Privacy Policy

Last updated: May 7, 2026

1. Introduction

This Privacy Policy explains how Coomerang LTD collects, uses, shares, and protects personal information when you use Coomerang.

Coomerang LTD is a private limited company registered in England and Wales under company number 16557189, with registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. For UK GDPR purposes, Coomerang LTD is the controller for the personal data described in this policy unless stated otherwise.

We collect personal data to run the comic creation platform, manage accounts and subscriptions, provide AI image features, operate age assurance and moderation, keep the service secure, respond to contact requests, and comply with legal obligations.

2. Information We Collect

2.1 Account and Profile Data

  • Username, email address, password hash, account role, account status, and timestamps.
  • Email verification, password reset, recovery email, pending email change, and related security records.
  • Google account identifier, Google email, and Google profile information if you use Google Sign-In.
  • Profile picture, biography, profile moderation status, and profile-related admin messages where applicable.

2.2 Content and Community Data

  • Comics, comic data, pages, panels, images, videos, quizzes, cover images, titles, descriptions, categories, languages, publishing status, version data, and related metadata.
  • Published comic and profile information that is visible to other users or visitors, subject to mature-content filters and moderation state.
  • Likes, aggregate like counts, comic view records, reports, profile reports, moderation decisions, review notes, and enforcement records.
  • Images and video frames analysed for moderation, including SafeSearch categories, likelihoods, risk flags, timestamps, review status, and reviewer notes.

2.3 Mature Content and Age Verification Data

To enable mature-content access, we may use a third-party age assurance provider such as Didit. We do not intentionally store your identity documents in Coomerang. We may store verification session identifiers, session URLs, status, timestamps, verified or estimated age, last-check date, and related metadata needed to operate the age gate and maintain safety records.

2.4 Subscription, Billing, and AI Credit Data

  • Subscription plan, status, billing interval, currency, subscription start/end dates, cancellation status, Stripe customer ID, Stripe subscription ID, and related Stripe event identifiers.
  • AI credit balance, credit grants, credit cost settings, and credit usage connected to AI image generation.
  • Payment card data is handled by Stripe. Coomerang does not store full card numbers or card security codes.

2.5 AI Image Data

  • Text prompts, source images, generated images, generated image URLs, model name, operation type, size, quality, output format, usage metadata, and creation/deletion timestamps.
  • AI requests and outputs may be processed by OpenAI to provide image generation and editing features.

2.6 Technical, Security, and Contact Data

  • IP address, request metadata, user agent, browser and device information, security logs, rate-limit data, CSRF/session data, error logs, and operational diagnostics.
  • Approximate location or currency signals derived from IP address or Accept-Language headers for pricing currency selection.
  • Name, email address, subject, message, IP address, and message metadata when you contact us through the contact form.

2.7 Cookies and Browser Storage

We use cookies, localStorage, and similar browser storage for authentication, security, preferences, and editor functionality. See our Cookies Policy.

3. How We Use Personal Data

  • To create, authenticate, secure, and manage user accounts.
  • To provide the comic editor, uploads, storage, publishing, discovery, profiles, likes, reports, and related platform features.
  • To operate subscriptions, Stripe checkout, billing portal access, plan entitlements, and AI credit grants.
  • To provide AI image generation and editing features.
  • To operate mature-content access controls, age assurance, content labelling, moderation, reporting, appeals, and enforcement.
  • To prevent fraud, abuse, unauthorised access, scraping, spam, security incidents, and misuse of the service.
  • To send transactional emails, such as verification, password reset, subscription, age verification, moderation, and support messages.
  • To respond to contact requests, legal requests, regulatory duties, and user rights requests.
  • To maintain, debug, monitor, and improve the service.

4. Lawful Bases

  • Contract: account registration, authentication, editor features, storage, publishing, subscriptions, billing portal access, AI credit features, and support needed to provide the service.
  • Legitimate interests: security, abuse prevention, moderation, reporting, platform integrity, product maintenance, troubleshooting, and responding to non-marketing contact requests.
  • Legal obligation: tax and accounting records, responding to lawful requests, safety compliance, copyright processes, and records we must keep by law.
  • Consent: optional processing that legally requires consent, such as non-essential cookies or marketing if introduced in the future. We do not currently use advertising or behavioural tracking cookies.
  • Vital interests: rare cases where processing is necessary to protect someone from imminent serious harm.

5. Sharing Personal Data

We share personal data only where needed to run the service, comply with law, protect users, or complete transactions.

  • Cloudflare R2 and CDN: media storage, content delivery, security, and performance.
  • Hosting and database providers: application hosting, PostgreSQL database hosting, backups, logs, and infrastructure operations.
  • Stripe: checkout, customer portal, subscriptions, invoices, payments, billing events, and related fraud prevention.
  • Didit: age verification and identity/age assurance sessions for mature-content access.
  • OpenAI: AI image generation and editing using prompts, source images, generated images, and technical metadata.
  • Google services: Google Sign-In if selected, Google Cloud Vision SafeSearch for image/video moderation, and Google Fonts loaded by the frontend.
  • SMTP/email providers: transactional email delivery and contact-form responses.
  • ipapi.co: IP-based currency estimation when needed for pricing localisation.
  • Admins and moderators: internal review of reports, profile issues, moderation queues, billing support, and safety matters.
  • Authorities, courts, advisors, or counterparties: where required by law, to enforce our rights, protect users, respond to legal process, or handle a business transfer.

6. Public Visibility

Published comics, titles, descriptions, cover images, categories, language, author username, public profile information, and aggregate engagement counts may be visible to other users and visitors. Mature-labelled content is hidden from users who have not enabled mature-content access.

Reports, moderation notes, private account details, payment identifiers, age verification records, and security logs are not intended to be public.

7. International Transfers

We are based in the United Kingdom, but our providers may process personal data in the UK, the EEA, the United States, and other countries where they or their infrastructure operate. Where required, we rely on adequacy regulations, standard contractual clauses, international data transfer agreements, or other lawful transfer mechanisms.

8. Retention

We keep personal data only for as long as needed for the purposes described in this policy, unless a longer period is required for legal, safety, security, accounting, or dispute-resolution reasons.

  • Account data: kept while your account exists and for a reasonable period after closure where needed for legal, security, or enforcement reasons.
  • Published content: kept while published or stored in your account, unless removed by you, by moderation, or by legal process.
  • Temporary uploaded media: unreferenced temporary files are normally cleaned up after about 24 hours.
  • Comic view cooldown records: records used to avoid repeated view counts are normally deleted after about 7 days.
  • Refresh tokens and sessions: kept until expiry, logout, revocation, or replacement, subject to configured token lifetimes.
  • Subscription and tax records: normally retained for up to 7 years where needed for accounting, tax, and audit purposes.
  • Contact and support messages: normally retained for up to 3 years unless needed longer for a dispute or legal issue.
  • Moderation, report, copyright, and safety records: may be retained for up to 5 years or longer where needed for repeat-offender rules, legal claims, child safety, or regulatory compliance.
  • Age verification records: retained while needed to operate mature-content access and safety controls, and then deleted or minimised when no longer needed.
  • Backups and logs: may persist for limited rolling periods before deletion or overwriting.

9. Security

We use technical and organisational safeguards such as HTTPS, password hashing, signed authentication tokens, CSRF protection, rate limiting, security headers, access controls, moderation controls, and provider security features. No online service can guarantee absolute security.

10. Your Rights

Depending on your location and the processing involved, you may have rights to access, correct, delete, restrict, object to processing, obtain a portable copy of your data, and withdraw consent where processing is based on consent.

To exercise your rights, contact us through the Contact page or [email protected]. We may ask for information needed to verify your identity and protect your account. We normally respond within one month, subject to legally permitted extensions for complex requests.

You may lodge a complaint with the UK Information Commissioner's Office at ico.org.uk. If you are in the EEA, you may also have the right to complain to your local data protection authority.

11. Children

Coomerang is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided personal data, please contact us so we can take appropriate action.

Users under 18 must have parent or guardian permission to create an account and cannot enable mature-content access.

12. Automated Tools and Decision Support

We use automated tools to support moderation, security, age-gating workflows, and AI image features. These tools can help identify risky content, apply warnings, queue content for review, prevent abuse, and enforce credit or entitlement rules.

Automated tools do not remove your responsibility to follow the Terms, and they may produce false positives or false negatives. Where a decision materially affects your content or account, you can contact us to request review.

13. Third-Party Links

Coomerang may link to third-party websites or services. Their privacy practices are governed by their own policies, not this Privacy Policy.

14. Changes

We may update this Privacy Policy to reflect changes in our service, providers, legal obligations, or data practices. We will update the "Last updated" date and provide additional notice for material changes where appropriate.

15. Contact

Privacy questions or requests can be sent through our Contact page or to [email protected] with the subject line "Privacy Request".

This policy is intended to be clear about the data needed to run Coomerang, including user-generated comics, subscriptions, AI image features, mature-content controls, and safety moderation.