Privacy Policy

Information we collect

• Account information. The email address you use to sign up, and dashboard sign-in credentials managed via Amazon Cognito.
• API keys. When you mint an API key we show it once and store only a SHA-256 hash of it — we cannot recover the original key.
• Prompts & generation inputs. The text prompts, style/model selections, dimensions, seeds, and any reference images you submit to generate assets.
• Generated assets. The images you generate, stored in Amazon S3 and served to you via presigned URLs / CloudFront.
• Usage & billing data. Generation counts, timestamps, model and estimated cost, your USD credit balance, and tier.
• Payment information. Card payments are processed by Stripe. We do not store your full card number; we keep only a Stripe customer/identifier reference.
• Technical data. Standard request logs (IP address, user agent, timestamps) generated by API Gateway and CloudFront for security and operations.

How we use information

• To operate the Service — authenticate requests, generate and store assets, and maintain your account and balance.
• To process payments and credit top-ups, and to bill per generation.
• To provide support, prevent abuse and fraud, and secure the Service.
• To monitor cost and performance and improve the Service.
• To comply with legal obligations.

We do not sell your personal information, and we do not use your prompts or generated assets to train our own models.

AI generation & subprocessors

To generate assets, your prompts and any reference images are sent to Amazon Bedrock(running Stability AI models) for processing. We use the following service providers:

• Amazon Web Services — Bedrock (generation), S3 (asset storage), DynamoDB (account/usage), CloudFront (delivery), and Cognito (dashboard auth). Data is processed in the United States (us-west-2).
• Stripe — payment processing.
• Google — Google Analytics, for aggregate website-usage analytics.

These providers process data on our behalf under their own security and privacy commitments.

Cookies

We use a first-party session cookie to keep you signed in to the dashboard, and Google Analytics to understand how the site is used — which sets its own analytics cookies. We do not use advertising or cross-site ad-tracking cookies. You can decline non-essential cookies and clear cookies in your browser at any time.

Data retention

We retain account and usage data while your account is active. Projects and assets you archive are soft-deleted and remain recoverable from your dashboard; we may permanently purge archived data after a retention window. You can request deletion of your account and associated data at any time (see below). Operational logs are retained on a rolling basis for security and debugging.

Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. To exercise these rights, email support@hammermind.com. We will respond within the time required by applicable law.

Security

We protect data in transit with TLS, store only hashed API keys, and rely on AWS's managed infrastructure. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security.

Children

The Service is not directed to children under 13, and we do not knowingly collect their information.

Changes to this Policy

We may update this Policy from time to time. Material changes will be reflected by the "Last updated" date above, and where appropriate we'll notify you.

Contact

Questions about this Policy? Email support@hammermind.com.