privacy

what we
collect, and why.

plain language. no dark patterns.
last updated · 2026-05-25

1. the short version

amige. is an AI content detector. you give us an image, video, or piece of text; we run it through a panel of detection models and show you what they say. to do that we need to store your account, your uploads, and your scan history. we do not sell your data. we do not run ad trackers. we do not train AI models on your uploads. we share uploads only with the detection vendors required to produce a verdict, and with the service providers we use to run the site (hosting, database, payments).

if you only read one section, read this one and the your rights section.

2. who runs amige.

amige. is operated from Vietnam by the individual / entity listed in the terms page (see who this is between). that operator is the data controller under EU/UK GDPR — the party that decides why and how your data is processed.

amige. does not currently have a designated EU representative under GDPR Article 27. EU/UK users and supervisory authorities can reach us directly at [email protected]; we respond within the timelines listed in section your rights. if amige.'s EU/UK footprint grows past the Article 27 de-minimis threshold, we will appoint a representative and publish their details here.

3. what we collect and why

we collect only what we need to run the service. each category below lists what we collect, why, and how long we keep it. EU/UK users — the lawful basis under GDPR Article 6 is included for each.

account info

whatemail address (used for sign-in), plan status, scan credit balance, account creation timestamp.

whyto let you sign in, run scans, and apply your plan.

EU lawful basiscontract (Art 6(1)(b)) — necessary to provide the service you signed up for.

retentionuntil you close your account, then deleted within 30 days. inactive accounts (no sign-in for 24 months) get a deletion warning email and are purged 30 days later.

your uploads

whatthe image, video, text, or pasted URL you submit for scanning. for videos we also store a first-frame thumbnail so the share card has something to display.

whywe need the bytes to run them through the detector ensemble and to let you revisit the verdict later in history.

EU lawful basiscontract (Art 6(1)(b)).

retentionuntil you delete the scan or close your account. deletion request via email today; in-product delete button is on the v1.1 roadmap. detector vendors retain inputs per their own policies (see section 4).

scan results

whatthe verdict (likely AI / uncertain / likely human), aggregate confidence, per-detector scores, model-attribution guesses, and the raw JSON each detector returned.

whyso you can revisit a scan, share a permalink, and so we can debug detector regressions.

EU lawful basiscontract (Art 6(1)(b)) for your access; legitimate interest (Art 6(1)(f)) for our debugging — internal logs are pseudonymized after 30 days.

retentionsame as the parent scan.

payment metadata

whatPolar customer id, subscription state (active / canceled / past-due), order ids for credit-pack purchases, plan tier. amige. never sees your card number — Polar handles all card data as the merchant of record.

whyso we apply the right plan, grant credits on purchase, and end access when you cancel.

EU lawful basiscontract (Art 6(1)(b)).

retentionkept while the subscription / credit balance is active. order records retained for 7 years as required by accounting rules in most jurisdictions Polar operates in; amige. holds the bare minimum (Polar id + plan), the rest lives with Polar.

technical / server logs

whatIP address, request path, status code, user-agent, timestamp. for paste-link requests, also the URL you pasted. for anonymous scans, we store a salted hash of your IP (HMAC-SHA256 with a salt rotated weekly) — never the raw IP.

whysecurity, abuse prevention, and the anonymous daily-scan quota (1 scan/day per IP).

EU lawful basislegitimate interest (Art 6(1)(f)) — running the service securely and preventing abuse.

retention~30 days for raw logs; the IP hash itself rolls over weekly when we rotate the salt, so it is effectively unlinkable after 7 days.

email auth tokens

what6-digit one-time codes (OTP) and magic-link tokens, sent by Supabase Auth to your email.

whypasswordless sign-in.

EU lawful basiscontract (Art 6(1)(b)).

retentiontokens expire in ~10 minutes; the audit log Supabase keeps of authentication attempts follows their own retention policy.

what we do NOT collect: we don't collect precise geolocation, contact lists, advertising identifiers, biometric data for identification, behavioral profiles, or data from any source other than what you give us directly (uploads, pasted URLs, your email at sign-up).

sensitive categories under CCPA/CPRA: we don't ask for and don't intentionally collect government IDs, precise location, biometric identifiers, health data, or financial-account details. payment processing is done by Polar. if your upload happens to contain sensitive material (a photo of an ID, a medical scan), that content is treated like any other upload — stored privately, transmitted to detectors, deletable on request — but you should think twice before uploading something like that to any AI detector.

4. who we share data with

amige. uses third-party providers to run the service. under GDPR they are processors — they act on our instructions and are bound by data-protection terms in their contracts with us. each one is named below with the data it touches and why. links go to each provider's privacy policy so you can read the source.

roledatabase + authentication + private file storage + cron

dataemail, account row, scan rows, detector_results rows, uploaded media bytes, session cookies.

regionus-east (primary region for this project, configurable).

roleweb hosting + edge functions

dataserver logs (IP, path, status), runtime request data in-flight (not persisted by us beyond the 30-day log window).

regionglobal edge; the function instances handling your request run in the region closest to you.

roleAI / deepfake content detection for images and video frames

dataupload bytes (base64 or signed URL), inferred labels, NSFW flag. Hive caches inputs server-side per their terms.

regionUnited States.

rolealternate AI-image / video detector

dataupload bytes, returned label.

regionUnited States.

roleAI-text detection (phase 2)

datathe text string of a text scan, returned classification.

regionUnited States.

rolepayments — merchant of record. Polar is the seller of record for amige. subscriptions and credit packs.

dataname, email, country, billing address, card data (handled by Polar's PCI-DSS processor), order history.

regionUnited States. payouts to amige. via Stripe Connect.

rolehosts the yt-dlp sidecar that resolves pasted video URLs (YouTube, TikTok, IG reels, FB / X video)

datathe URL you pasted; the resulting media bytes flow through this service briefly before reaching our scan pipeline.

regionUnited States.

roleresidential-IP proxy for paste-link fetches on Instagram, X / Twitter, Facebook, Threads (only) — bypasses the auth wall those platforms put on datacenter IPs

datathe URL you pasted; the HTML / og:image response transits this proxy.

regionglobal proxy network.

nobody else. we do not sell or rent personal information, and we do not share it for cross-context behavioral advertising. we do not have advertising partners. if that ever changes we will update this section and notify users before the change takes effect.

practical implication: some of the detector vendors above retain uploaded content on their servers per their own terms. that's outside our control once we send them the bytes. don't upload content you would not be comfortable having a third-party AI vendor examine.

5. you are interacting with an AI system

EU AI Act Article 50 notice. amige. is an AI system. the verdict on every scan is the output of statistical models — primarily the third-party detectors named in section 4 — combined by our aggregation logic. it is not a human judgment.

GDPR Article 22 (automated decisions). the verdict is an automated decision in the technical sense, but it does not by itself produce legal or similarly significant effects on you. we publish confidence, per-detector spread, and the disagreement signal so you can read past the headline. if you believe an automated verdict has had a significant impact on you and want human review, contact us at the address in section 11 and we will look at the scan personally.

limits of accuracy. detection is probabilistic. false positives (real content flagged as AI) and false negatives (AI content missed) both happen, especially with content that has been compressed, cropped, re-encoded, or generated by very recent models. amige. is a research aid, not a verdict. do not use amige. as the sole basis for legal, employment, academic-misconduct, or other consequential decisions about a person or their work.

6. your rights

you have the following rights wherever you live. some are region-specific; see sections California and EU/UK for the specifics where you are.

  • access. ask us what data we hold about you and we will provide it in a portable format (JSON + signed URLs to your media).
  • correction. ask us to fix anything that's wrong. for email changes, sign in and follow the in-app flow when it ships; in the meantime, email us.
  • deletion. delete individual scans or your entire account. today: email us. roadmap: in-product buttons on history and account settings. account deletions complete within 30 days (Supabase storage + Postgres + auth row, plus a request to Polar to detach our customer id).
  • portability. get a machine-readable copy of your account and scan history.
  • objection. object to processing based on legitimate interest (our logs and abuse-prevention path). we will stop unless we have an overriding lawful ground.
  • restriction. ask us to pause processing while a dispute is open.
  • withdraw consent. where we rely on consent (e.g. future opt-in analytics), withdraw it at any time. withdrawing does not affect prior lawful processing.
  • complain to a regulator. for EU/UK users, file with your supervisory authority; for California users, with the California Privacy Protection Agency or the Attorney General.

to exercise any of these: [email protected]. include the email you signed up with. we will respond within 30 days (EU/UK) or 45 days (California), extendable once if the request is complex — we'll tell you if we need the extension.

we do not charge a fee unless your requests are manifestly unfounded or excessive (e.g. repeated identical requests), in which case we may charge a reasonable admin fee or decline — and we will tell you why if we do.

7. California rights (CCPA / CPRA)

if you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the rights in section 6 plus these specifics. this section is the CCPA-mandated disclosure for the past 12 months.

  • categories of personal information we collected: identifiers (email, IP), commercial information (subscription and credit-pack purchase records held by Polar), internet activity (server logs, scan history), audio/visual content (your uploads), inferences (the verdict). we have not collected categories listed in CalCivCode §1798.140(v)(1) that we don't name here.
  • sources: directly from you (uploads, sign-up), from your browser or device when you visit the site (logs), and from Polar (payment status).
  • business purposes: to provide the service, run the detector ensemble, process payments, prevent abuse, secure the platform, and respond to legal requests.
  • recipients: the processors named in section 4.
  • retention: as described per category in section 3.
  • sale or sharing: we do not sell personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under CCPA. you do not need to opt out because there is nothing to opt out of.
  • sensitive personal information: we do not use sensitive PI for purposes other than providing the service and the security functions permitted under CCPA §1798.121(a). you do not need to limit our use because we're already inside the limit.
  • Global Privacy Control. we honor the GPC signal sent by your browser as a request to opt out of any future sale/share. since we don't sell or share, the signal is effectively a no-op today; if that ever changes, the signal will already be on file.
  • non-discrimination. we will not charge you more, give you worse service, or deny features for exercising your CCPA rights.

authorized agents may submit requests on your behalf with written authorization. we will verify the request against the email on file.

8. EU / UK rights (GDPR / UK GDPR)

if you are in the EEA, UK, or Switzerland, you have the rights in section 6 plus the ones listed below. the lawful basis for each processing purpose is in section 3.

  • international transfers. our processors (section 4) are mostly US-based, and our operator is in Vietnam. transfers from the EU/UK to those countries are covered by the EU Standard Contractual Clauses (Module 2: controller-to-processor) we have in place with each processor, supplemented by transfer impact assessments where required. for processors offering the EU-US Data Privacy Framework (Supabase, Vercel, Polar where applicable), we rely on the Framework as the primary mechanism. copies of the SCCs are available on request.
  • supervisory authority. you have the right to lodge a complaint with the data protection authority in the EU/EEA member state where you live or work. the list is at edpb.europa.eu. in the UK, the regulator is the ICO at ico.org.uk.
  • age. under GDPR member-state rules the minimum age for consent to information-society services ranges from 13 to 16. amige. requires users to be 16 or older in the EU/EEA. parents/guardians of children anywhere can contact us to delete an account.

9. cookies + local storage

we use the minimum cookies needed to keep you signed in. no analytics, no marketing pixels, no third-party trackers. this is why you don't see a cookie banner.

namepurposelifetime
sb-<project>-auth-tokenSupabase session — keeps you signed in. strictly necessary. HttpOnly, SameSite=Lax.~1 hour (refreshed)
sb-<project>-auth-token-code-verifierPKCE flow during email sign-in. strictly necessary.sign-in completion
theme (localStorage)remembers your light/dark preference. set by next-themes.persistent

if we ever add analytics, we will pick a cookieless tool (Plausible or similar) so the banner-free experience stays. if the analytics needs anything that meets the legal definition of a tracker, we will publish a cookie notice with the choice up-front before the tracker fires.

11. security

full security model lives in our engineering docs, but the short version:

  • uploads land in a private storage bucket. the bucket is not publicly readable; the only ways in are signed URLs we issue for upload, or our serve routes which check ownership before returning bytes.
  • row-level security on every user-data table. browsers holding the publishable API key can only read rows they own or rows explicitly marked public.
  • cross-site request forgery protection via SameSite cookies + JSON-only state-changing routes.
  • rate limits on auth and abuse-prone routes. SSRF defence on any URL you paste (private-IP resolution blocked, redirects re-validated, body capped).
  • payments handled by Polar (PCI-DSS); we never see card data.
  • we run a security review (vbsec scan) before significant releases. the latest reports are not public but available to auditors on request.

if you find a vulnerability, please report it to [email protected] with reproduction steps. we don't pay bounties at our stage but we will credit responsible disclosure publicly with your permission.

data breach. if a breach affects your data and is likely to result in risk to your rights, we will notify the relevant supervisory authority within 72 hours where required, and notify you without undue delay where the breach is high-risk to you.

12. how long we keep things, in one place

  • scans, uploads, results: until you delete them or close your account.
  • account row: until you close the account; inactive accounts (no sign-in for 24 months) get an email and are deleted 30 days later.
  • server logs: ~30 days, then pseudonymized or rolled off.
  • anon IP hash: hash rolls over weekly when we rotate the salt — unlinkable after that.
  • payment / order records held by amige.: kept while the subscription or credit balance is active. Polar holds the seller-of-record records on its own retention schedule.
  • backups: Supabase keeps point-in-time backups per their plan. deletion requests propagate to backups within 30 days as backups expire.

13. kids

amige. is not directed at children. the minimum age to use the service is 13 globally and 16 in the EU/EEA. we don't knowingly collect data from anyone under those ages. if you believe a child has created an account, contact us and we will delete it. parents and guardians can request deletion of any account they believe belongs to their child.

we don't use children's data for marketing — we don't do marketing analytics on anyone.

14. changes to this policy

we will update this policy when our practices change. the last updated date at the top reflects the most recent revision. material changes (new processor, new data category, change in legal basis, change in retention) are announced in the product and via email to account holders at least 14 days before they take effect, so you have time to decide whether to continue using amige.

non-material edits (typo fixes, clearer wording, new clarifying example) get the date bump but no notification.

15. contact

privacy + data rights + security reports + copyright notices [email protected]. this is the formal channel for GDPR / CCPA requests, security vulnerability disclosure, and DMCA-style copyright notices.

billing [email protected]. refunds, plan changes, charge disputes.

general support [email protected]. everything else: account questions, scan issues, terms questions, account closure requests.

a real human reads these. usually within a day.