Privacy Policy

QTPIE COM, LLC (“QtPie,” “we,” “us,” or “our”) is a limited liability company organized under the laws of the Commonwealth of Virginia. We operate the website QtPie.com and related services (collectively, the “Service”), which enables users to generate stylized AI gaming avatars from uploaded photographs.

Contact: QTPIE COM, LLC | Email: [email protected]

If you are located in the EEA or UK, our EU/UK GDPR Representative will be listed here once appointed prior to EU marketing launch.

This Privacy Policy explains what information QTPIE COM, LLC collects, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. It applies to all users of QtPie.com regardless of location. It does not cover third-party websites or services linked from our Service.

3.1 Information You Provide Directly

Account Information: When you create an account, we collect your email address, chosen username, and password (stored in hashed form). If you sign in via Discord OAuth, we receive your Discord user ID, username, and email from Discord.

Face Photographs: When you use our avatar generation feature, you upload one or more photographs of your face. Your photographs are transmitted to our AI processing provider (fal.ai) to generate your avatar. Photos are stored securely in your account so you can reuse them for future avatar generations. You may delete a source photo at any time from your account settings; deletion takes effect within 24 hours. When your account is closed, all source photos are deleted. We do not use your photographs to train AI models without your separate explicit consent.

Payment Information: We use Stripe, Inc. to process payments. We do not receive, store, or have access to your full credit card number, CVV, or bank account details. We receive from Stripe only a tokenized reference, last four digits, expiration date, card type, and billing country.

Communications: If you contact us for support or feedback, we retain those communications and your contact details.

3.2 Information We Collect Automatically

We collect usage data (pages visited, features used, styles selected, session duration), device and technical information (IP address, browser type, operating system, device type), authentication tokens (strictly necessary, stored as first-party cookies), and transaction records (credit purchases, credit usage history).

3.3 Information We Do NOT Collect

We do not collect: your full credit card number or CVV; biometric templates or facial geometry stored beyond a single generation request; your face photographs after you have deleted them from your account settings or closed your account; precise geolocation; information from users under 16; or sensitive health, financial, or government ID information.

Processing Your Avatar Requests (Performance of Contract / GDPR Art. 6(1)(b)): We process your uploaded photographs and generation parameters to provide the avatar creation service you requested.

Account Management (Performance of Contract / GDPR Art. 6(1)(b)): We process your email, username, and authentication information to maintain your account.

Payment Processing (Legal Obligation and Legitimate Interests / GDPR Art. 6(1)(c) and 6(1)(f)): We process transaction records to fulfill legal obligations and maintain business records.

Service Improvement (Legitimate Interests / GDPR Art. 6(1)(f)): We analyze usage patterns to improve the Service. We do not use face photographs for model training without separate explicit consent.

Marketing Communications (Consent / GDPR Art. 6(1)(a)): If you opt in, we may send promotional emails. You can withdraw consent at any time.

Biometric Data — Special Category (Explicit Consent / GDPR Art. 9(2)(a)): To the extent our processing of your uploaded face photographs constitutes biometric data processing under applicable law (including GDPR Article 9), we rely on your explicit, freely given, informed consent obtained at account creation. You may withdraw this consent at any time in your account Settings.

We use the information we collect to: generate AI avatars from your uploaded photographs; create and manage your account; process payments and track credit balances; deliver your generated avatars; send transactional emails; respond to support requests; detect and prevent fraud and abuse; comply with applicable legal obligations; and (with your opt-in consent) send marketing communications.

We do NOT use your information to: train AI models using your photos without separate explicit consent; sell or rent your personal data; build advertising profiles; or make automated decisions with legal or significant effects about you.

We do not sell, rent, or trade your personal information. We share it only with:

fal.ai, Inc. (AI Processing Provider): Your uploaded photographs and generation parameters are transmitted to fal.ai for the sole purpose of generating your avatar under a contractual data processing agreement in compliance with applicable privacy regulations.

Stripe, Inc. (Payment Processor): Payment information is processed directly by Stripe under their own Privacy Policy.

Infrastructure Providers: Supabase (database/auth), Cloudflare R2 (avatar storage), Railway (hosting), and Upstash Redis (caching) access only the data necessary to operate the Service and are bound by data processing agreements.

Legal Requirements: We may disclose your information if required by applicable law, court order, or governmental request.

Business Transfers: If QTPIE COM, LLC is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

We do not share your information with advertisers, data brokers, or third-party marketing platforms.

Because the Service requires you to upload photographs of your face, we want to be especially clear about how we handle them.

Transmission: When you click “Generate,” your photograph is transmitted over an encrypted (TLS/HTTPS) connection to fal.ai’s servers.

Processing: fal.ai’s systems analyze the visual features in your photograph to generate a stylized avatar in your chosen art style.

Retention: Your photograph is stored securely in our systems for the lifetime of your account so you can reuse it for future generations. You may delete it at any time from your account privacy settings; we complete permanent deletion within 24 hours. Closing your account deletes all source photos. We retain generated avatars (not your photograph) in your account gallery until you delete them or close your account.

No Biometric Templates Stored Beyond Generation: We do not store facial geometry templates, biometric identifiers, or any derivative biometric data extracted from your photograph beyond the duration of a single generation request.

No Training Without Consent: Your photographs are not used to train any AI model without your separate explicit consent.

No Identification: We do not use your photographs for identification, verification, surveillance, or any purpose other than generating avatars you have requested.

This approach is designed to comply with the Illinois Biometric Information Privacy Act (BIPA), GDPR Article 9, Virginia VCDPA, Texas CUBI, and similar biometric privacy laws worldwide.

Face Photographs: Stored for the lifetime of your account or until you delete them from your privacy settings (hard deletion completes within 24 hours). Deleted with your account.

Generated Avatars: Stored in your account gallery until you delete them or your account is closed.

Account Information: Retained for the duration of your account plus 90 days after account closure, then deleted or irreversibly anonymized.

Payment Records: Retained for 7 years to comply with financial recordkeeping requirements.

Support Communications: Retained for 2 years after the last communication.

Usage Logs: Retained for 90 days, then deleted or aggregated.

Consent Records (biometric): Retained for the duration of your account plus 3 years, as required by applicable biometric privacy law.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information — including face photographs — from anyone under 16. If you are under 16, do not use the Service or provide any information. If you believe we have inadvertently collected information from a child under 16, please contact us immediately at [email protected] and we will promptly delete the information.

Users aged 16 to 17 and biometric processing. QtPie uses facial features from uploaded photos to generate avatars. Under GDPR Article 9, biometric data is a special category requiring explicit consent. The legal standing of consent given by a minor aged 16 or 17 for such processing is unsettled across EU case law. Additionally, EU member states set different digital-consent ages under GDPR Article 8 (ranging between 13 and 16 depending on jurisdiction, with some member states additionally requiring parental authorization for users under 18). If you are 16 or 17 and live in the EU, we recommend that you confirm with a parent or guardian before creating an account. If you are a parent or guardian and believe your child created an account without appropriate consent, contact us at [email protected] and we will delete the account and associated biometric data.

Separate age rule for photo subjects. The 16+ minimum above governs who may hold an account. A separate rule governs who may appear in any uploaded or generated image: regardless of the account holder's age, uploading or generating avatars that depict real minors (any person under 18 years old) is strictly prohibited. See our Terms of Service and Acceptable Use Policy for details.

We use cookies and similar technologies as described in our Cookie Policy at QtPie.com/legal/cookie-policy. We use strictly necessary cookies for authentication and session management. We use analytics tools with memory-only storage (no persistent cookies). We do not use advertising cookies.

QTPIE COM, LLC is based in the Commonwealth of Virginia, United States. If you access the Service from the EEA, UK, or other regions with data protection laws, your information may be transferred to and processed in the United States. For EEA and UK transfers, we rely on Standard Contractual Clauses approved by the European Commission, or equivalent mechanisms. Copies are available upon request at [email protected].

We implement reasonable and appropriate technical and organizational security measures, including TLS/HTTPS encryption for all data in transit, encryption of sensitive data at rest, and access controls limiting access to personal data. No method of transmission over the Internet is 100% secure. In the event of a data breach posing risk to your rights and freedoms, we will notify you and relevant authorities as required by applicable law.

13.1 Virginia VCDPA Rights

If you are a Virginia resident, you have the right to: confirm whether we process your personal data and access it; correct inaccuracies; delete your personal data; obtain a portable copy; opt out of the sale of personal data (we do not sell personal data); opt out of targeted advertising (we do not conduct targeted advertising); and appeal our decisions regarding your rights requests.

13.2 GDPR Rights (EEA/UK)

If you are located in the EEA or UK, you have the right to: access (Art. 15); rectification (Art. 16); erasure (Art. 17); restriction of processing (Art. 18); data portability (Art. 20); object to processing (Art. 21); withdraw consent (Art. 7(3)); and lodge a complaint with your local data protection authority.

13.3 CCPA Rights (California)

California residents have the right to: know what personal information is collected, used, shared, or sold (we do not sell it); delete personal information; correct inaccurate personal information; and opt out of the sale or sharing of personal information.

13.4 How to Exercise Your Rights

Contact us at [email protected]. We will respond within 30 days (45 days for complex requests). We do not charge a fee for rights requests unless they are manifestly unfounded or excessive.

For material changes, we will provide at least 30 days' notice by email and/or a prominent notice on the Service before changes take effect. Your continued use after the effective date constitutes acceptance.

QTPIE COM, LLC

Email: [email protected]

Website: QtPie.com/legal/privacy-policy