Privacy Policy
Effective date: 17 April 2026 · Last updated: 17 April 2026
This policy explains what data Midgrounder ("we", "us") collects when you use the website at midgrounder.com and the editor application served from it, why we collect it, how long we keep it, who we share it with, and the rights you have over it.
Operator details — fill in before publishing: the legal entity operating Midgrounder is Gotoh Industries LLC, registered at 30 N Gould St Ste R, Sheridan, WY 82801, United States. Data-protection contact: krachu.psu@gmail.com. Governing jurisdiction for this policy: the State of Wyoming, United States.
1. What we collect
1.1 Account data
When you register an account we collect your email address, a salted bcrypt hash of your password (never the password itself), your display name if you provide one, and timestamps for account creation, last login, and email verification.
1.2 Image data
When you upload an image to be processed, the image bytes are temporarily stored in Redis with a 24-hour TTL so the worker can process them. Successful Pro-tier composites are written to local disk for download. Anonymous (signed-out) jobs are stored under a randomly generated UUID with no persistent link to a person.
1.3 Payment data
Payments are processed by Stripe. We never see or store your full card number, CVV, or expiry. We store only Stripe's references (customer id, payment intent id, charge id, dispute id) and the result fields (amount, currency, status, refund amount). See Stripe's privacy notice at stripe.com/privacy.
1.4 Usage and security telemetry
For every API request we log the timestamp, request id, HTTP method, path, response status, response duration, and the IP address presented by your immediate connection or by our trusted reverse proxy. Authentication failures, CSRF rejections, and rate-limit overflows are logged separately as security events with the same fields plus an event type.
1.5 Cookies and analytics
See our Cookie Policy for the full list and purposes. In short: a session cookie carries your auth token, a CSRF cookie carries a random anti-forgery token, and Google Analytics 4 (gtag G-MJ64EX869N) sets first-party cookies for aggregate usage analysis. Analytics cookies can be declined in your browser settings.
2. Why we collect it (legal bases)
- Performance of contract. We need your account, image, and payment data to provide the Pro-tier processing you've requested.
- Legitimate interest. Security telemetry and rate-limit IPs are kept to prevent abuse, debug failures, and protect the service against fraud and credit theft.
- Legal obligation. Payment records are retained for the period required by tax and consumer-protection law in
the State of Wyoming. - Consent. Analytics cookies are set on the basis of your consent (decline by clearing/blocking cookies for this domain).
3. How long we keep it
- Uploaded images: 24 hours, then automatically purged from Redis.
- Pro-tier composites: stored on disk for 30 days, then automatically purged.
- Account records: for the lifetime of your account, plus 30 days after you delete it (to handle accidental deletion).
- Payment records: retained for the statutory tax-and-bookkeeping period applicable in
the State of Wyoming(typically 5–7 years). - Security and request logs: 90 days for ingest, then aggregated and anonymised for trend reporting.
4. Who we share it with
- Stripe (payments) — Stripe receives the data needed to charge your card, refund you, and resolve disputes. Stripe is itself bound by its own privacy notice and PCI scope.
- Google Cloud Platform (Vertex AI / Gemini API for Pro tier) — Pro-tier separation sends the uploaded image to Google's image generation models for the duration of the request only. Google's terms for the Vertex AI API apply.
- Mailgun (transactional email) — your email address is sent to Mailgun when we deliver verification, password-reset, and receipt emails.
- Google Analytics (aggregate usage) — pseudonymised browser/device data.
We do not sell, rent, or trade personal data. We do not share data with advertising networks.
5. Your rights
Depending on your jurisdiction, you have the right to access the personal data we hold about you, correct it if it is wrong, delete it, restrict its processing, port it to another provider, and object to specific processing activities. You can exercise these rights by emailing krachu.psu@gmail.com; we'll respond within 30 days.
You also have the right to lodge a complaint with the data-protection authority in your country of residence. EEA / UK users can find their authority at edpb.europa.eu.
6. International transfers
Our servers are located in Ashburn, Virginia (United States), hosted by Hetzner Online GmbH. Stripe, Google, and Mailgun process data globally. When data is transferred outside your country we rely on the Standard Contractual Clauses (SCCs) and the providers' own adequacy mechanisms.
7. Security
Passwords are hashed with bcrypt at cost factor 12. JWT tokens are signed with a per-deployment secret and rotated on logout. Card data never touches our servers. Image data is stored in Redis with a TTL and on-disk results are scoped to the issuing user. Rate limits, CSRF protection, and email verification gate all paid actions.
If we discover a security incident affecting your data we will notify you within 72 hours of confirmation, in line with GDPR Article 33 timing.
8. AI-generated content
The Pro tier produces composite images using a generative AI model (Google Gemini 2.5 Flash Image). We do not train Google's models on your uploads, and per Google's Vertex AI terms your input is not used to retrain their models when delivered through the paid API path. Content you produce is marked in EXIF metadata as AI-edited; please disclose AI usage to your audience where required by platform policy or law.
9. Changes to this policy
If we make material changes we will notify registered users by email and post the updated policy here with a new "Effective date". Continued use after that date constitutes acceptance.
10. Contact
Email: krachu.psu@gmail.com
Postal: 30 N Gould St Ste R, Sheridan, WY 82801, United States