Anumi
See pricing

Privacy Policy

Last updated: June 1, 2026

This Privacy Policy describes what personal information Anumi(“we”, “us”) collects when you use anumi.app, how we use it, who we share it with, and the rights you have over it. We try to keep this short and plain. If anything is unclear, email us at [email protected].

TL;DRWe collect your email (for sign-in), your selfies (for the AI to process), your generated images, and a hashed copy of your IP (for abuse prevention). We don’t sell anything. Source selfies are kept for up to 30 days; uploads blocked by content moderation are reviewed and removed by an admin within 5 days of the block decision. You can ask us to delete everything any time.

1. Information we collect

Information you provide

  • Email address— used to sign in via one-time code and to send transactional emails (purchase receipts, deliverables ready). Any email you give us at any surface (sign-in, trial “save my link”, refund form) is recorded in a single de-duplicated lead list along with which page first captured it, so we can answer support questions and contact you about your account. We only send marketing emails (newsletters, drips) to addresses that explicitly opted in, and you can unsubscribe at any time.
  • Uploaded selfies — the photos you give us as input for AI generation.
  • Quote text — when you enable the speech-bubble add-on, the text you type is embedded into the generated image.
  • Feedback — anything you write to us via the feedback widget or by email.

Information collected automatically

  • IP address (hashed) — we hash your IP with a server-side salt and store only the hash, used solely for rate limiting and detecting abuse. We never log the raw IP to persistent storage.
  • Generated images — your anime avatars, stickers, and bundled deliverables.
  • Moderation logs — when we run an uploaded photo through our automated content-safety check, we record the decision (allowed / blocked), the per-category scores returned by the moderation model, and the photo URL. See retention below.
  • Session cookies — a signed JWT to keep you logged in for 30 days, plus a locale cookie remembering your language choice. We do not use third-party advertising or tracking cookies.
  • Analytics events— when you take a key action (e.g. starting a free trial, viewing pricing, signing in), we record the action and a small amount of context (e.g. which style was selected) along with an anonymous device id stored in your browser’s localStorage. After you sign in, your wallet email is also attached so we can measure aggregate retention. These events are stored on our own servers (no third-party analytics provider) and automatically deleted after 90 days. The recorded payload does not include selfie contents, generated images, or your wallet balance.

Information we do NOT collect

  • We do not see, store, or process your payment-card details. Card processing happens entirely on Polar’s servers.
  • We do not run third-party advertising trackers, fingerprinting, or cross-site analytics.

2. How we use your information

  • To deliver the Service (generate avatars, send results).
  • To authenticate you (one-time codes, session cookies).
  • To enforce our acceptable-use rules (content moderation, rate limiting, abuse detection).
  • To process payments via Polar and reconcile credit balances.
  • To send transactional email.
  • To respond to support requests and improve the Service.

3. Who we share information with (sub-processors)

We use the following sub-processors to operate the Service. They are bound by data-processing agreements and may only use your data to provide their services to us.

  • OpenAI, L.L.C.— receives your uploaded selfie and our prompt to perform AI generation and moderation. Per OpenAI’s API data-usage policy, API inputs and outputs are not used to train their models.
  • Amazon Web Services, Inc. (S3) — stores uploaded selfies and generated images. Region: ap-northeast-1 (Tokyo).
  • MongoDB Atlas (MongoDB, Inc.) — stores wallet balances, generation history, moderation logs.
  • Polar Software Inc. — payment processing, merchant-of-record obligations, tax handling.
  • Amazon Web Services, Inc. (SES) — delivers transactional emails (sign-in codes, result-ready notifications, refund confirmations).
  • Cloudflare, Inc. — bot challenge on our free-trial form.

We do not sell your personal information to anyone, ever.

4. International transfers

Several of our sub-processors are based in the United States. By using the Service you consent to your data being transferred and processed in the US and other jurisdictions where our sub-processors operate, under the safeguards each of them maintains (Standard Contractual Clauses, etc.).

5. Retention

  • Uploaded selfies — stored for up to 30 days to allow result re-downloads and dispute investigation, then deleted from our bucket.
  • Selfies that fail moderation — flagged for admin review and removed from our bucket within 5 days of the block decision (sooner when an admin processes the queue in real time, automatically on day 5 at the latest). Manual review is intentional: it lets us catch false positives before irreversible deletion. We never retain confirmed acceptable-use violations beyond that window.
  • Generated avatars and stickers — stored as long as the wallet exists so you can re-download them. Deleted on request or on wallet deletion.
  • Moderation logs — 90 days, then automatically dropped via MongoDB TTL.
  • Email + wallet — for as long as your account is active. Deleted within 30 days of an account-deletion request, except where we are required by law (e.g. tax records) to keep certain transactional metadata longer.
  • Lead list (email-capture rows) — kept alongside your wallet. Removed in the same account-deletion request. Has no automatic TTL because operational continuity (support, billing, refunds) needs to reach you even years later if you ever come back.
  • Hashed IPs — 24-48 hours for rate-limit purposes, then dropped.
  • Analytics events — 90 days, then automatically dropped via MongoDB TTL.

6. Your rights

Depending on where you live, you may have the following rights over your personal information:

  • Access — receive a copy of the data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your account and associated data.
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to specific processing activities.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.
  • Complain to a regulator — EU residents may lodge a complaint with their national data-protection authority.

To exercise any of these rights, email [email protected] from the address associated with your wallet. We respond within 30 days.

7. Children

The Service is not directed at children under 13 (or under 16 in the EEA / UK). We do not knowingly collect personal information from anyone in that group. If you believe a child has provided us information, please contact [email protected] and we will delete it promptly.

8. Security

We use industry-standard measures including encrypted transport (TLS), encrypted storage at rest, signed-cookie authentication, rate limiting, and automated content moderation. No system is perfectly secure; if you suspect a vulnerability, please email [email protected] before disclosing publicly.

9. Changes to this Policy

If we make a material change we will update the “last updated” date above and, when feasible, email active users.

10. Contact

Data-protection questions and requests: [email protected].