Privacy Policy

Effective 2026-05-22

This policy explains what personal data Clipap (clipap.com) collects, why, who it is shared with, and the rights you have under the EU General Data Protection Regulation (GDPR) and equivalent laws.

1. Data controller

STZ Solution, a sole proprietorship registered in Poland, is the controller of personal data processed through Clipap.

STZ Solution
ul. Meteorologów 27
40-526 Katowice
Poland
Privacy contact: contact@clipap.com

2. What we collect

We process the following categories of personal data:

  • Account data — email address, display name, and (for Google sign-in) the Google account ID. For email/password accounts we store a bcrypt hash of your password, never the plaintext.
  • Workspace data — project names, store-listing copy, screenshots and other assets you upload, locale lists, font and brand selections, and the workspace’s token-wallet balance.
  • AI input/output — the prompts and project context you submit to AI features, plus the model output we receive back. We retain a short request log for debugging and billing reconciliation.
  • Billing metadata — subscription status, plan, and token-pack purchases. We do not store payment card details; those are held by Paddle (see §5).
  • Operational data — limited server logs (timestamps, IP address, user-agent, error traces) needed to keep the Service running and to detect abuse.

3. Purposes and legal bases

We process the data above for these purposes:

  • Providing the Service — authenticating you, storing your projects, generating assets on demand. Legal basis: performance of the contract (GDPR Art. 6(1)(b)).
  • Billing — recording what you bought and reconciling Paddle transactions. Legal basis: performance of the contract; legal obligation for tax records (GDPR Art. 6(1)(b) and (c)).
  • Security and abuse prevention — rate-limiting, fraud detection, audit logs. Legal basis: legitimate interest in keeping the Service safe (GDPR Art. 6(1)(f)).
  • Service communications — password-reset emails, billing receipts, security notices, and material changes to these policies. Legal basis: performance of the contract and our legitimate interest in keeping you informed.

4. Sub-processors and recipients

We rely on the following sub-processors. Where they store data outside the European Economic Area, transfers are covered by the European Commission’s Standard Contractual Clauses or an equivalent adequacy mechanism.

  • Cloudflare, Inc. — hosting (Cloudflare Pages), database (D1), object storage (R2), edge security. Stored primarily in the EU region where available.
  • Google LLC — Google Sign-In identity provider when you choose “Continue with Google”.
  • Anthropic, PBC — AI model provider for listing copy and editorial features. Your prompts and project context are sent at request time. Anthropic does not use your data to train its models when accessed through the API.
  • OpenAI, OpCo, LLC — AI model provider for logo generation. Prompts and (where applicable) reference images are sent at request time. OpenAI does not use API data to train its models by default.
  • Paddle.com Market Limited — merchant of record for payments. Paddle collects the payment instrument, billing address, and tax information directly from you and acts as an independent controller for that data.
  • MXroute (Hostwerks LLC) — outbound transactional email (password resets, billing receipts).

5. Payments handled by Paddle

When you buy a subscription or token pack, the transaction takes place between you and Paddle.com Market Limited (Paddle), acting as merchant of record. Paddle collects the payment details, the billing address you provide, and the tax information needed to issue you an invoice. We receive only the resulting subscription metadata (status, plan, renewal date) and the transaction ID. For the data Paddle controls directly, see Paddle’s own privacy policy at paddle.com/legal/privacy.

6. Retention

We keep account and workspace data for as long as your account is active. If you delete your account, we erase your projects, assets, and personal data within 30 days, except for records we are legally required to retain (for example, invoices needed to satisfy Polish tax-law retention obligations, which we keep for five years from the end of the calendar year in which the invoice was issued). Server logs and AI request logs are kept for up to 90 days.

7. Your rights

Under the GDPR you have the right to (a) access the personal data we hold about you, (b) ask us to correct inaccurate data, (c) ask us to erase your data, (d) restrict or object to processing, (e) receive your data in a portable format, and (f) withdraw consent where we are relying on it. To exercise any of these rights, email contact@clipap.com. We will respond within one month.

You can also lodge a complaint with the Polish Personal Data Protection Office (UODO) at uodo.gov.pl, or with the supervisory authority in your country of residence.

8. Security

We protect data in transit with TLS, hash passwords with bcrypt, and store assets under access-scoped presigned URLs. Sessions are signed JWT cookies with a 7-day rolling expiry. We are a small team and apply reasonable, industry-standard security measures; no system is perfectly secure.

9. Cookies and similar technologies

We use one strictly necessary cookie to keep you signed in (the Auth.js session cookie). We do not use third-party advertising or tracking cookies. If we add analytics in the future, we will either use a privacy-preserving, cookieless tool or update this policy and seek your consent first.

10. Children

Clipap is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

If we change this policy materially, we will email registered users and post a notice on this page before the change takes effect. The “Effective” date at the top reflects the current version.

12. Contact

For any privacy question, email contact@clipap.com. See also the Terms of Service and the Refund Policy.