Privacy Policy

1. Introduction

MALCOMSON BROTHERS LIMITED ("we", "us", "our") operates AvatarMill (the "Service"), an AI creative studio accessible at avatarmill.com. This Privacy Policy explains how we collect, use, share, and safeguard your information when you use the Service.

We are the data controller for personal data we collect about you as a Service user. Where you use the Service to process personal data of third parties (for example, uploading reference photographs of an identifiable person), we act as your data processor under our Data Processing Agreement.

By using the Service you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

• Account information: name, email address, and authentication credentials you submit at registration or via OAuth
• Workspace information: workspace name, member invitations, role assignments, and any settings you configure
• User content: reference photographs, prompts, character configurations, source media for editing or finishing, and any other input you submit to the Service
• Generated content: the images, videos, and analysis the Service produces in response to your requests
• Payment information: billing identifiers and payment method tokens held by Stripe; we never see or store full card numbers
• Communications: emails or messages you send to support, including any information you choose to share with us

2.2 Information We Collect Automatically

• Device and connection data: browser, operating system, device identifiers, and IP address
• Usage data: pages visited, features used, generation history, error reports, and interaction timing
• Cookies and session tokens: session cookies for authentication and a small number of functional cookies; we do not use third-party advertising cookies
• Server logs: request URLs, response codes, and timing for operational and security purposes

2.3 Reference Photos and Generated Media

When you upload reference photos or other source media:

• We store them in object storage so the Service can use them for generation, editing, and finishing
• We transmit them to the third-party AI inference providers we use, only as needed to fulfil your request
• We do not use your uploaded content to train our own models, and we do not authorise our providers to do so where they offer that option
• We retain your content for as long as the workspace it belongs to is active, plus a short window after deletion for backups
• You can delete uploaded assets and generated outputs from within the Service at any time

3. How We Use Your Information

We use the collected information to:

• Provide, maintain, and operate the Service
• Execute your generation, editing, finishing, and analysis requests
• Authenticate you, manage your account, and enforce role permissions in your workspaces
• Process payments and manage credit balances
• Send transactional email (verification, password reset, invitations, billing receipts)
• Respond to your support requests
• Detect, prevent, and respond to abuse, fraud, security incidents, and Acceptable Use Policy violations
• Improve the Service, including aggregate performance and reliability analysis
• Comply with legal obligations and respond to lawful requests

We do not sell your personal data, and we do not show third-party advertising on the Service.

4. Legal Basis for Processing (UK GDPR / EU GDPR)

Where the UK GDPR or EU GDPR applies, we process your personal data on the following bases:

• Contract: processing necessary to deliver the Service to you under our Terms
• Legitimate interests: operating the Service securely and improving it, where this does not override your fundamental rights
• Legal obligation: retaining records for tax, accounting, or other compliance purposes
• Consent: for any processing where we explicitly ask for it (you can withdraw consent at any time)

5. Sharing and Disclosure

We share information only as described below.

5.1 Service Providers (Sub-processors)

We use third-party providers to operate the Service, including for:

• AI inference (executing your generation and analysis requests)
• Payment processing
• Hosting and content delivery
• Object storage for uploaded and generated media
• Transactional email delivery
• Error and performance telemetry

These providers process data only on our instructions and under contractual confidentiality and security obligations. We can supply the current list of sub-processors on request to hello@avatarmill.com.

5.2 Within Your Workspace

Other members of a workspace you belong to may see content you create within that workspace, your name and email, and your role. Workspace owners and admins may have permission to remove your content or remove your access.

5.3 Community Sharing

Generated content you choose to share to the community feed is visible to other AvatarMill users. You can withdraw it at any time.

5.4 Legal and Safety

We may disclose information if required by law, court order, or lawful government request, or where we believe in good faith that disclosure is necessary to protect our rights, the safety of users, or to investigate fraud or security incidents.

5.5 Business Transfers

In a merger, acquisition, financing, or sale of assets, your information may be transferred to the successor entity. We will notify you of any change in data controllership.

6. Data Retention

We retain your information for as long as necessary to operate the Service:

• Account information: while your account is active and for a short period thereafter to handle disputes and legal obligations
• Workspace and generated content: while the workspace exists; deleted content is removed from active systems immediately and from backups within 30 days
• Payment records: as required by tax and accounting law (typically 6 years in the UK)
• Server logs: typically 30–90 days for operational and security purposes
• Anonymous usage statistics: indefinitely, in aggregate form

7. Your Rights

Depending on where you live, you may have rights over your personal data. Where the UK or EU GDPR applies, these include:

• Access: request a copy of the personal data we hold about you
• Rectification: ask us to correct inaccurate or incomplete data
• Erasure: ask us to delete your data, subject to our legal retention obligations
• Restriction: ask us to limit how we process your data
• Portability: request your data in a structured, machine-readable format
• Objection: object to processing based on our legitimate interests
• Withdraw consent: at any time where processing is based on consent
• Complain to a supervisory authority: in the UK, the Information Commissioner's Office (ICO)

To exercise these rights, email hello@avatarmill.com. We may need to verify your identity before responding.

8. International Data Transfers

Our service providers may process data in countries outside the UK and the European Economic Area, including the United States. Where data is transferred outside the UK or EEA, we rely on appropriate safeguards including the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or adequacy decisions where applicable.

9. Security

We use industry-standard administrative, technical, and physical safeguards to protect your information, including encryption in transit, encryption at rest where supported, access controls, and audit logging. No system is perfectly secure; please use a strong, unique password and notify us at hello@avatarmill.com if you suspect unauthorised access to your account.

10. Children

The Service is not intended for use by anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate updates by revising the "Last updated" date and, for material changes, by sending notice to your account email. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

12. Contact

For privacy questions or to exercise your rights, contact us at: