Privacy Policy

Last updated: March 26, 2026

1. Introduction

JourneyAPI (“we,” “us,” or “our”) is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding that data. By accessing or using JourneyAPI, you agree to the practices described in this Policy.

This Policy applies to all users of our website, dashboard, and API services.

2. Information We Collect

Account information: When you register, we collect your email address and, if you sign in via Google, your Google account name and profile picture. We do not collect passwords — authentication is handled via Google OAuth or magic link emails.

API usage data: We log request metadata including timestamps, API endpoints called, HTTP response codes, credit consumption, task IDs, and IP addresses for operational, security, and billing purposes. We do not persistently store the content of generated images on our own servers beyond CDN caching by our upstream providers.

Prompt data: Prompts and generation parameters you submit via the API are transmitted to upstream AI model providers to fulfil your requests. We may retain prompt metadata (excluding image content) for up to 90 days for debugging, abuse prevention, and compliance purposes.

Billing data: Payment processing is handled entirely by Stripe, Inc. We do not receive, collect, or store your full payment card number, CVV, or bank details on our servers. We receive only limited billing metadata from Stripe (such as the last four digits of your card, card brand, and billing country) sufficient to display your subscription status. JourneyAPI is not a PCI DSS merchant of record for card data.

Communications: If you contact us via email or a support channel, we retain that correspondence to resolve your inquiry and improve our services.

Cookies and analytics: We may use cookies and similar technologies for session management and basic analytics. You can control cookie settings through your browser. We do not use cookies for cross-site behavioural advertising.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the JourneyAPI service.
  • Process your subscription and credit purchases through Stripe.
  • Send transactional emails, including magic link authentication, billing receipts, and service notifications.
  • Monitor service health, debug issues, and investigate abuse.
  • Detect and prevent fraud, security incidents, or violations of our Terms of Service.
  • Comply with applicable legal obligations.
  • Respond to your inquiries and support requests.

We do not use your prompts or generated content to train AI models. We do not use your personal information for advertising or sell your data to data brokers.

4. Third-Party Data Processors

We share data with third parties only as necessary to operate the service. Our key sub-processors include:

  • Stripe, Inc. — payment processing and subscription management. Stripe processes your card details on its own PCI DSS-compliant infrastructure. See stripe.com/privacy.
  • Upstream AI model providers (including but not limited to BLTCY, Midjourney, and other providers accessible through our platform) — your prompts and generation parameters are transmitted to these providers to fulfil API requests. Each provider has its own privacy policy and data handling practices.
  • Infrastructure providers — our hosting, database, and CDN providers. Data is stored and transmitted securely using industry-standard encryption.
  • Email delivery providers — used to send transactional emails such as magic links and billing receipts.

We do not sell your personal information to any third party. We require all sub-processors to maintain appropriate security and confidentiality standards.

5. Data Retention

We retain your data for as long as your account is active or as necessary to provide the service. Specifically:

  • Account data — retained while your account is open and for up to 30 days following account deletion, after which it is purged.
  • Task and usage logs — retained for 90 days for debugging and analytics.
  • Billing records — retained for up to 7 years as required by applicable tax and financial regulations.
  • Generated image CDN cache — cached by upstream CDN providers; we do not control their retention policies independently.
  • Support correspondence — retained for up to 3 years unless deletion is requested.

6. Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • TLS encryption for all data in transit.
  • Cryptographically secure random generation for API keys.
  • Storage of only hashed API key values — raw API keys are never stored after initial display.
  • Access controls limiting internal access to personal data on a need-to-know basis.
  • Payment card data never touches our servers — handled entirely by Stripe.

No method of transmission or storage is 100% secure. In the event of a data breach that affects your personal information, we will notify you and applicable regulators as required by law.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete data.
  • Deletion — request deletion of your personal data, subject to legal retention obligations.
  • Portability — request your data in a structured, machine-readable format.
  • Restriction — request that we restrict processing of your data in certain circumstances.
  • Objection — object to certain types of processing, including direct marketing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdictions with applicable data protection laws, you may also have the right to lodge a complaint with your local supervisory authority.

8. International Data Transfers

JourneyAPI operates globally and your data may be transferred to and processed in countries outside your country of residence. Our upstream providers and sub-processors may be located in various jurisdictions. Where required by law, we rely on appropriate safeguards (such as standard contractual clauses) to govern international transfers of personal data.

9. Children's Privacy

JourneyAPI is not directed to children under the age of 13 (or 16 where applicable under local law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at [email protected] and we will take prompt steps to delete such information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 30 days before the changes take effect. Your continued use of JourneyAPI after that date constitutes acceptance of the updated Policy. We encourage you to review this page periodically.

11. Contact

For privacy-related inquiries, data subject requests, or concerns, contact us at:

[email protected]

For intellectual property or content takedown requests, see our Takedown Policy.