Privacy Policy

Last updated: April 9, 2026

CraftPrompt Studio ("CraftPrompt," "we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our website and services at craftprompt.studio (the "Service").

This Privacy Policy is designed to comply with the European Union's General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, and other applicable data protection legislation. We encourage you to read this Policy carefully and contact us if you have any questions.

1. Data Controller

The data controller responsible for your personal data is:

CraftPrompt Studio

Email: hello@craftprompt.studio

Website: craftprompt.studio

For all data protection inquiries, please contact us at hello@craftprompt.studio.

3. Personal Data We Collect

3.1 Account Information

When you register for an account, we collect:

  • Full name
  • Email address
  • Password (stored in hashed, irreversible form using bcrypt)
  • Avatar/profile image (if provided)

3.2 Payment Information

When you subscribe to a paid plan, the following payment-related data is stored:

  • Stripe customer identifier (stripe_id)
  • Payment method type (e.g., card brand)
  • Last four digits of your payment method

Important: Full credit card numbers, CVVs, and other sensitive payment details are processed and stored exclusively by Stripe and are never transmitted to or stored on our servers. Please refer to Stripe's Privacy Policy for details on how they handle your payment data.

3.3 Usage Data

We track the following usage metrics to enforce plan limits and improve the Service:

  • Daily prompt generation count
  • Daily video generation count
  • Daily image generation count
  • Total tokens consumed

3.4 User-Generated Content

When you use the Service, we store:

  • Scene descriptions and prompts you submit
  • AI-generated prompts produced for you
  • Generated images (stored on our local server filesystem)
  • Generated videos (stored on our local server filesystem)
  • Reference images you upload
  • Prompt history and metadata (timestamps, model used, settings)

3.5 Session and Technical Data

When you access the Service, the following technical data is automatically collected:

  • IP address
  • User agent string (browser type, version, operating system)
  • Session data (stored in our database, expires after 120 minutes of inactivity)

3.6 Data We Do Not Collect

We do not currently use any analytics or tracking services (such as Google Analytics, Facebook Pixel, or similar). We do not collect location data beyond what may be inferred from your IP address. We do not collect data from social media profiles.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Service Delivery: To create and manage your account, authenticate your identity, generate prompts, images, and videos based on your inputs, and provide access to all features of the Service.
  • Subscription Management: To process payments, manage your subscription status, enforce plan limits, and handle billing-related communications.
  • Usage Enforcement: To track and enforce daily usage limits for prompt, image, and video generation according to your subscription plan.
  • Service Improvement: To understand how the Service is used and to improve its features, performance, and user experience.
  • Security: To protect against unauthorized access, fraud, and abuse, and to maintain the security and integrity of the Service.
  • Communication: To send you important account-related notifications, including changes to our Terms, Privacy Policy, subscription status, and security alerts.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

5. Data Shared with Third Parties

We share personal data with third-party service providers only as necessary to operate the Service. We do not sell your personal data to any third party. The following third parties may receive your data:

Anthropic (Claude API)

Data shared: Your scene descriptions and prompt inputs.

Purpose: Primary AI model for generating optimized prompts from your descriptions.

Location: United States

Anthropic Privacy Policy

OpenAI (GPT-4o)

Data shared: Your scene descriptions and prompt inputs.

Purpose: Fallback AI model for prompt generation when the primary model is unavailable.

Location: United States

OpenAI Privacy Policy

Google (Gemini)

Data shared: Your scene descriptions, prompt inputs, and reference images (for image generation).

Purpose: Fallback AI model for prompt generation and image generation.

Location: United States

Google Privacy Policy

xAI (Grok)

Data shared: Your scene descriptions and prompt inputs.

Purpose: Fallback AI model for prompt generation.

Location: United States

xAI Privacy Policy

fal.ai

Data shared: Generated prompts, reference images, and configuration parameters.

Purpose: Video generation across multiple models (Seedance, Kling, Luma, Minimax, Veo, Runway).

Location: United States

fal.ai Privacy Policy

Stripe

Data shared: Name, email address, payment method details.

Purpose: Secure payment processing and subscription billing.

Location: United States (with global infrastructure)

Stripe Privacy Policy

We may also disclose your data if required by law, court order, or governmental request, or if we believe in good faith that such action is necessary to protect the safety or rights of CraftPrompt, our users, or the public.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following retention periods apply:

Data Type | Retention Period
--- | ---
Account information | Until account deletion
Payment records | Until account deletion (billing records may be retained as required by tax law)
Generated content (prompts, images, videos) | Until account deletion (cascade deleted)
Reference images | Until account deletion (cascade deleted)
Usage metrics | Daily counts reset every 24 hours; aggregate data retained until account deletion
Session data | 120 minutes of inactivity, then automatically purged

When you delete your account, all associated personal data and content are permanently removed from our systems through cascade deletion. Data that has been shared with third-party services prior to deletion is subject to those services' own retention policies.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation:

7.1 Right of Access (Art. 15)

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and where that is the case, to request access to the personal data and information about how it is processed. We are currently developing a data export feature to facilitate this right. In the meantime, you may request a copy of your data by contacting us at hello@craftprompt.studio.

7.2 Right to Rectification (Art. 16)

You have the right to obtain the rectification of inaccurate personal data concerning you. You can update your name, email, and avatar directly through your Profile settings. For other data corrections, please contact us.

7.3 Right to Erasure / Right to Be Forgotten (Art. 17)

You have the right to request the deletion of your personal data. You can delete your account at any time through your Profile settings, which triggers cascade deletion of all associated data, including your prompts, generated images, generated videos, reference images, and account information. We will process erasure requests without undue delay and within 30 days at most.

7.4 Right to Restriction of Processing (Art. 18)

You have the right to request the restriction of processing of your personal data in certain circumstances, including when you contest the accuracy of the data, when the processing is unlawful and you oppose erasure, or when we no longer need the data but you require it for legal claims.

7.5 Right to Data Portability (Art. 20)

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. We are actively developing a data export feature to facilitate this right. Until this feature is available, you may request a data export by contacting us at hello@craftprompt.studio, and we will provide your data in a standard format (JSON or CSV) within 30 days.

7.6 Right to Object (Art. 21)

You have the right to object to the processing of your personal data based on legitimate interests. Upon receiving your objection, we will cease processing the data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

7.7 Right to Withdraw Consent (Art. 7(3))

Where we process your personal data based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

7.8 Right to Lodge a Complaint (Art. 77)

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement. A list of EU data protection authorities is available at edpb.europa.eu.

7.9 Exercising Your Rights

To exercise any of the above rights, please contact us at hello@craftprompt.studio. We will respond to your request within 30 days. We may request verification of your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.

8. International Data Transfers

Several of the third-party services we use to operate the Service are based in the United States, which the European Commission has not recognized as providing an adequate level of data protection under Article 45 of the GDPR.

When your data is transferred to these services, we rely on the following safeguards to ensure adequate protection:

  • EU-U.S. Data Privacy Framework: Where applicable, our third-party providers participate in and have certified their compliance with the EU-U.S. Data Privacy Framework.
  • Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we rely on European Commission-approved Standard Contractual Clauses as the legal mechanism for data transfers to third countries.
  • Data Minimization: We only transmit the minimum data necessary for each service to perform its function (e.g., only your scene description is sent to AI providers, not your full account information).

The third-party services receiving data transfers include: Anthropic (US), OpenAI (US), Google (US), xAI (US), fal.ai (US), and Stripe (US, with global infrastructure).

9. Children's Privacy

The Service is not intended for use by children. We require all users to be at least 18 years of age. In certain EU member states, the minimum age for consenting to data processing may be as low as 16 years under Article 8 of the GDPR; however, our Terms require users to be 18 or older regardless of local variations.

We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe that a child under 18 has provided us with personal data, please contact us immediately at hello@craftprompt.studio.

10. Cookies

We use a limited number of strictly essential cookies that are necessary for the operation of the Service. We do not use any analytics, advertising, or tracking cookies.

For a detailed explanation of the cookies we use and how to manage them, please see our Cookie Policy.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
  • Password Security: User passwords are hashed using bcrypt and are never stored in plaintext.
  • CSRF Protection: All form submissions are protected by CSRF tokens to prevent cross-site request forgery attacks.
  • Session Security: Sessions are stored in the database with automatic expiration after 120 minutes of inactivity.
  • Access Control: User data is isolated by account, and access to server infrastructure is restricted to authorized personnel only.
  • Payment Security: All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. We never store or handle full payment card details.

While we strive to protect your data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data, but we are committed to taking all reasonable measures to protect it.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

  • Notify the Supervisory Authority: We will report the breach to the relevant data protection supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
  • Notify Affected Users: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email, in accordance with Article 34 of the GDPR. The notification will describe the nature of the breach, the likely consequences, and the measures we have taken or propose to take to address the breach.
  • Document the Breach: We will maintain a record of all data breaches, including the facts, effects, and remedial actions taken.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this Policy.
  • Notify you via email at least 30 days before the changes take effect.
  • Post a prominent notice on the Service.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

CraftPrompt Studio — Data Protection

Email: hello@craftprompt.studio

Website: craftprompt.studio

We aim to respond to all data protection inquiries within 30 days of receipt.