Privacy Policy for Todo AI

Last Updated: February 2026

This Privacy Policy explains how Todo AI, operated by Todo AI Technologies Ltd. ("we," "us," or "our"), collects, uses, discloses, and safeguards your information when you use our platform and related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understand this Privacy Policy. If you do not agree, please do not use the Service.

Key Points

  • You own all content you generate through our AI tools
  • We don't sell your personal information
  • Your images and prompts are sent to third-party AI providers to generate your content
  • We don't train on your outputs for other users
  • You can request deletion of your data and account at any time
  • Your data is processed in Israel (EU-adequate) and may be processed in other countries where our AI providers operate

1. Information We Collect

Information You Provide:

  • Name and email address
  • Profile preferences and language setting
  • Billing and payment information (processed securely by our payment provider — we never see or store your card details)
  • Images you upload, text prompts you write, and the images and videos generated for you

Information Collected Automatically:

  • IP address, browser type, operating system, device type
  • Pages visited, features used, session duration
  • Cookies and similar technologies (see Section 4)

Information from Third Parties:

  • If you sign in via Google: name, email, and profile picture as provided by Google

2. How We Use Your Information

  • Provide, maintain, and improve our Service
  • Process your images and prompts through AI models and deliver generated outputs
  • Process payments and send transaction confirmations
  • Communicate with you (support, updates, security alerts)
  • Send marketing and promotional communications (only with your opt-in consent)
  • Analyze usage patterns to improve the Service
  • Display free-plan creations in the Community Gallery (see Section 3)
  • Maintain the security of the Service
  • Comply with legal obligations

Biometric Data — Voice & Face

Two of our generation flows process special-category personal data under GDPR Article 9 and Section 17 of the Israeli Privacy Protection Law (5741-1981):

  • Talking Avatar — voice clone: when you upload a voice sample we (a) send it to ElevenLabs to create a voice fingerprint, and (b) store the raw audio in our private storage so we can re-clone after deletion. The voice fingerprint and the raw sample are both deleted when you remove the cloned voice, and the raw sample is permanently removed when you delete your account.
  • Profile Photo / Talking Avatar — face image: when you upload a photo of a person, we send it to our image models (Nano Banana, GPT-Image, Kling Avatar) for generation. We retain the source upload to power "regenerate" actions. All uploads under your account are permanently deleted when you delete your account.

By starting a voice clone or uploading a face photo you give us explicit consent to process this special-category data for the purpose of producing your requested generation. You can withdraw consent at any time by deleting the relevant clone or by deleting your account from your profile page.

3. Sharing Your Information

We do not sell your personal information. We share data only in these situations:

  • AI providers: Your uploaded images and prompts are sent to the third-party AI providers powering the feature you use, in order to generate your outputs. Each provider's own privacy policy also applies. We select providers that commit to not using API customer data for model training, but we cannot guarantee their internal practices
  • Service providers: Cloud hosting, payment processing, analytics, and email communications
  • Community Gallery: Images generated on the free plan are displayed publicly in our Explore gallery. Only the generated image and your display name are shown — never your email, account details, or original uploads. You can remove your content from the gallery at any time through your account settings
  • Legal requirements: When required by law, court order, or by the Israel Privacy Protection Authority (PPA)
  • Business transfers: In connection with a merger, acquisition, or sale of assets — with prior notice to you
  • With your consent: For any purpose not described in this Policy

We may share non-personally-identifiable, aggregated data for analytics and improvement purposes. For a current list of sub-processors or more details, contact [email protected].

4. Cookies and Analytics

We use cookies and similar technologies to personalize your experience and understand usage patterns:

  • Essential cookies — Required for the Service to function (authentication, session management, and language preferences). These cannot be disabled.
  • Analytics cookies (PostHog) — Help us understand how visitors use the Service, including page views, feature usage, and performance. We may also collect your user ID, email, display name, and subscription type for analytics purposes. You can opt in or out of analytics cookies at any time via the cookie consent banner.

When you first visit, we display a cookie consent banner where you can accept, reject, or customize your preferences. You can change your cookie settings at any time via the "Manage Cookies" link in the footer. Declining analytics cookies does not affect core functionality.

5. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit and at rest, access controls, and monitoring.

No system is perfectly secure, and we cannot guarantee absolute security. In the event of a data breach, we will notify the Israel Privacy Protection Authority and affected users as required by the Protection of Privacy Law.

6. Data Retention

  • Account data: Retained while your account is active
  • Uploaded images and generated content: Retained while your account is active; deleted within 30 days of account deletion
  • Financial records: 7 years as required by Israeli tax law (held by our payment provider)
  • Usage and analytics data: Up to 24 months, then anonymized
  • Server logs: 90 days

You may request deletion of your data at any time by contacting us. Some data may be retained where required by law.

7. Your Rights

Under the Protection of Privacy Law, 5741-1981 (as amended by Amendment No. 13) and, where applicable, the GDPR, you have the right to:

  • Access, correct, or delete your personal data
  • Restrict or object to certain processing
  • Request data portability
  • Withdraw consent for non-essential processing
  • Lodge a complaint with the Israel Privacy Protection Authority (PPA): 66 Kanfei Nesharim St., Jerusalem; Phone: *3450

Providing your information is voluntary. However, without an email and name you cannot create an account, and without uploading images the AI generation features cannot function.

Contact [email protected] to exercise your rights. We respond within 30 days.

8. AI Content and Ownership

Ownership:

You own the images and videos you generate through our AI tools. We do not claim ownership of your content.

How it works:

When you use our generation features, your uploaded images and text prompts are sent to third-party AI model providers to generate your requested output. The results are returned to our servers and delivered to you.

Your content is yours:

Your images, prompts, and generated outputs are not used to train AI models for other users. We may use anonymized, aggregated usage statistics for platform improvement.

No automated decisions:

We do not use automated decision-making for decisions that produce legal or similarly significant effects on you. AI is used solely to generate content at your request.

9. International Data Transfers

Todo AI is operated from Israel. Your data is primarily processed in Israel, and may also be processed in other countries where our service providers and AI providers operate.

Israel has been recognized by the European Commission as providing adequate data protection (Decision 2011/61/EU). For transfers to countries without an adequacy decision, we rely on contractual safeguards as implemented by our service providers.

10. Children's Privacy

Our Service is intended for users who are at least 16 years old. We do not knowingly collect information from children under 16. If we discover we have collected such data, we will delete it promptly. Contact [email protected] if you believe a child has provided us with personal information.

11. California Privacy Rights (CCPA/CPRA)

California residents have additional rights: the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell personal information or share it for cross-context behavioral advertising. We will not discriminate against you for exercising these rights. Contact [email protected] to exercise your California privacy rights.

12. Links to Other Sites

Our Service may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

13. Email Communications

By signing up, you may receive marketing and promotional emails from us. You can unsubscribe at any time via the link in any email. Transactional emails (receipts, credit notifications, security alerts) will continue regardless.

14. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or a notice on the Service. Continued use after changes constitutes acknowledgment of the updated policy.

15. Contact

Todo AI Technologies Ltd.
Ramat Gan, Israel
Website: app.todowith.ai
Email: [email protected]