Privacy Policy
Last updated: 2026-06-14 · Version 1.0.0-draft
Effective date: 2026-06-14. This Privacy Policy explains how we collect, use, share, and protect personal data when you use aichat-studio.
1. Who is the data controller
The data controller for aichat-studio is zmuleyu, sole proprietor, contactable at [email protected]. Our registered postal address is available on request to the same email. We do not currently appoint a Data Protection Officer (DPO) because we do not meet the GDPR Article 37(1) thresholds; we will appoint one if our processing scope changes.
2. What personal data we collect
- Account data — email address, display name, and OAuth provider identifier (Google), obtained via WorkOS at sign-in.
- Wallet data — credit balance and a ledger of credit transactions (purchases, holds, settlements, refunds), stored in our Cloudflare D1 database.
- Server access logs — IP address, user-agent, request path, and timestamps, retained for 90 days for security and debugging.
- Payment data — billing email and the last four digits of the card, plus a Creem-issued charge identifier. Full card details are handled by Creem; we do not see them.
- AI prompt data — the character card fields you submit to the AI enrich endpoint are forwarded to OpenRouter to produce the completion. We do not retain prompt bodies server-side beyond the hold-and-settle window and the 14-day refund window described in §6.
3. Why we collect it (legal basis under GDPR Article 6)
- Performance of contract (Art. 6(1)(b)) — account, wallet ledger, AI enrichment, payment processing.
- Legitimate interests (Art. 6(1)(f)) — server access logs for security, anti-fraud, and debugging. Our balancing test concludes these uses do not override your rights or freedoms.
- Legal obligation (Art. 6(1)(c)) — retaining payment records for tax purposes.
4. Who we share data with
We use a small number of sub-processors strictly to deliver the Service. The full list, including their purpose, data categories, and regions, is at Sub-processors. We do not sell or share your personal data for advertising, profiling, or any unrelated purpose.
5. International transfers
Some sub-processors are located outside the European Economic Area (EEA) or the United Kingdom. Specifically: Cloudflare operates a global edge; WorkOS and OpenRouter are based in the United States; Creem is based in Estonia. Transfers rely on the European Commission's Standard Contractual Clauses (SCCs) where applicable, the UK International Data Transfer Addendum (IDTA), and the sub-processor's own DPA terms. We do not transfer data to jurisdictions without adequate safeguards.
6. How long we retain personal data
- Account data — for the lifetime of your account plus six months after closure, to handle disputes and refunds.
- Wallet ledger — seven years from the date of the transaction, to comply with tax record-keeping obligations.
- Server access logs — 90 days.
- AI prompts — not retained beyond inference and the 14-day refund window.
7. Your rights (GDPR + UK GDPR)
You have the right to: access the personal data we hold about you; have it rectified if inaccurate; have it erased; restrict processing; receive a copy in a structured, machine-readable format (portability); object to processing based on legitimate interests; withdraw consent where processing is based on consent; and lodge a complaint with your local supervisory authority. To exercise any of these rights, email [email protected] with subject DSAR. We respond within 30 days as required by GDPR Article 12; we may extend by two further months for complex requests, notifying you within the initial 30 days.
8. California rights (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, delete it (subject to legal retention obligations), correct inaccuracies, limit use of sensitive personal information, and opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising, so there is no opt-out to file. You will not be discriminated against for exercising your rights.
9. Children
The Service is not directed to children under 13 (or under 16 in jurisdictions where that is the digital-consent age). We do not knowingly collect personal data from such children. If you believe a child has provided personal data, contact us and we will delete it.
10. Cookies
We use only strictly necessary cookies (session, refresh token). We do not use analytics, advertising, or cross-site tracking cookies, and therefore do not display a cookie banner. Details and a complete cookie inventory are at Cookies.
11. Security
We use TLS for data in transit, Cloudflare D1's at-rest encryption for data at rest, and a least-privilege secret store on Cloudflare Pages for credentials. We do not maintain copies of full payment card numbers, CVVs, or other "highly sensitive" data.
12. Breach notification
If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours where required by GDPR Article 33. Where required by GDPR Article 34 we also notify affected individuals without undue delay. As a merchant on the Creem platform, we additionally notify Armitage Labs OÜ (Creem) within 24 hours per their Terms.
13. Changes to this policy
For material changes we give at least 14 days' notice by email. We post the effective date at the top of this page on every revision.
14. Contact
Email [email protected]. See Contact for additional contact channels.