What we collect, what we don’t.

This Privacy Policy explains how Carouzel AI (“Carouzel”, “we”, “us”) collects, uses, shares, and protects personal information when you visit our website, sign up for an account, or use our products and services (the “Service”).

For users in the European Union, the European Economic Area, the United Kingdom, and Switzerland, Carouzel acts as the data controllerfor personal information processed in connection with the Service, except where we act as a processor on behalf of a customer's own users (in which case the customer is the controller).

Information you give us

• Account data: name, email address, password (hashed), authentication identifiers from sign-in providers, profile preferences.
• Billing data: billing name and address, plan information, transaction history. Card numbers are processed directly by our payment provider; we never see or store them.
• Content: prompts you submit, files and images you upload, brand assets, and the carousels and drafts you create.
• Support data: the contents of messages you send to us and any information you include in surveys or feedback.

Information collected automatically

• Device and log data: IP address, browser type, language, operating system, device identifiers, referring URLs, timestamps, and crash diagnostics.
• Usage data: pages visited, features used, credits consumed, session duration, A/B test assignments, performance metrics.
• Cookies and similar tech: see the Cookies section. We use first-party cookies and a limited set of analytics cookies; we do not use cross-site advertising cookies.

Information from third parties

If you sign in through a third-party identity provider (such as Google) we receive your name, email, profile photo, and any other fields you authorize. If you connect an integration, we receive the data scopes you grant.

We process personal information for the following purposes and legal bases:

• Provide the Service— create accounts, authenticate sessions, process prompts, generate Output, deliver downloads. (Performance of contract.)
• Billing and fraud prevention— process payments, prevent chargebacks, detect abuse, enforce credit and rate limits. (Performance of contract / legitimate interest.)
• Improve and secure the Service— debug, monitor uptime, secure against attacks, evaluate feature performance using aggregated metrics. (Legitimate interest.)
• Communicate— send transactional emails, respond to support requests, notify you of changes. (Performance of contract / legitimate interest.)
• Marketing — send product updates and tips, where permitted. (Consent, or legitimate interest where applicable; opt out any time.)
• Legal compliance— comply with tax, accounting, and regulatory obligations and respond to lawful requests. (Legal obligation.)

To generate slides and copy, your prompt and the immediate context you provide are sent to one or more third-party AI inference providers (such as OpenAI). Those providers process the request to return Output to you.

We have contractual commitments with our inference providers that:

• they do not use your prompts or Output to train their models;
• data is retained by them only for the limited duration needed to deliver the response and for abuse-monitoring purposes consistent with their enterprise data policy;
• data in transit is encrypted using industry-standard TLS.

We share personal information only with vetted service providers, under written contracts requiring them to protect it and use it solely for the services they provide to us. Our current categories of sub-processors include:

• Backend & database— Convex (application backend and data store).
• Authentication— Better Auth (session management), third-party identity providers (Google) where you choose to sign in with them.
• Payments— Polar (subscription billing and merchant of record).
• AI inference— OpenAI and other model providers used to generate Output.
• Product analytics— PostHog (privacy-respecting event analytics, self-hostable; configured with reduced fingerprinting).
• Hosting & email delivery— Vercel (hosting) and our transactional email provider.

We may also disclose personal information: (a) to comply with applicable law or a valid legal request; (b) to protect the rights, safety, or property of Carouzel, our users, or the public; (c) in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Privacy Policy or notify you of any material changes.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.

Carouzel and several of its sub-processors are located in the United States and other jurisdictions outside the European Economic Area and the United Kingdom. Where personal information is transferred internationally, we rely on:

• the European Commission Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable);
• supplementary technical measures such as encryption in transit and at rest;
• adequacy decisions issued by competent authorities, where they apply.

You may request a copy of the safeguards in place by emailing contact@carouzelai.com.

• Account data: kept while your account is active and for up to 30 days after closure (to allow recovery), then deleted or anonymized.
• Your Content (prompts, uploads, projects): kept until you delete it or close your account. Deleted content is removed from active systems immediately and purged from backups within 30 days.
• Billing records: retained for as long as required by applicable tax and accounting law (typically 7–10 years).
• Logs and security telemetry: retained for up to 90 days, then aggregated or deleted.
• Support correspondence: retained for up to 3 years from the last interaction.

Depending on where you live, you have some or all of the following rights with respect to your personal information:

• Access — a copy of the information we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure— ask us to delete data we no longer have a lawful basis to keep.
• Restriction— ask us to limit processing while we resolve a dispute.
• Portability— receive a machine-readable copy of the data you provided.
• Objection — object to processing based on legitimate interests.
• Withdraw consent— without affecting prior lawful processing.
• Non-discrimination— we will not penalize you for exercising these rights.

To exercise these rights, email contact@carouzelai.com from the address associated with your account. We will respond within 30 days (or sooner if required by law). You also have the right to lodge a complaint with your local supervisory authority.

We use a minimal set of cookies and similar storage:

• Strictly necessary— session, authentication, CSRF protection, and load balancing. These cannot be turned off.
• Preferences— remembering your theme, language, and recent projects.
• Analytics— aggregated, de-identified product metrics through PostHog. Where required by law, these are loaded only after you consent.

You can control cookies through your browser settings. Disabling strictly necessary cookies will break parts of the Service.

We implement technical and organizational measures designed to protect personal information against unauthorized access, loss, alteration, and disclosure. These include:

• encryption in transit (TLS 1.2+) and at rest;
• scoped access controls and audit logging for production systems;
• secret management, dependency scanning, and routine patching;
• password hashing using modern, salted, slow-by-design algorithms;
• vendor security reviews for sub-processors.

The Service is not directed to children under 16, and we do not knowingly collect personal information from anyone under that age. If you believe a child has provided personal information to us, contact contact@carouzelai.com and we will delete it.

For residents of California, Colorado, Connecticut, Virginia, Utah, Texas, and other U.S. states with comprehensive privacy laws, this section supplements the rights described above.

• We have not sold personal information or shared it for cross-context behavioral advertising in the preceding 12 months.
• Categories of personal information collected, the sources, purposes, and recipients are described in the What we collect, Why we process it, and Who we share it with sections.
• You may submit a request to know, delete, or correct your information at contact@carouzelai.com. We will verify your request by confirming control of the account email.
• You may designate an authorized agent to make a request on your behalf, subject to verification.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by an in-product notice at least fifteen (15) daysbefore they take effect, and we will update the “Effective” date at the top of the page. Past versions are available on request.

Questions, requests, or complaints about this Policy can be sent to contact@carouzelai.com. We aim to respond within five business days for routine questions and within the statutory deadline for rights requests.