Privacy Policy
Last updated: July 15, 2026
MadHatter is an independent project. It is not affiliated with, endorsed by, or connected to Higgsfield, Luma AI, ByteDance/Seedance, Google, OpenAI, or any other model provider. These documents are provided for general information only and do not constitute legal advice.
This Privacy Policy explains how MadHatter, registered in the Netherlands, Johan van Hoornstraat 19, 2595 HP Den Haag, Zuid-Holland, KvK 92761585, RSIN 866164194 (“MadHatter”, “we”) processes personal data when you use the MadHatter platform, website, apps and APIs (the “Service”). MadHatter is the controller for the processing described here. Privacy contact / Data Protection Officer: hello@madhatter.technology.
1. What Data We Process, Why, and On What Legal Basis
| Data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account data (name, email, password hash, language, age confirmation) | Create and manage your account; authentication | Contract (Art. 6(1)(b)) |
| Your Content: prompts, uploaded images/video/audio, generated outputs | Provide the Service: generate, store and display your content | Contract (Art. 6(1)(b)) |
| Your Content (moderation signals) | Automated and human review for illegal content and Acceptable Use Policy violations | Legitimate interests (Art. 6(1)(f)) — platform safety; Legal obligation (Art. 6(1)(c)) for illegal content (DSA) |
| Your Content (model training) | Improving our AI models — only if you have opted in | Consent (Art. 6(1)(a)), withdrawable at any time |
| Your Content (promotion) | Featuring creations you make in MadHatter’s own marketing, social channels and screenings (see Terms §4.6) | Legitimate interests (Art. 6(1)(f)) — promoting the Service; opt-out at any time |
| Payment and billing data (via our payment processor; we do not store full card numbers) | Payments, invoicing, fraud prevention, tax compliance | Contract; Legal obligation |
| Usage and device data (IP address, device/browser type, logs, feature usage, approximate location from IP) | Security, abuse and fraud prevention, debugging, service analytics | Legitimate interests — running and securing the Service |
| Communications (support tickets, emails) | Support; quality assurance | Contract; Legitimate interests |
| Marketing data (email, preferences) | Newsletters and product updates to customers; ads measurement | Consent; Legitimate interests (soft opt-in for existing customers, with opt-out in every message) |
| Cookies and similar technologies | Strictly necessary cookies for the Service; analytics/advertising cookies only with consent | Consent (for non-essential); Legitimate interests (essential) — see our Cookie Policy |
We do not intentionally process special categories of personal data (Art. 9). Do not upload biometric, health or similar sensitive data of yourself or others unless you have a lawful basis to do so. Faces in images you upload are processed only transiently to generate your requested output and for safety moderation — we do not use them for identification and we prohibit use of the Service for facial-recognition purposes.
We do not sell personal data, and we do not use Your Content for third-party behavioural advertising. We may, however, feature creations made on MadHatter in our own promotional activities as described in Terms §4.6; you can opt out at any time by emailing hello@madhatter.technology.
2. AI Models and Your Content
- No training without opt-in. We do not use your prompts, uploads or outputs to train or improve AI models — ours or third parties’ — unless you expressly opt in. The toggle is off by default and can be withdrawn at any time in settings; withdrawal stops future use.
- Third-party model providers. Some generations are performed by third-party models under contracts (including GDPR Art. 28 processor terms) that (a) prohibit training on your data, (b) limit retention to a maximum of 30 days for abuse monitoring, and (c) include Standard Contractual Clauses where the provider is outside the EEA. A current list of sub-processors is available on request.
- Automated moderation. Prompts and outputs pass automated safety filters. Decisions with significant effects (e.g. account termination) always include human review, and you can contest them — see our Acceptable Use Policy appeals process. You will not be subject to a decision based solely on automated processing that produces legal or similarly significant effects without the safeguards of Art. 22 GDPR.
3. How Long We Keep Data (Retention)
| Data | Retention |
|---|---|
| Account data | Life of the account + 30 days after deletion (recovery window), then deleted or anonymized |
| Your Content | Until you delete it or your account; deleted content purged from production within 30 days and from backups within 90 days |
| Third-party model provider copies | Maximum 30 days after generation |
| Payment/invoice records | 7 years (Dutch tax law) |
| Security/abuse logs | 12 months (longer only for active investigations) |
| Support tickets | 24 months after closure |
| Marketing data | Until opt-out, or 24 months of inactivity |
| Evidence of serious violations (e.g. CSAM reports) | As required by law and reported to competent authorities |
4. Who We Share Data With
We share personal data only with: (a) processors acting on our instructions — hosting, third-party model providers, payment processing, email delivery, analytics, customer support tooling; (b) authorities where legally required (including reports of child sexual abuse material to law enforcement / relevant hotlines); (c) successors in a merger or acquisition, with notice to you; and (d) others with your consent (e.g. content you choose to make public is visible to other users).
5. International Transfers
We store data primarily in the EEA. Where data is transferred outside the EEA (for example to a model provider or infrastructure vendor in the United States or elsewhere), we rely on: an EU adequacy decision (including the EU-US Data Privacy Framework for certified US providers), or the European Commission’s Standard Contractual Clauses (Art. 46(2)(c)) plus transfer impact assessments and supplementary measures. Where the Service lets you choose which model processes your generation, we indicate the processing region so you can choose EEA-only processing. Copies of transfer safeguards are available on request via hello@madhatter.technology.
6. Your Rights
Under the GDPR you have the right to: access your data (Art. 15), rectify it (Art. 16), erase it (Art. 17), restrict processing (Art. 18), data portability (Art. 20), object to processing based on legitimate interests, including direct marketing (Art. 21), and withdraw consent at any time without affecting prior processing (Art. 7(3)).
Exercise these rights in your account settings or by emailing hello@madhatter.technology. We respond within one month (extendable by two months for complex requests, with notice). We may need to verify your identity. Exercising your rights is free of charge.
You also have the right to lodge a complaint with a supervisory authority — in the Netherlands, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) — or with the authority of your country of residence or place of work.
7. Non-EEA Users
- UK: the UK GDPR applies equivalently; complaints may go to the ICO.
- Switzerland: the revised FADP applies; complaints to the FDPIC.
- California: we do not “sell” or “share” personal information as defined by the CCPA/CPRA; you have rights to know, delete, correct and limit use, exercisable via hello@madhatter.technology, without discrimination.
- Other regions: we honor applicable local rights via the same contact.
8. Security
We apply technical and organizational measures appropriate to the risk (Art. 32 GDPR): encryption in transit (TLS 1.2+) and at rest (AES-256), access controls and least privilege, logging and monitoring, vendor due diligence, regular testing, and staff confidentiality obligations. Your Content is private by default; only content you explicitly publish is visible to others. We will notify the supervisory authority and, where required, affected users of personal-data breaches in accordance with Arts. 33–34 GDPR.
9. Children
The Service is not directed at children under 16. We do not knowingly process data of children under 16 without verified parental consent. If you believe a child is using the Service, contact hello@madhatter.technology and we will delete the account and its data.
10. Changes
We will announce material changes to this Policy at least 30 days in advance by email or in-app notice. The current version always applies and is dated at the top.
Contact: MadHatter, registered in the Netherlands, Johan van Hoornstraat 19, 2595 HP Den Haag, Zuid-Holland, KvK 92761585, RSIN 866164194 — hello@madhatter.technology