Privacy Policy
1. Introduction
Fancygames Ltd ("we", "us", "our", or the "Company"), a company registered in England and Wales with its registered office at 3rd Floor, 86-90 Paul Street, London, United Kingdom, EC2A 4NE, operates the ToonStudio.ai platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service.
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the Data Protection Act 2018, and the California Consumer Privacy Act (CCPA), as applicable.
By accessing or using ToonStudio.ai, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller and B2B Relationship
ToonStudio.ai is a business-to-business (B2B) service. Our contractual relationship is with the subscribing organisation (the "Client"). Individual user accounts are created and managed by the Client organisation, which adds its employees, contractors, or authorised personnel as users.
For the purposes of applicable data protection legislation:
- Fancygames Ltd acts as a data processor when processing personal data of the Client's users on behalf of the Client organisation.
- The Client organisation acts as the data controller and is responsible for ensuring it has a lawful basis to provide its users' personal data to us, and for informing its users about how their data is processed through the Service.
- For data that we collect and process for our own purposes (such as account management, billing, and Service operation), Fancygames Ltd acts as a data controller.
If you have any questions about this Privacy Policy or our data practices, you can contact us at:
- Email: support@toonstudio.ai
- Address: 3rd Floor, 86-90 Paul Street, London, United Kingdom, EC2A 4NE
- Data Protection Officer: Dmitry Matyukhin — dmitry@toonstudio.ai
If you are an employee or contractor of a Client organisation using ToonStudio.ai, please contact your employer's privacy or legal team for information about how your organisation handles your data. You may also contact us directly with any questions.
3. Information We Collect
3.1 Account Information
When you create an account (via our authentication provider Auth0), we collect:
- Email address
- Display name
- Profile picture / avatar URL
- Authentication identifiers
3.2 Organisation Information
When an organisation is created on the platform, the following data may be collected:
- Organisation name
- Billing email address
- Organisation logo
- Subscription plan details
3.3 User-Generated Content
In the course of using the Service, you may upload or create:
- Images (PNG, JPEG, WebP)
- PDF documents
- Project templates
- Style reference images
- Project data including nodes, edges, pipelines, and configurations
3.4 Usage and Analytics Data
We automatically collect certain information about how you use the Service, including:
- AI generation usage metadata (number of generations, tokens consumed, models used). We do not collect, store, or access the AI-generated images or outputs themselves — these remain within your organisation's project data and are treated as confidential.
- Feature usage patterns and preferences
- Error reports and diagnostic data (via our error tracking service)
3.5 Payment Information
Payment processing is handled by our third-party payment provider(s), which may include Stripe and/or Paddle. We do not store your full credit card number or payment credentials. We may store a customer identifier and billing-related metadata from the payment provider. Please refer to Stripe's Privacy Policy and Paddle's Privacy Policy for details on how they handle payment data.
3.6 Third-Party Authentication Data
If you connect your Google account for the Google Drive / Google Docs integration, we store:
- OAuth access and refresh tokens (encrypted at rest)
- Google account email address
These tokens are used solely to access Google Drive and Google Docs on your behalf and can be revoked at any time.
3.7 Data We Do Not Collect
We do not knowingly collect:
- Sensitive personal data (e.g., racial or ethnic origin, political opinions, health data)
- Data from children under the age of 16
4. How We Use Your Information
We use the data we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service | Performance of a contract |
| Authenticating users and managing accounts | Performance of a contract |
| Processing payments and managing subscriptions | Performance of a contract |
| Sending transactional emails (password resets, invitations) | Performance of a contract |
| Monitoring and improving Service performance | Legitimate interest |
| Error tracking and debugging | Legitimate interest |
| Usage metering and billing | Performance of a contract |
| Enforcing our Terms of Use and preventing abuse | Legitimate interest |
| Complying with legal obligations | Legal obligation |
We do not use your uploaded content or generated outputs to train general-purpose AI models. The Service includes a "Styles" feature that analyses your reference images to learn visual patterns for consistent AI generation. This analysis is performed exclusively for your organisation's use — the resulting style data is scoped to your organisation, is not shared with other users or organisations, and is not used to improve or train any models outside of your organisation's context.
5. Third-Party Services and Data Sharing
We share data with the following categories of service providers, strictly as necessary to operate the Service:
5.1 Authentication
- Auth0 (Okta) — Identity and access management. Processes email, name, and authentication tokens. See the Auth0 Privacy Policy.
5.2 AI Generation Providers
When you use AI generation features, your prompts, style references, and related inputs may be sent to:
- OpenAI — Image generation and prompt generation. See the OpenAI Privacy Policy.
- Google (Gemini) — Image generation. See the Google Privacy Policy.
We may integrate additional third-party AI providers at our discretion to enhance or expand the Service's capabilities. When we do, we ensure that appropriate data processing agreements are in place.
These providers process data on their own terms. We use API access tiers that do not permit these providers to use your inputs or outputs for training their models. However, we cannot guarantee how upstream providers handle data beyond our contractual agreements.
5.3 Payment Processing
- Stripe — Payment processing and subscription management. See the Stripe Privacy Policy.
- Paddle — Payment processing, subscription management, and merchant of record. See the Paddle Privacy Policy.
5.4 Email Delivery
- SendGrid (Twilio) — Transactional email delivery for invitations, password resets, and account notifications. See the Twilio Privacy Policy.
5.5 Infrastructure and Hosting
- OVHcloud — Cloud hosting, database, object storage, and CDN (EU — France). See the OVH Privacy Policy.
5.6 Analytics and Product Improvement
We may use third-party analytics tools to understand how the Service is used and to improve the user experience. These tools collect anonymised or pseudonymised usage data such as feature interactions, navigation patterns, and performance metrics. They do not collect or have access to your uploaded content, generated outputs, or project data.
5.7 Error Monitoring
We use industry-standard error tracking and application performance monitoring tools in our production environment to maintain Service reliability and diagnose issues. These tools may process limited technical and diagnostic data (such as error messages and stack traces) but do not process your uploaded content or generated outputs.
We do not sell, rent, or trade your personal data to any third party.
6. International Data Transfers
Our primary infrastructure is hosted in the European Union (OVHcloud, France). However, some third-party services (notably OpenAI) may process data in the United States or other countries.
Where personal data is transferred outside of the UK or EEA, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreements (IDTAs) where applicable
- Adequacy decisions where available
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained until you request deletion of your account.
- Project data and uploaded content: Retained while your organisation's subscription is active. Deleted within 90 days of subscription termination, unless a longer retention period is required by law.
- Usage and billing records: Retained for up to 7 years for accounting and legal compliance purposes.
- Error and diagnostic logs: Retained for up to 90 days.
- Real-time collaboration data: Transient; not persisted beyond the active session.
8. Cookies and Local Storage
ToonStudio.ai uses minimal browser storage:
- Local Storage: Authentication tokens and user interface preferences. These are strictly necessary for the operation of the Service.
- Session Storage: Temporary data for OAuth callback flows.
We do not use third-party advertising or analytics cookies. We do not use tracking pixels or behavioural advertising technologies. Google Fonts are loaded from Google's servers, which may set cookies subject to Google's Privacy Policy.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of sensitive credentials at rest (API keys, OAuth tokens)
- Role-based access control (RBAC) with organisation-level isolation
- JWT-based authentication with secure token management
- Regular security assessments and monitoring
- Infrastructure hosted in certified data centres (OVHcloud, ISO 27001)
While we take every reasonable precaution, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
10. Your Rights
10.1 Rights Under UK GDPR / EU GDPR
If you are located in the UK or EEA, you have the following rights:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten").
- Right to restriction of processing — Request that we restrict processing of your data in certain circumstances.
- Right to data portability — Request a copy of your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests.
- Right to withdraw consent — Where processing is based on consent, you may withdraw at any time.
To exercise these rights, contact our Data Protection Officer at dmitry@toonstudio.ai. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local data protection supervisory authority.
10.2 Rights Under the CCPA (California Residents)
If you are a California resident, you have the following rights under the CCPA:
- Right to know — Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete — Request deletion of your personal information.
- Right to opt-out of sale — We do not sell personal information. No opt-out is necessary.
- Right to non-discrimination — We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at support@toonstudio.ai.
11. Children's Privacy
ToonStudio.ai is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete such data promptly.
12. AI-Specific Disclosures
ToonStudio.ai integrates third-party AI models for image generation, prompt generation, style analysis, and background removal. Please be aware of the following:
- No general model training on your data: We do not use your inputs, uploads, or generated outputs to train general-purpose AI models. Our API agreements with providers (OpenAI, Google) prohibit the use of API data for model training. The "Styles" feature analyses your reference images solely to enable consistent generation within your organisation — this data is never shared with other users, organisations, or used for any purpose outside your organisation.
- Input responsibility: You are responsible for ensuring you have the necessary rights to any images, reference materials, or datasets you upload to the platform.
- AI output limitations: AI-generated content may not be unique or may resemble existing works. We make no independent guarantees regarding copyright or intellectual property status of AI-generated outputs. The intellectual property framework for AI-generated content is evolving and may vary by jurisdiction.
- Service availability: AI features depend on third-party providers. We use multiple providers to mitigate risk but are not liable for upstream provider outages, changes in service, or changes in provider terms.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page and updating the "Last Updated" date. For significant changes, we may also notify you via email or through the Service.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- General enquiries: support@toonstudio.ai
- Data Protection Officer: Dmitry Matyukhin — dmitry@toonstudio.ai
- Post: Fancygames Ltd, 3rd Floor, 86-90 Paul Street, London, United Kingdom, EC2A 4NE