Legal

Privacy Policy

Last updated Jul 13, 2026

This policy explains what personal data Popcorn Editor ("we", "us") collects when you use popcorneditor.com and the Popcorn Editor application (together, the "Service"), why we collect it, who we share it with, and the choices you have. It is written to describe what the product actually does, in plain language.

If anything here is unclear, or you want to exercise any of the rights below, contact us through the contact form.

What we collect

Account data. When you create an account we store your name, email address and a hashed password. If you sign in with Google, we store the name, email address and Google account ID that Google provides; we do not receive or store your Google password. We also record your account status (for example active or suspended) and, where the signup approval gate is enabled, who approved the account and when.

Your content. Designs you create (including their full editing state and version history), images and fonts you upload, brand kits, templates you save, and preview thumbnails. Files are stored on cloud object storage operated by our hosting providers.

Billing data. Payments are processed by Stripe. We never see or store your card number. We store the identifiers Stripe gives us (customer, subscription and payment references), your plan, seat count, and credit usage records for AI features.

Usage and credit records. When you use AI features we record the request metadata needed for metering and billing: which model was used, token or image counts, the credit cost, and timestamps.

Support messages. If you contact us through the contact form or in-app support, we store your name, email, your messages, and technical metadata (IP address and browser user agent) used for abuse prevention. This thread data is kept even if the associated account is later deleted, so that existing conversations remain intact and reply links keep working.

Technical data. Server logs, session records (for server-rendered pages), and, only after you consent, analytics data as described in the Cookie policy.

How we use your data

  • To provide the Service: hosting your designs, rendering exports, enabling collaboration and sharing.
  • To process AI requests you initiate (see next section).
  • To bill subscriptions and credit packs through Stripe and to meter credit usage.
  • To send transactional email: verification, password resets, support replies, and billing notices.
  • To keep the Service secure: abuse prevention, rate limiting, and audit of administrative actions.
  • With your consent only: analytics and advertising measurement via Google Tag Manager.

We do not sell your personal data, and we do not use your designs to train AI models.

AI features and your content

Popcorn Editor's AI features (design generation, the AI assistant, image generation) are powered by third-party model providers. When and only when you invoke an AI feature, the relevant content is sent to a provider to fulfil your request. Depending on the feature this can include your prompt, the current design's contents, and images you supply as references.

The providers we use include Anthropic, Google (Gemini), OpenAI, Cohere and Replicate; the exact provider depends on the model you (or the default settings) select. These providers process the data to generate the response. Their own terms govern any provider-side retention; we choose API access, not consumer products, so your content is not used to train their public models under their standard API terms.

If you connect an external AI agent to your account over MCP using an agent token, that agent acts on your behalf under your own agreement with its provider.

Real-time collaboration

When you edit with others, design content and presence information (your name, cursor and selection) transit our own collaboration server over an encrypted connection. This server is part of the Service, not a third party.

Who we share data with

We share personal data only with the processors needed to run the Service:

Processor Purpose Data involved
Stripe Payments, subscriptions, invoices Name, email, billing identifiers
Cloud object storage (S3-compatible) File storage Your uploads, design assets, exports
AI model providers (Anthropic, Google, OpenAI, Cohere, Replicate) AI features you invoke Prompts, design content, reference images
Google Sign-in with Google (OAuth); Tag Manager, Analytics and Ads measurement after consent OAuth profile (name, email, ID); analytics events after consent
Email delivery provider Transactional email Email address, message content

Some processors are located outside the European Economic Area. Where that is the case, transfers rely on the European Commission's Standard Contractual Clauses or an adequacy decision.

We may also disclose data where required by law, or to protect the Service and its users from fraud or abuse.

Cookies and local storage

Server-rendered pages set an essential session cookie and a CSRF token. The application stores functional values (your sign-in token, workspace choice, editor preferences, and your cookie consent choice) in your browser's local storage. Analytics and advertising cookies are set only after you choose "Accept all" in the consent banner. Full details, names and lifetimes are in the Cookie policy.

How long we keep data

  • Account and content data is kept while your account exists.
  • Deleted designs are removed from listings immediately; associated files (previews, exports, attachments) are cleaned up by a background job, which spares any file still referenced by another design or workspace.
  • Deleted or purged workspaces have their files removed and any Stripe subscription cancelled.
  • Support threads are retained after account deletion, as described above.
  • Billing records (Stripe event history, credit usage) are retained as long as needed for accounting and tax obligations.
  • Unreferenced uploads are automatically removed by a cleanup job after a minimum age.

Your rights (GDPR)

If you are in the EU or EEA you have the right to access, correct, delete and receive a copy of your personal data, to object to or restrict certain processing, and to withdraw consent at any time (for cookies, use the "Cookie settings" link in the footer).

There is currently no self-service account deletion in the product. To delete your account and data, or to exercise any other right, send a request through the contact form; we act on verified requests within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Children

The Service is not directed at children. You must be at least 16 years old (or the age of digital consent in your country) to create an account.

Changes to this policy

We may update this policy as the product evolves. The date above reflects the latest revision; material changes will be announced in the product or by email.