Privacy Policy

Last updated: October 29, 2025

Welcome to Crafiq! This Privacy Policy explains how Crafiq ("us", "we", or "our") collects, uses, shares, and protects information in relation to our website, application, and services (collectively, the "Service"). This policy applies to all visitors, users, and others who access the Service ("Users", "you", or "your"). By using the Service, you agree to the collection and use of information in accordance with this policy.

Our Terms of Service, available here, are incorporated by reference into this Privacy Policy. Please read both documents carefully.

For users in the European Economic Area (EEA), UK, and Switzerland, please pay special attention to the sections regarding your rights under the General Data Protection Regulation (GDPR).

1. Data Controller

The entity responsible for the processing of your personal data (data controller) is:

Crafiq.ai

Contact Email: contact@crafiq.ai

You can find our full legal information in our Impressum/Imprint.

2. Information We Collect

We collect different types of information for various purposes to provide and improve our Service to you.

a) Information You Provide Directly

Account Information: When you register for an account via email or social login (Google, Microsoft), we collect information necessary to create and manage your account, such as your name (optional, may come from social login), email address, chosen username (if applicable), and encrypted password or authentication tokens.
Input Data: We collect the text, images, audio, or other media files you upload or submit to the Service ("Input") to process your requests for generating assets.
Payment Information: When you purchase a subscription or credits, our payment processor, Stripe, collects your payment details (like credit card number, billing address). We do not directly store your full payment card details but may receive transaction confirmation information from Stripe.
Communications: If you contact us directly (e.g., for support), we collect the information you provide in your communications, such as your name, email address, and the content of your message.

b) Information Generated or Collected When You Use the Service

Output Data: We store the AI-generated images, 3D models, or other media ("Output") created using the Service. This Output is associated with your account.
Usage and Technical Data: We automatically collect certain information when you access and use the Service. This may include:
- Log Data: IP address, browser type, operating system, access times, pages viewed, and the page you visited before navigating to our Service. This data is collected primarily for security, troubleshooting, and service operation.
- Device Information: Information about the device you use to access the Service (e.g., device type, operating system version).
- Interaction Data: Information about how you interact with the Service, such as features used, content liked, packs created, or assets downloaded (excluding specific content details unless necessary for service provision).

c) Information from Third Parties

Social Logins: If you register or log in using a third-party service like Google or Microsoft, we receive certain information from that service as permitted by your privacy settings on that service, typically including your email address and potentially your name or profile picture.

3. How We Use Your Information

We use the information we collect for the following purposes:

To Provide and Maintain the Service: To operate the Service, authenticate users, process transactions, generate Output based on your Input, store your Content (Input and Output), allow you to organize Content in Packs, and provide customer support.
To Manage Your Account: To administer your account, including processing subscriptions and credit purchases via Stripe.
To Improve and Develop the Service:
- To analyze usage patterns and site performance using cookie‑free, privacy‑friendly analytics and Web Vitals (aggregated or anonymized).
- To potentially use Output data that you have set public (possibly in anonymized or aggregated form) to improve the Service, including potentially fine-tuning or training the AI models we utilize or develop in the future. Uploaded files are not used for model training beyond fulfilling your generation request.
To Communicate With You: To send you service-related communications (e.g., account verification, technical notices, security alerts, changes to terms or policies) and respond to your inquiries. We will only send marketing communications if you explicitly consent.
For Security and Fraud Prevention: To monitor for and prevent fraudulent activity, security incidents, and abuse of the Service.
To Comply with Legal Obligations: To comply with applicable laws, regulations, legal processes, or governmental requests.

4. Legal Basis for Processing (EEA/UK/Swiss Users)

If you are located in the EEA, UK, or Switzerland, our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the specific context in which we collect it:

Performance of a Contract: Much of our processing is necessary to perform our contract with you (the Terms of Service), such as creating your account, providing the core generation features, processing payments, and storing your Content as directed by you.
Legitimate Interests: We process some data based on our legitimate interests, provided these interests are not overridden by your data protection interests or fundamental rights and freedoms. This includes:
- Improving the Service using Output data that you have made public.
- Ensuring the security of our Service.
- Measuring usage and Web Vitals via cookie‑free analytics to understand and improve performance.
- Responding to your inquiries and providing non-essential service communications.
Legal Obligation: We may process data when necessary to comply with legal requirements.
Consent: We will rely on your consent for specific activities like sending marketing emails (if any) or using certain types of non-essential cookies. You can withdraw your consent at any time if you have previously given it.

We do not sell your personal data. We may share your information in the following circumstances:

With Service Providers: We share information with third-party vendors and service providers who perform services on our behalf, such as:
- Cloud hosting, database, and storage providers (e.g., Supabase, Google Cloud).
- Payment processors (e.g., Stripe).
- Infrastructure providers (e.g., Vercel).
- These providers are contractually obligated to protect your data and use it only for the services we request.
With Third-Party AI Model Providers: To generate Output, we send your Input to third-party AI service providers (e.g., OpenAI, Google, Replicate, fal, Deep Infra ). These providers process your Input according to their own terms and privacy policies. We only send the necessary Input for generation. Your use of the Service implies acknowledgment that this processing occurs.
With Other Users (Public Content): If you set assets to "public" (either individually or by making a Pack public), these assets become permanently accessible to other Users according to the license terms specified in our Terms of Service. This status is irreversible; making a Pack private again does not revert the public status of assets already shared. Your username may be associated with this public Content unless you choose to anonymize it upon account deletion.
For Legal Reasons: We may disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Business Transfers: In connection with a merger, acquisition, bankruptcy, reorganization, sale of assets, or other corporate change, your information may be transferred as part of the transaction.

6. Third-Party AI Services

As mentioned, the core functionality of our Service relies on sending your Input to, and receiving Output from, third-party AI model providers. Your interaction with these models through our Service is subject to the terms and privacy policies of those respective providers. We encourage you to review their policies to understand how they handle your data. Crafiq is not responsible for the data processing practices of these third-party AI providers.

We currently use:

OpenAI — https://openai.com/api/
Google Cloud — https://cloud.google.com/vertex-ai
Replicate — https://replicate.com/
fal — https://fal.ai/
Deep Infra — https://deepinfra.com/

7. Cookies and Similar Technologies

We use only essential cookies (if any) for authentication, session security, and required preferences.

We also collect privacy-friendly analytics and performance metrics to operate and improve the Service. These measurements are cookie‑free and do not use cross‑site tracking or advertising identifiers. The data captured may include page views, referrer, page URL/path, device and browser type, approximate location (country/region), and Web Vitals (e.g., LCP, INP, CLS, TTFB). We receive aggregated or de‑identified reports and do not build profiles for advertising or behavioral tracking. Because these analytics do not rely on cookies or similar tracking technologies, we do not display a cookie banner for them.

8. Data Security

We run the Service on reputable managed cloud providers and apply appropriate technical and organizational measures proportionate to the nature of the data we process. These include:

Encryption in transit (TLS/HTTPS) and encryption at rest provided by our hosting and database providers.
Access controls and least‑privilege permissions; operational access is limited to the service operator and is logged. We do not routinely view your content; any access is only for support, security, or legal reasons.
Secrets management for API keys and credentials.
Basic network and application protections (e.g., environment isolation, rate limiting, and abuse detection).
Backups and disaster‑recovery procedures with periodic restore checks.
Data minimization and retention/deletion practices as described in Section 9.
Contracts with our processors that require appropriate security measures.

No method of transmission or storage is 100% secure. If we become aware of a security incident affecting your personal data, we will notify you and, where required, regulators. You are responsible for safeguarding your account credentials and notifying us of any suspected unauthorized use.

9. Data Retention

We keep personal data only as long as necessary to provide the Service, comply with legal obligations, and prevent abuse. When it is no longer needed, we delete or anonymize it.

Account data: Kept while your account is active.
On account deletion: We immediately delete your profile data and private content (e.g., private packs and generated assets) and cancel any active subscriptions. Content you set to public remains available to others; we anonymize it by removing your username and profile association. Copies shared or embedded by others may persist.
Content housekeeping: Input and Output not organized into Packs may be automatically deleted after longer duration of inactivity. You can delete items at any time.
Fraud/abuse prevention: We retain your email address (or a hashed form) and limited security logs for up to 6 months after account deletion to prevent fraud, abuse, and chargebacks.
Payments and records: We keep transaction and invoicing records as required by applicable law (e.g., tax and accounting).
Backups: Deleted data may remain in encrypted backups for up to 30 days and is removed through routine rotation. Backups are not used for active processing.

10. International Data Transfers

Your information, including personal data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. Our primary service providers (Supabase, Stripe, Vercel, and major AI API providers) are typically based in the United States.

If you are located in the EEA, UK, or Switzerland, this means your personal data will be transferred outside of these regions, primarily to the United States. We rely on appropriate safeguards for such transfers, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable, as implemented by our service providers. By using the Service, you acknowledge these transfers.

11. Your Data Protection Rights (EEA/UK/Swiss Users)

If you are a resident of the EEA, UK, or Switzerland, you have the following data protection rights:

Right to Access: You can request copies of your personal data.
Right to Rectification: You can request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
Right to Erasure ('Right to be Forgotten'): You can request that we erase your personal data, under certain conditions.
Right to Restrict Processing: You can request that we restrict the processing of your personal data, under certain conditions.
Right to Object to Processing: You can object to our processing of your personal data based on legitimate interests, under certain conditions.
Right to Data Portability: You can request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
Right to Withdraw Consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority.

To exercise any of these rights, please contact us at contact@crafiq.ai. We will respond to your request in accordance with applicable data protection laws. We may need to verify your identity before processing your request.

12. Children's Privacy

Our Service is not intended for use by anyone under the age of 18 ("Children"). We do not knowingly collect personally identifiable information from Children. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.

13. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. If the changes are significant, we may provide a more prominent notice (like an email or in-app notification). You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

14. Contact Us

If you have any questions about this Privacy Policy, please contact us:

By email: contact@crafiq.ai