Privacy Policy

SIA ClefDev ("ClefDev", "we", "us") operates Aduarius by ClefDev (the "Service"). This Privacy Policy explains how we collect, use, and protect your personal information.

We are committed to compliance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Data Controller

The data controller for personal information collected via the Service is:

SIA ClefDev
Brīvības iela 103 - 12A
Rīga, Latvia
Email: design@clefdev.com

2. Information We Collect

2.1 Account Information

• Email address (required for magic link authentication)
• Display name (optional)
• Account creation date and login activity

2.2 Usage Data

• Prompts you submit to the Service
• Reference images you upload (when feature available)
• Generated images created via the Service
• Generation metadata: model used, style preset, format, timestamps
• Credit balance and transaction history

2.3 Technical Data

• IP address (collected by hosting provider Netlify for security and abuse prevention)
• Browser type, device type, operating system
• Session cookies (for authentication)
• Error logs (when something goes wrong, for debugging)

2.4 Communication Data

• Feedback you submit via the in-product feedback widget
• Emails you send to us

We do not knowingly collect data from anyone under 18.

3. How We Use Your Information

We process your information for the following purposes, with the legal basis indicated under GDPR:

• Provide the Service (generation, history, accounts) - Contract performance
• Send transactional emails (magic link, receipts) - Contract performance
• Send feedback notifications to internal team - Legitimate interest
• Fraud prevention and abuse detection - Legitimate interest
• Improve the Service (analytics, debugging) - Legitimate interest
• Process payments (when applicable) - Contract performance
• Comply with legal obligations - Legal obligation
• Marketing communications (only with consent) - Consent

We do not sell your personal information to third parties.

4. Third-Party Processors

We share data with the following processors who help us deliver the Service:

• Supabase (EU, Ireland) - Database, authentication. Receives: all account and usage data.
• Netlify (Global CDN) - Hosting. Receives: IP, browser data, requests.
• Replicate (US) - AI model inference. Receives: prompts, reference images.
• Resend (Global) - Transactional emails. Receives: email address, name.
• Stripe (Global, when active) - Payments. Receives: email, billing data.

All processors are bound by data processing agreements consistent with GDPR requirements. Cross-border data transfers (notably to Replicate in the US) rely on Standard Contractual Clauses approved by the European Commission.

5. Data Retention

We retain your personal information for as long as necessary to provide the Service and comply with legal obligations:

• Account data: until you delete your account
• Generated images: until you delete them or your account
• Prompts: 1 year after creation, then automatically purged from our database
• Aggregated usage metrics (anonymized): retained for service improvement
• Logs: up to 90 days
• Payment records: 7 years (legal requirement)

After 1 year, prompt text is automatically purged. This does not affect generated images you have downloaded to your own device or storage. You may also request earlier deletion at any time (see Section 8).

6. Reference Images

When you upload a reference image to influence generation, the file is stored in our Supabase Storage infrastructure (hosted in the EU) in a private bucket scoped to your user account. Reference images are:

• Accessible only to you via signed URLs valid for one hour
• Linked to the specific generation row that used them
• Retained for the same duration as the associated generation (one year, per our prompt retention policy)
• Deleted when you delete the associated generation, or after the retention period expires, whichever comes first

We do not use uploaded reference images to train any AI models. Reference images are passed to the third-party generation provider (Replicate / Google) solely for the purpose of producing your requested output, and are not retained by the provider beyond the duration of the generation request.

7. Cookies

We use minimal cookies, essential for the Service to function:

• Authentication session: keeps you logged in
• CSRF tokens: security protection

We do not use third-party tracking cookies, advertising cookies, or analytics cookies at this time. If we add such cookies in the future, we will request your explicit consent first.

8. Your GDPR Rights

If you are in the EU/EEA, you have the following rights:

• Right of access: request a copy of your personal data
• Right to rectification: correct inaccurate data
• Right to erasure ("right to be forgotten"): delete your data
• Right to data portability: receive your data in a machine-readable format
• Right to restrict processing: limit how we use your data
• Right to object: object to processing based on legitimate interest
• Right to withdraw consent: where processing is based on consent
• Right to lodge a complaint: with your local data protection authority. The Latvian DPA is Datu valsts inspekcija

To exercise these rights, contact design@clefdev.com. We will respond within 30 days.

9. Data Security

We implement reasonable technical and organizational measures to protect your data, including:

• Encryption in transit (HTTPS/TLS)
• Encryption at rest (Supabase database)
• Row-level security (RLS) ensuring users can only access their own data
• Limited internal access on a need-to-know basis
• Regular security review

No system is 100% secure. In the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required by GDPR (within 72 hours).

10. International Data Transfers

Your data may be processed outside the EU/EEA, notably:

• Replicate (US) for AI model inference
• Some Netlify CDN edge locations

These transfers are governed by Standard Contractual Clauses (SCCs) per the European Commission's adequacy framework.

11. Children's Privacy

The Service is not intended for users under 18. We do not knowingly collect data from minors. If you become aware that a minor has provided us with personal data, contact design@clefdev.com and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-product notice. The "Last updated" date at the top reflects the latest version.

13. Contact

For privacy questions or to exercise your GDPR rights:

SIA ClefDev
Brīvības iela 103 - 12A
Rīga, Latvia
Email: design@clefdev.com