Skip to content

Legal

Privacy Policy

Last updated 2026-05-07

Artinstring is a one-person SaaS run by Kalin in Spain. This page explains what data we collect, why, who else sees it, and how to remove it.

Data we collect

  • Account data: email address (required for sign-in), an opaque user id, sign-up date.
  • Run data: the prompt you ran, the variables you supplied, the generated output, timestamps, and which model was used. Saved so you can revisit your library.
  • Billing data: Stripe customer id, subscription status, period end date. Card numbers are NOT stored on our servers — Stripe handles those.
  • BYO API keys: if you configure provider keys in /me/settings, we store them encrypted with AES-256-GCM. Decrypted in-memory only at the moment a run is dispatched.
  • Server logs: standard request logs (IP, path, status code) kept for 30 days for security and debugging.

Third parties we share data with

  • Stripe (USA, GDPR-adequacy via SCCs) — receives your email and subscription state for billing.
  • Resend (USA, GDPR-adequacy via SCCs) — sends sign-in emails. Receives your email address only.
  • Inference providers (Replicate, Fal.ai, OpenAI, Anthropic, all USA) — receive the prompt text and inputs for each run you submit. We don't forward your account info, only the prompt content.
  • OVH (France) — hosts the VPS and S3-compatible object storage where your generated outputs live.
  • Cloudflare (USA, GDPR-adequacy via SCCs) — fronts the public site and may temporarily cache static assets.

We don't sell or rent data. We don't use ad-tracking pixels or analytics beyond standard server access logs.

Cookies

Artinstring uses one essential cookie: a session token (Better-Auth) that keeps you signed in. No tracking cookies, no analytics cookies, no ad cookies.

Your rights (GDPR)

You have the right to:

  • Access your data — email [email protected] for a copy.
  • Correct your data — change your email by reaching out.
  • Delete your account — same email, with subject "delete account". Deletion cascades to all your runs, outputs, BYO keys, and quota records. Stripe customer record can also be removed on request.
  • Export your data — included in any access request.

Retention

  • Account + run data: until you delete your account.
  • Server logs: 30 days.
  • Stripe billing records: as long as Stripe's policies require, typically 7 years for tax purposes. Beyond our control.

Changes to this policy

We'll bump the effective date and email signed-in users when something material changes. The current version is always at this URL.

Contact

Questions, complaints, or data requests: [email protected].

Spanish data protection authority (AEPD) handles complaints if we don't resolve yours.