Effective Date: 1 June 2025
Second Enlightenment Limited (“SEL,” “we,” “us” or “our”) is a company registered in England and Wales (Company Number 16274940). We operate the AI-generation platform available at sunra.ai (the “Service”). SEL is the controller of the personal data described in this Privacy Policy, unless stated otherwise.
For any privacy-related questions, contact [email protected].
This Policy explains how we collect, use, store, share and secure personal data when you:
visit sunra.ai or any sub-domain;
create and manage an account;
use our web interface, API or SDKs; or
otherwise interact with SEL (for example, by email or social media).
It does not cover websites, apps or services that we do not own or control. We encourage you to review the privacy policies of any third-party services you use.
| Category | What We Collect | Source | Mandatory? |
|---|---|---|---|
| Account Information | Email address, password hash, authentication tokens, preferences. | You | Yes – required to create an account. |
| Billing & Payment | Payment card details (handled by our payment processor), billing address (if provided), transaction history, credit balance. | You / payment processor | Yes – required to purchase credits or subscriptions. |
| Service Usage Data | Generation requests (metadata such as prompt length, model selected, parameters, timestamps), API keys, IP address, browser/device type, log files, error reports. | Your device / automatically collected | Collected automatically for service delivery. |
| Communications | Messages or emails you send us, feedback, support tickets. | You | Voluntary. |
| Input Data | Text prompts, images, audio, video and other content you upload. | You | Necessary to perform the requested generation. |
| Output Data | AI-generated results delivered to you. | Generated by our system | N/A |
We designed the Service to minimise personal-data collection. We do not ask for your name, phone number or special-category data to operate your account.
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Provide and maintain the Service (account creation, authentication, generation requests, credit administration). | Performance of a contract (Art. 6 (1)(b)). |
| Process payments (charging your payment method, issuing invoices). | Performance of a contract; legitimate interests (Art. 6 (1)(b) & (f)). |
| Operate, secure and improve the Service (monitor usage, prevent fraud, debug, optimise performance, develop new features). | Legitimate interests (Art. 6 (1)(f)). |
| Communicate with you (respond to enquiries, send service emails, billing notices, changes to Terms). | Performance of a contract; legitimate interests (Art. 6 (1)(b) & (f)). |
| Limited marketing (if you opt-in, inform you about new features or offers). | Consent (Art. 6 (1)(a)); withdraw anytime. |
| Legal compliance (tax, accounting, lawful requests). | Legal obligation (Art. 6 (1)(c)). |
By default, no. We do not use the raw Input Data you upload (or the Output Data we deliver) to fine-tune or retrain our core models. Files are processed transiently and stored only as long as necessary to complete your request and allow you to download the result.
We may collect aggregate statistics (e.g., model latency, prompt-length distribution) to improve reliability and user experience. These statistics do not identify you or reveal prompt content.
If we ever introduce an opt-in programme for model improvement, we will request explicit consent and provide a way to withdraw consent at any time.
We use:
Essential cookies – to keep you signed in and process secure payments.
Analytics cookies – to understand basic traffic patterns (page views, feature popularity).
No advertising cookies – we do not run third-party ads.
You can control cookies in your browser, but disabling essential cookies may impair functionality.
We do not sell or rent your personal data. We share only as necessary:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Cloud hosting partners | Host servers, store logs, run compute for generation. | Confidentiality and security obligations. |
| Payment processors | Process card payments and detect fraud. | PCI-DSS compliant; we never store full card numbers. |
| Analytics providers | Aggregate, anonymised usage metrics. | Data minimised and pseudonymised. |
| Professional advisers | Legal, accounting or auditing services. | Bound by confidentiality duties. |
| Authorities | When required by law or to protect rights, property or safety. | Disclosure limited to lawful, proportionate requests. |
| Corporate transactions | In connection with a merger, acquisition or asset sale. | Data handled consistent with this Policy. |
Primary servers are in the United Kingdom and the European Economic Area. When personal data is transferred outside these regions, we rely on:
UK adequacy regulations (where applicable); or
Standard contractual clauses / International Data Transfer Agreements.
| Data Type | Retention Period |
|---|---|
| Account data | For as long as the account is active, then up to 12 months after deletion for security logs and audit. |
| Payment records | 7 years (statutory requirement). |
| Input & Output data | Typically deleted automatically within 30 days; you may delete sooner via your dashboard. |
| Service logs | Up to 90 days for diagnostics, then anonymised or deleted. |
| Marketing consents | Until you withdraw consent or unsubscribe. |
Longer retention may occur if required to establish, exercise or defend legal claims.
We implement technical and organisational measures to protect personal data, including:
TLS encryption in transit;
Encryption at rest where feasible;
Role-based access controls and multi-factor authentication;
Regular security testing and monitoring.
No internet service is completely secure, but we work diligently to safeguard your data.
Under the UK GDPR (and, where applicable, the EU GDPR) you have the right to:
Access – obtain a copy of personal data we hold.
Rectify – correct inaccurate or incomplete data.
Erase – request deletion in certain circumstances.
Restrict – limit processing in specific cases.
Portability – receive data in a machine-readable format.
Object – to processing based on legitimate interests or direct marketing.
Withdraw consent – where processing relies on consent.
To exercise these rights, email [email protected]. We may verify your identity before responding. You can also complain to the UK Information Commissioner’s Office or another supervisory authority.
The Service is intended for users 18 years and older. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us so we can delete it.
We may update this Privacy Policy occasionally. If we make material changes, we will notify you (e.g., by email or on the site) before they take effect. The “Effective Date” shows when the current version became active.
For questions, concerns or requests about privacy or your personal data, email [email protected].
We aim to respond promptly and within legal timeframes.