Public Beta — reserve early accessJoin Waitlist
ThumbAPI logoThumbAPI

Privacy Policy

Last updated: April 27, 2026

ThumbAPI ("we," "us," or "our") operates the thumbapi.dev website and the ThumbAPI thumbnail generation API (together, the "Service"). This Privacy Policy explains what information we collect, how we use it, and what choices you have.

By using the Service you agree to the collection and use of information described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create a ThumbAPI account we collect the information you provide during registration, which typically includes:

  • Email address
  • Name (if provided)
  • Password (stored in hashed form only)
  • Billing information (processed and stored by our payment provider; we do not store full card numbers)

1.2 API Usage Data

Each time you make a request to the ThumbAPI API we automatically log:

  • The API endpoint called and request parameters (format, image style, title text)
  • Timestamp of the request
  • IP address of the requesting server or client
  • Response status code and latency
  • Your API key identifier (not the key itself)

We use this data for rate limiting, abuse prevention, usage metering for billing, and to improve the quality of generated thumbnails.

1.3 Images You Provide

If you use the with-image or with-logo image styles, you send us image data (a person photo or a logo) as part of your API request. We process this image solely to generate your thumbnail. We do not store uploaded images beyond the duration required to complete the request unless you explicitly opt in to image storage for caching purposes.

1.4 Website Analytics

When you visit thumbapi.dev we collect standard web analytics data including pages viewed, referral source, browser type, device type, and approximate geographic location (derived from IP address). We use this to understand how visitors interact with our website and to improve it.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process your API requests and generate thumbnails
  • Authenticate your identity and authorize API access
  • Track usage against your subscription plan and enforce rate limits
  • Process payments and manage billing
  • Send transactional emails (account confirmation, password resets, usage alerts, billing receipts)
  • Detect, prevent, and address abuse, fraud, and technical issues
  • Improve the quality and performance of generated thumbnails
  • Respond to your support requests
  • Comply with legal obligations

We do not sell your personal information. We do not use your uploaded images or generated thumbnails to train machine learning models unless you explicitly opt in.

3. Data Storage and Security

Your account data and API usage logs are stored on servers located in the United States and the European Union. We use industry-standard encryption (TLS 1.2+) for all data in transit. Data at rest is encrypted using AES-256.

We retain account data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are required to retain it for legal, tax, or auditing purposes. Aggregated, anonymized usage statistics may be retained indefinitely.

API usage logs are retained for 90 days for operational purposes, after which they are deleted or anonymized.

4. Third-Party Services

We share data with the following categories of third-party providers:

  • Payment processing: We use Stripe to process payments. Stripe receives your billing information directly. Their use of your data is governed by Stripe's Privacy Policy.
  • Cloud infrastructure: We host the Service on cloud infrastructure providers who process data on our behalf under data processing agreements.
  • Email delivery: Transactional emails are sent through a third-party email service provider.
  • Analytics: We use privacy-focused analytics tools to understand website usage patterns.

We do not share your API request content (titles, images) with any third party except the AI model providers necessary to generate your thumbnails, and only for the purpose of fulfilling your request.

5. Cookies

We use the following types of cookies:

  • Essential cookies: Required for authentication and session management. These cannot be disabled without breaking core functionality.
  • Analytics cookies: Used to understand how visitors use our website. You can opt out of these through your browser settings or our cookie consent banner.

We do not use advertising cookies or tracking pixels. We do not participate in cross-site tracking networks.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that we correct inaccurate or incomplete data.
  • Deletion: Request that we delete your personal data, subject to legal retention requirements.
  • Export: Request your data in a portable, machine-readable format.
  • Restriction: Request that we limit our processing of your data in certain circumstances.
  • Objection: Object to our processing of your data where we rely on legitimate interests as the legal basis.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

For European Economic Area (EEA) Residents

If you are located in the EEA, our legal bases for processing your personal data are: performance of a contract (providing the Service), legitimate interests (improving the Service, preventing abuse), and compliance with legal obligations. You have the right to lodge a complaint with your local data protection authority.

For California Residents

Under the California Consumer Privacy Act (CCPA), California residents have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information. To submit a request, contact us at the email above.

7. Children

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will promptly delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we make material changes, we will notify you by email or by placing a prominent notice on our website. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

9. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: