Your GDPR rights

The data controller for personal information you give Artinstring is Nik005566, the operator of artinstring.com. For any privacy or data-protection question, write to [email protected]. We aim to reply within seven days and will always respond within thirty.

• Account: email address, optional display name and avatar URL, your hashed password (if you used one), the date you signed up.
• Billing (Pro / Studio customers only): Stripe customer ID, subscription status, plan, and the renewal / cancellation timestamps. Card numbers and bank details are held by Stripe, never by us.
• Activity: prompts you ran and the inputs you supplied, runs you opted to share publicly, referrals you made, API tokens you minted (hash only, never the plaintext).
• Behavioural: aggregated, cookie-free analytics through Plausible — see the full event list at /docs/events.

Under GDPR Articles 15–22 you can ask us to do any of the following at any time, free of charge, without giving a reason:

• Access — get a copy of every piece of data we hold about you.
• Rectification — correct anything that's wrong or incomplete. Display name, email, and avatar can be edited from /me/profile without contacting us.
• Erasure — delete your account and the data attached to it. Use /me/settings for self-serve deletion, or email us. We retain the absolute minimum legally required (currently invoice records for seven years, per accounting law).
• Restriction — temporarily freeze processing while a complaint is resolved.
• Portability — receive your data in a machine-readable format. Email us and we'll send a JSON dump of your account, runs, and prompts.
• Objection — object to any processing we do on the basis of legitimate interest. We'll stop unless we can demonstrate compelling reasons that override your objection.
• Withdraw consent — wherever consent is the legal basis for processing (mainly product update emails), you can withdraw it at any time without affecting prior lawful processing.

Email [email protected] from the address attached to your account. Include the right you want to exercise (access, deletion, etc.). For deletion and portability we may verify identity via a short-lived link sent to your account email.

We process your data on these GDPR-recognised legal bases:

• Contract — running the prompts you submit and managing your subscription.
• Legitimate interest — preventing abuse, billing reconciliation, aggregated cookie-free analytics.
• Consent — any product-update emails you opt into.
• Legal obligation — invoice retention for tax purposes.

Some of our processors operate outside the EEA. Where they do, we rely on the European Commission's Standard Contractual Clauses (SCCs) and our processors' published GDPR commitments:

• Stripe (payments) — SCCs in place.
• Resend (transactional email) — SCCs in place.
• Plausible Analytics — EU-hosted (Germany), no transfer required.
• OVHcloud (hosting) — EU-hosted (France), no transfer required.
• Cloudflare (CDN, edge TLS) — SCCs in place.
• Inference providers (Replicate, OpenAI, Anthropic, Fal) — SCCs in place; only the prompt and inputs you submit for that specific run leave our infrastructure.

If you believe your privacy rights have been violated and we haven't resolved it, you can complain to your national data-protection authority. A directory of EU authorities is published by the European Data Protection Board.