Privacy Policy

Effective: 2026-05-09 Version: 1.0 (Wave 4 Ciclo 7 — Spriteoven) Operator: Fer Gonzalez Llanos, persona física, Ciudad Autónoma de Buenos Aires (CABA), República Argentina.

Spriteoven is operated as a personal project by an individual, not a corporation. This document describes — in plain language — what data Spriteoven collects, how it is stored, what it is used for, and what rights you have over it.

1. Who we are

Spriteoven is a web tool that helps you generate, edit, and export pixel art sprite sheets using third-party AI providers. The service is operated by Fer Gonzalez Llanos as a sole individual based in CABA, Argentina. There is no parent company, holding entity, or external investors. References below to "we", "us", or "Spriteoven" refer to that single operator.

Contact: legal@spriteoven.com

2. What data we collect

We collect the minimum data required to make the product work.

2.1 Account data

When you sign up:

• Email address — used to authenticate you (password, magic link, or Google OAuth) and to send transactional messages (sign-up confirmation, magic link, account-recovery). Stored in Supabase Auth (managed identity provider).
• User ID — an opaque UUID issued by Supabase. We use this ID to scope every row you create in the database (Row-Level Security).

We do not ask for your real name, billing address, phone number, or government ID.

2.2 Project and asset data

When you use the app:

• Projects — name, description, configuration (palette, naming convention, etc.).
• Assets — sprite-sheet files you generate or upload, plus metadata (prompt text, generator settings, tags, dimensions).
• Asset versions — historical versions of each asset, retained per the limits documented in getting-started.md.

All of the above are stored in Supabase Postgres (database) and Supabase Storage (binary files). Access is enforced by Row-Level Security policies keyed on your user ID — you can only read or write your own rows. Spriteoven personnel (i.e. Fer) have administrative access to the underlying database for operational reasons (debugging, backups, restoring deleted data on user request).

2.3 Operational telemetry

Server logs include the timestamp, HTTP method, path, status code, response size, and the operator-issued user ID of authenticated requests. They do not include API keys, prompt content, asset binaries, or email addresses. Logs are retained for up to 30 days for debugging and rate-limit enforcement and then rotated.

We do not load Google Analytics, Meta Pixel, Mixpanel, Hotjar, or any other third-party analytics or session-replay script during Wave 4.

3. Cookies

Spriteoven uses the minimum cookies required for the app to work:

• Supabase Auth session cookie — keeps you signed in. First-party, HttpOnly, Secure, SameSite=Lax. Deleted when you sign out.

There are no advertising cookies, no cross-site tracking cookies, and no consent-banner cookies because we do not load tracking scripts. If this changes in a future version we will publish an updated policy and add a consent UI.

4. Email

We use Resend (resend.com) to deliver transactional email:

• Sign-up confirmation.
• Magic-link sign-in.
• Account-recovery messages.
• Optional product update emails (opt-in at sign-up, can be turned off any time from your account settings).

Resend processes your email address on our behalf as a sub-processor. Spriteoven does not run marketing email campaigns.

5. Third-party AI providers

When you generate a sprite, your prompt and (optionally) your reference image are sent to the AI provider you selected:

• Google Gemini / Imagen — generative-language.googleapis.com.
• OpenAI gpt-image-2 — api.openai.com.
• xAI Grok Imagine — api.x.ai.

Each provider has its own privacy policy, retention rules, and training-data policy. Spriteoven does not add prompts, images, or generations to any training corpus. We forward, we receive, we return.

Provider API keys live in server environment variables only — Spriteoven holds the relationship with each provider on its account. BYOK ("Bring Your Own Key") was retired 2026-05-19; see docs/archive/byok-disclaimer.md for the historical policy.

6. Storage location and retention

• Database and Storage: Supabase project spriteoven-prod, region South America (São Paulo, sa-east-1).
• Email delivery: Resend (United States — Frankfurt edge as fallback).
• Server (web app): Vercel (global edge).
• Asset retention: assets and asset versions are retained until you delete them. Asset version history is capped per the limits in getting-started.md (oldest unpinned versions are pruned first).

7. Your rights (Argentina LFP 25.326 + GDPR alignment)

Spriteoven aligns voluntarily with Argentina's Ley de Protección de los Datos Personales 25.326 and, for users located in the EU/UK, the General Data Protection Regulation (GDPR).

You have the right to:

1. Access the personal data we hold about you.
2. Rectify inaccurate data (e.g. update your email).
3. Delete your data ("right to be forgotten") — this purges your account, projects, assets, and versions.
4. Export your data in a machine-readable format.
5. Object to processing or restrict it.
6. Withdraw consent for opt-in email at any time.

To exercise any of these rights, write to the contact address in §1. We aim to respond within 10 business days (Argentina LFP standard).

The Argentine supervisory authority is the Agencia de Acceso a la Información Pública (AAIP) — you may file a complaint there if we fail to respond in time.

8. Children

Spriteoven is not directed to people under the age of 13. If you believe a minor has signed up, contact us and we will delete the account.

9. Security

• TLS 1.2+ for all traffic between your browser and Spriteoven.
• Row-Level Security on every table that holds user data.
• Supabase service-role keys are kept in environment variables on the server only and never exposed to the browser.
• Provider API keys (OpenAI, xAI, Gemini) live in the same server env store; we never expose them in responses or logs.

No system is perfectly secure. If you find a vulnerability, please report it to the contact email in §1.

10. Changes to this policy

If we make material changes we will publish an updated version at this URL and bump the version number. Non-material wording fixes (typos, clarifications) may be applied without a version bump.

11. Contact

For privacy questions, data-rights requests, or security reports:

• Email: legal@spriteoven.com
• Operator: Fer Gonzalez Llanos, CABA, Argentina.