Privacy

Privacy & Encryption Policy

How goongen.ai protects your data through zero-knowledge encryption and minimal data collection.

Last updated: March 2026

What we collect

  • User ID - a randomly generated UUID, not linked to any personal information
  • Public encryption key - your RSA-2048 public key, generated in your browser
  • Payment info - only if you pay (PayPal email or Bitcoin transaction ID)
  • Contact form data - only if you submit the contact form (name, email, message)

We do not collect your email, real name, IP address, or any other identifying information during normal use.

What we cannot see

The following data is encrypted with your public key before it ever reaches our storage. We do not hold your private key and have no way to decrypt it.

  • Your uploaded images
  • Your generated output images
  • Your prompts (encrypted before database storage)
  • Your private key (for password-based accounts, stored encrypted on the server with a key derived from your password - we cannot decrypt it; for key-file-only users, exists only in your browser's sessionStorage)

How encryption works

  • We use RSA-OAEP + AES-256-GCM hybrid encryption
  • Your RSA-2048 keypair is generated client-side using the Web Crypto API
  • Your private key lives in your browser's sessionStorage - it is never sent to our servers
  • Every image and prompt is encrypted with a unique AES-256 key, which is itself encrypted with your RSA public key
  • This is a technical guarantee, not a policy promise - even if we wanted to, we could not access your content

GPU processing

During image generation, your images are briefly decrypted in memory on GPU instances for processing. These GPU pods are ephemeral - created on demand and terminated after your session ends. No data is persisted to disk on the GPU. Once the pod is terminated, all data is wiped.

Data deletion

  • You can delete your images at any time from the editor
  • Administrators can revoke public keys, which makes all associated encrypted data permanently inaccessible - no one can decrypt it
  • No backups of decrypted content exist at any point in the pipeline

Cookies & local storage

  • sessionStorage - private key and user UUID (cleared when you close the tab; password-based accounts can restore these by logging in, key-file-only users should download their .pem backup)
  • localStorage - disclaimer acceptance and UI preferences only
  • No tracking cookies, no analytics cookies, no ad cookies
  • Rybbit analytics - cookieless, privacy-friendly page view analytics (see Third parties below)

Third parties

  • GPU infrastructure - trusted providers for ephemeral GPU instances (no persistent storage)
  • PayPal / BTCPay - payment processing (only if you choose to pay)
  • Rybbit - open-source, cookieless web analytics (rybbit.io). Collects anonymous page views, referrer, device type, and country only. No cookies, no fingerprinting, no personal data. User IDs are salted so we cannot identify individual visitors - we only see which pages are visited and where traffic comes from. GDPR and CCPA compliant. IP addresses are used only for geolocation and are never stored.
  • No ad networks, no data brokers

Questions

If you have questions about our privacy practices, reach out via our contact page.