This policy covers the website, dashboard, Nano Banana2 workbench, AI generation APIs, newsletters, and support channels. It applies to visitors, registered users, testers, and enterprise clients worldwide. By using Nano Banana2 you also acknowledge that this policy works alongside our Terms of Service (undefined capitalized terms adopt the meaning defined there). Continuing to use the service after an update means you accept the latest version.
Effective date: November 10, 2025.
- Name, display name, avatar, locale preference.
- Email, encrypted password (Better Auth) or OAuth IDs (Google, GitHub when enabled).
- Session tokens, impersonation metadata, fraud or abuse flags.
- Stripe / Creem customer, subscription, invoice, and checkout session IDs.
- Credit packages, transactions, remaining balance, expiration, dispute notes.
- Billing contact details required for invoicing or tax.
- Uploaded reference images, inpainting masks, brush strokes, and other source files you provide for editing.
- Text or negative prompts, style tags, seed values, camera/character parameters, output format, quantity, timestamps.
- Generated images, downloadable archives, preview thumbnails, signed URLs, and other delivery metadata.
- Guest IDs, batch IDs, runtime metrics, moderation flags, error logs, migration history.
- IP address, browser, operating system, locale, referrer, time-on-page, feature usage.
- Analytics events (PostHog, OpenPanel), crash dumps, storage upload quotas.
- Support or sales emails, Crisp chat transcripts, newsletter preferences, survey responses.
- Incident notifications routed through Feishu or Discord (limited to operations staff).
- Session cookies, CSRF tokens, locale and theme selectors, payment state, Turnstile captcha tokens, anti-abuse identifiers.
- Direct interactions: account creation, project setup, file uploads, credit purchases, support inquiries, surveys, beta feedback.
- Automated collection: server logs, device fingerprinting, cookies, SDK telemetry, usage analytics when you browse or call our APIs.
- Third parties: payment processors (Stripe, Creem), identity providers (Google), AI hosting partners (Kie.ai / Google Gemini and other opt-in providers), referral programs, social media platforms you connect.
| Purpose | Legal basis |
|---|---|
| Provide services, authenticate users, run the workbench, issue API tasks | Contractual necessity |
| Process payments, credits, invoices, refunds | Contract + legal obligation |
| Prevent abuse, enforce quotas, secure uploads, investigate incidents | Legitimate interest |
| Improve UX, analyze adoption, run beta programs | Legitimate interest (opt-out via analytics settings) |
| Send marketing, Crisp outreach, optional cookies | Consent |
| Comply with tax, accounting, legal or regulatory requests | Legal obligation |
Consent can be withdrawn at any time without affecting prior processing.
- Prompts, uploads, and generated assets are processed only to fulfill your requested AI generation or editing tasks, provide previews, and maintain your history.
- We do not use customer content to train or fine-tune our own or third-party AI models. Content remains private to your account unless you explicitly share or publish it.
- Automated safety systems (for example NSFW detection) may flag content; limited human review occurs only when necessary to enforce policies and is bound by confidentiality obligations.
- Strictly necessary cookies keep you logged in, remember locale, guard CSRF, and power uploads.
- Functionality cookies store layout preferences, last-used prompts, and UI state so your workspace remains consistent.
- Analytics / performance cookies come from PostHog, OpenPanel, Google Analytics, and Crisp. When required, we display a consent banner or provide a toggle under Settings -> Privacy.
- Marketing cookies run on landing pages, referrals, or embedded media to measure attribution; you can disable them anytime.
- Blocking cookies in the browser may break certain features (for example login or checkout).
We share data only with vetted providers bound by data processing agreements:
- Infrastructure: Cloudflare / OpenNext (hosting), Neon (Postgres), S3-compatible object storage.
- Authentication: Better Auth, Turnstile captcha.
- AI execution: Kie.ai / Google Gemini APIs (task payloads and reference assets only). For opt-in labs or beta models we may route prompts to providers such as OpenAI or Replicate; those transfers are encrypted and limited to the content you submit.
- Payments: Stripe and Creem (payment methods, invoices, taxes).
- Messaging: Resend (transactional email), newsletter provider (Resend by default).
- Analytics & support: PostHog, OpenPanel, Crisp, Feishu / Discord for incident alerts.
We never sell personal data. Partners may operate outside your jurisdiction; see "International Transfers".
Data may be stored or processed in the EU, US, Singapore, or other regions where our vendors run infrastructure. When cross-border transfers occur, we rely on Standard Contractual Clauses or equivalent safeguards and apply encryption plus least-privilege access controls.
- Account profile data: stored while the account is active and for 90 days after deletion to resolve disputes.
- Payment and credit transaction records: retained for 7 years to satisfy accounting and tax requirements.
- AI task history and generated content: stored for 12 months (or shorter if you delete entries via Creations); archives may be removed sooner on request.
- Guest reference uploads: auto-deleted after 15 days unless migrated to an authenticated account.
- Logs and analytics: retained up to 24 months before aggregation or anonymization.
- Marketing preferences: stored until you unsubscribe or opt out.
Deletion requests are fulfilled within 30 days unless legal obligations or safety concerns require longer retention.
We enforce TLS in transit, encryption at rest (database + object storage), hardware-backed secret storage, granular IAM roles, multi-factor admin accounts, per-environment segregation, audit logging, intrusion monitoring, and periodic penetration testing. If a breach occurs, we will notify affected users and regulators as required.
If Nano Banana2 participates in a merger, acquisition, financing, bankruptcy, or sale of assets, personal data may be transferred to the new entity. The successor will be required to honor this policy or obtain your consent before applying new practices.
Depending on jurisdiction (GDPR, LGPD, CCPA, etc.) you may:
- Access, correct, or delete personal data.
- Receive a machine-readable copy (data portability).
- Restrict or object to processing based on legitimate interests.
- Withdraw consent and disable non-essential cookies.
- Opt out of marketing.
- Lodge a complaint with your supervisory authority.
Submit requests via support@nano-banana2.com. We respond within 30 days (extendable once with notice).
Services target users aged 16 or older. If we inadvertently collect data from a child, contact us for deletion. Do not upload sensitive information (health, financial, biometric) unless you are legally permitted and have protective controls in place.
- Nano Banana2 tasks rely on third-party AI models. Outputs may be mirrored or moderated for reliability, but we do not make solely automated decisions that produce legal or similarly significant effects.
- Generated content might include personal data if you supply it. Review outputs before sharing.
We will publish updates here, adjust the "date" field, and send email or in-product notices for material changes. Archived versions are available upon request.
- Send a request via email or the in-app support form, referencing your account email or ID.
- We verify ownership (login challenge, recent invoice, or signed request).
- We complete the action or explain why we cannot comply within the statutory window.
If you have questions about this Privacy Policy or your rights, contact us:
Nano Banana2
Email: support@nano-banana2.com
Site: https://nano-banana2.com/contact
Thank you for trusting Nano Banana2 to safeguard your privacy.