2. Legal
  3. Política de privacidad
SweetBun

Vive la experiencia de personajes de IA personalizados con personalidades únicas, identidades visuales y conversaciones atractivas.

OneClick AI Solutions s.r.o.

Sokolovská 428/130, Karlín, 186 00 Praha

IČ: 23948353

DIČ: CZ23948353

Producto

  • Chats
  • Colección
  • Generar imagen
  • Generar video
  • Mi IA
  • Crear personaje

Funciones

  • Todas las funciones
  • Chat grupal con IA
  • Novia IA
  • Novio IA
  • Personajes de IA
  • Amigo IA
  • Apoyo para rupturas
  • Padre IA

Legal

  • Política de privacidad
  • Términos y condiciones
  • Política de cookies
  • Otras políticas

© 2026 SweetBun. Todos los derechos reservados.

VisaMastercardBitcoin

PRIVACY POLICY

Effective Date: June 6, 2026 Version: 2.0

1. INTRODUCTION

OneClick AI Solutions s.r.o. ("we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy (hereinafter referred to as the "Policy") explains how we collect, use, share, and protect your personal data when you use our services at www.sweetbun.ai (hereinafter referred to as the "Service").

This Policy is in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and relevant legal regulations of the Czech Republic.

By using the Service, you confirm that you have read this Policy. This Policy forms an integral part of our Terms of Service:

  • Terms and Conditions

2. DATA CONTROLLER

The controller of your personal data is:

OneClick AI Solutions s.r.o. with its registered office at Sokolovská 428/130, Karlín, 186 00 Prague 8 ID No. (IČO): 23948353 Tax ID (DIČ): CZ23948353 registered with the Municipal Court in Prague under file no. C 435717

Contact for privacy matters: support@sweetbun.ai

Data Protection Officer (DPO) Statement: The Company has not appointed a Data Protection Officer (DPO), as we do not conduct large-scale processing of special categories of data that would require this obligation.

3. WHAT DATA WE COLLECT

We process the following categories of data:

A. Data provided by you

  • Registration Data: Email address, password (stored in encrypted form), nickname, date of birth (to verify age 18+). If you sign in via a social identity provider (Google, Discord, X/Twitter), we receive the basic profile fields the provider returns instead of a password: email, display name, and a stable account identifier.
  • User Content: Text prompts, chat conversations with AI Characters, AI Character preference settings (appearance, voice, personality), uploaded images, or voice inputs.
  • Communication: Data from your communication with our support team (emails, bug reports).

B. Automatically collected data

  • Technical Data: IP address, browser type, operating system, time zone, access logs.
  • IP Address — specific handling:
    • Source: Your IP address is read from the standard x-forwarded-for HTTP header. We host on Vercel, which rewrites this header at the edge so the first address in it is the real client IP that we can trust.
    • Where it is stored:
      • Vercel platform access logs — Vercel's standard hosting retention applies.
      • Supabase Authentication — the last sign-in IP is recorded against your account for security and fraud detection.
      • Payment order records (FinbyOrder) — the IP captured at checkout is retained on the order row for the order lifecycle and, where the order produced a tax invoice, for the Czech VAT-law minimum (10 years, §35 zákona o DPH).
    • Recipients of the raw IP address: Meta (Conversions API) receives your raw IP — but only when you had granted marketing consent at the time of the action. Users who declined or had not yet granted marketing consent are never sent to Meta server-side. Dognet (our affiliate network) may receive your IP and User-Agent, but only when you land via an affiliate link and only for fraud and click-bot prevention (it is optional and not used for advertising). Google Analytics 4 does not store your IP at all.
    • Legal basis:
      • Storage and fraud prevention — Legitimate interest (Art. 6(1)(f) GDPR).
      • Transmission to Dognet for affiliate fraud prevention — (Art. 6(1)(f) GDPR).

C. Payment Data

To process payments, we use secure third-party payment gateways: Finby (for credit/debit card payments and subscriptions — Visa and Mastercard) and CoinGate (for cryptocurrency payments). We ourselves do not store your full payment card numbers or private keys of crypto wallets. We only retain necessary transactional data (payment ID, date, amount, method type, last 4 digits of the card, card expiry month/year for renewal notifications, and the billing name/address you enter at checkout for invoicing).

4. PURPOSES AND LEGAL BASIS FOR PROCESSING

We process your data for the following purposes:

Purpose of ProcessingLegal Basis
Provision of Service: Account creation, enabling AI chat, content generation, token management.Performance of Contract
Payments and Billing: Subscription processing, issuing tax documents.Performance of Contract / Legal Obligation
Security and Moderation: Fraud detection, prevention of illegal content (CSAM), ensuring platform security.Legitimate Interest / Legal Obligation
Service Improvement and AI Training: Analysis of anonymized interactions to improve models and fix bugs.Legitimate Interest
Marketing: Sending newsletters (only if you have consented or are a customer).Consent / Legitimate Interest
Legal Compliance: Bookkeeping, dispute resolution, responding to authority requests.Legal Obligation

4.1. Automated Decision Making and Profiling When providing the Service, we use automated processing (profiling) to personalize AI Character responses according to your preferences. Furthermore, we use automated tools to detect prohibited content. In the event of detection of a serious violation of terms (e.g., CSAM), automatic account blocking may occur. You always have the right to object to such a decision and request a human review at support@sweetbun.ai.

5. ACCESS TO DATA AND SHARING WITH THIRD PARTIES

5.1. Human Review: We want to assure you that your conversations with AI Characters are private. Our employees or contractors do not have regular access to them. Access to content occurs exclusively in the following specific cases:

  1. If you report the content yourself as erroneous or objectionable.
  2. If our automated security filters flag the content as high-risk (e.g., suspected child abuse, terrorism, or extreme violence). In such a case, a vetted moderator will review only the necessary section of the conversation to verify compliance with our Policies.

5.2. Sharing with Partners: We share your data only to the necessary extent with vetted partners who meet strict security standards (GDPR, SCCs, or Data Privacy Framework certification where applicable):

  1. AI Technology Providers (Processors):

    • xAI (Grok): For processing text conversations (chat), prompt translation, and SFW video generation.
    • ElevenLabs: For generating voice outputs and voice calls with AI Characters.
    • BytePlus ModelArk (ByteDance Seedream): For generating AI portraits and SFW images.
    • Note: Text or image inputs (prompts) are sent to these services to generate a response. According to the terms of these processors, your inputs are not used to train their general-purpose models.

  2. Infrastructure and Database:

    • Vercel: Hosting of the web application and serverless functions.
    • Supabase: User authentication and secure database storage (PostgreSQL). Data is stored encrypted at rest. Files (generated images/videos, uploads) are stored in Supabase Storage.
    • Upstash (Redis): Rate limiting and short-lived caches.

  3. Payment Gateways:

    • Finby (Finbyte UAB): For credit/debit card payment processing (Visa, Mastercard) and recurring subscription charges. We share the billing details you enter at checkout (name, address, country, email) and the order reference; Finby returns the card mask (last 4 digits, expiry) and a token used to charge future renewals.
    • CoinGate: For cryptocurrency payments. We share the order amount, currency, and an internal reference. We do not receive your wallet address or private keys.

6. INTERNATIONAL DATA TRANSFER

Our infrastructure is hosted primarily on servers in secure data centers (Vercel, Supabase). Due to the use of global service providers, some data (especially inputs for AI models, analytics events, and advertising signals) may be processed on servers outside the European Economic Area (EEA):

  • xAI and Meta process data primarily in the United States.
  • BytePlus ModelArk processes image-generation requests in the Asia-Pacific region (Singapore — ap-southeast-1).
  • Google Analytics / Google Ads rely on Google's global infrastructure.

We ensure that these partners meet GDPR requirements through Standard Contractual Clauses (SCCs) or, where applicable, the EU–U.S. Data Privacy Framework.

7. DATA RETENTION

We retain your data only for as long as necessary:

  • Account and Content (immediate deletion): Upon account deletion, your chat history, generated images and videos, custom AI characters, and AI memories are permanently deleted immediately. Files in our storage layer (Supabase Storage) and on third-party voice infrastructure (ElevenLabs) are removed as part of the same operation.
  • Account, Subscription, and Payment Records (24-month retention): Your account row (containing email and billing fields), subscription history, usage counters, and payment order history are retained for 24 months after account deletion. This retention is necessary for: (i) dispute resolution and refund eligibility verification under our Terms of Service §8.1; (ii) fraud prevention (detecting repeated abuse via account re-registration); and (iii) compliance with our legal obligations. After 24 months, these records are permanently deleted by an automated process. You may request expedited erasure by emailing support@sweetbun.ai, subject to legal retention requirements below.
  • Accounting Documents: Under Czech VAT law, we must retain billing data for 10 years. This obligation supersedes the 24-month retention above for the specific records required by tax law.
  • Logs and Technical Data: Usually deleted after 30–90 days.
  • Anonymized Data: Data that has been stripped of all identifiers (for model training) may be retained indefinitely.

8. YOUR RIGHTS

Under GDPR, you have the following rights:

  • Right of Access: To request a copy of the data we hold about you.
  • Right to Rectification: If the data is inaccurate.
  • Right to Erasure (Right to be Forgotten): You can request the deletion of your account and data if there is no legal reason for their further retention (e.g., billing).
  • Right to Restriction of Processing and Objection.
  • Right to Data Portability.

You can exercise your rights by emailing support@sweetbun.ai. You also have the right to lodge a complaint with the Office for Personal Data Protection (www.uoou.cz).

9. CHILD PROTECTION

Our Service is strictly intended only for persons over 18 years of age. We do not knowingly collect data from persons under 18 years of age. If we discover that a minor has registered with us, we will immediately delete their account and all data. More information:

  • Underage Policy

10. CHANGES TO THIS POLICY

We may update this Policy from time to time. We will inform you of material changes by email or a notification within the Service.

Contact: OneClick AI Solutions s.r.o. Email: support@sweetbun.ai

Legitimate interest
  • Transmission to Meta — Consent (Art. 6(1)(a) GDPR), withdrawable at any time via the Cookie Settings link in the footer.
  • Usage Data: How you interact with the Service, session duration, generation history, token status.
  • Analytics and Advertising Tools: We use Google Analytics 4 and Google Ads to analyze traffic and measure the effectiveness of advertising. We also use the Meta Pixel and the Meta Conversions API to measure conversions from advertising on Facebook and Instagram. Analytics and advertising tools are only activated after you grant consent in the cookie banner.
  • Cookies: More information can be found in our Cookie Policy:
    • Cookie Policy

  • Identity Providers (Single Sign-On):

    • Google Sign-In (Google Ireland Limited): used only when you click "Continue with Google".
    • Discord OAuth (Discord Netherlands B.V.): used only when you click "Continue with Discord".
    • X (Twitter) OAuth (Twitter International Unlimited Company): used only when you click "Continue with X".

    The chosen provider receives a redirect from us and returns an authorization code plus a minimal profile (email + display name + provider account ID). We do not push your activity on the Service back to these providers.

  • Analytics and Advertising (consent-based):

    • Google Analytics 4 / Google Ads (Google Ireland Limited): Traffic analysis, conversion measurement, and audience building. Google Analytics 4 does not log or store your IP address — it is used only momentarily to derive coarse geography and is then discarded. We additionally implement Google Consent Mode v2 so that, prior to your consent, Google receives only pseudonymous, cookieless signals. In addition to the in-browser tag, when you had granted analytics consent we send key conversion events (sign-up, purchase, renewal and refund) to Google Analytics 4 server-side via the Measurement Protocol, transmitting the pseudonymous _ga client identifier, the transaction value, the purchased product (plan or add-on name), and a new/returning customer indicator. We do not include your IP address in these server-side events.

    • Meta Pixel and Meta Conversions API (Meta Platforms Ireland Limited): Conversion measurement and re-marketing on Facebook and Instagram. The Meta Pixel script is not loaded until you grant marketing consent, and Conversions API events are only transmitted to Meta when you had granted marketing consent at the time of the underlying action (signup, purchase, renewal, refund). Declined-consent users are never sent to Meta server-side; we do not rely on Meta's Limited Data Use flag as a substitute for consent.

      When you complete a registration, purchase, renewal or refund with marketing consent granted, we send Meta the following data:

      • Hashed (SHA-256) customer parameters: email address, first name, last name, gender, city, postal code, country, and our internal user ID.
      • Browser-side Pixel identifiers: _fbp (Browser ID) and, if applicable, _fbc (Click ID).
      • Client signals: your IP address and User-Agent string.
      • Transaction details: the value and currency, the purchased product (plan or add-on name), and a new/returning customer indicator.

    • FirstPromoter: Affiliate referral tracking. If you arrived via an affiliate link, we share your email, internal user ID, and a referral identifier so the affiliate is credited for a signup or sale.

    • Dognet (QualityUnit, s.r.o.): Affiliate referral tracking via a server-to-server integration (no third-party scripts run in your browser). When you arrive via a Dognet affiliate link, we send the landing URL, referrer, the affiliate link parameters, and — for fraud and crawler filtering — your IP address and User-Agent to Dognet's track.php endpoint to obtain an affiliate visitor identifier. When you complete a purchase, we report the sale to Dognet's sale.php endpoint with the order value (net of VAT), currency, order reference, product label, the affiliate visitor identifier, and any coupon used; no name, email, or payment details are shared. We also store the affiliate visitor identifier (dognetVisitorId) on your user and order records so a later renewal can be attributed.

  • Transactional Email:

    • Resend: Sends operational emails such as renewal failure notifications. We share only the recipient email and the message content.

  • Public Authorities: In case of suspected criminal activity (especially regarding CSAM or terrorism), we are obliged to hand over data to law enforcement agencies.