Privacy Policy
Last updated: 2026-06-17
1. Data we collect
- Account: email address, password (stored as a salted hash via werkzeug.security, never plaintext), optional TOTP secret.
- Usage: prompts, generation parameters, generated outputs, job timestamps, audit events for login / signup / verification / billing.
- Technical: IP address of login attempts and audit events, browser-reported timing for performance debugging.
- Crypto payments: derived deposit addresses (public on-chain), invoice records, transaction hashes.
We do not collect government identity documents, payment-card data, or third-party social-network identities.
2. How we use it
- Operate the Service: authenticate users, run generations, deliver outputs.
- Prevent abuse: rate-limiting, fraud detection, debugging.
- Process uploaded reference images locally — including automated face detection — solely to operate generation and content-safety features; this is not used to identify anyone and is not shared.
- Comply with law: respond to lawful legal requests, retain audit logs for a reasonable investigation window.
3. Sharing with third parties
- Third-party AI provider: we send your prompts and parameters to the provider that fulfills the generation. The provider may have its own retention policy.
- Email delivery (Resend): verification emails are sent through Resend; only your email address and the verification link are shared.
- Hosting infrastructure: standard cloud provider for the server. No third-party web analytics, no behavioural ad-tech, no cross-site trackers.
We do not sell user data. We do not run third-party trackers.
4. Retention
- Generated outputs: pruned automatically 30 days after creation.
- Audit events and login attempts: retained as long as needed for security, debugging, and abuse-prevention, and as required by law; may be removed earlier on an account-closure request.
- Account record: kept while the account exists.
5. Your rights
You can request:
- Export of the data tied to your account.
- Deletion of your account and associated data (audit and security logs may be retained for a limited period as required by law or to prevent abuse).
Send requests to owner@rendermix.app from the email associated with your account.
6. Security
Passwords are hashed with werkzeug's scrypt-based generate_password_hash. Sessions use Secure / HttpOnly / SameSite=Lax cookies plus server-side CSRF tokens on every state-changing request. The application is served over TLS with HTTP/2.
7. Children
The Service is not intended for users under 18. We do not knowingly collect data from minors.
8. Changes
Material changes to this policy will be posted on the dashboard. Continued use after notice constitutes acceptance.