Rubick
← Back to home Legal · Privacy

Privacy
Policy

Rubick Effective May 2026 Last updated June 2026

Overview

Rubick ("we", "us", "our") is a generative photo studio that creates AI-produced images from your reference photos. This policy explains what personal data we collect, how we use it, who we share it with, and your rights over it.

By creating an account or using Rubick, you agree to the practices described here. If you do not agree, please do not use the service.

Short version: We collect your email, the photos you upload, and the images we generate for you. Your photos are processed by Google Gemini to create the output. We send you service emails (which you can opt out of). We do not sell your data. You can delete your entire account and all its data yourself at any time from Settings.

Data we collect

Type What exactly Why
Account Email address, display name, Google profile photo Sign-in via Google OAuth (Supabase Auth)
Uploaded photos The reference photos you choose to upload before generating Sent to Google Gemini to produce the generated image
Generated images The AI-produced output images Stored so you can view and download your results
Usage events Page views, button clicks, generation attempts, errors Product analytics via PostHog to improve the service
Payment data Credit pack purchased, transaction reference Fulfilling your purchase — card details handled entirely by Polar
Email preferences Whether you've opted out of notifications or in to product updates Respecting your email choices
Technical IP address, browser User-Agent, request timestamps Security, abuse prevention, debugging

We do not collect: your card number or payment credentials (handled by Polar), biometric identifiers, or any data from sources other than your direct interaction with Rubick.

How we use your data

We use your data only to operate and improve Rubick:

Generating your images. When you submit a generation request, your uploaded photos and a system prompt are sent to Google Gemini API. The resulting image is returned and stored in your account. Your photos are not used to train AI models.

Running your account. Your email is used to identify you and to send service emails: a welcome message when you join, purchase confirmations, and a notification when a generation is ready. You can opt out of the non-essential notifications at any time via the unsubscribe link or in Settings. We only send product updates or announcements if you opt in. Transactional email is delivered through Resend; we never use your email for advertising.

Processing payments. When you buy credits, the transaction is processed by Polar. We record the credit pack and amount against your account to provision your balance.

Analytics and improvement. We use PostHog to understand how the product is used in aggregate — which templates are popular, where errors occur, how long generation takes. Events are linked to a pseudonymous user ID, not your email or name.

Security and abuse prevention. IP address and User-Agent are stored for up to 90 days to detect and block abuse, investigate incidents, and comply with legal obligations.

Third-party services

Running Rubick requires the following third parties. Each processes only the data described.

Service Purpose Data shared
Google (OAuth) Sign-in with Google Your Google account email and profile
Google Gemini API AI image generation Your uploaded reference photos + generation prompt
Supabase Database and file storage All account, photo, and generation data (hosted on Supabase's infrastructure)
Polar Payment processing (Merchant of Record) Your email address and credit pack selected
PostHog Product analytics Pseudonymous usage events (no photos, no email)
Vercel Hosting and serverless functions Request IP and headers (standard web hosting)
Resend Sending transactional and notification emails Your email address and the message content
Inngest Background job processing (image generation, email delivery) Internal job data (account id, generation id); no photos

We do not sell, rent, or share your personal data with any party not listed above. We do not run advertising or use your data for ad targeting.

Photo data and AI processing

Your uploaded photos are sent to Google Gemini API solely to generate the image you requested. Google's use of data submitted via the API is governed by Google's Generative AI API Terms and their data processing policies. As of the date of this policy, Google states that data submitted via the API is not used to train their models unless you have opted in.

Temporary staging storage. Before generation, photos are uploaded to temporary storage under your account. If a generation attempt fails, these staging files remain for up to 24 hours so the retry can reuse them, after which they are automatically deleted.

Permanent storage. After a successful generation, your input photos are moved to a permanent path under your account and stored alongside the output image. Both are only accessible to you via your authenticated session.

Data retention

Photos and generated images are retained while your account is active. When you delete your account (Settings → Delete account), your photos and generated images are permanently deleted immediately.

Usage analytics are retained for up to 2 years in anonymised form to allow historical product analysis.

Payment records may be retained for up to 7 years for tax and legal compliance purposes, even after account deletion.

Security logs (IP, User-Agent) are retained for 90 days then automatically purged.

Your rights

You have the right to:

Access your data. Request a copy of all personal data we hold on you.

Delete your data. Delete your account and all associated photos, generated images, and profile data yourself at any time from Settings → Delete account — this happens immediately. You can also email us to do it for you.

Correct inaccuracies. If any data we hold about you is wrong, ask us to fix it.

Export your images. Download any generated image directly from the app at any time.

To exercise any of these rights, email us at legal@rubick.art. We will respond within 30 days.

Cookies and local storage

Rubick uses a single session cookie managed by Supabase Auth to keep you signed in across page loads. We also store your language preference in a cookie (rubick_locale) for up to one year.

We do not use advertising cookies, cross-site tracking, or third-party cookies beyond what Supabase and PostHog require for their core functionality. PostHog uses a first-party cookie to distinguish unique sessions for analytics purposes.

Security

All data is transmitted over HTTPS. Photos and generated images are stored in Supabase Storage with Row-Level Security policies that restrict access to the owning account only. Authentication tokens expire automatically and are validated server-side on every request.

No security measure is perfect. If you discover a vulnerability, please disclose it responsibly by emailing security@rubick.art.

Changes to this policy

We may update this policy when we add new features or third-party services. The "Last updated" date at the top reflects the most recent revision. For significant changes, we will notify you via the email address on your account.

Contact

Questions about this policy or how we handle your data? Reach us at legal@rubick.art. We are based in Ulaanbaatar, Mongolia.