Privacy Policy — HIBR 3D

Last updated: 30 May 2026. Draft for counsel review. Align with Hibr's PDPL (UAE Federal Decree-Law 45/2021) + GDPR posture. Placeholders in .

1. Who we are

HIBR 3D is operated by Hibr AI ("we"). Data controller: Hibr AI, Dubai, United Arab Emirates. Contact: info@hibr.ai.

2. Data we collect

• Account data: email, password (hashed), locale, age confirmation, plan.
• Content: prompts you enter and images you upload (inputs); 3D models we generate (outputs).
• Payment data: processed by Stripe; we store limited billing identifiers, not full card numbers.
• Usage & device data: logs, IP address, generation/usage events, cookies/analytics.
• Moderation data: safety-scan results and, where applicable, records required by law.

3. How we use data

• To provide the Service (generate, store, display, deliver models).
• To process payments and manage subscriptions/credits.
• To enforce safety (content moderation, abuse/fraud prevention, legal compliance).
• To improve the Service using aggregated, de-identified data. We do not train models on paid users' content without consent.
• To communicate (receipts, service notices, with consent: marketing).

4. Legal bases (GDPR/PDPL)

Contract performance (providing the Service), legitimate interests (security, improvement), legal obligation (e.g., CSAM reporting, tax), and consent (marketing, certain cookies).

5. Sharing & sub-processors

We share data with service providers under data-processing agreements, including: Stripe (payments), fal.ai / Tripo / Tencent / other model providers (generation), OpenAI / Google / Hive (moderation), PhotoDNA/Cloudflare (CSAM detection), hosting (Hostinger/Netlify/CDN). Some providers are outside your country; we use appropriate transfer safeguards. We may disclose data to authorities where legally required (including mandatory CSAM reporting to NCMEC).

6. Retention

• Inputs (uploaded images) are retained for 30 days then purged.
• Generated assets are retained while your account is active / per your plan.
• Moderation/CSAM records are retained as required by law (e.g., ≥1 year for reported CSAM).
• On account deletion, we delete or de-identify your data except where retention is legally required.

7. Your rights

Subject to your jurisdiction (GDPR/PDPL), you may access, correct, delete, port, or restrict processing of your data, and object or withdraw consent. Contact info@hibr.ai. You may complain to your data protection authority.

8. Children

The Service is not for children under 13. We do not knowingly collect data from under-13 users; if discovered, we delete it. (COPPA-aligned.)

9. Security

We use industry-standard measures (encryption in transit, access controls, audit logging). No method is 100% secure.

10. Cookies

We use necessary and (with consent) analytics cookies. See our cookie banner/settings.

11. Changes & contact

We may update this Policy with notice. Contact: info@hibr.ai.