# 07F Provider Retention / Privacy Compliance Recheck — aieditorrsp

- task_id: t_e3b86e02
- tenant: site-aieditorrsp-20260528
- project_slug: aieditorrsp
- domain: https://aieditorrsp.net
- checked_at_utc: 2026-05-29T08:02:38Z
- prepared_by: 墨盾
- repo_commit_checked: ca5e9d3e846a069bc44c162a0b05090f652001d3
- deployment_version_checked: 4230b57f-f7d3-4459-93c6-315f68287e89

## Verdict

NO_GO for public compliance copy.

The backend/provider implementation is materially compliant for this scope, but the public legal copy is stale and overstates or contradicts the implemented data flow. Do not unlock final launch QA until the Privacy, Terms, Refund, Pricing, and Cookie copy are aligned with the now-enabled fal provider state.

## Required gate results

| Gate | Result | Evidence | Compliance decision |
| --- | --- | --- | --- |
| Privacy/Terms disclose fal server-side image editing provider | FAIL | `/privacy` only says "third-party APIs" / "third-party inference processing" and does not name fal. `/terms` does not disclose provider processing. | P0 copy fix required. |
| Upload/result retention matches implemented state | FAIL | API returns `site_storage=none`, `result_cache_ttl_hours=24`, and fal-hosted result URL. `/privacy` says prompt history is stored, account outputs are kept 30 days, and temporary mirror copies/cloud sync exist. | P0 copy fix required. |
| Unsafe prompts blocked before provider call | PASS | Source `src/app/api/generate-image/route.ts:101-103` returns `UNSAFE_PROMPT_BLOCKED` before env/provider lookup. Production smoke returned HTTP 400 `UNSAFE_PROMPT_BLOCKED`. | OK. |
| Paid checkout remains disabled | PASS | Production `/api/credits` returned `paid_enabled:false`. Pricing/refund pages still state paid checkout disabled. | Runtime OK; copy needs provider-enabled wording cleanup. |
| No secrets in client bundle or public reports | PASS_WITH_CAUTION | Searched repo and public reports for `FAL_KEY` / likely secret patterns. Only variable names and model id found; no secret value found. `FAL_KEY` is referenced server-side only. | OK; clean old `.wrangler/tmp` artifacts before packaging if shipping source archives. |
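
The "no secrets in client bundle or public reports" gate separates two things that a plain text search lumps together: the identifier `FAL_KEY` appearing as a name (expected in server-side code and error strings) and the identifier bound to a literal value or a long random-looking token (a leak). The following Python scanner is an added example, not tooling from the project or this report; the sample bundle text and the placeholder key are constructed, and the 16-character literal length, 32-character token length and 3.5-bit entropy threshold are assumptions to tune per provider key format.

```python
import math
import re
from dataclasses import dataclass, field
from pathlib import Path

# Identifier(s) the recheck searched for. Seeing the name is expected in server code;
# seeing the name bound to a literal, or a long random-looking token, is not.
SECRET_NAMES = ("FAL_KEY",)
# Exact strings known to be harmless despite looking token-like (the model id from this report).
ALLOWLIST = {"fal-ai/flux-pro/kontext"}

NAME_ALT = "|".join(re.escape(n) for n in SECRET_NAMES)
REFERENCE_RE = re.compile(rf"\b({NAME_ALT})\b")
# NAME = "literal" or NAME: 'literal' with a literal of at least 16 characters (assumed minimum).
ASSIGNMENT_RE = re.compile(rf"""\b({NAME_ALT})\b\s*[:=]\s*["']([^"']{{16,}})["']""")
# Any bare token of 32+ secret-alphabet characters is checked for entropy.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-:]{32,}")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and repeated filler score low."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class ScanResult:
    references: int = 0                                     # bare mentions of the name (allowed)
    assigned_literals: list = field(default_factory=list)   # name bound to a literal (leak)
    high_entropy_tokens: list = field(default_factory=list) # random-looking tokens (review)

    @property
    def leaked(self) -> bool:
        return bool(self.assigned_literals or self.high_entropy_tokens)


def scan_text(text: str, entropy_threshold: float = 3.5) -> ScanResult:
    result = ScanResult()
    result.references = len(REFERENCE_RE.findall(text))
    result.assigned_literals = [m.group(2) for m in ASSIGNMENT_RE.finditer(text)]
    for token in TOKEN_RE.findall(text):
        if token in ALLOWLIST or token in result.assigned_literals:
            continue  # known-harmless, or already reported as an assignment
        if shannon_entropy(token) >= entropy_threshold:
            result.high_entropy_tokens.append(token)
    return result


def scan_paths(root: str, suffixes=(".js", ".mjs", ".html", ".json", ".txt", ".md")) -> dict:
    """Scan a built bundle or public-report directory; returns {path: ScanResult} for files with hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            res = scan_text(path.read_text(errors="replace"))
            if res.references or res.leaked:
                hits[str(path)] = res
    return hits


# Constructed sample of a clean client bundle: the identifier appears only as a name.
CLEAN_BUNDLE = """
const provider = "fal";
const model = "fal-ai/flux-pro/kontext";
// env.FAL_KEY is read inside the Worker only
throw new Error("FAL_KEY is not configured for this deployment");
"""

# Constructed leak counter-example using an obvious placeholder, not a real key.
LEAKED_BUNDLE = """
const model = "fal-ai/flux-pro/kontext";
const FAL_KEY = "PLACEHOLDER_NOT_A_REAL_KEY_0123456789abcdef0123456789abcdef";
"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_BUNDLE), ("leaked", LEAKED_BUNDLE)):
        r = scan_text(text)
        print(label, "references:", r.references, "leaked:", r.leaked, r.assigned_literals)
```

Run `scan_paths(".wrangler/tmp")` or `scan_paths("dist")` against the built output rather than the source tree, since a secret only reaches the client if it survives bundling. Long hex content hashes and commit ids will score above the entropy threshold and show up under `high_entropy_tokens`; treat that list as a review queue and extend `ALLOWLIST` as needed rather than lowering the threshold.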

## Production smoke evidence

### Unsafe prompt block

```json
{
  "http_status": 400,
  "body": {
    "ok": false,
    "code": "UNSAFE_PROMPT_BLOCKED",
    "message": "This request matches a blocked safety category."
  }
}
```

### Credits / paid checkout

```json
{
  "http_status": 200,
  "body": {
    "plan": "free",
    "daily_limit": 2,
    "remaining": 2,
    "paid_enabled": false
  }
}
```

### Safe provider generation

```json
{
  "http_status": 200,
  "ok": true,
  "provider": "fal",
  "model": "fal-ai/flux-pro/kontext",
  "image_url": "https://v3b.fal.media/...png",
  "preview_url": "https://v3b.fal.media/...png",
  "download_url": "https://v3b.fal.media/...png",
  "compliance": {
    "unsafe_prompt_blocked_before_provider": true,
    "site_storage": "none",
    "result_cache_ttl_hours": 24,
    "training_opt_out": "Provider request configured for one-off image editing; site does not use uploads/results for model training."
  }
}
```
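
The gate table above is a comparison of three smoke responses against an expected compliance state, plus a check that the public copy does not contradict that state. The Python below is an added example, not tooling from the project or this report: it embeds constructed copies of the three smoke responses shown above and a constructed excerpt of the stale `/privacy` copy quoted in this report, and the contradiction phrases are an assumed starting list.

```python
# Constructed copies of the three production smoke responses quoted in this report.
UNSAFE_PROMPT_RESPONSE = {
    "http_status": 400,
    "body": {"ok": False, "code": "UNSAFE_PROMPT_BLOCKED",
             "message": "This request matches a blocked safety category."},
}
CREDITS_RESPONSE = {
    "http_status": 200,
    "body": {"plan": "free", "daily_limit": 2, "remaining": 2, "paid_enabled": False},
}
GENERATION_RESPONSE = {
    "http_status": 200, "ok": True, "provider": "fal", "model": "fal-ai/flux-pro/kontext",
    "image_url": "https://v3b.fal.media/...png",
    "compliance": {"unsafe_prompt_blocked_before_provider": True,
                   "site_storage": "none", "result_cache_ttl_hours": 24},
}

# Constructed excerpt of the stale /privacy copy quoted in this report.
STALE_PRIVACY_COPY = """
We store prompt history to enable Undo/Redo states and library persistence for authenticated users.
We maintain temporary mirror copies to facilitate multi-format downloads and cloud-sync across editor sessions.
Anonymous Uploads - 24 Hours. Account Outputs - 30 Days.
STATUS: ENCRYPTED AT REST
"""

# Constructed excerpt of the corrected retention rows required by this report.
CORRECTED_PRIVACY_COPY = """
Anonymous source uploads: processing window only; not stored by AI Editor RSP in D1/R2/site media storage.
Anonymous generated results: 24 hours result URL window; no separate site-hosted mirror copy.
Prompts: request processing window only; no authenticated prompt-history storage is enabled.
"""


def gate_unsafe_prompt(resp) -> bool:
    """A blocked prompt must come back 400 UNSAFE_PROMPT_BLOCKED, i.e. rejected before any provider call."""
    return resp["http_status"] == 400 and resp["body"].get("code") == "UNSAFE_PROMPT_BLOCKED"


def gate_paid_checkout_disabled(resp) -> bool:
    return resp["http_status"] == 200 and resp["body"].get("paid_enabled") is False


def gate_retention_state(resp, expected_ttl_hours: int = 24) -> bool:
    """The compliance object must match the retention state the public copy is supposed to describe."""
    c = resp.get("compliance", {})
    return (resp.get("provider") == "fal"
            and c.get("unsafe_prompt_blocked_before_provider") is True
            and c.get("site_storage") == "none"
            and c.get("result_cache_ttl_hours") == expected_ttl_hours)


def stale_claims(copy_text: str, compliance: dict) -> list:
    """Return public-copy phrases that contradict the implemented compliance object."""
    text = copy_text.lower()
    claims = []
    if compliance.get("site_storage") == "none":
        # Any claim of site-side persistence contradicts site_storage=none.
        claims += [p for p in ("prompt history", "library persistence", "mirror copies",
                               "cloud-sync", "encrypted at rest") if p in text]
    ttl = compliance.get("result_cache_ttl_hours")
    if ttl is not None and ttl < 30 * 24 and "30 days" in text:
        claims.append("30 days")  # a 30-day output retention claim versus a shorter result window
    return claims


def run_recheck(unsafe, credits, generation, privacy_copy):
    """Evaluate the gates; verdict is GO only if every gate passes."""
    gates = {
        "unsafe_prompt_blocked_before_provider": gate_unsafe_prompt(unsafe),
        "paid_checkout_disabled": gate_paid_checkout_disabled(credits),
        "retention_matches_implementation": gate_retention_state(generation),
    }
    stale = stale_claims(privacy_copy, generation.get("compliance", {}))
    gates["public_copy_matches_implementation"] = not stale
    verdict = "GO" if all(gates.values()) else "NO_GO"
    return verdict, gates, stale


if __name__ == "__main__":
    for label, copy in (("stale", STALE_PRIVACY_COPY), ("corrected", CORRECTED_PRIVACY_COPY)):
        verdict, gates, stale = run_recheck(UNSAFE_PROMPT_RESPONSE, CREDITS_RESPONSE,
                                            GENERATION_RESPONSE, copy)
        print(label, verdict, gates, stale)
```

Phrase matching flags a phrase regardless of the sentence around it, so a corrected sentence that denies cloud-sync would still hit `cloud-sync`; the returned list is a review queue for the copy owner, and the gate should be read together with it rather than on its own.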

## Material copy defects

### 1. Privacy policy conflicts with implemented storage

Current `/privacy` says:

- "Assets are deleted after the retention period or upon manual workspace clearing."
- "We store prompt history to enable Undo/Redo states and library persistence for authenticated users."
- "We maintain temporary mirror copies to facilitate multi-format downloads and cloud-sync across editor sessions."
- Retention table: `Anonymous Uploads — 24 Hours`, `Account Outputs — 30 Days`.
- Data flow: "TEMP OUTPUT / Mirroring for UI Presentation".
- Status badge: "ENCRYPTED AT REST".

These statements do not match the implemented state:

- Site storage is `none` for uploads and results.
- The result URL is fal-hosted and is returned to the user as the preview/download URL.
- The anonymous result TTL is 24h according to the API compliance object.
- No account output storage or authenticated prompt history was verified in this provider implementation.

### 2. Terms do not disclose provider dependency clearly

Current `/terms` covers acceptable use, blocked categories, and disabled paid tiers, but it does not clearly say user uploads/prompts are sent server-side to fal for one-off image editing. It also says "Our system tracks source provenance for all industrial-grade transformations," which implies tracking beyond the verified implementation.

### 3. Refund/Pricing/Cookie pages still say provider generation is disabled

The following statements are now false or stale:

- `/refund`: "Provider generation is currently disabled."
- `/pricing`: "Private preview: generation provider is not enabled yet."
- `/pricing`: "Provider generation and paid credits are disabled until the final provider/model and billing settings are verified."
- `/cookie-policy`: `credits_remaining` purpose says "paid credits and provider generation are disabled in preview."

Paid checkout is still disabled, but provider generation is now enabled. These pages must distinguish the two states: provider generation is enabled; paid checkout, subscriptions, and credit packs are disabled.

## Exact copy changes required

### Privacy — replace Executive Summary / Uploaded Images paragraph

Replace:

> Images uploaded for processing are held in volatile memory during the transformation cycle. We do not use your source imagery for model training. Assets are deleted after the retention period or upon manual workspace clearing.

With:

> Images uploaded for processing are transmitted from our server-side Worker to fal for one-off image editing using `fal-ai/flux-pro/kontext`. AI Editor RSP does not store source uploads in D1, R2, or a site-owned media bucket. We do not use your source imagery or generated result for our own model training.

Also replace badge:

> STATUS: ENCRYPTED AT REST

With:

> STATUS: SITE STORAGE NONE

### Privacy — replace Prompts paragraph

Replace:

> User-input strings are processed via third-party APIs. We store prompt history to enable "Undo/Redo" states and library persistence for authenticated users.

With:

> User-input prompts are validated by AI Editor RSP safety filters first. If allowed, the prompt is sent server-side to fal with the uploaded image for one-off editing. The current preview does not provide authenticated prompt-history storage or persistent library sync.

### Privacy — replace Outputs paragraph

Replace:

> Generated imagery ownership remains with the operator (user). We maintain temporary mirror copies to facilitate multi-format downloads and cloud-sync across editor sessions.

With:

> Generated imagery ownership remains with the user, subject to rights in the source image and applicable law. The current implementation returns a fal-hosted generated image URL as the preview and download URL. AI Editor RSP does not maintain a separate site-hosted mirror copy or cloud-sync copy for anonymous preview results.

### Privacy — replace Data Flow labels

Replace:

> NODE CALL — Third-party Inference Processing

With:

> SERVER-SIDE FAL CALL — One-off image editing via fal-ai/flux-pro/kontext

Replace:

> TEMP OUTPUT — Mirroring for UI Presentation

With:

> FAL-HOSTED RESULT URL — Returned to user for preview/download

Replace:

> Download & Memory Purge

With:

> Download / 24h Anonymous Result Window

Replace note:

> Note: AI Editor RSP utilizes high-availability servers located in secure jurisdictional regions. All traffic is routed through encrypted nodes.

With:

> Note: AI Editor RSP is hosted on Cloudflare and calls fal server-side for image editing. We do not commit provider secrets to the client bundle, and we do not store anonymous source uploads or generated images in site-owned storage.

### Privacy — replace Retention Schedule rows

Replace table rows with:

| DATA ENTITY | RETENTION PERIOD | PURGE PROTOCOL |
| --- | --- | --- |
| Anonymous source uploads | Processing window only | Sent server-side to fal for one-off editing; not stored by AI Editor RSP in D1/R2/site media storage. |
| Anonymous generated results | 24 hours result URL window | A fal-hosted result URL is returned for preview/download; AI Editor RSP does not keep a separate site-hosted mirror copy. |
| Prompts | Request processing window only in current preview | Used for safety filtering and provider request; no authenticated prompt-history storage is enabled in current preview. |
| System/security logs | 30–90 days where generated by hosting/security providers | Used for security, abuse prevention, debugging, and aggregate reliability monitoring. |
| Payment records | Not collected while paid checkout is disabled | If payments are enabled later, Stripe will process card data and transaction/subscription records may be retained for accounting, tax, disputes, and fraud prevention. |

### Terms — add Provider Processing section after Acceptable Use Protocol

Add:

> Provider Processing. When you submit an allowed image-editing request, AI Editor RSP sends your uploaded image and prompt from our server-side Worker to fal using `fal-ai/flux-pro/kontext` for one-off processing. We return the provider-hosted generated image URL for preview and download. We do not store your anonymous source upload or generated result in site-owned D1/R2/media storage. Do not upload images unless you own them or have permission to edit and process them through a third-party AI provider.

### Terms — replace provenance overclaim

Replace:

> Use AI Editor RSP only with images you own or have permission to edit. Our system tracks source provenance for all industrial-grade transformations.

With:

> Use AI Editor RSP only with images you own or have permission to edit. You are responsible for keeping any source-rights records needed to prove that permission.

### Terms — keep safety/payment paragraph, but add provider-before-charge clarity

After current `UNSAFE PROMPTS REJECTED` paragraph, add:

> Safety filters run before provider processing. Requests blocked by these filters are not sent to fal by AI Editor RSP and are not charged by this site. Provider failures or timeouts after a request is accepted by the provider do not enable paid checkout or paid credit consumption in the current preview.

### Refund — update provider-enabled / payment-disabled wording

Replace:

> Preview-mode refund policy. Provider generation, paid checkout, subscriptions, and credit packs are disabled until provider, Stripe, and tax settings are verified.

With:

> Preview-mode refund policy. Server-side provider generation is enabled for limited preview through fal, but paid checkout, subscriptions, and credit packs remain disabled until Stripe, tax, and billing settings are verified.

Replace:

> Provider generation is currently disabled. After launch, failed generations that are not delivered and are not automatically recovered may receive credit restoration after technical review.

With:

> Provider generation is enabled for limited preview. Because paid checkout and paid credits remain disabled, provider failures currently do not create paid refund obligations. After paid launch, failed generations that are not delivered and are not automatically recovered may receive credit restoration after technical review.

### Pricing — update hero / FAQ wording

Replace:

> Private preview: generation provider is not enabled yet. Paid checkout and credits remain disabled until provider, Stripe, and tax settings are verified.

With:

> Private preview: server-side provider generation is enabled for limited testing through fal. Paid checkout and paid credits remain disabled until Stripe, tax, and billing settings are verified.

Replace:

> Provider generation and paid credits are disabled until the final provider/model and billing settings are verified.

With:

> Provider generation is enabled through fal for limited preview, while paid credits remain disabled until billing settings are verified.

### Cookie Policy — update stale provider-disabled references

Replace:

> Reserved for future editor limits; paid credits and provider generation are disabled in preview.

With:

> Reserved for future editor limits; paid credits are disabled in preview. Provider generation is handled server-side and does not rely on this cookie.

## Non-blocking cleanup

- Remove or rebuild stale `.wrangler/tmp/dev-*` artifacts before distributing source archives. They appear to contain older generated worker code with provider stub strings, not secrets, but they are noisy and can mislead reviewers.
- Footer copyright mismatch: `/terms` says `© 2024 RSP INDUSTRIAL AI`; align to `© 2026 AI Editor RSP`.
- Privacy metadata still says "provider-pending preview mode"; update to "limited provider preview mode".

## Final decision

NO_GO until P0 public legal copy is updated and redeployed.

The implementation-side compliance state is acceptable: the fal call is server-side, unsafe prompts are blocked before the provider call, site storage is none, the result TTL is 24h, paid checkout remains disabled, and no exposed secret value was found in the checked source or public reports. The blocker is public copy accuracy, not backend provider behavior.
