Legal

Privacy Policy

Effective date: April 10, 2026 | Last updated: May 14, 2026

1. Data Controller

The data controller for your personal data is MakerLabs SARL, a French limited liability company registered under SIREN 942 958 216, with its registered office in Paris, France.

For any questions or requests related to your personal data, you can reach our privacy team at privacy@miximodel.com.

2. What Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, username, password (hashed), date of birth, and account preferences.
  • Profile data: biography, profile photo, location, social media links, professional details (height, measurements, experience), and portfolio content.
  • Photos and media: images and videos you upload to your portfolio or share in posts.
  • Billing data: subscription plan, billing history, and payment status. Full payment card details are processed and stored exclusively by our payment processors (CCBill and SegPay) and are never stored on our servers.
  • Usage data: pages visited, features used, search queries, IP address, browser type, device information, and approximate geolocation.
  • Communications: messages sent through the platform's chat system and support correspondence.

We process your personal data under the following legal bases as defined by the GDPR:

  • Performance of contract (Art. 6(1)(b)): Account data, profile data, billing data, and communications are necessary to provide the Miximodel service as agreed in our Terms of Service.
  • Legitimate interest (Art. 6(1)(f)): Usage data and analytics are processed to improve the platform, ensure security, prevent fraud, and provide relevant search results.
  • Consent (Art. 6(1)(a)): Optional features such as geolocation sharing and marketing communications are only activated with your explicit consent. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Certain data may be retained to comply with tax, accounting, or regulatory requirements under French and EU law.

4. Third-Party Processors

We share your data with the following categories of third-party service providers, each acting as a data processor under our instructions:

  • Payment processors: CCBill LLC (USA) and SegPay Inc. (USA) process subscription payments. They receive only the data necessary to process your payment and are PCI DSS compliant.
  • Cloud hosting: Google Cloud Platform (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) hosts our application and stores your data.
  • Content delivery and security: Cloudflare Inc. (USA) provides CDN and DDoS protection services.
  • Messaging: Telegram Bot API is used for optional notification delivery to users who connect their Telegram account.
  • Creator Studio AI image generation (Google): Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) operates the Google Gemini image model used by Creator Studio. It processes the reference photos you provide, only on the basis of your explicit consent, to generate new images of your likeness.
  • Creator Studio AI image generation (OpenAI): OpenAI, LLC (USA) operates the gpt-image-2 model used by Creator Studio. It processes the reference photos you provide, only on the basis of your explicit consent. As OpenAI is based in the United States, this transfer is governed by the 2021 Standard Contractual Clauses (Module 2, Controller → Processor).
  • Creator Studio AI image generation (Recraft): Recraft, Inc. (USA) operates the Recraft V4.1 and V4.1 PRO image models available in Creator Studio. It processes the reference photos and text prompts you submit, only on the basis of your explicit consent, to generate new images. As Recraft is based in the United States, this transfer is governed by the 2021 Standard Contractual Clauses (Module 2, Controller → Processor) incorporated in Recraft’s Data Processing Agreement. Recraft does not use your API inputs to train its models.

5. International Transfers

Some of our processors are based in the United States. When your data is transferred outside the European Economic Area, we ensure adequate protection through:

  • 2021 Standard Contractual Clauses (SCCs), Module 2 (Controller → Processor) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), incorporated in our Data Processing Agreements with US-based processors including OpenAI, Recraft, CCBill, SegPay, and Cloudflare.
  • Processors that maintain equivalent security standards and privacy certifications.

6. Data Retention

We retain your personal data for as long as necessary to:

  • Provide the Miximodel service while your account is active.
  • Comply with legal obligations (e.g., tax records are retained for the legally required period under French law, typically 6 years).
  • Resolve disputes and enforce our agreements.
  • Content moderation decisions (the audit ledger that records why an uploaded image was classified, blocked, or removed) are retained for 24 months from the scan timestamp, in line with ARCOM expectations for online content moderation. After 24 months, the audit records are deleted by an automated retention job. The retained records do not contain the image bytes — only the per-stage decision lineage (verdict, confidence, timestamp, moderator action if any).
  • Evidence of content removed for trust & safety reasons. When a moderator removes content for a trust-and-safety violation (for example, content suspected to be unlawful), we preserve a tamper-evident copy of that content — the file, a snapshot of its metadata, the uploader’s username and email as they stood at removal time, and the moderation decision — in a separate, access-restricted evidence store. This evidence is retained for at least 7 years (and permanently for content suspected to be child sexual abuse material), even after the uploader deletes their account. The legal basis is GDPR Art. 17(3)(b) and (e) — compliance with a legal obligation and the establishment, exercise, or defence of legal claims. This evidence is held solely to answer law-enforcement requests, internal audits, and payment-processor inquiries; it is not included in your data-portability export (see Section 7).
  • Creator Studio consent records. When you consent to Creator Studio, we record a minimal proof of that consent (the consent version, the date, and your IP and browser at the time). When you close your account, the directly identifying parts of this record — your name, email, IP address, and browser — are erased, while a pseudonymous proof (the consent version, the date, and a non-reversible identifier) is retained for 5 years. The legal basis is GDPR Art. 7(1) (our obligation to demonstrate that consent was given) and Art. 17(3)(e) (establishment, exercise, or defence of legal claims, aligned with the 5-year French civil limitation period). After 5 years the record is permanently deleted.

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law. Your moderation audit records are soft-deleted in the same cascade so they cannot be linked back to you. The one exception is evidence of content removed for trust-and-safety reasons (described above): those records are retained beyond account deletion under GDPR Art. 17(3)(b)/(e). When your account is deleted, the live link between that evidence and your account is severed, but the username and email captured at removal time are kept as part of the preserved record.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): You can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You can request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): You can request deletion of your personal data ("right to be forgotten").
  • Right to data portability (Art. 20): You can request your data in a structured, machine-readable format.
  • Right to object (Art. 21): You can object to processing based on legitimate interest.
  • Right to restriction (Art. 18): You can request that we limit the processing of your data in certain circumstances.

To exercise any of these rights, contact us at privacy@miximodel.com. We will respond to your request within 30 days as required by law.

8. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the French data protection authority:

Commission Nationale de l'Informatique et des Libertes (CNIL)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr

9. Cookies

Miximodel uses essential cookies for authentication, session management, and age verification. We may also use analytics cookies to understand how users interact with the platform. You can manage your cookie preferences through your browser settings.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or by displaying a notice on the platform. Your continued use of Miximodel after the changes take effect constitutes acceptance of the updated policy.

11. Contact

For any questions about this Privacy Policy or your personal data:

Back to Legal