Privacy Policy
Last updated: 2026-05-20
This Privacy Policy explains what personal data we collect when you use pixmoly.com and the related products, APIs and downloads (the “Service”), why we collect it, how we use it, and the choices you have. The data controller is Pixmoly, a Delaware company (“we”, “us”).
1. Data we collect
1.1 Account data (from Google sign-in)
- Your Google account email, name, and avatar URL.
- A persistent account identifier from Google so we can recognize you on return visits.
1.2 Order & payment metadata (via PayPal)
- Internal order ID, product, amount, currency, status, timestamps.
- PayPal order ID and capture ID returned to us by PayPal.
- We do not receive or store your card number, bank account, or PayPal password. Payment is handled entirely by PayPal under their privacy notice.
1.3 Product data
- License keys we generate for you and their activation count.
- Download events: order ID, timestamp, IP address, User-Agent (used for abuse detection and audit).
- API tokens issued to your desktop clients: name, creation/last-used timestamps. The token value itself is stored only as a SHA-256 hash.
- Credit balance and ledger entries (each credit grant or consumption, with a short reason string like ai-translate:en->ja).
1.4 Technical data
- IP address, User-Agent, and request timing for security logging. We use Cloudflare in front of the Service; their edge sees your IP and request metadata under their privacy notice.
- Session cookies set by our authentication system (NextAuth). These are strictly necessary to keep you signed in and are not used for tracking or advertising.
1.5 Email content you send us
If you email [email protected], we keep the message to handle your request.
2. Why we use your data (lawful basis under GDPR)
| Purpose | Lawful basis |
|---|---|
| Create your account, let you sign in | Contract |
| Take payment, deliver software / credits, send receipts | Contract |
| Protect the Service from abuse and fraud | Legitimate interest |
| Keep tax / accounting records | Legal obligation |
| Respond to your support requests | Legitimate interest |
| Send service-related emails (e.g. license, security) | Contract |
We do not send marketing email unless you separately opt in, and you can unsubscribe at any time.
3. Who we share data with (sub-processors)
- Google LLC — sign-in (OAuth) and website analytics (Google Analytics 4).
- PayPal (Europe) S.à r.l. et Cie, S.C.A. — payment processing.
- Resend, Inc. — transactional email delivery.
- Cloudflare, Inc. — DNS, CDN and tunnel.
- AI / model providers used by paid features — only the request inputs needed to fulfill the call are sent. The provider for each feature is disclosed in the feature’s documentation.
We do not sell your personal information and we do not share it for cross-context behavioral advertising (relevant to CCPA/CPRA users).
4. International transfers
Our sub-processors operate in the United States and other countries. Where data is transferred outside the EEA/UK, we rely on the sub-processor’s appropriate safeguards (e.g. Standard Contractual Clauses, EU-U.S. Data Privacy Framework adherence).
5. How long we keep data
- Account & license records: while your account exists, plus up to 7 years afterwards if required for tax/accounting.
- Order & payment metadata: 7 years (tax recordkeeping).
- Download / API access logs: 90 days.
- Support emails: up to 3 years after the last interaction.
- Revoked API tokens: kept (hash only) for audit purposes; you can ask us to delete them sooner.
6. Your rights
Depending on where you live (in particular EEA/UK under GDPR, or California under CCPA/CPRA) you have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete your data (subject to legal retention obligations);
- port your data in a machine-readable format;
- object to or restrict certain processing;
- withdraw consent where processing is based on consent;
- not be discriminated against for exercising these rights (CCPA).
To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to complain to your local data protection authority.
7. Security
We use HTTPS end-to-end, hash API tokens with SHA-256, sign download links with HMAC and expire them after 24 hours, verify PayPal webhooks cryptographically, and run backups encrypted at rest. No system is perfectly secure; if you spot an issue, please email us.
8. Children
The Service is not directed to children under 16. If you believe a child has provided us with personal data, email us and we will delete it.
9. Cookies & analytics
We use two categories of cookies / similar technologies:
- Strictly necessary — your authentication session (NextAuth). These are required for the Service to work and cannot be turned off.
- Analytics — Google Analytics 4 helps us understand which pages are used and how to improve the Service. We have IP anonymization enabled, Google Signals disabled, ads-personalization signals disabled, and data retention set to the minimum allowed. We do not use Google Analytics for advertising or for cross-context behavioral profiling.
You can opt out of analytics by enabling “Do Not Track” / “Global Privacy Control” in your browser, by installing the Google Analytics opt-out browser add-on, or by emailing us at [email protected]. Our site honors the Global Privacy Control (GPC) signal — when GPC is detected, analytics is not loaded.
California residents: we do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA.
10. Changes
We may update this Policy. Material changes will be announced on the site and, where appropriate, by email at least 14 days before they take effect.
11. Contact
Questions or requests: [email protected].