Xite

Privacy Policy

Last updated: December 2024

1. Introduction

This Privacy Policy explains how Xite AI Image Editor ("we", "us", "our") collects, uses, and protects your personal data when you use our AI image editing service.

We are committed to protecting your privacy and handling your data transparently and securely. This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

The data controller responsible for your personal data is Xite AI Image Editor. For any privacy-related inquiries, contact us at: xiteimageeditor@gmail.com

3. Data We Collect

3.1 Account Information

  • Email address
  • Username
  • Password (stored securely using bcrypt hashing - we cannot see your password)
  • Age confirmation (we verify you are 18+, but do not store your date of birth)
  • Google account ID (if you sign in with Google)

3.2 Payment Information

  • Stripe customer ID and subscription ID
  • Purchase history (subscription tier, token purchases)
  • We do NOT store your credit card details - these are handled securely by Stripe

3.3 Usage Data

  • Token balance and transaction history
  • Storage usage
  • Job history (types of AI operations performed)

3.4 Your Images

  • Images you upload for editing
  • AI-generated images created using the Service
  • Images are stored for up to 48 hours, then automatically deleted
  • We do NOT manually view or monitor your images

3.5 Content Moderation Data

  • Image hashes (SHA-256) - only for flagged content, not the actual images
  • Moderation detection results (automated system outputs only)
  • Violation records if applicable

3.6 Technical Data

  • IP address
  • Browser type and user agent
  • Device information
  • Cookies (see our Cookie Policy)

4. How We Use Your Data

We use your data for the following purposes:

  • Service Provision: To provide the AI image editing service, process your images, and manage your account
  • Payment Processing: To process subscriptions and token purchases via Stripe
  • Content Safety: To automatically detect and prevent illegal content using AWS Rekognition and other automated tools
  • Security: To protect against fraud, abuse, and unauthorized access
  • Legal Compliance: To comply with legal obligations including tax record-keeping
  • Service Improvement: To improve and optimize the Service

5. Legal Basis for Processing

Under UK GDPR, we process your data based on:

  • Contract: Processing necessary to provide the Service you requested
  • Legal Obligation: Processing required by law (e.g., tax records, reporting illegal content)
  • Legitimate Interest: Security, fraud prevention, service improvement
  • Consent: Where you have given explicit consent (e.g., marketing emails, if offered)

6. Third-Party Services

We share data with the following third-party services:

Stripe (Payment Processing)

Processes payments securely. We do not store your card details.

Stripe Privacy Policy

Amazon Web Services (AWS)

S3 for image storage (EU region). Rekognition for automated content moderation.

AWS Privacy Policy

Google (Optional Sign-In)

If you choose to sign in with Google, we receive your email and profile info.

Google Privacy Policy

Modal (GPU Infrastructure)

Runs our AI processing. Images are processed ephemerally and not retained.

Modal Privacy Policy

7. Content Moderation & Your Privacy

We balance content safety with user privacy through automated systems:

  • No Human Monitoring: Your images are NOT viewed by any person. All content moderation is performed by automated AI systems (AWS Rekognition, NSFW detection models).
  • Metadata Only: For flagged content, we store only metadata (timestamps, detection confidence scores, image hashes) - not the actual images.
  • Immediate Deletion: Flagged content is immediately deleted from storage. Only the hash is retained to prevent re-upload.
  • Legal Reporting: In cases of detected CSAM, we are legally required to report to the Internet Watch Foundation (IWF). Only hashes and metadata are shared, not actual images.
  • CSAM: Permanent Ban: Any account associated with child sexual abuse material will be permanently banned without appeal. This is non-negotiable. We will cooperate fully with law enforcement in any investigation.

8. Data Retention

Data Type | Retention Period
User images | 48 hours (auto-deleted)
Account data | While account is active + 30 days after deletion request
Payment records | 6 years (UK tax law requirement)
Moderation logs (non-CSAM) | 90 days
CSAM detection logs | 2 years (legal compliance)
Hash blacklist | Permanent (hashes only, no images)
Error logs | 7 days (auto-deleted)

9. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Request limitation of how we use your data
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making: Request human review of automated decisions that significantly affect you

To exercise these rights, contact us at xiteimageeditor@gmail.com. We will respond within 30 days.

10. Automated Decision-Making

We use automated systems for content moderation. These systems may:

  • Block uploads that are detected as containing prohibited content
  • Suspend or ban accounts based on violation patterns
  • Restrict AI editing features for images containing detected minors

You can appeal automated decisions by contacting us. All appeals are reviewed by a human.

11. International Data Transfers

Your data may be processed in countries outside the UK, including the EU and US, by our third-party service providers (AWS, Stripe, Modal). These transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) and adequacy decisions.

12. Data Security

We implement appropriate security measures including:

  • HTTPS encryption for all data in transit
  • Secure password hashing (bcrypt)
  • JWT-based authentication with secure cookies
  • Regular security updates and monitoring
  • Access controls limiting who can access data

13. Children's Privacy

Our Service is not intended for anyone under 18 years of age. We do not knowingly collect personal data from children. If we discover that a child has provided us with personal data, we will delete it immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

15. Complaints

If you have concerns about how we handle your data, please contact us first. If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint

16. Contact Us

For any privacy-related questions or to exercise your rights, contact us at: xiteimageeditor@gmail.com