# Privacy Policy

**Effective**: 2026-05-09
**Version**: 1.0 (Wave 4 Cycle 7 — Spriteoven)
**Operator**: Fer Gonzalez Llanos, a natural person (persona física), Ciudad Autónoma de Buenos Aires (CABA), Argentine Republic.

> Spriteoven is operated as a personal project by an individual, not a
> corporation. This document describes — in plain language — what data
> Spriteoven collects, how it is stored, what it is used for, and what
> rights you have over it.

---

## 1. Who we are

Spriteoven is a web tool that helps you generate, edit, and export pixel
art sprite sheets using third-party AI providers. The service is
operated by **Fer Gonzalez Llanos** as a sole individual based in CABA,
Argentina. There is no parent company, holding entity, or external
investors. References below to "we", "us", or "Spriteoven" refer to that
single operator.

**Contact**: fergonllan@gmail.com

---

## 2. What data we collect

We collect the **minimum data** required to make the product work.

### 2.1 Account data

When you sign up:

- **Email address** — used to authenticate you (password, magic link, or
  Google OAuth) and to send transactional messages (sign-up
  confirmation, magic link, account-recovery). Stored in Supabase Auth
  (managed identity provider).
- **User ID** — an opaque UUID issued by Supabase. We use this ID to
  scope every row you create in the database (Row-Level Security).

We **do not** ask for your real name, billing address, phone number, or
government ID.

### 2.2 Project and asset data

When you use the app:

- **Projects** — name, description, configuration (palette,
  naming convention, etc.).
- **Assets** — sprite-sheet files you generate or upload, plus metadata
  (prompt text, generator settings, tags, dimensions).
- **Asset versions** — historical versions of each asset, retained per
  the limits documented in `getting-started.md`.

All of the above are stored in **Supabase Postgres** (database) and
**Supabase Storage** (binary files). Access is enforced by **Row-Level
Security policies** keyed on your user ID — you can only read or write
your own rows. Spriteoven personnel (i.e. Fer) have administrative
access to the underlying database for operational reasons (debugging,
backups, restoring deleted data on user request).

### 2.3 BYOK (Bring Your Own Key) credentials

Spriteoven supports BYOK for premium AI providers (OpenAI, xAI, Google
Gemini, Imagen 4 if enabled). Your API key is:

- **Held in browser session storage** (cleared when you close the tab).
- **Sent to Spriteoven only as a per-request HTTP header** when you ask
  the server to call a provider on your behalf.
- **Used as a transit-only credential** — the server forwards it to the
  provider, returns the provider's response, and **does not log, store,
  cache, persist, or echo the key** in any database, file, or response
  body.

See `byok-disclaimer.md` for the technical detail and the residual risks
you should be aware of.

### 2.4 Operational telemetry

Server logs include the **timestamp, HTTP method, path, status code,
response size, and the operator-issued user ID** of authenticated
requests. They **do not** include API keys, prompt content, asset
binaries, or email addresses. Logs are retained for up to 30 days for
debugging and rate-limit enforcement and then rotated.

We do **not** load Google Analytics, Meta Pixel, Mixpanel, Hotjar, or
any other third-party analytics or session-replay script during Wave 4.

---

## 3. Cookies

Spriteoven uses the **minimum** cookies required for the app to work:

- **Supabase Auth session cookie** — keeps you signed in. First-party,
  HttpOnly, Secure, SameSite=Lax. Deleted when you sign out.

There are no advertising cookies, no cross-site tracking cookies, and no
consent-banner cookies because we do not load tracking scripts. If this
changes in a future version we will publish an updated policy and add a
consent UI.

---

## 4. Email

We use **Resend** (resend.com) to deliver transactional email:

- Sign-up confirmation.
- Magic-link sign-in.
- Account-recovery messages.
- Optional product update emails (**opt-in** at sign-up, can be turned
  off any time from your account settings).

Resend processes your email address on our behalf as a sub-processor.
Spriteoven does not run marketing email campaigns.

---

## 5. Third-party AI providers

When you generate a sprite, your prompt and (optionally) your reference
image are sent to the AI provider you selected:

- **Google Gemini / Imagen** — generative-language.googleapis.com.
- **OpenAI gpt-image-2** — api.openai.com.
- **xAI Grok Imagine** — api.x.ai.

Each provider has its own privacy policy, retention rules, and
training-data policy. Spriteoven does **not** add prompts, images, or
generations to any training corpus. We forward, we receive, we return.

If you bring your own API key (BYOK), you are interacting with that
provider under **your own account and your own billing**, governed by
**that provider's** terms.

---

## 6. Storage location and retention

- **Database and Storage**: Supabase project `spriteoven-prod`, region
  **South America (São Paulo, sa-east-1)**.
- **Email delivery**: Resend (United States — Frankfurt edge as
  fallback).
- **Server (web app)**: Vercel (global edge).
- **Asset retention**: assets and asset versions are retained until you
  delete them. Asset version history is capped per the limits in
  `getting-started.md` (oldest unpinned versions are pruned first).

---

## 7. Your rights (Argentina LFP 25.326 + GDPR alignment)

Spriteoven aligns voluntarily with **Argentina's Ley de Protección de
los Datos Personales 25.326** and, for users located in the EU/UK, the
**General Data Protection Regulation (GDPR)**.

You have the right to:

1. **Access** the personal data we hold about you.
2. **Rectify** inaccurate data (e.g. update your email).
3. **Delete** your data ("right to be forgotten") — this purges your
   account, projects, assets, and versions.
4. **Export** your data in a machine-readable format.
5. **Object** to processing or **restrict** it.
6. **Withdraw consent** for opt-in email at any time.

To exercise any of these rights, write to the contact address in §1.
We aim to respond within **10 business days** (Argentina LFP standard).

The Argentine supervisory authority is the **Agencia de Acceso a la
Información Pública (AAIP)** — you may file a complaint there if we
fail to respond in time.

---

## 8. Children

Spriteoven is **not directed to people under the age of 13**. If you
believe a minor has signed up, contact us and we will delete the
account.

---

## 9. Security

- TLS 1.2+ for all traffic between your browser and Spriteoven.
- Row-Level Security on every table that holds user data.
- Supabase service-role keys are kept in environment variables on the
  server only and never exposed to the browser.
- BYOK keys are not logged. See `byok-disclaimer.md` for the full
  threat model and residual risks.

No system is perfectly secure. If you find a vulnerability, please
report it to the contact email in §1.

---

## 10. Changes to this policy

If we make material changes we will publish an updated version at this
URL and bump the version number. Non-material wording fixes (typos,
clarifications) may be applied without a version bump.

---

## 11. Contact

For privacy questions, data-rights requests, or security reports:

- **Email**: fergonllan@gmail.com
- **Operator**: Fer Gonzalez Llanos, CABA, Argentina.
