Privacy Policy — AimaginariA
Last updated: 2026-05-03 Effective date: 2026-05-03 Contact: privacy@aimaginaria.xyz
AimaginariA ("we", "our", the "Service") is a Chrome browser extension and accompanying web service that turns selected text on web pages into AI-generated illustrations. This policy describes what data we collect, why, how it is stored, and your rights.
This is a plain-language summary of what is implemented today. If anything here does not match the actual behaviour of the extension, treat the actual behaviour as a bug and contact us — the policy is the binding statement of intent.
1. Data we collect
1.1 Anonymous usage (no account)
When you install AimaginariA without signing in:
- Device ID — a random string generated locally in your browser the first time the
extension runs. Stored in
chrome.storage.local. Used to attribute usage and apply per- device daily quotas. Not derived from any hardware identifier. - Hashed IP address & User-Agent — when the extension calls our server, we compute a one-way HMAC-SHA-256 hash of your IP and User-Agent (using a server-side secret) and store the hash, not the originals. Used to enforce per-network rate limits and detect abuse.
- Selected text and page URL of the page where you clicked the illustration button — sent to our server only when you actively trigger a generation. We pass the text to the upstream AI provider to produce the prompt and image. We do not collect text you did not ask us to illustrate.
- Generation counters — a daily counter per device/IP, kept in Redis with a one-day expiration, used solely for quota enforcement.
1.2 Registered accounts
When you sign in with email (magic link via Firebase Auth), we additionally collect:
- Email address — used to identify the account, send the magic link, and contact you about subscription changes. Not used for marketing without explicit opt-in.
- Firebase user ID — issued by Google Firebase Authentication.
- A short server-generated user ID (
USR_…) used as the canonical key in our database. - Subscription tier and status (free / pro), and, for paid plans, the period end date.
We do not store passwords (Firebase magic-link auth has none).
1.3 Generated illustrations and cache
Illustrations created on your behalf are stored:
- In your browser's IndexedDB (
AimaginariAAnchorsdatabase) — the gallery you see in the extension popup. Fully under your control; clearing the extension's storage erases it. - On our server only as a Redis-backed counter / Supabase audit row referencing the generation event. Image bytes are hosted by the upstream image provider and we keep the URL only.
1.4 What we do NOT collect
- We do not read browsing history.
- We do not track which pages you visit.
- We do not collect text you select but do not illustrate.
- We do not run analytics scripts in the extension popup.
- We do not sell or share your data with third parties for advertising.
2. Third-party services we use
| Service | Purpose | Data sent |
|---|---|---|
| Google Firebase Authentication | Magic-link email sign-in | Email address |
| Pollinations.ai (or configured image provider) | AI image generation | The prompt derived from your selected text |
| Google Gemini (or configured LLM provider) | Prompt refinement | The selected text |
| Supabase (Postgres) | Account & audit storage | Account fields above |
| Upstash Redis | Quota counters and rate-limit buckets | Hashed device/IP keys with daily TTL |
| FastSpring (planned for paid plans) | Subscription billing | Email and billing details handled by FastSpring |
| Resend (planned, for transactional email) | Sending magic links / receipts | Email address |
| Vercel | Hosting our API | Standard server logs (IP, request path) |
Each provider operates under its own privacy policy. If you sign up for a paid plan, billing data (card number, address) is handled directly by FastSpring under their PCI-compliant infrastructure — we never see or store payment instruments.
3. Legal basis (GDPR)
If you are in the EEA / UK:
- Free tier and core functionality: legitimate interest in providing the service you installed.
- Account and subscription management: performance of a contract with you.
- Sending magic-link emails: consent (you initiated the sign-in).
- Quota enforcement and abuse prevention: legitimate interest.
4. How long we keep data
- Quota counters: 1 day (daily) or 1 month (monthly) TTL, then auto-deleted by Redis.
- Hashed IPs: rolling 90 days, oldest entries trimmed automatically.
- Account record: until you request deletion or 24 months after your last sign-in.
- Generated illustration metadata: until you delete it from your gallery, or your account is deleted.
- Server access logs: 30 days, then deleted by the hosting provider.
5. Your rights
You can:
- Sign out at any time, which leaves the local cache untouched.
- Clear the extension's local data via Chrome's extension settings (right-click → Manage extension → Site settings → Clear data).
- Request a copy of your account data, correction, restriction, or deletion by emailing privacy@aimaginaria.xyz. We respond within 30 days. For deletion, the account row, all associated counters, and audit logs are removed from Supabase and Redis.
- Object to processing, withdraw consent, or lodge a complaint with your data-protection authority.
6. Security
- All API traffic uses HTTPS.
- Server-issued JWTs are HMAC-signed with a secret rotated on a fixed schedule.
- Service-role keys for Supabase / Firebase Admin live only on the server side and are never shipped to the browser.
- The IP hashes use a separate server secret so a database leak does not reveal raw IPs.
We do not promise unconditional security — no service can. We do promise to disclose material breaches within 72 hours of confirmation.
7. Children
AimaginariA is not directed at children under 13. We do not knowingly process data of children under 13. If you believe we have, contact us and we will delete it.
8. International transfers
Our hosting (Vercel), database (Supabase), and Redis (Upstash) may store data in regions outside your country. Each provider implements Standard Contractual Clauses or equivalent legal mechanisms for international transfers.
9. Changes to this policy
We will update this document when we change practices. The "Last updated" date at the top reflects the most recent edit. Material changes (new third-party providers, new categories of data, new purposes) will be announced in the extension popup or by email to registered users at least 14 days before they take effect.
10. Contact
privacy@aimaginaria.xyz — for any privacy question, deletion request, or complaint.