Privacy policy
Last updated: 25 May 2026
This policy explains what personal data heroink collects, what we do with it, how long we keep it, and the rights you have over it under UK GDPR and the Data Protection Act 2018. Plain English where possible.
1. Who we are
heroink is operated as a sole-trader service based in the United Kingdom. For the purposes of UK GDPR, the data controller is the operator of heroink. Contact details are at the bottom of this page.
2. What data we collect
| Data | Where it comes from |
|---|---|
| Email address, name, profile picture | Google when you sign in |
| Google account ID (stable identifier) | Google when you sign in |
| Uploaded photos | Provided directly by you when creating a comic |
| Comic wizard inputs | Provided by you — character names, story setting, free-text fields |
| Credit balance & purchase history | Generated by your activity on heroink |
| Generated comics & their metadata | Produced by our pipeline from your inputs |
| Contact-form submissions | Provided by you via our contact form |
| IP address (transiently) | Network logs; used for rate-limiting and abuse prevention |
| Session cookies | Issued by us to keep you signed in |
We do not use third-party advertising cookies, analytics SDKs that track across sites, or social-media tracking pixels.
3. Why we use your data
- Generating your comic — the photo and wizard inputs feed our render pipeline.
- Account management — signing you in, tracking your credit balance, listing your comics.
- Service operation — emailing you when a comic is ready, surfacing your draft comics on the account page.
- Content moderation — every uploaded photo is checked by OpenAI's moderation endpoint before storage to prevent harmful or non-consensual content.
- Safety, abuse prevention, fraud detection — IP address logging, rate limits, anomaly detection on credit usage.
- Statutory / accounting obligations — purchase records may be retained for the period required by HMRC (currently 6 years).
4. Legal basis
- Contract (UK GDPR Art. 6(1)(b)) — generating, storing, and delivering your comic is the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — security logging, rate-limiting, fraud detection, moderation, and ensuring the service runs safely.
- Consent (Art. 6(1)(a)) — uploaded photos. You confirm consent at the upload step; you can withdraw it at any time by deleting your account.
- Legal obligation (Art. 6(1)(c)) — retention of purchase records for tax purposes.
5. Photos and biometric considerations
Photos used to anchor character likeness include facial features. We do not generate or store biometric templates (vector embeddings of your face) for identification purposes. We do not match faces between users. The photo is used only to provide a visual reference to the image generation model.
- Photos are encrypted at rest in our object store.
- Photos are never used to train AI models, sold, or shared with third parties beyond the rendering pipeline (see §7).
- Pre-upload moderation is applied to every photo before any storage. Flagged photos are rejected and never persisted.
- You explicitly consent to upload at the wizard step. By ticking the consent box you confirm the photo is of you, or that you have permission from the person depicted.
6. How long we keep it
| Data | Retention |
|---|---|
| Uploaded photos (completed comic) | 60 days after comic completion, then auto-deleted |
| Uploaded photos (failed render) | Immediately on failure |
| Uploaded photos (no completed comic) | 60 days from upload, then auto-deleted |
| Generated comics | Until you delete your account or the comic |
| Account record + email | Until you request hard-deletion (immediate) |
| Purchase records (financial) | 6 years (HMRC requirement) |
| Contact-form tickets | 2 years from resolution |
| Server logs (IP, request data) | 30 days |
7. Third-party processors
We use the following processors to deliver the service. Each is covered by a written processing agreement and provides equivalent data protection safeguards:
| Processor | Purpose | Region |
|---|---|---|
| Google | Account sign-in (OAuth) | EU / US |
| OpenAI | Image generation, text generation, content moderation | US (with SCCs) |
| Cloudflare | Static site hosting (Pages), object storage (R2) | EU |
| Fly.io | Application hosting (API backend) | UK / EU |
| Email provider | Transactional email (comic-ready notifications) | EU / US (with SCCs) |
Cross-border transfers to the United States rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK addendum. We do not use processors outside the UK, EEA, or jurisdictions with an adequacy decision without an appropriate transfer mechanism in place.
8. AI model training — what we don't do
Your photos and the comics generated from them are not used to train any AI model, neither ours nor any third party's. OpenAI's API terms (effective for paid API customers) prohibit OpenAI from using submitted data to train their models, and we operate under those terms.
9. Your rights
Under UK GDPR you have the following rights regarding your personal data:
- Right to be informed — what this page is for.
- Right of access — request a copy of the data we hold about you (contact us).
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure (Article 17) — delete your account from the account menu (hard-delete, irreversible). Removes your account record, all comics, and all uploaded photos.
- Right to restrict processing — ask us to pause processing while a dispute is resolved.
- Right to data portability — request your data in a machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — for processing based on consent, you can withdraw at any time (typically via account deletion).
We aim to respond to rights requests within one calendar month. For most requests you can self-serve via the account menu (delete) or contact us.
10. Cookies
We use a small set of strictly-necessary cookies:
- Session cookie — issued at sign-in to keep you logged in.
- Admin-mode cookie — for staff accounts only.
- OAuth state cookie — transient, used during Google sign-in to prevent CSRF.
We do not set any advertising, analytics, or tracking cookies. No cookie banner is required for strictly-necessary cookies under PECR.
11. Security
- All connections to heroink use TLS (HTTPS).
- Photos and comic records are encrypted at rest in Cloudflare R2.
- Session cookies are HttpOnly, Secure, and SameSite-protected.
- Access to production data is limited to the operator on a need-to-know basis.
- No payment-card details are processed by heroink directly; checkout is handled by Stripe (when enabled) — heroink never sees raw card data.
12. Children
heroink is not intended for children. Account holders must be 18 or older. Photos of children may appear in a comic produced by a parent or guardian (with their permission and supervision), but the surrounding story content must remain age-appropriate as set out in our terms of service.
13. Changes to this policy
We may update this policy. Material changes will be surfaced in-app or by email to signed-in users. The "last updated" date at the top of this page reflects the most recent revision.
14. Contact & complaints
Questions, rights requests, or complaints about how we handle your data — contact us here.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113