Privacy Policy
About this Privacy Policy
This Privacy Policy explains how Thumbo (thumbo.ai) ("we," "us," or "our") collects, uses, and protects your information when you use thumbo.ai. Thumbo is an AI tool that helps creators make YouTube thumbnails: you may upload photos of yourself and other images, choose styles, and we generate new thumbnails using AI. Since your thumbnails can feature your own face, we explain clearly below how we handle your photos and the consent we ask for — see "Your photos and your face." If anything here is unclear, contact us at [email protected].
Information we collect
Information you provide:
Your name and email when you sign up; the images you upload — including photos that may contain your face, likeness, or other people ("Reference Images"); the prompts, titles, and instructions you enter; and the thumbnails we generate for you.
Payment information:
We use Stripe to process payments. You enter your card details directly with Stripe — we never receive or store your full card number. We only receive limited billing data such as your subscription status, card brand, the last four digits, and billing country.
Usage and device data:
Features used, generations created, timestamps, IP address, browser and device type, and log data, collected automatically through cookies and similar technologies for authentication, security, and analytics.
How we use and share your information
We use your information to provide the Service (create your account and generate thumbnails from your uploads), process payments, keep the Service secure, prevent abuse, provide support, send you service messages, and comply with law. We do not sell your personal data. We share it only with service providers who process it on our behalf under contract, and where the law requires:
Stripe (payments):
Processes your billing information to run subscriptions and payments.
AI providers (e.g., Google):
Your Reference Images and prompts are sent to third-party AI providers, such as Google, to generate your thumbnails.
Hosting and infrastructure:
Providers that host the app and store your uploads and generated images. We may also disclose data to comply with law, or in connection with a merger or acquisition. We do not sell your data.
Legal bases for processing (EEA/UK)
Where the GDPR applies, we rely on: performance of our contract with you (to run your account and generate thumbnails); your consent (for processing photos that contain faces, and for any AI model training); our legitimate interests (security, fraud prevention, and improving the Service); and legal obligations (such as tax and accounting). You can withdraw consent at any time — see "Your rights."
Your photos and your face
Your photos are used for one thing: to create the thumbnails you ask for. When you upload a photo with your face, we process it only to place your likeness into your thumbnail — never to identify you, never to build any face-recognition database, and never to train an AI model unless you separately opt in below. Because this involves your face, we ask you to confirm a short consent prompt when you upload, so it is always your choice. Depending on where you live, face data like this can count as sensitive ("biometric") personal data, and your consent is what allows us to process it.
Please upload photos of other people only if they have agreed — do not upload images of celebrities, public figures, or anyone who has not said yes. We keep your photos only as long as needed to provide the Service, delete them when you remove them or close your account (or sooner if you ask), and we never sell them. If you would rather not have your face processed, simply do not upload photos that contain faces.
AI model training (opt-in only)
We may, in the future, use customer content to train or fine-tune AI models — for example, lightweight "persona" models that better reproduce your appearance, or "style" models learned from thumbnail aesthetics. This is strictly opt-in: we will not use your Reference Images, prompts, or generated thumbnails to train or fine-tune any model unless you have given separate, affirmative consent through a clearly labeled control in the app. If that training would include your face, your opt-in specifically covers that too. You can withdraw at any time; on withdrawal or account deletion we delete or de-identify your data from active training pipelines and delete any per-user model derived from it. We will never make opt-in a condition of using Thumbo. If you do not opt in, your content is used only to generate the thumbnails you request.
Data retention
We keep personal data only as long as necessary. Your uploads and generated thumbnails stay in your account until you delete them or close your account; we then delete them (including face data) within a limited period. Billing records are kept for as long as tax and accounting law requires. Training data (if you opted in) is kept until you withdraw consent or close your account, then deleted or de-identified. When retention ends, we delete or irreversibly anonymize the data.
Your rights
Depending on where you live, you may have the right to access, correct, or delete your data; to restrict or object to certain processing; to withdraw consent (including for how we use your face and for model training); and to data portability. If you are in California (CCPA/CPRA): we do not sell or share your personal information, and you can ask us to know, delete, or correct it — we will not discriminate against you for exercising these rights. To exercise any right, email [email protected] or use the controls in the app. You can also lodge a complaint with your local data protection authority.
Security
We use technical and organizational measures to protect your data, including encryption in transit, access controls, and limiting who can access your uploads. No method of storage or transmission is 100% secure, so we cannot guarantee absolute security — but if we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law.
International transfers and children
We and our providers (including Stripe and Google) may process data in the United States and other countries. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the EU Standard Contractual Clauses. Thumbo is not intended for anyone under 16 (or the minimum age in your country), and we do not knowingly collect data from children — if you believe a child has provided us data, contact us and we will delete it.
Changes to this policy and contact
We may update this Policy from time to time. If we make material changes — especially to how we use your photos or how we train AI models — we will notify you (by email or in-app) and, where required, ask for fresh consent. Questions, requests, or complaints: contact us at [email protected].