8).

5.7 To comply with law and enforce terms

Meet legal obligations, enforce our Terms, respond to lawful requests, and apply sanctions/region-blocking controls (see Section 12).

6. Prompts, inputs, and the personal-data caveat (please read)

Your prompts and input media are sent to the AI generation provider to produce your outputs.

  • When you run a generation, the prompt text and any input media you provide are transmitted as-is to our AI generation provider (fal.ai) and, depending on the model, to the underlying model providers, in order to produce the result you requested. This is necessary to perform the service you ask for.
  • We redact personal data from our own logs and analytics on a best-effort basis, and we limit internal access. However, we cannot remove or protect personal data contained in the prompt or input itself from the generation provider, because the content must be sent to that provider to generate the output.
  • Do not paste personal data into prompts or uploads unless you have a lawful basis to do so and are comfortable with it being processed by our generation provider. In particular, do not submit other people's personal data, sensitive/special-category data, secrets, or confidential information.
  • Do not upload or generate content depicting real, identifiable people without their consent, and never content prohibited under Section 5.4.

By submitting a prompt or input, you confirm you have the right to submit that content for processing as described here.

7. Who can see your generated content; ownership and license

  • Ownership. As between you and Coub.AI, you own the content you generate, subject to the terms and license conditions of the underlying AI model/provider that produced it. Some model providers impose their own restrictions on outputs; those apply in addition to this policy and our Terms.
  • License to us. To operate the Service, you grant us a limited license to host, store, process, transmit, serve, and display your inputs and outputs as needed to provide the Service to you (for example, to show your generations in your account, deliver downloads, and apply moderation and watermarking). This license exists to run the Service, not to publicly exploit your content.
  • Beta and sharing. During the closed beta, generations are associated with your account. If features that publish or share content are introduced, we will update this policy and surface the relevant controls.

8. Sub-processors

We use the following third-party service providers ("sub-processors") to operate the Service. Each processes personal data only as needed for the stated purpose and under contractual confidentiality and data-protection obligations.

Sub-processorPurposePrimary region / notes
SupabaseDatabase, authentication, account storageEU — Frankfurt, Germany
CloudflareCDN, object storage (R2), WAF/security, and CSAM scanning of stored mediaGlobal edge network; storage configured for our deployment
fal.aiAI generation (runs prompts/inputs through models to produce outputs)See provider; may route to underlying model providers
GoogleContent moderation classification (Gemini) and embeddingsGlobal; see provider
OpenAIContent moderation (omni-moderation)Global; see provider
AnthropicPrompt enhancementGlobal; see provider
UpstashCaching and rate-limiting stateSee provider
InngestBackground job / workflow orchestrationSee provider
SentryError monitoring and diagnosticsSee provider
Better StackLogging and uptime/observabilitySee provider
PostHogProduct analyticsSee provider
LoopsTransactional and product email deliverySee provider

We may add, replace, or remove sub-processors as the Service evolves. Material changes will be reflected in an updated version of this policy. Counsel should confirm exact entity names, contracting regions, and data-transfer mechanisms for each provider before publication.

9. International data transfers

We are based in the Seychelles, and several of our sub-processors are located in or operate from the United States and other countries outside the European Economic Area (EEA), the UK, and your country of residence. This means your personal data may be transferred to, stored in, and processed in countries that may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal data of EEA/UK users to a country without an adequacy decision, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum where applicable), supplemented by additional measures as appropriate. Our primary database and authentication infrastructure (Supabase) is configured in Frankfurt, Germany (EU).

You may request information about the safeguards we use for a specific transfer via privacy@coub.ai. Counsel should confirm the transfer mechanism in place with each sub-processor.

10. Data retention

We keep personal data only as long as necessary for the purposes described in this policy, then delete or anonymize it. Specific periods:

  • Account and identity data: retained for the life of your account. When your account is deleted, we delete or anonymize account and identity data within 30 days, subject to the exceptions below.
  • Generation inputs, prompts, and outputs:
    • Free plan: retained while your account is active; we may apply shorter storage limits for Free-tier generations and prune older outputs. Deleted with your account (subject to backup cycles below).
    • Lite and Pro plans: retained while your account is active so your generation library remains available to you; deleted with your account.
    • You can delete individual generations from your account at any time; deletion propagates to active storage promptly and to backups within the backup cycle.
  • Usage and analytics data: retained in identifiable form for a limited period needed for product and reliability analysis, then aggregated or anonymized.
  • Device/IP/fingerprint and anti-abuse data: retained for a limited period necessary for security, fraud, and abuse prevention, and longer where needed to enforce bans, prevent ban evasion, or investigate incidents.
  • Moderation records: records of moderation actions and prohibited-content detections may be retained as needed for safety, enforcement, and legal compliance. CSAM-related records and reports are handled in accordance with legal obligations.
  • Logs: operational logs are retained on a rolling, short-term basis (with PII redacted from logs on a best-effort basis as described in Section 6).
  • Backups: residual copies in encrypted backups are overwritten on our normal backup rotation after active-system deletion.
  • Legal holds: we may retain data longer where required to comply with law, resolve disputes, or enforce our agreements.

Counsel should confirm exact day/month figures per category before publication.

11. Your rights and how to exercise them

Subject to applicable law (in particular the GDPR/UK GDPR), you have the following rights regarding your personal data:

  1. Right of access — obtain confirmation of whether we process your data and a copy of it.
  2. Right to data portability — receive certain data you provided in a structured, commonly used, machine-readable format, and where technically feasible have it transmitted to another controller.
  3. Right to rectification — correct inaccurate or incomplete data.
  4. Right to erasure ("right to be forgotten") — request deletion of your data where one of the legal grounds applies.
  5. Right to restrict processing — request that we limit processing in certain circumstances.
  6. Right to object — object to processing based on our legitimate interests (Section 4.2), and object at any time to any direct marketing.
  7. Right to withdraw consent — where processing is based on consent (e.g., non-essential cookies/analytics, marketing), withdraw it at any time.
  8. Rights related to automated decision-making — we do not make decisions producing legal or similarly significant effects about you based solely on automated processing without human involvement, other than automated content moderation and anti-abuse controls; you may contact us to contest a moderation or enforcement action.

How to exercise your rights. Submit a request through /privacy/data-request, or email privacy@coub.ai. Data export and erasure are already implemented in the Service. We aim to respond to and fulfill verified requests within 30 days (our service-level commitment). This period may be extended where permitted for complex or numerous requests, in which case we will inform you. We may need to verify your identity before acting, and we may decline or limit requests where an exception or legal obligation applies (we will explain why).

There is normally no fee, but we may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive, as permitted by law.

12. Region blocking and sanctions

The Service is not available to users in, or ordinarily resident in, jurisdictions subject to comprehensive sanctions, currently including Iran, North Korea, Cuba, and Syria (OFAC-restricted regions). We enforce this at signup and at content delivery, using IP and account location signals. We may block access, refuse registration, or suspend accounts to comply with applicable sanctions and export-control laws. This processing is necessary for compliance with legal obligations and our legitimate interest in lawful operation.

13. Cookies and similar technologies

We use cookies and similar technologies (such as local storage and device identifiers). We group them into categories:

  • Strictly necessary / essential — required for the Service to function, including authentication and session management, security and anti-abuse (e.g., bot/abuse protection), and load balancing. These do not require consent.
  • Functional / preference — remember settings and preferences to improve your experience.
  • Analytics / performance — help us understand usage and improve the Service (e.g., PostHog product analytics, and error/performance telemetry via Sentry/Better Stack). Where required by law, we set these only with your consent.

You can manage non-essential cookies through our cookie banner (see "Cookie banner microcopy" at the end of this policy) and through your browser settings. Blocking essential cookies may prevent the Service from working.

14. Security

We take technical and organizational measures designed to protect personal data, including:

  • Encryption in transit (HTTPS/TLS) and encryption at rest for stored data and backups;
  • Access controls and least-privilege internal access to production data;
  • A Web Application Firewall (WAF) and edge security via Cloudflare;
  • Rate limiting and anti-abuse controls (including device/IP/fingerprint signals);
  • PII redaction from logs and analytics on a best-effort basis (subject to the prompt caveat in Section 6);
  • Automated content moderation and CSAM scanning to detect and remove illegal content; and
  • Use of reputable, security-conscious sub-processors (Section 8).

No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we work to protect your data and to respond appropriately to incidents. If a personal data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority and affected users as required by law.

15. Children's privacy

The Service is not directed to children, and you must be at least 16 years old (or the minimum age of digital consent in your country, if higher) to use it. We do not knowingly collect personal data from children below that age. If you believe a child has provided us personal data, contact privacy@coub.ai and we will take steps to delete it. Counsel should confirm the minimum age across target jurisdictions (EU, CIS, Asia) before publication.

16. Changes to this policy

We may update this policy from time to time — for example, to reflect new features, new sub-processors, or changes in law. When we make changes, we will update the "Last updated" and "Effective date" lines above and, for material changes, provide additional notice (e.g., by email or an in-product notice) before the changes take effect where required. Your continued use of the Service after the effective date of an updated policy constitutes acceptance of the updated policy, to the extent permitted by law.

17. Contact and your right to complain

For any privacy question or to exercise your rights:

If you are in the EEA or the UK and believe we have not handled your personal data properly, you have the right to lodge a complaint with your local data protection supervisory authority. We would, however, appreciate the chance to address your concerns first — please contact us before doing so.

Governing law and venue: [governing law and venue — to be confirmed by counsel].

Cookie banner microcopy

Banner text: We use essential cookies to run coub.ai and keep it secure. With your consent, we also use analytics cookies to understand usage and improve the Service. You can change your choice anytime in settings. See our Privacy Policy.

Buttons:

  • Accept all
  • Reject non-essential
  • Manage preferences