Image Converter← Back to Image Converter

Privacy Policy

How AZINOVE SAS collects, uses, and protects your personal data.

Last updated: 2026-05-12DRAFT

Draft notice: This document is an honest baseline describing the technical reality of CleverAI services as of 2026-05-12. It has not been reviewed by qualified legal counsel. Until that review is complete, treat this as informational rather than a binding legal instrument.

1. Data controller

The data controller for Image Converter (and the broader CleverAI product family) is AZINOVE SAS, a French société par actions simplifiée registered with the Strasbourg RCS under SIREN 897 432 324, whose registered office is at 13 Rue de Dahlenheim, 67200 Strasbourg, France. Patrick Eiermann is the legal representative (Président).

Privacy contact: privacy@cleverai.ai. We have not formally appointed a Data Protection Officer (DPO) at this stage; we will do so as soon as the scope of our processing activities triggers GDPR Article 37(1).

2. What personal data we collect

We process the following categories of personal data:

  • Account information: name, email address, profile picture, organization membership — provided directly by you or retrieved from your identity provider (Google, GitHub, Microsoft). Authentication is delegated to Clerk.
  • Billing information: billing address, VAT number, payment method (card number, expiry, last 4 digits) — handled exclusively by Stripe; we never see full card numbers.
  • Content you create: prompts, chat messages, uploaded documents, generated images, workflow nodes, mindmaps, and any other inputs/outputs of the CleverAI tools.
  • Usage and telemetry: API call timestamps, model identifiers, token counts (for billing), feature interactions, IP address truncated for anti-abuse purposes.
  • Technical data: browser user agent, device type, language preference, server-side error logs (no third-party error-tracking processor).

3. Purposes and legal bases

PurposeLegal basis (GDPR Art. 6)
Provision of the CleverAI services to you(b) Performance of a contract
Billing, invoicing, accounting record-keeping(c) Compliance with a legal obligation
Security, fraud prevention, abuse detection(f) Legitimate interest
Product improvement (aggregated, non-identifying)(f) Legitimate interest
Marketing emails (newsletters, feature announcements)(a) Consent — opt-in required
Customer support requests you initiate(b) Performance of a contract

4. AI-generated content and model training

We do not train AI models on your content. Your prompts and the corresponding model outputs are not used to train, fine-tune, or improve any third-party model. We pass your content to model providers (OpenAI, Anthropic, Google, Mistral, etc.) only to obtain the completion you requested, and we have contractually opted out of any training-data use where the provider offers such an option (OpenAI zero-data-retention, Anthropic no-training-by-default).

Outputs generated by AI may be inaccurate, biased, or otherwise unsuitable for any particular purpose. You remain responsible for verifying outputs before relying on them — see also our Terms of Service.

5. Recipients and subprocessors

We share personal data with the following subprocessors, each acting under a contract that incorporates GDPR Article 28 obligations:

SubprocessorPurposeLocationTransfer mechanism
Clerk Inc.User authentication, session management, organization managementUSStandard Contractual Clauses (SCCs)
Stripe, Inc.Payment processing, subscription billing, invoice managementUS/IEStandard Contractual Clauses (SCCs)
Vercel Inc.Application hosting, edge runtime, CDNUSStandard Contractual Clauses (SCCs)
Neon Inc.Managed PostgreSQL database hostingUS/EU (Frankfurt)Standard Contractual Clauses (SCCs)
OpenAI, OpCo, LLCLarge language model inference (ChatGPT, GPT-4, DALL-E)USStandard Contractual Clauses (SCCs)
Anthropic, PBCLarge language model inference (Claude)USStandard Contractual Clauses (SCCs)
Google LLCLarge language model inference (Gemini), AI servicesUSEU-US Data Privacy Framework
Mistral AILarge language model inference (Mistral)FREU/EEA
xAILarge language model inference (Grok) — routed via AI GatewayUSStandard Contractual Clauses (SCCs)
DeepSeekLarge language model inference (DeepSeek) — routed via AI GatewayCNStandard Contractual Clauses (SCCs)
Groq, Inc.Low-latency LLM inference — routed via AI GatewayUSStandard Contractual Clauses (SCCs)
Cerebras SystemsLow-latency LLM inference — routed via AI GatewayUSStandard Contractual Clauses (SCCs)
Fireworks AILLM inference (open-weights models) — routed via AI GatewayUSStandard Contractual Clauses (SCCs)
Tavily Inc.Real-time web search (used by Findora for AI-augmented search)USStandard Contractual Clauses (SCCs)
Replicate, Inc.Image/video model inference (Flux, SDXL, etc.) — used by PixovaUSStandard Contractual Clauses (SCCs)
ElevenLabs Inc.Voice synthesis (text-to-speech, voice cloning) — used by PixovaUSStandard Contractual Clauses (SCCs)
Fal.aiImage/video model inference — used by PixovaUSStandard Contractual Clauses (SCCs)
Postmark / ActiveCampaign LLCTransactional email delivery (account, billing, notifications)USStandard Contractual Clauses (SCCs)

6. International data transfers

Some of our subprocessors are based in the United States. Where data is transferred outside the European Economic Area, we rely on either the EU-US Data Privacy Framework (for certified recipients such as Google) or the European Commission's Standard Contractual Clauses (Decision 2021/914) for all other US recipients, supplemented by appropriate technical and organizational measures.

For customers seeking strict EU jurisdiction, our CleverAI Vault product offers a private deployment in EU regions with no third-country transfer.

7. Retention

  • Account data — retained while your account is active, deleted within 30 days of account closure (90 days for encrypted backups).
  • Content (chats, images, documents) — retained until you delete it, or 30 days after account closure.
  • Billing records — retained for 10 years pursuant to French commercial law (Code de commerce Art. L123-22).
  • Usage logs — 12 months for security and abuse detection.

8. Your rights under GDPR

You have the right to:

  • Access your personal data (Art. 15)
  • Request rectification of inaccurate data (Art. 16)
  • Request erasure (Art. 17) — "right to be forgotten"
  • Restrict processing (Art. 18)
  • Receive your data in a portable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time (Art. 7(3))
  • Lodge a complaint with a supervisory authority — for France, the CNIL

To exercise any of these rights, contact privacy@cleverai.ai. We will respond within one month, extendable by two months for complex requests (GDPR Art. 12(3)).

9. Access by AZINOVE personnel

Authorized AZINOVE staff bound by written confidentiality obligations may access your personal data when strictly necessary for: (a) responding to a support request you initiate; (b) investigating suspected abuse, fraud, or security incidents; (c) legal compliance (subpoena, court order, regulatory request — where lawful, we will notify you); (d) operating, debugging, or maintaining the service. All such accesses are minimized to the data needed for the purpose and logged for audit.

10. Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS 1.3), encryption at rest (database-level), Clerk-managed authentication with MFA support, audit logging, and segregation of duties for production access. Despite these measures, no system is perfectly secure; if we become aware of a personal-data breach affecting you we will notify you and the CNIL within 72 hours as required by GDPR Art. 33-34.

11. Cookies

See our dedicated Cookie Policy for the complete cookie inventory and consent mechanism.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or in-product notice at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Image Converter-specific provisions

Image Converter — Zero-Retention Commitment

Image Converter is a public, unauthenticated utility. Uploaded images are processed in memory and immediately returned to you — they are never stored on our servers, never logged, never analyzed beyond the format conversion you requested. There is no account; we have no record of your uploads after the response completes.

We log truncated IP addresses for rate-limit enforcement only (to prevent abuse). These logs are aggregated, never linked to identity, and rotated after 30 days.

Do not upload images of identifiable persons without their consent. Facial biometric data is special-category data under GDPR Art. 9 and we ask that you not process it through this tool.