Privacy Policy

1. Contact Details

For any questions, requests, or concerns about your personal data, please contact privacy@compassion.ink. General support: support@compassion.ink. Digital Services Act notices: dsa@compassion.ink.

We have not appointed a Data Protection Officer because the conditions under Article 37 GDPR are not met. The contacts above are the responsible point of contact for all data-protection matters.

2. Categories of Personal Data

Account data. When you create an Account, we collect: e-mail address; optional display name; authentication identifiers (such as a Google account ID if you sign in with Google); date of registration.

Billing data. When you purchase credits, we collect: amounts paid; transaction identifiers from our payment service provider; billing address (where required for invoicing or tax compliance); VAT identification number for business customers who choose to provide it. We do not store full payment-card numbers; payment-card details are entered directly into our payment service provider’s interface and are not transmitted to us.

Service usage data. When you use the Service, we record: images you generate (parameters, selected variant, timestamps, language of the rendered word, technical metadata); credit balance and ledger entries; Account events such as log-in, password change, and auto-recharge configuration changes.

Communications. When you contact us at any of the e-mail addresses listed in Section 1 (or reply to a service e-mail), we receive your e-mail address, the content of your message, and any attachments.

Technical data. When you visit the Website, we receive: IP address; user-agent string; basic device and browser characteristics; referrer URL; timestamps of requests. This data is automatically generated by your browser; we use the minimum necessary for security and operations.

3. Lawful Bases and Purposes

We process personal data only where we have a lawful basis under Article 6 GDPR. The principal bases and purposes for our processing are:

• Contract (Art. 6(1)(b)): creating and managing your Account, generating images you request, processing payments, operating the Public Gallery.
• Legal obligation (Art. 6(1)(c)): issuing receipts and tax documents, maintaining accounting records.
• Legitimate interests (Art. 6(1)(f)): detecting and preventing fraud and abuse, service security, monitoring, back-ups, resolving complaints, and pursuing legal claims.
• Consent (Art. 6(1)(a)): sending marketing communications, where given.

Where we rely on legitimate interests, you have the right to object on grounds relating to your particular situation; we will then balance our interest against your rights and inform you of the outcome.

4. Recipients and International Transfers

We share personal data only with parties who help us deliver the Service (processors), with parties to whom we are legally required to disclose data, or in connection with corporate transactions. We never sell personal data.

Our principal subprocessors include Stripe, Google Cloud Platform, OpenRouter, Cloudflare, and Brevo. The list with purposes and countries of processing is set out in the Subprocessors section below.

Public Gallery. Images you generate may be displayed publicly in the Public Gallery, as described in our Terms. The image itself is published; we do not publish your e-mail address or other Account identifiers alongside the image unless you voluntarily include such information in a caption.

International transfers. Some of our processors operate outside the European Economic Area. When personal data is transferred to a country outside the EEA, we rely on safeguards in accordance with Chapter V of the GDPR, primarily Standard Contractual Clauses approved by the European Commission, or an adequacy decision where one is in force. You may contact us at privacy@compassion.ink to request a copy of the relevant safeguards.

5. Subprocessors

The following processors and providers receive personal data in the contexts noted. The list is current as of the effective date of this policy and is updated when our service stack changes.

• Stripe Payments Europe, Limited — payment processing and fraud prevention. Data: billing data, transaction metadata. Country of processing: Ireland / EEA, with onward transfer to the United States under SCCs.
• Google Cloud EMEA Limited / Google LLC — backend hosting infrastructure (Cloud Run, Cloud SQL, Cloud Storage, Secret Manager) and authentication via Google Sign-In. Data: Account data, service usage data, technical data. Country of processing: Czech Republic (europe-west3) for hosting; some Google services in the United States under SCCs.
• OpenRouter, Inc. — access to AI image generation models. Data: image-generation parameters; no Account-identifying personal data is included in prompts. Country of processing: United States under SCCs.
• Cloudflare, Inc. — DNS, Email Routing, network protection, Pages hosting for the public Website, and R2 object storage for generated images. Data: Account data, service usage data, technical data, e-mail metadata, generated image files. Country of processing: multiple regions; SCCs where applicable.
• Brevo SAS — transactional and (where consented) marketing e-mail delivery. Data: Account e-mail address, message content. Country of processing: France / EEA.

6. Retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting, and reporting requirements. Indicative periods:

• Account data — duration of the Account; up to 12 months after closure for security and dispute purposes.
• Billing data — 10 years from the end of the accounting period in which the transaction occurred (Czech Act on Accounting).
• Service usage data — 24 months for fraud detection and operational analytics; aggregated form thereafter.
• Communications — 24 months after the last contact, unless required to be retained longer for a legal claim.
• Server access logs and security events — 90 days, unless extended for an active investigation.
• Public Gallery images — indefinitely while published; back-ups for a reasonable period after takedown.

7. Your Rights

Under the GDPR you have the following rights, which you can exercise by contacting us at privacy@compassion.ink:

• Right of access to your personal data (Art. 15);
• Right to rectification of inaccurate or incomplete data (Art. 16);
• Right to erasure (“right to be forgotten”) in the cases listed in Article 17;
• Right to restriction of processing (Art. 18);
• Right to data portability of data you provided to us (Art. 20);
• Right to object to processing based on legitimate interests (Art. 21);
• Right to withdraw consent at any time, where processing is based on your consent (Art. 7(3)).

We will respond to a verifiable request without undue delay and in any case within one month, extendable by up to two further months for complex requests with prior notice.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for the Czech Republic is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Praha 7, Czech Republic, web uoou.gov.cz. You may also lodge a complaint with the supervisory authority of your EU member state of residence or place of work.

8. Cookies and Technical Storage

The Website uses a small number of strictly necessary cookies and local-storage entries to operate (such as authentication tokens and session state). These are set on a contractual / legitimate-interest basis and do not require consent under Czech and EU law because they are strictly necessary for the Service requested by the user.

We do not use third-party advertising cookies. If we add analytics or marketing technologies that require consent, we will introduce a cookie consent banner and update this policy.

9. Children

The Service is not intended for children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@compassion.ink and we will take appropriate steps to delete the data.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our processing, in legal requirements, or in our service stack. We will publish the updated policy on the Website with a new effective date and, for material changes, we will give Account holders advance notice by e-mail or in-app notification.