Privacy Policy
1. Introduction and Data Controller Identity
This Privacy Policy describes how Phlegethon ("Website," "we," "us," or "our") collects, uses, stores, shares, and protects personal data in connection with the website at phlegethon.icu and all associated services (the "Service").
Phlegethon operates under the laws of the State of Israel, including the Protection of Privacy Law, 5741-1981 ("PPL") and its Amendment No. 13 (effective August 14, 2025). Israel has been recognized by the European Commission as providing an adequate level of data protection equivalent to the EU GDPR, meaning that transfers of personal data from the European Economic Area (EEA) to Phlegethon are lawful without requiring additional transfer mechanisms.
For all privacy-related inquiries: [email protected]
2. Data We Collect
We collect only the minimum data necessary to provide, secure, and improve the Service.
We do not collect: government-issued identification numbers, biometric templates, precise geolocation data, or special categories of sensitive personal data beyond what is inherent in User Content you choose to submit.
3. Legal Bases for Processing
We process your personal data on the following legal bases under the PPL (as amended by Amendment 13) and, where applicable, the GDPR:
Performance of a contract: Processing your account data, usage data, and payment data is necessary to provide the Service you have contracted for.
Legitimate interests: Processing technical data for security, fraud prevention, ban enforcement, dispute resolution, and service integrity represents our legitimate business interests, including preventing chargebacks and credit abuse, enforcing permanent bans, and protecting the rights of third parties.
Legal obligation: We process and retain certain data where required by applicable Israeli law, including financial record-keeping obligations under Israeli tax law, and where required by valid court orders or law enforcement requests.
Consent: Where we rely on consent for any specific processing activity, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
4. User Content: Images and Videos
Your uploaded images and videos ("User Content") receive the highest level of privacy protection we can provide.
Content access and handling. Phlegethon may, at its sole discretion and without obligation, access or review User Content for purposes including legal compliance, fraud prevention, enforcement of these Terms, and responding to law enforcement requests. Phlegethon's exercise or non-exercise of this right does not constitute endorsement of any User Content.
No AI training. We do not use your User Content to train, fine-tune, improve, benchmark, or develop any AI model, whether our own or any third party's.
No sharing. We do not share, sell, license, rent, or otherwise disclose your User Content to any third party, except as required by a valid legal order from a competent authority.
Storage and deletion. Processed outputs are stored in your account gallery. When you delete an item, it is removed from your visible dashboard. Phlegethon may, however, retain copies of any media submitted to the Service — including original uploads, processed outputs, videos, and any other content — for an unspecified period following dashboard deletion, where Phlegethon determines that retention may be necessary for legal compliance, investigation of potential violations, response to law enforcement, or any other legitimate purpose. Phlegethon is under no obligation to disclose whether copies have been retained or for how long. All User Content is additionally subject to purge after 30 days of account inactivity, subject to the foregoing retention rights.
Isolation. Your User Content is stored in access-controlled, isolated storage. No other user can access your content.
5. How We Use Your Data
We use your personal data exclusively for the following purposes: providing, operating, maintaining, and improving the Service; processing your image and video requests and delivering results; managing your account, credits, and payments; detecting, preventing, and investigating fraud, abuse, chargebacks, and security incidents; enforcing permanent bans and preventing re-registration by banned users; complying with legal obligations; communicating with you about your account; and enforcing our Terms of Service.
We do not use your personal data for: advertising to you, selling to data brokers, profiling for third-party marketing, or any purpose not listed above.
6. Data Sharing and Disclosure
We do not sell your personal data. We share data only in the following limited circumstances:
Service providers. We engage trusted third-party service providers for cloud infrastructure, payment processing, and email delivery. These providers act as data processors under our instruction and are contractually prohibited from using your data for any purpose other than providing services to us.
Legal requirements. We may disclose your data if required by applicable law, regulation, court order, subpoena, or governmental authority. Where legally permitted, we will attempt to notify you of such a request before complying.
Business transfers. In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the successor entity, subject to the same privacy protections described in this Policy.
Protection of rights and safety. We may disclose data where necessary to protect the rights, property, or safety of Phlegethon, our users, or the public, including to prevent fraud, abuse, or NCII.
We will not voluntarily disclose your User Content (images/videos) to any third party except as required by a valid legal order.
7. Data Retention and the Limits of Deletion Rights
7.1 Standard Retention Periods.
7.2 Retention Overriding Deletion Requests. Phlegethon does not process account closure or deletion requests submitted by users. Furthermore, under the PPL (as amended) and applicable international standards, Phlegethon retains the right — and in certain cases is legally obligated — to retain personal data indefinitely, including any media files submitted to the Service. Phlegethon does not guarantee full deletion of any personal data or media files upon any request. The following constitute lawful grounds for retaining data notwithstanding any deletion request:
You acknowledge that Phlegethon's legitimate interests in fraud prevention, financial compliance, dispute resolution, ban enforcement, and platform integrity constitute lawful grounds under applicable law for retaining your data notwithstanding any deletion request.
- Fraud prevention and security: Transaction records, IP addresses, device identifiers, and account metadata are retained to detect and prevent fraud, chargebacks, and abuse of the credit system;
- Financial and legal compliance: Billing records and payment data are retained for a minimum of 7 years as required by Israeli tax law;
- Dispute resolution: Any data relevant to a pending or reasonably anticipated legal dispute, chargeback, or regulatory investigation is retained for the duration of such proceedings plus applicable statutes of limitations;
- Law enforcement holds: Data subject to a court order, legal hold, or law enforcement request is retained for the duration required by such order;
- Ban enforcement: Identifiers associated with terminated or banned accounts (email addresses, IP addresses, payment fingerprints, device identifiers) are retained indefinitely to enforce permanent bans and prevent re-registration;
- NCII investigations: Data related to reported NCII incidents is retained for the duration of any investigation and any resulting legal proceedings.
8. Your Rights Under Applicable Law
Depending on your jurisdiction, you may have the following rights, all subject to the limitations described in Section 7.2 and applicable law: right of access; right to rectification; right to erasure (subject to legitimate retention grounds); right to restriction of processing; right to object to processing based on legitimate interests; and right to withdraw consent.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before processing your request. We reserve the right to deny requests that are manifestly unfounded, excessive, or that conflict with the retention grounds in Section 7.2.
EEA Users: If you are located in the EEA and believe we have not adequately addressed your request, you have the right to lodge a complaint with your local data protection supervisory authority.
9. Security
We implement industry-standard technical and organizational security measures to protect your personal data, including: encryption of data in transit (TLS 1.2+) and at rest (AES-256); access controls limiting data access to authorized personnel only; isolated, access-controlled storage for User Content; secure credential hashing; and regular security monitoring.
No method of transmission over the internet or electronic storage is 100% secure. While we implement all reasonable precautions, we cannot guarantee absolute security. In the event of a data breach that poses a material risk to your rights and freedoms, we will notify you and relevant authorities as required by applicable law.
10. Cookies and Analytics
We use only strictly necessary session cookies required for authentication and Service functionality. We do not use advertising cookies, third-party behavioral tracking cookies, or cross-site tracking technologies. We use privacy-respecting, anonymized analytics to understand aggregate usage patterns. This data is not linked to individual users.
11. International Data Transfers
Phlegethon is based in Israel. If you access the Service from outside Israel, your data will be transferred to and processed in Israel. Israel has been recognized by the European Commission as providing an adequate level of data protection equivalent to the EU GDPR, meaning that transfers from the EEA to Israel are lawful without additional safeguards.
12. Children's Privacy
The Service is strictly for individuals 18 years of age and older. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete that data immediately and terminate the associated account. If you believe we have inadvertently collected data from a minor, contact us immediately at [email protected].
13. NCII Reporting
If you believe that content processed through the Service depicts you without your consent, contact us immediately at [email protected] with the subject "NCII Takedown Request." We will investigate and take appropriate action, including content removal, within 48 hours of receiving a complete and verified notice. See our Terms of Service, Section 7, for full details.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address or by prominent notice on the Service at least 14 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
15. Contact
All inquiries including privacy, legal matters, NCII takedowns, and general support: [email protected]