Privacy Policy

Last updated: May 2026

The short version

We do not use your photos to train AI models, we don’t sell or share them, and we delete uploads from storage within 30 days. You can permanently delete your account at any time from the profile menu.

1. Who we are

BabyLumi (“we”, “us”) is an independent project that operates the Service at babylumi.app and the @BabyLumiBot Telegram bot. For GDPR purposes we act as the data controller for personal data processed through the Service. You can reach the controller at [email protected].

2. Data we collect

We collect only what is needed to run the Service:

  • Account identifiers — your Telegram user ID and/or email, optional display name and avatar.
  • Uploaded photos — the parent photos you submit for a generation. These are biometric data and are processed only with your explicit consent given for each upload.
  • Generated content — the photos, videos, trait predictions and storytelling we generate for you.
  • Usage and technical data — request timestamps, IP address, approximate country, browser/device type, and credit balance.
  • Payment metadata — order ID, amount, currency, status, and the last 4 digits of the card if applicable. We never see or store full card numbers.
  • Support correspondence — messages you send us via email or the Telegram bot.

3. How we use your data

We use your data to deliver the Service: generate baby photos and videos, manage your credit balance, process payments, prevent abuse, and provide support. Aggregated, non-identifying statistics (e.g. average generation time) may be used for monitoring and capacity planning.

4. Photo storage & retention

Photos and generated outputs are stored encrypted in Cloudflare R2 (EU jurisdiction). Retention rules are enforced automatically:

  • uploaded parent photos: deleted within 30 days after generation;
  • generated photos and videos: kept for 30 days, then deleted automatically;
  • encrypted backups: 30 days, rolling;
  • application logs: 3 days.

Account-level data (email, Telegram ID, credit balance, payment history) is kept for as long as your account is active and as required by accounting law after deletion.

5. We don’t train models on your photos

Your photos and the images we generate are never used to train, fine-tune, or evaluate AI models — by us or by our processors. Facial biometrics are processed for one purpose only — to generate your result — and are deleted immediately after.

6. Sub-processors

We rely on a small set of vetted providers. Each receives only the minimum data needed for its function:

  • Hetzner Online GmbH (Germany) — primary hosting and database.
  • Cloudflare, Inc. — DNS, CDN, bot protection, and R2 object storage (EU jurisdiction). Cloudflare Turnstile may receive your IP and a verification token during anti-bot checks.
  • Black Forest Labs (FLUX.2 Klein) — image generation. Receives the parent photos and a generation prompt for the duration of inference. No account identifiers are sent. Per provider policy, content is processed for inference only and is not retained or used for training.
  • Anthropic (Claude) — analysis of facial traits to build the generation prompt. Receives the parent photos for inference only; no account identifiers.
  • Kling AI — video generation, used only when you purchase a video pack. Receives the cover photo and a generation prompt for the duration of inference.
  • Whop, Inc. — payment processing for card checkout on the web. We receive only order metadata, never card details.
  • Telegram Messenger Inc. — when you authenticate via Telegram or pay with Telegram Stars, Telegram processes the corresponding identifiers and payment per its own policy.
  • Google Analytics 4 — only on the public landing page, only if you accept analytics cookies. See our Cookie Policy.

7. International transfers

Primary processing happens in the European Economic Area. Some sub-processors (Cloudflare, Black Forest Labs, Anthropic, Kling AI, Whop, Telegram, Google) operate globally, including in the United States. Where data leaves the EEA, we rely on EU Standard Contractual Clauses and the EU–US Data Privacy Framework where the receiving party is certified.

8. Cookies & local storage

We use a minimal set of cookies and browser localStorage entries — see the Cookie Policy for the full list and how to manage your consent.

9. Your rights (GDPR)

If you are in the EEA, the UK, or Switzerland, you have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — delete your account (see below) or ask us to remove specific data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection / restriction — object to or restrict certain processing.
  • Withdraw consent — at any time, without affecting earlier lawful processing.
  • Lodge a complaint with your local supervisory authority.

To exercise any right, write to [email protected]. We respond within 30 days. We may ask for additional information to verify your identity.

10. Account deletion · right to erasure

You can permanently delete your BabyLumi account at any time — there’s a “Delete account” button in the profile menu. On confirmation, within one minute we:

  • erase all uploaded photos from R2 storage;
  • delete all generations, videos, and trait predictions;
  • clear personal identifiers from your profile (email, Telegram ID, display name, avatar);
  • retain payment records in anonymised form, as required by accounting law, with no link to your identity.

Deletion is irreversible. The same Telegram ID or email can be used to register a new account, but the old data will not return.

11. Lawful bases

We process personal data on the following bases:

  • Contract — providing the Service, payments, support.
  • Consent — processing of biometric data (face features) for generation; analytics cookies. You can withdraw consent at any time.
  • Legitimate interest — preventing fraud and abuse, maintaining technical stability of the Service.
  • Legal obligation — accounting and tax law for payment records, responding to lawful requests.

12. Security

All traffic is encrypted in transit (TLS). Storage is encrypted at rest. Access tokens are short-lived JWTs with refresh-token rotation. We apply rate limiting, anti-enumeration on auth endpoints, and bot protection on payment forms. No system is perfectly secure, so we encourage you to use a unique password if you sign in with email.

13. Age requirement

The Service is for users aged 18 and over. We do not knowingly collect personal data from minors. If you believe a minor has used the Service, contact [email protected] and we will delete the account.

14. Changes to this Policy

We may update this Policy. Material changes will be announced on this page and, where appropriate, by email or in-app notice at least 14 days before they take effect.

15. Contact

Privacy questions and rights requests: [email protected]. General support: [email protected], or via the Telegram bot.