Privacy Policy

Who we are

Slambot.app ("Slambot", "we", "us") is an AI car transformation platform operated from New South Wales, Australia. When you use Slambot, you're dealing with us directly — no third-party data brokers, no surprise selling of your information. This policy explains what we collect, why we collect it, and what you can do about it.

We comply with the Australian Privacy Act 1988 (including the Australian Privacy Principles) and the EU General Data Protection Regulation (GDPR) where applicable.

What we collect

• Account information— your email address and display name, collected via Clerk when you sign up. We don't store passwords ourselves; Clerk handles authentication.
• Photos you upload — your car photos are stored in Cloudflare R2 and processed by OpenAI to generate transformations. We do not use your photos for any purpose other than running the transformation you requested.
• Generated images — output transformations are stored in Cloudflare R2. Results are public by default when shared — accessible to anyone with the link and visible in the community feed. You can make results private at any time from your garage.
• Usage data — anonymised analytics via PostHog. This tells us things like which bots are popular and how long generations take. No individual profiling.
• Error reports — Sentry collects crash and error data to help us fix bugs. This may include your browser type, OS, and the action that triggered the error. No personal content is captured.
• Payment information — processed entirely by Stripe. We never see or store your card number. We receive a payment confirmation and your Stripe customer ID.

We do not train AI models on your photos

Your uploaded photos and generated images are neverused to train AI models — ours or anyone else's. Full stop.

We use OpenAI's API to run transformations. Their API data usage policy explicitly states that customer API data is not used for model training. Your images are processed to produce your result and nothing else.

Legal basis for processing (GDPR)

If you are located in the EU/EEA, we process your data under the following bases:

• Contract performance — processing your car transformations, managing your account and credits.
• Legitimate interests — platform security, abuse prevention, aggregated analytics to improve the service.
• Consent — analytics cookies (PostHog). You can withdraw consent at any time via the cookie banner.
• Legal obligation — retaining payment records as required by tax law.

How we use your data

• To run your car transformations — this is why you're here.
• To manage your account and credit balance.
• To send transactional emails via Resend: job completion notifications and payment receipts.
• To process payments via Stripe and track your credit balance.
• To moderate uploaded content for safety via Azure Content Safety.
• To monitor platform health, debug errors, and prevent abuse.
• To improve the platform via aggregated, anonymised analytics.

We don't sell your data. We don't send marketing emails unless you explicitly opt in.

Data processors

We use the following third-party services to operate Slambot. Each processes data on our behalf and under contract:

International data transfers

Most of our processors are based in the United States. Where data is transferred outside Australia or the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards provided by each processor. You can request details of the specific safeguards in place by contacting us.

Data retention

• Uploaded photos — stored while your account is active, accessible via your My Cars library. Deleted within 30 days of account closure or upon your request.
• Generated images — stored until you delete them or close your account. Deleted jobs are removed from our servers within 30 days.
• Account data — retained while your account exists. Deleted within 30 days of account closure.
• Payment records — retained for 7 years for tax and compliance purposes as required by Australian law.
• Analytics data — anonymised and aggregated. Retained for up to 2 years.
• Error logs — retained for up to 90 days in Sentry.

Your rights

Under Australian privacy law and (where applicable) the GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate or incomplete data.
• Deletion — request deletion of your account and all associated data (except payment records required by law).
• Portability — request a copy of your data in a machine-readable format.
• Restriction — request that we limit processing of your data in certain circumstances.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent (e.g., analytics cookies), you can withdraw at any time.

To exercise any of these rights, email ray@slambot.app. We will respond within 30 days.

Children

Slambot is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the site. The "effective date" at the top of this page indicates when the policy was last revised.

Complaints

If you are not satisfied with our response to a privacy concern, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC). EU/EEA residents may also contact their local data protection authority.

Contact

Privacy questions, data requests, or concerns: ray@slambot.app