1. Who We Are
ModelNexus (“we”, “us”) is a platform for sharing AI models, images, and videos. The data controller for the purposes of the EU General Data Protection Regulation (GDPR) is [TO FILL: legal entity name], based in [TO FILL: address]. Contact: [TO FILL: contact email].
2. Data We Collect
Information you provide
- Account data: username, email, password (stored as a bcrypt hash), optional avatar and bio.
- User Content: AI models, images, videos, and metadata you upload.
- Payment data: handled by Stripe, Inc. We do not store card numbers. We retain subscription status and Stripe customer identifiers.
- Communications: support emails, reports, comments, and messages you send us.
Information collected automatically
- Log data: IP address (stored as a SHA-256 hash), user agent, timestamp, requested URL.
- Session cookies: a secure, HttpOnly, SameSite=Strict cookie named MN_SESSION to maintain your login session.
- Optional cookies: a MN_REMEMBER cookie if you check “Remember me” on login.
- Rate-limiting data: hashed IP and route, retained for up to 24 hours to prevent abuse.
- Audit logs: security-relevant events (login attempts, uploads, bans) retained for 90 days.
3. How We Use Your Data
We process your data for the following purposes and under the following legal bases (GDPR Art. 6):
- Service provision (contract — Art. 6(1)(b)): creating your account, hosting your content, processing subscriptions, delivering downloads.
- Security and fraud prevention (legitimate interest — Art. 6(1)(f)): rate limiting, CSRF protection, audit logging, abuse detection.
- Legal compliance (legal obligation — Art. 6(1)(c)): responding to DMCA notices, court orders, and regulatory requests.
- Communications (legitimate interest or consent): sending transactional emails, security alerts, and optional newsletters.
4. Data Sharing
We share data only with:
- Stripe, Inc. — to process payments and creator payouts. See Stripe’s privacy policy.
- Our infrastructure provider (Contabo GmbH, Germany) — for hosting.
- Law enforcement or regulators — when legally compelled.
We do not sell your personal data to anyone.
5. International Transfers
Stripe may process payment data in the United States under Standard Contractual Clauses approved by the European Commission. All other processing occurs within the European Economic Area.
6. Data Retention
- Account data: retained as long as your account exists. Deleted within 30 days after account closure, except where retention is legally required.
- User Content: retained until you delete it or close your account.
- Audit logs: 90 days.
- Rate-limit records: 24 hours.
- Payment records: retained for accounting purposes as required by law (typically 10 years in most EU jurisdictions).
7. Your Rights (GDPR)
If you are located in the European Economic Area, you have the right to:
- Access the personal data we hold about you (Art. 15);
- Rectify inaccurate data (Art. 16);
- Erase your data (“right to be forgotten”, Art. 17);
- Restrict processing (Art. 18);
- Receive your data in a machine-readable format (data portability, Art. 20);
- Object to processing based on legitimate interest (Art. 21);
- Withdraw consent at any time when processing is based on consent;
- Lodge a complaint with your national data protection authority.
To exercise these rights, email [TO FILL: contact email]. We will respond within 30 days.
8. Security
We implement industry-standard security measures: password hashing (bcrypt cost 12), CSRF protection, strict Content Security Policy, HTTPS with TLS 1.2+, prepared statements for all database queries, EXIF stripping on uploaded images, and MIME-type verification on file uploads. However, no system is 100% secure — use a unique strong password and enable two-factor authentication.
9. Cookies
We use only strictly necessary cookies for authentication and security. We do not use analytics or advertising cookies. If advertising is introduced in the future, we will update this policy and request consent where required.
10. Children
The Service is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact us and we will remove the account.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be announced via email or on the Service.
12. Contact
For any privacy-related question, contact us at [TO FILL: contact email].