MachGen AI, Inc.

Privacy Policy

Effective Date: June 29, 2026

MachGen AI, Inc. (“MachGen,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy (this “Policy”) describes how we collect, use, disclose, and protect personal information when you access or use our generative media platform, websites, application programming interfaces, software development kits, and related services (collectively, the “Services”), and the choices and rights available to you in connection with that information.

This Policy applies to personal information processed by MachGen as a controller, including information collected from visitors to our websites, account holders, developers, business users, and persons who interact with content generated through the Services. Where MachGen processes personal information on behalf of a business customer as a processor or service provider, that processing is governed by the data processing addendum (“DPA”) entered into with that customer rather than by this Policy. Capitalized terms used but not defined herein have the meanings given in our Terms of Service.

1. Notice at Collection

For California residents, the following is a summary of the categories of personal information we collect, the purposes for which we use that information, the categories of third parties to whom we disclose it, and the period for which we retain it. This summary is provided in compliance with the notice-at-collection requirement under the California Privacy Rights Act. The detailed disclosures appear in the sections that follow.

  • Categories collected: Identifiers; customer records; commercial information; internet or other electronic network activity; geolocation data (approximate); professional or employment-related information (if you provide it); inferences; the contents of Customer Content and Outputs (which may contain any category of personal information depending on what you submit).
  • Purposes: Providing, securing, and improving the Services; communicating with you; preventing fraud and abuse; complying with legal obligations; and the additional purposes described in Section 3.
  • Disclosure recipients: Service providers, third-party Model Providers, affiliates, professional advisors, and authorities, as described in Section 5.
  • Retention: As described in Section 7.
  • Sale or sharing:We do not sell personal information for monetary consideration. See Section 13 for information about “sharing” under the CCPA.

2. Information We Collect

We collect personal information in the following categories:

  • Account information. Name, email address, password (in hashed form), business or organization name, billing address, telephone number, and other information you provide when you create an account, contact us, or sign up for our communications.
  • Payment information. Payment card details, bank account information, billing address, and billing history. Payment card numbers are collected and processed directly by our third-party payment processor (currently Stripe, Inc.) and are not stored on MachGen systems.
  • Content you submit.Prompts, inputs, files, datasets, images, audio, video, and other content you upload to or generate through the Services (collectively, “Customer Content”), together with associated metadata.
  • Outputs.Text, images, video, audio, and other media generated by the Services in response to your prompts or inputs (“Outputs”), together with associated metadata, prompt history, and generation parameters.
  • Usage and device information. IP address, browser type and version, device identifiers, operating system, language preferences, referring and exit pages, pages and features accessed, time and duration of access, API endpoints called, error logs, performance metrics, and similar diagnostic and analytics data collected automatically when you use the Services.
  • Approximate location. Approximate geographic location derived from your IP address, which we use to provide localized content, enforce geographic restrictions, and detect fraud. We do not collect precise GPS-based location data without your explicit consent.
  • Communications. Records of your communications with us, including support tickets, emails, chat messages, and any feedback or survey responses.
  • Cookies and similar technologies. Information collected through cookies, pixels, tags, web beacons, mobile advertising identifiers, and similar tracking technologies, as described in Section 10.
  • Information from third parties. Information we receive from social media login providers (if you choose to use them), identity verification services, fraud-prevention services, marketing analytics providers, and our business partners.

We do not knowingly collect special categories of personal data (as defined in Article 9 of the General Data Protection Regulation) or sensitive personal information (as defined under U.S. state privacy laws) except where you voluntarily submit such information through Customer Content or where it is necessary to comply with applicable law. You are responsible for ensuring that any personal information you submit through the Services has been collected with appropriate notice and consent.

Biometric Information

Certain features of the Services may, with your express consent, process biometric identifiers or biometric information (for example, facial or voice characteristics in the course of generating synthetic media). Where we process such information, we will (a) provide a separate, written notice describing the categories of biometric data, the purposes of processing, and the retention period, (b) obtain your written, informed, opt-in consent before collection, (c) implement appropriate security safeguards, and (d) destroy the biometric data when no longer needed for the original purpose. This commitment is intended to align with the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, the Washington My Health My Data Act, and similar laws.

Health Information

The Services are not designed for the storage, processing, or transmission of protected health information governed by the U.S. Health Insurance Portability and Accountability Act (“HIPAA”). MachGen is not a HIPAA-covered entity or business associate and does not enter into business associate agreements. Do not submit protected health information through the Services unless we have entered into a separate written agreement permitting that use.

3. How We Use Personal Information

We use personal information for the purposes described below. Where the GDPR or UK GDPR applies, the relevant lawful bases under Article 6 are identified in parentheses.

  • Service provision. To provide, operate, maintain, and improve the Services, including authenticating users, processing transactions, generating Outputs, and providing customer support (performance of a contract; legitimate interests).
  • Communications. To send service-related communications, security alerts, technical notices, and administrative messages (performance of a contract; legitimate interests; legal obligation).
  • Safety and abuse prevention. To detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Acceptable Use Policy or applicable law, including by reviewing prompts and Outputs flagged by automated filters or reported by users (legitimate interests; legal obligation).
  • Product improvement and analytics. To analyze how the Services are used, identify usage trends, debug errors, and improve the Services (legitimate interests; consent where required).
  • Marketing. To send you information about our products, features, events, and offerings, subject to your preferences and applicable law. You may opt out of marketing communications at any time using the unsubscribe link in any marketing email or by contacting us. We may use tracking pixels in marketing emails to measure engagement; you may disable image loading in your email client to prevent this (consent; legitimate interests).
  • Personalization. To personalize your experience with the Services, including by remembering your preferences and suggesting relevant features (legitimate interests; consent where required).
  • Legal compliance. To comply with applicable laws, regulations, court orders, and lawful requests from public authorities, including law enforcement (legal obligation).
  • Corporate transactions. In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, in which case personal information may be transferred to the successor or acquirer (legitimate interests).
  • Establishment or defense of claims. To establish, exercise, or defend legal claims and to enforce our agreements (legitimate interests; legal obligation).
  • With your consent. For any other purpose disclosed to you at the time the personal information is collected and to which you have consented (consent).

We will not use your personal information for any new purpose that is materially incompatible with the purposes described above without first notifying you and, where required, obtaining your consent.

4. AI Models and Outputs

MachGen is an artificial intelligence infrastructure platform that hosts open models, licensed models or models on behalf of customers. The following describes how we handle prompts, inputs, and Outputs in relation to safety, third-party model providers, and AI transparency.

  • Free and trial tiers. If you use a free, trial, or evaluation tier of the Services, we may use a limited subset of prompts, inputs, and Outputs to investigate abuse, enforce our Acceptable Use Policy, and operate our safety and abuse-detection systems. Where applicable law requires consent for this use, we will obtain such consent or provide a clear opt-out at the point of collection.
  • Safety and abuse review. We may review prompts and Outputs flagged by automated safety systems or reported by users for the purposes of investigating abuse, operating our abuse-detection and enforcement processes, and complying with applicable law. This review is limited to the minimum content necessary and is subject to access controls and confidentiality safeguards.
  • Third-party Model Providers. Certain Services rely on artificial intelligence models provided by third-party Model Providers. Where you use such models, the Model Provider may process your prompts and Outputs in accordance with its own terms of service and privacy policy. We maintain a list of current Model Providers, together with links to their privacy practices, in our documentation.
  • AI transparency. In compliance with Article 50 of the EU AI Act and similar laws, Outputs generated by the Services may be marked or watermarked as artificially generated. You agree not to remove, obscure, or alter any such marking, and to disclose to your end users that content has been artificially generated where required by applicable law.
  • Accuracy and bias. Outputs are generated using statistical models and may be inaccurate, incomplete, biased, or otherwise unsuitable for a particular purpose. You should not rely on Outputs as a sole basis for decisions affecting you or others without independent verification.
  • Automated decision-making. MachGen does not currently use personal information for fully automated decision-making that produces legal or similarly significant effects without meaningful human review. If we introduce any such processing in the future, we will provide you with the information required by Article 22 of the GDPR and applicable U.S. state privacy laws and, where required, give you the ability to opt out.

5. How We Share Personal Information

We share personal information in the following circumstances:

  • Service providers and processors. We share personal information with vendors, consultants, and other service providers that perform services on our behalf, including cloud hosting and infrastructure providers, payment processors, analytics providers, customer support tools, email delivery services, security and fraud-prevention services, and professional advisors. These parties are bound by contractual obligations to process personal information only for the purposes we specify and to implement appropriate security safeguards. A current list of categories of service providers is available upon request.
  • Third-party Model Providers. As described in Section 4, certain Services involve transmission of prompts and Outputs to third-party Model Providers.
  • Affiliates. We may share personal information with our affiliated entities for the purposes described in this Policy. Our affiliates are required to honor this Policy.
  • Business transactions. We may share or transfer personal information in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, subject to confidentiality safeguards.
  • Legal compliance and protection of rights. We may disclose personal information where we believe in good faith that disclosure is necessary to comply with applicable law, respond to lawful requests from public authorities, enforce our agreements, protect the rights, property, or safety of MachGen, our users, or others, or detect, prevent, or address fraud, abuse, security incidents, or technical issues.
  • Aggregated or de-identified information. We may share aggregated or de-identified information that cannot reasonably be used to identify you for any business purpose without restriction.
  • With your consent. We may share personal information for other purposes with your consent or at your direction.

We do not sell personal information for monetary consideration. For the limited purposes for which the term “sale” under the CCPA and the term “sharing” under the California Privacy Rights Act may apply, please refer to Section 13.

6. International Data Transfers

MachGen is headquartered in the United States, and we may transfer personal information to the United States and to other countries in which we, our affiliates, and our service providers operate, including India. These countries may have data protection laws that differ from those of your country of residence.

Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards, including the European Commission’s standard contractual clauses, the UK International Data Transfer Addendum, and the Swiss Federal Data Protection and Information Commissioner’s standard contractual clauses, as applicable. We also implement supplementary technical and organizational measures where required, including encryption in transit and at rest, access controls, and contractual restrictions on access by public authorities. A copy of the applicable transfer mechanism is available upon request to the contact address in Section 21.

7. Data Retention

We retain personal information for the periods set forth below and otherwise for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, enforce our agreements, and otherwise fulfill the purposes for which it was collected.

  • Account information: for the duration of your account, plus a reasonable period thereafter (typically 24 months) to comply with our legal obligations and enforce our rights.
  • Billing and transaction records: for at least seven (7) years to comply with tax and accounting obligations.
  • Customer Content and Outputs: for the period specified in your account settings, our documentation, or the applicable order. Customer Content from free or trial accounts may be retained for a shorter default period, after which it is deleted or de-identified.
  • Usage logs and security logs: for up to 24 months for security, abuse-detection, and compliance purposes.
  • Support and communications records: for up to 36 months.
  • Marketing data: until you withdraw consent or unsubscribe, plus a reasonable suppression-list retention period.
  • Aggregated and de-identified data: indefinitely, provided it cannot reasonably be used to identify an individual.

We may retain personal information for longer periods where required by applicable law, regulatory obligation, litigation hold, or other legitimate business purpose. After the applicable retention period, we will delete, anonymize, or aggregate the relevant personal information.

8. Security

We implement administrative, technical, and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption of personal information in transit and at rest where appropriate, access controls, multi-factor authentication for administrative access, network segmentation, vulnerability management, penetration testing, employee training, vendor risk management, and incident response procedures. However, no method of transmission over the internet or method of electronic storage is fully secure, and we cannot guarantee absolute security.

Data Breach Notification

If we become aware of a personal data breach affecting your personal information, we will notify you and the relevant supervisory authorities as required by applicable law and within the timeframes prescribed by such law (for example, within 72 hours of becoming aware of the breach where required under the GDPR or UK GDPR, and without unreasonable delay where required under U.S. state breach-notification laws).

9. Children's Privacy

The Services are not directed to, and we do not knowingly collect personal information from, children under the age of 18 (or such higher minimum age as may apply in your jurisdiction). We do not knowingly collect personal information from children under the age of 13 in any case. If we become aware that we have collected personal information from a child under the age of 13 without verifiable parental consent (where required under the U.S. Children’s Online Privacy Protection Act), or from a child under the age applicable under the GDPR (typically 16, subject to Member State variation), we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at the address in Section 21.

We do not offer the Services to children. We do not engage in targeted advertising to known minors and will not sell or share the personal information of any consumer who is under 16 years of age unless we receive affirmative authorization from the consumer (if between 13 and 16) or from the parent or legal guardian (if under 13).

10. Cookies and Tracking Technologies

We and our service providers use cookies and similar technologies (such as pixels, tags, web beacons, and mobile advertising identifiers) to operate the Services, recognize you across sessions, remember your preferences, analyze usage, and support marketing. The categories of cookies we use include:

  • Strictly necessary cookies, which are required to operate the Services and cannot be disabled.
  • Functional cookies, which remember your preferences and choices.
  • Analytics cookies, which help us understand how the Services are used.
  • Advertising cookies, which support marketing and measurement of advertising effectiveness, where applicable.

Where required by applicable law, we obtain your consent before placing non-essential cookies. You may control cookies through your browser settings or, where available, through the cookie preference center on our website. We honor the Global Privacy Control (“GPC”) signal as a request to opt out of the sale or sharing of personal information under applicable U.S. state privacy laws. We also use third-party analytics providers (such as Google Analytics and Segment) and tracking pixels in marketing emails; you may opt out of those by following the instructions provided by the relevant provider or in the marketing email.

11. Your Privacy Rights

Subject to applicable law and certain exceptions, you may have the following rights with respect to your personal information:

  • Access. To request a copy of the personal information we hold about you, including specific pieces (where required under the CCPA) and the categories described in Section 2.
  • Correction. To request that we correct inaccurate or incomplete personal information.
  • Deletion. To request that we delete personal information, subject to certain exceptions (for example, where retention is required by law).
  • Portability. To receive your personal information in a structured, commonly used, machine-readable format and to transmit it to another controller, where technically feasible.
  • Objection and opt-out.To object to the processing of your personal information on the basis of legitimate interests, to opt out of direct marketing, and to opt out of any “sale” or “sharing” of personal information or profiling for targeted advertising as defined under U.S. state privacy laws.
  • Restriction. To request that we restrict the processing of your personal information in certain circumstances.
  • Limit use of sensitive personal information. To request that we limit our use and disclosure of sensitive personal information to certain permitted purposes (a California right).
  • Withdrawal of consent. Where we rely on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Automated decision-making. Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, where applicable law so provides.
  • Non-discrimination. Not to be discriminated against for exercising your privacy rights.
  • Complaint. To lodge a complaint with the data protection supervisory authority in your jurisdiction. We would, however, appreciate the opportunity to address your concerns directly before you contact a regulator.

Submitting a Request

To exercise any of these rights, please contact us at legal@machgen.ai. We will respond to verifiable consumer requests within the time required by applicable law (generally 45 days for U.S. state privacy law requests and one (1) month for GDPR and UK GDPR requests, in each case subject to extensions where permitted by law).

Verification

Before fulfilling certain requests, we may need to verify your identity by matching information you provide against information we hold about you (such as your account email address, recent activity, or transaction history). For sensitive requests (such as deletion of an account or access to specific pieces of personal information), we may require additional verification steps. We will not use information collected for verification purposes for any other purpose.

Authorized Agents

You may designate an authorized agent to submit a request on your behalf. We will require the agent to provide written authorization signed by you, and we may require you to verify your identity directly with us or confirm that you provided the agent with permission to submit the request.

No Financial Incentives

We do not offer financial incentives or programs that involve different prices, rates, levels, or quality of service in exchange for personal information.

12. International Representatives and Other Jurisdictions

Where required under Article 27 of the GDPR or the UK GDPR, we have appointed representatives in the European Union and the United Kingdom.

If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD). If you are a resident of Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws. If you are a resident of the People’s Republic of China, you have rights under the Personal Information Protection Law (PIPL). We honor the rights provided under these laws to the extent applicable, and you may exercise them by contacting us at legal@machgen.ai.

13. California Privacy Rights

This Section provides additional information for California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”).

Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information from California residents, as those categories are defined under the CCPA:

  • Identifiers (such as name, email address, IP address, and account identifiers);
  • Customer records (such as billing and contact information);
  • Commercial information (such as transaction and subscription history);
  • Internet or other electronic network activity (such as usage data, API logs, and device information);
  • Geolocation data (approximate location derived from IP address);
  • Professional or employment-related information (where you provide it);
  • Inferences drawn from the foregoing to create a profile reflecting preferences, characteristics, or behavior; and
  • The contents of any Customer Content or Outputs you submit through the Services, which may include any other category of personal information depending on what you submit.

Sources, Purposes, and Recipients

The sources from which we collect personal information, the business and commercial purposes for which we use it, and the categories of third parties with whom we share it are described in Sections 2, 3, and 5 of this Policy.

Sale or Sharing of Personal Information

MachGen does not sell personal information for monetary consideration. To the extent that the use of certain advertising or analytics cookies on our website may constitute “sharing” of personal information for cross-context behavioral advertising under the CCPA, you may opt out by adjusting your cookie preferences, by enabling the Global Privacy Control signal in your browser, or by contacting us at legal@machgen.ai. We do not knowingly sell or share the personal information of consumers under the age of 16.

Sensitive Personal Information

We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA without offering you the right to limit such use. The categories of sensitive personal information that we may collect are limited to account credentials (such as your account password in hashed form) and, where you voluntarily submit it through Customer Content, other categories you choose to provide.

Shine the Light

Under California Civil Code Section 1798.83 (the “Shine the Light” law), California residents with an established business relationship with us may request information once per calendar year about our disclosures of certain categories of personal information to third parties for their direct marketing purposes. To make such a request, please contact us at legal@machgen.ai. We do not currently disclose personal information to third parties for their own direct marketing purposes.

California Rights for Minor Users

California Business and Professions Code Section 22581 allows California residents under the age of 18 who are registered users of online services to request removal of content or information they have publicly posted. To request such removal, please contact us at legal@machgen.ai.

14. Other State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Minnesota, Tennessee, Maryland, Indiana, Kentucky, Rhode Island, and other U.S. states with comprehensive privacy laws have additional rights under those laws, including rights similar to those described in Section 11. We honor these rights to the extent applicable, and you may exercise them by contacting us at legal@machgen.ai. Residents of Nevada have the right to opt out of certain sales of personal information by contacting us at the same address. Residents of Washington with respect to consumer health data may have additional rights under the Washington My Health My Data Act.

15. Do Not Track and Global Privacy Control

Our Services do not respond to legacy Do-Not-Track browser signals. We do, however, honor the Global Privacy Control signal as a request to opt out of sale and sharing of personal information under applicable U.S. state privacy laws.

16. Workplace and Employer Use

If you access the Services through an account provided to you by your employer or another organization, that organization may have administrative rights with respect to your account and may have visibility into your use of the Services. Your employer’s or organization’s privacy practices, rather than this Policy, may govern its handling of your personal information in those circumstances. You should consult your employer’s or organization’s policies for additional information.

17. Third-Party Websites and Services

The Services may contain links to, or interoperate with, third-party websites, services, and applications that are not operated by MachGen. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party website or service before providing it with personal information.

18. "Do Not Sell or Share My Personal Information"

Although we do not sell personal information for monetary consideration, you may exercise your right to opt out of any “sale” or “sharing” of personal information under the CCPA and similar state laws by enabling the Global Privacy Control signal in your supported browser or by contacting us at legal@machgen.ai.

19. Service Providers and Sub-processors

We engage trusted service providers and sub-processors to perform services on our behalf. Categories of service providers include cloud hosting and infrastructure (for example, providers of compute and storage services), payment processors, customer support tools, communications and email delivery, analytics, security and abuse detection, and professional advisors. Each service provider is bound by contractual obligations consistent with this Policy. A current list of categories of service providers and Model Providers is maintained in our documentation and is available upon request to legal@machgen.ai. We notify business customers of changes to our sub-processors as required by the applicable DPA.

20. Changes to this Policy

MachGen may update this Policy at any time in its sole discretion. Updates are effective immediately upon posting the updated Policy on the MachGen website with a revised Effective Date, and MachGen is not required to provide any other notice except as required by applicable law. Your continued use of the Services after the revised Effective Date constitutes acceptance of the updated Policy.

21. Contact Us

If you have questions about this Policy or our privacy practices, or if you wish to exercise any of your privacy rights, please contact us at legal@machgen.ai, or by mail at:

MachGen AI, Inc.
Attn: Privacy Officer
5201 Great America Parkway, Suite 320
Santa Clara, California 95054
United States of America