The short version: we collect the minimum we need to run the product, we never sell anything, and we never train on what you make.
From GPF Inc. · data & privacy · v3.1 · 4 May 2026
Dear customer,
We hate creepy data practices. We also hate writing dense privacy policies. Below is a plain-English breakdown — and if you need the formal version for compliance, we have it linked at the bottom.
If you ever want to know exactly what we have on you, email privacy@gpf.com. We'll send the full export within 72 hours.
01 · What we collect
As little as we can get away with.
Account: email, name (if you give it), password hash.
Billing: handled by Stripe — we see last 4 digits and country.
Content: the business descriptions and brand assets you create. Stored encrypted at rest, accessible only to you and (with explicit permission) to support agents.
Usage: anonymized metrics like click counts, error rates, page latency.
02 · What we never collect
No fingerprinting. No tracking pixels.
We don't use Facebook Pixel, Google Analytics, Mixpanel, Segment, Heap, FullStory, Hotjar, or any other third-party tracker. We use one privacy-friendly analytics service (Plausible, self-hosted) that doesn't set cookies and doesn't follow you off the site.
03 · What we will never do
Train on your work. Sell your data. Share without consent.
Your business description, foundations, edits, and outputs are private. We do not use them to train the model, to fine-tune, or to share with model providers beyond the one-time call that generates your assets. We do not sell data to anyone, ever, for any reason. We do not share it without your explicit consent (e.g. when you publish a brand publicly).
04 · Where data lives
US-East primary · EU mirror for EU customers.
Stored on AWS (us-east-1) with encrypted backups. EU customers get residency in eu-west-1. Available on request for compliance: SOC 2 Type II, ISO 27001 in progress.
05 · Subprocessors
The short list of vendors that touch your data.
AWS — hosting & storage
Stripe — billing
Postmark — transactional email
Anthropic — one-shot generation calls (no training)
Cloudflare — CDN & DDoS
No marketing automation. No CRM (we use a Notion table). No third-party analytics. Updated subprocessor list maintained at gpf.com/subprocessors.
06 · Your rights
Access, export, delete — within 72 hours.
You can request a full export of your data at any time. You can delete your account, which removes everything within 30 days (we keep backups for 30 days for restore-from-disaster reasons, then they're gone). Email privacy@gpf.com. We respond within 72 hours.
07 · Children
Adults only, please.
GPF is not directed at children under 13. We do not knowingly collect data from anyone under 13. If we discover we have, we delete it.
For DPOs & compliance
Full DPA, SOC 2 report, subprocessor list, and GDPR/CCPA disclosures.