Last updated July 15, 2026
Privacy policy
This privacy policy explains how Endless Machine Corp., a Delaware corporation with registered address at 8 The Green STE 13642, Dover, DE 19901, United States (“Endless”, “we”, “us”), collects, uses, shares, and protects personal data when you use the Endless creative workspace and related sites, apps, and APIs (the “Service”).
For the personal data we process about you as an account holder or visitor, Endless acts as the data controller. Where you use the Service to process personal data contained in your own content, Endless acts as a processor on your behalf, and your workspace is the controller.
We aim to collect the minimum data needed to run the Service. This policy describes what we collect, why, how long we keep it, and the rights you have - including under the EU/UK GDPR.
1. Data we collect
- Account data - name, email, and profile details, handled through our authentication provider (Clerk). We store an internal user id, workspace memberships, and roles.
- Workspace and content data - the prompts, files, images, audio, video, transcripts, chats, and canvases you upload or generate, plus their metadata (titles, timestamps, visibility).
- Billing data - plan, subscription status, credit usage, and transaction records. Card details are collected and stored by our payments processor (Stripe), not by us.
- Usage and device data - log data, approximate location derived from IP, device and browser type, and product-analytics events about how the Service is used.
- Session activity - where you consent, we record replays of your interactions with the Service (clicks, navigation, and page content) through our product-analytics provider to diagnose issues and improve usability, with sensitive fields masked.
- Communications - messages you send us (for example, support requests) and transactional email delivery events.
2. How we use your data
We use personal data to:
- Provide, secure, and maintain the Service, including authentication, storage, and AI generation.
- Process payments, meter credits, and enforce plan and spending limits.
- Communicate with you about your account, security, and service changes.
- Understand and improve how the Service is used, and to build new features.
- Detect, prevent, and respond to fraud, abuse, and security incidents.
- Comply with legal obligations and enforce our terms.
We do not sell your personal data. We do not use your content to train our own models. To generate what you ask for, your content is processed by the third-party AI providers listed on our Subprocessors page under their own terms; we choose providers with privacy-protective terms and enable no-training or zero-retention options where they offer them.
3. Legal bases (GDPR)
Where the GDPR applies, we rely on the following legal bases:
- Performance of a contract - to provide the Service you have signed up for and to process billing.
- Legitimate interests - to secure, analyze, and improve the Service, provided your interests and rights do not override ours.
- Consent - for optional cookies and analytics where required, and for certain marketing communications; you can withdraw consent at any time.
- Legal obligation - to keep records (for example, tax and accounting) and respond to lawful requests.
4. How we share data
We share personal data with subprocessors that help us run the Service - for hosting, authentication, payments, storage, email, AI inference, and analytics. Each is bound by a data-processing agreement and may only process data on our instructions. The current list is on our Subprocessors page.
We may also share data with your workspace administrators (who can manage your membership and content in that workspace), and with authorities or advisors where required by law or to protect our rights, users, or the Service. If Endless is involved in a merger or acquisition, data may be transferred as part of that transaction, subject to this policy.
5. International data transfers
Endless and several of our subprocessors are located in the United States and other countries outside the EEA/UK. When we transfer personal data internationally we rely on appropriate safeguards - the EU-U.S. Data Privacy Framework where the provider is certified, and/or the European Commission’s Standard Contractual Clauses (with the UK Addendum where relevant) - together with additional technical and organizational measures.
6. Data retention and deletion
We keep personal data for as long as your account is active and as needed to provide the Service. You can move content to trash and restore it within a limited window; trashed assets are automatically purged after 30 days.
When you delete your account we apply a soft-delete: the account is disabled, reassigned a random anonymized identifier (a “del_” id), and personal data is deleted or irreversibly anonymized. We may retain limited records where required for legal, tax, or security purposes, and backups are cycled out on a rolling basis.
7. Your rights
Depending on where you live, you may have the right to:
- Access - obtain a copy of the personal data we hold about you.
- Rectification - correct inaccurate or incomplete data.
- Erasure - request deletion of your personal data (the “right to be forgotten”).
- Portability - receive your data in a structured, machine-readable format.
- Restriction and objection - limit or object to certain processing, including profiling and direct marketing.
- Withdraw consent - where processing is based on consent, without affecting prior processing.
To exercise any of these rights, contact privacy@endless.app. We will respond within the timeframe required by law. You also have the right to lodge a complaint with your local data-protection authority.
8. Cookies and analytics
We use strictly necessary cookies to keep you signed in and to secure the Service. With your consent, we also use analytics cookies - for product analytics and session replay (PostHog) and, where enabled, website and marketing measurement (Google Analytics). In regions where consent is required (such as the EEA, UK, and California) a banner lets you accept or reject non-essential cookies, or choose by category; everywhere, you can change your choice anytime from “Cookie settings” in the footer, and we honor Global Privacy Control as a request to reject non-essential cookies.
9. Security
We use technical and organizational measures to protect personal data, including encryption in transit, scoped access controls, and least-privilege service credentials. No system is perfectly secure, but we work to protect your data and to notify you and the relevant authorities of qualifying breaches as required by law.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this policy as the Service evolves or the law changes. We will post the updated policy with a new effective date and, for material changes, provide additional notice in the Service.
12. Governing law
This policy and any dispute relating to it are governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws rules. This does not deprive you of any mandatory data-protection rights under the law of your country of residence, including your right to lodge a complaint with your local supervisory authority.
13. Contact us
For any privacy question or request, contact privacy@endless.app.