Privacy Policy
Last updated: 2026-03-05
Overview
The APED PFP Generator (https://pfp.aped.wtf) is a free AI-powered profile picture tool. It is designed with privacy as a core principle: no accounts, no cookies, no persistent tracking. This policy describes what data we collect, why, and how long we keep it.
What We Collect
- IP address (hashed): Your IP is hashed with SHA-256 before storage. We never store raw IP addresses. The hash is used solely for rate limiting to prevent abuse.
- Generation metadata: Style choice, aspect ratio, source type (preset/photo/custom), and timestamp. This helps us understand which styles are popular.
- Custom prompts (optional): If you type a custom prompt, it is stored alongside your generation so you can see what you requested.
- Uploaded photos (transient): If you use the APEDify feature, your photo is sent to Google Gemini for AI transformation. EXIF metadata is stripped before transmission. The photo is not stored on our servers after processing.
- Generated images: Your AI-generated PFP is stored on our servers. It is private by default - only accessible via a unique link (128-bit UUID).
What We Do NOT Collect
- No names, email addresses, or phone numbers
- No user accounts or login credentials
- No cookies (we use sessionStorage, which clears when you close the tab)
- No persistent device fingerprints or cross-session tracking
- No location data beyond what your IP address implies
Third-Party Services
- Google Gemini API: Your generation prompts and optional uploaded photos are sent to Google for AI image generation. Google processes images in real-time and does not retain them after generation. See Google Gemini API Terms.
- Analytics: We collect anonymous, session-scoped usage events (e.g., which styles are generated, download counts). Session IDs are random, stored in sessionStorage (cleared on tab close), and are not linked to any personal identity.
Data Retention
- Private images: Automatically deleted after 90 days.
- Public gallery images: Retained until you delete them.
- Security events: Retained for 30 days for abuse prevention, then automatically deleted.
- Challenge tokens: Single-use, expire after 10 minutes.
Your Rights
- View: Your generated image is accessible via its unique share link.
- Delete: You can delete your generation using the delete button on the result screen. This removes the image from our servers permanently.
- No account needed: Since we don't create accounts, there is no profile data to export or modify.
Security
We protect your data with rate limiting, proof-of-work challenges, HMAC-signed tokens, parameterized database queries, Content Security Policy headers, and fail-closed error handling. All communications are encrypted via HTTPS. See our FAQ for more about our security practices.
Children
This service is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has used this service, please contact us.
Changes
We may update this policy as the service evolves. The "Last updated" date at the top will reflect any changes.
Delete Your Data
Under GDPR Article 17, you have the right to erasure. Use the button below to permanently delete all data associated with your current IP address - generations, votes, and activity logs.
Contact
For privacy questions or deletion requests, reach out via the $APED community on X.