Privacy Policy

• Account data. Email address you sign in with, account creation timestamp, and your credit balance. We use magic-link authentication only — we do not collect, store, or hash passwords for your BannerKit AI account.
• Generation inputs. Prompts you type and URLs you paste. URLs are scraped server-side; only the publicly visible content of the page is read.
• Generated banners. Static and animated banner files we render for you, plus metadata (size, preset, extracted headline, color palette, generation timestamp).
• Payment data. Payments are handled by Stripe. We store a Stripe customer ID and the credit packs you’ve purchased, but never your full card number.
• Anti-abuse signals. IP address, browser fingerprint, and CAPTCHA challenge results, used to prevent fraud and abuse of the free signup credits.
• Auth and session logs. Sign-in events, magic-link verifications, and basic auth telemetry to detect suspicious activity.

• We do not run third-party advertising trackers or analytics SDKs.
• We do not sell your data.
• We do not collect data from children under 13.

• To run the service: render banners, deduct credits, host completed assets.
• To send transactional email (magic link sign-in, receipts, important account notices).
• To detect and stop fraud, abuse, and disposable-email signup farms.
• To debug and improve the product. We may review prompts and rendered banners to investigate failed renders or policy violations.

We use the following processors. Each is a contractual data processor only — they do not own your data.

• Stripe — payments and customer billing.
• Resend — transactional email delivery (magic links, receipts).
• Google (Gemini API) — AI text and image generation. Prompts and source URLs are sent to Google for processing.
• DigitalOcean Spaces — public CDN that hosts your finished banners.

Generated banners are stored on a public-read CDN at non-expiring URLs while your account is active. If you close your account, we delete account-level personal data within 30 days, and queue generated banners for removal from the CDN. Aggregated, anonymized statistics may be retained.

Backups of the operational database may persist for up to 90 days after account deletion before being overwritten by routine rotation.

We set first-party cookies for: session authentication, referral attribution, and bot-challenge state. We do not use third-party advertising or analytics cookies.

Depending on where you live, you may have the right to access, export, correct, or delete your personal data, and to object to or restrict processing. To exercise any of these rights, email privacy@bannerkitai.com. We respond within 30 days.

Our infrastructure is hosted in the United States. By using the Service from outside the US, you consent to your data being transferred to and processed in the US under standard contractual safeguards.

We use TLS for all traffic, encrypted storage at rest, scoped credentials per service, and HMAC-signed internal API calls between our web and render services. Authentication is passwordless — we issue short-lived, single-use magic links by email instead of storing user passwords, which removes a major category of credential-theft risk. No system is perfectly secure; we will notify affected users in the event of a breach as required by law.

We may update this policy. Material changes will be reflected in the “Last updated” date above and, where appropriate, by email notice.

Questions or requests: privacy@bannerkitai.com.