NGMC Privacy Policy

Last Updated: May 12, 2026

This Privacy Policy describes how TERRACY PICTURES B.V. ("NGMC", "we", "us", "our") collects, uses, and protects your personal information when you use the NGMC platform (the "Service"). NGMC is the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and the Dutch implementing law.

1. Information We Collect

1.1 Account Information

Email address, display name, and profile picture.
Authentication metadata for OAuth sign-in (e.g., Google). We do not store passwords.

1.2 Inputs

"Inputs" are anything you submit to the Service to drive a generation: text prompts, reference images, reference audio, video clips you upload, file attachments, and the parameters that configure each run.

1.3 Outputs

"Outputs" are the media (images, video, audio) generated by an AI model in response to your Inputs and returned to you through the Service.

1.4 Usage and Device Data

Pages visited, features used, and interaction patterns.
Device information: browser type, operating system, screen resolution, device language.
IP address and approximate geolocation (city / region level).
Timestamps of access and account activity.

1.5 Billing Information

Card numbers and full payment details are handled by Stripe and not stored on our servers. We retain the last four digits, card brand, billing country, VAT identifier (if you supply one), and invoice metadata required for accounting and tax law compliance.

1.6 Communications

Messages you send to support, plus any feedback, bug reports, or ratings you submit.

2. How We Use Your Information

We process your data for these purposes:

Purpose	Legal basis (GDPR Art. 6)
Operating the Service (account, billing, generation pipeline)	Contract
Sending transactional and account notifications	Contract
Improving the Service: aggregated analytics, debugging, performance monitoring	Legitimate interest
Detecting fraud, abuse, and Terms-of-Service violations	Legitimate interest
Complying with legal obligations (accounting, tax, AML)	Legal obligation
Marketing communications (only if you opt in)	Consent

We do not sell personal data, and we do not use your Inputs or Outputs to train AI models (see §4).

3.1 AI Model Providers

NGMC routes your Inputs to third-party AI providers to generate the Outputs you request. The provider that receives your data depends on the model you pick in the Service:

Model	Provider	Provider's privacy policy
Veo 3.1 / Veo 3.1 Fast	Google	https://policies.google.com/privacy
Nano Banana Pro / Nano Banana 2	Google	https://policies.google.com/privacy
Lyria 3 (Clip / Pro)	Google	https://policies.google.com/privacy
Seedance 2.0 / Seedance 2.0 Fast	BytePlus	https://www.byteplus.com/en/legal/privacy-policy
GPT Image 2	OpenAI	https://openai.com/policies/privacy-policy

When you submit a generation, the prompt and any reference media you attach are transmitted to the selected provider over an encrypted channel. Each provider operates under its own terms and privacy policy, which govern how it handles the data it receives. We surface the current provider for every model in the Model Guide.

3.2 Infrastructure and Service Providers

We use the following sub-processors to operate the Service:

Cloudflare R2 — object storage for generated media and uploaded references.
Amazon Web Services (AWS Frankfurt, eu-central-1) — application hosting and secrets management.
Stripe — payment processing and invoicing.
SendGrid — transactional email delivery.
Sentry — error reporting (excludes user-content payloads).

A current and complete sub-processor list is available on request via privacy@ngmc.ai.

3.3 Legal Compliance and Safety

We may disclose personal data when we are legally required to do so, when necessary to enforce our Terms of Service, to detect or prevent fraud, or to protect the rights, property, or safety of NGMC, our users, or the public.

3.4 Corporate Transactions

If NGMC is involved in a merger, acquisition, or asset sale, we will notify you before personal data is transferred and the new entity becomes subject to a different privacy policy.

4. AI Model Training

NGMC does not train its own AI models on user content. We are a downstream consumer of third-party AI APIs; Outputs come from upstream providers' pre-trained models.

Third-party AI providers we route your Inputs to (Google, OpenAI, BytePlus) may have their own training policies — please consult each provider's privacy policy linked in §3.1 for information on how they handle data they receive via API.

We may use aggregated, de-identified usage metrics (e.g., counts of generations per model per day) to plan capacity, debug failures, and improve the Service. These metrics never include the content of your Inputs or Outputs and are not linked to your identity.

5. Data Retention

Data	Retention
Account profile + billing records	While your account is active. Deleted within 30 days of account deletion (financial records may be retained for 7 years under Dutch tax law).
Generation history (prompts, Outputs, metadata)	While your account is active; immediately removable per-item via the Run History panel. Background purge within 30 days of account deletion.
Uploaded reference media	Stored until you delete the source project. Background purge within 30 days after project deletion.
Audit logs (sign-ins, billing events)	180 days for security forensics.
Aggregated, de-identified analytics	Indefinitely.
Backup copies	Up to 90 days after account deletion.

Where law requires longer retention (e.g., tax or accounting), we retain only the specific records subject to that legal obligation.

6. Data Security

TLS 1.3 in transit; at-rest encryption for all object storage and database backups.
OAuth 2.0 / OpenID Connect for sign-in; ES256 JWT session tokens with rotation.
Role-based access controls within NGMC; audit logging on privileged actions.
Regular security testing.
Sub-processor list audited yearly.

7. International Transfers

NGMC infrastructure is hosted in the European Union (Frankfurt, eu-central-1). However, the AI providers listed in §3.1 may process your Inputs in countries outside the EEA, including the United States. Where we transfer personal data outside the EEA we rely on:

Adequacy decisions issued by the European Commission, where they apply; or
Standard Contractual Clauses (SCCs) approved under GDPR Article 46(2)(c), supplemented by technical measures (encryption, access controls) per the EDPB recommendations.

You may request a copy of the SCCs in effect for a specific transfer by emailing privacy@ngmc.ai.

8. Your Rights

You have the following rights under the GDPR (subject to lawful exceptions):

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data. Note: it may not always be technically possible to correct content inside a previously generated Output; in that case we will delete the Output instead.
Erasure — delete your account and associated data ("right to be forgotten").
Restriction — limit how we process your data in specific circumstances.
Portability — receive your data in a machine-readable format and transmit it to another controller.
Objection — object to processing based on legitimate interests, including profiling.
Withdraw Consent — where processing relies on consent, withdraw it at any time without affecting prior lawful processing.
Complaint — file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, https://autoriteitpersoonsgegevens.nl) or the supervisory authority in your country of residence.

To exercise any of these rights, email privacy@ngmc.ai. We will respond within 30 days (extendable by 60 days for complex requests, with notice).

We do not engage in automated decision-making that produces legal or similarly significant effects on you under GDPR Article 22.

9. Cookies and Tracking

We use a minimal set of essential cookies for authentication, session integrity, and security. Analytics cookies (if any) are loaded only after explicit consent. See our Cookie Policy for the full list and your controls.

We honor Global Privacy Control signals and the browser's Do Not Track header — when sent, we treat them as a withdrawal of analytics and marketing consent.

10. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us with personal data, contact privacy@ngmc.ai and we will investigate and delete as appropriate.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes that affect your rights will be communicated by email and via in-app notification at least 30 days before the change takes effect. The "Last Updated" date at the top of this page indicates the most recent revision.

12. Contact

Data controller: TERRACY PICTURES B.V., a private limited company registered in the Netherlands.
Privacy inquiries and rights requests: privacy@ngmc.ai

1. Information We Collect​

1.1 Account Information​

1.2 Inputs​

1.3 Outputs​

1.4 Usage and Device Data​

1.5 Billing Information​

1.6 Communications​

2. How We Use Your Information​

3. Sharing With Third Parties​

3.1 AI Model Providers​

3.2 Infrastructure and Service Providers​

3.3 Legal Compliance and Safety​

3.4 Corporate Transactions​

4. AI Model Training​

5. Data Retention​

6. Data Security​

7. International Transfers​

8. Your Rights​

9. Cookies and Tracking​

10. Children's Privacy​

11. Changes to This Policy​

12. Contact​