Back to Home

Privacy Policy

Last updated: January 11, 2025

Privacy Policy

Last Updated: January 11, 2025

Data Controller

Tinkershop OÜ Private Limited Company registered in Estonia Registration Number: 12487237 VAT Number: EE102201642 Registered Address: Hiiu maakond, Hiiumaa vald, Riidaküla, Papli, 92015, Estonia Contact: vibesprite@vibesprite.com

What Data We Collect

Account Information

  • Email address (required for account creation)
  • Display name (optional, via Google OAuth)
  • Profile picture URL (optional, via Google OAuth)

Usage Data

  • IP address (for security and rate limiting)
  • Browser user agent
  • Generation requests (prompts, generated images)
  • Credit transactions (amounts, timestamps)

Authentication Data

  • OAuth tokens (Google sign-in)
  • WebAuthn credentials (passkeys, if used)
  • Magic link tokens (temporary, email-based login)

Personal Photos (User-Uploaded Content)

  • Reference images you upload for sprite generation
  • These images may contain personal identifiable information
  • Stored securely on our servers for sprite generation purposes
  • Retained for up to 1 year after your last credit purchase
  • Processed in accordance with GDPR Article 6(1)(a) (consent) and Article 9 (special categories of personal data)

Why We Process Your Data

Legal Basis (GDPR Article 6 and Article 9)

1. Contract Performance (Article 6(1)(b)) - To provide the sprite generation service you've signed up for 2. Legitimate Interest (Article 6(1)(f)) - For security, fraud prevention, and service improvement 3. Consent (Article 6(1)(a) and Article 9) - For: - Optional features like Google OAuth (can be withdrawn) - Processing personal photos you upload for sprite generation - Storage and use of your uploaded images for AI processing

Important: When you upload personal photos (e.g., selfies, photos containing identifiable individuals), you explicitly consent to Tinkershop OÜ processing these images for the purpose of generating sprites. This consent can be withdrawn at any time by contacting vibesprite@vibesprite.com, though this will prevent sprite generation from those images.

How We Use Your Data

  • Service Delivery: Process generation requests, manage credits
  • Authentication: Verify your identity and maintain sessions
  • Security: Prevent abuse, detect fraud, rate limiting
  • Support: Respond to inquiries and resolve issues
  • Legal Compliance: Comply with Estonian and EU law

Third-Party Services

We share data with:

  • Stripe (payments) - Credit card details, transaction amounts
  • Google (OAuth, Gmail API) - Email address, profile info (if you use Google sign-in)
  • RunPod (AI generation) - Your generation prompts and reference images

Each processor has their own privacy policy and GDPR compliance.

Data Retention

  • Account data: Retained while your account is active
  • Generated sprites and uploaded images: Retained for up to 1 year after your last credit purchase. After this period, all your generated content and uploaded reference images are automatically deleted from our servers. This policy helps us manage storage costs while giving you time to download your content.
  • Generation metadata (prompts, timestamps): Retained for 2 years or until account deletion
  • Payment records: Retained for 7 years (Estonian legal requirement for financial records)
  • Logs: Retained for 90 days

Important: You can download your generated content at any time. To retain your content beyond 1 year, simply make any credit purchase (even a small one) which resets the 1-year retention timer.

Your Rights (GDPR)

You have the right to:

  • Access your data (free, within 30 days)
  • Rectification of incorrect data
  • Erasure ("right to be forgotten")
  • Data portability (machine-readable format)
  • Object to processing
  • Withdraw consent at any time
  • Lodge a complaint with Estonian Data Protection Inspectorate

Contact us at vibesprite@vibesprite.com to exercise these rights.

Data Security

We implement appropriate technical and organizational measures:

  • Encrypted credentials (Rails credentials)
  • HTTPS/TLS encryption
  • Rate limiting and abuse prevention
  • Regular security updates

Cookies

We use essential cookies only:

  • Session cookie: Required for authentication
  • CSRF token: Required for security

No tracking or analytics cookies.

International Data Transfers

Data may be processed outside the EU by our service providers (Stripe, RunPod, Google). These transfers are covered by Standard Contractual Clauses or adequacy decisions.

Children's Privacy

Our service is not directed at children under 16. We do not knowingly collect data from children.

Changes to This Policy

We will notify you of material changes via email or prominent notice on the website.

Contact & Complaints

For data protection inquiries, please contact:

Tinkershop OÜ Email: vibesprite@vibesprite.com Address: Hiiu maakond, Hiiumaa vald, Riidaküla, Papli, 92015, Estonia

Supervisory Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) Website: www.aki.ee Email: info@aki.ee

Terms of Service