Privacy Policy
Last updated: June 6, 2026
1. Information We Collect
1.1 Account Information
When you sign in with Google, we receive:
- Email address
- Name (if provided by the OAuth provider)
- Profile picture URL (if provided)
- OAuth provider user ID
1.2 Payment Information
Payments are processed by Stripe. We store:
- Stripe customer ID (linked to your account)
- Transaction history (amounts, dates, credit balance)
We never store credit card numbers. Stripe handles all payment data.
1.3 Usage Data
| Data | Purpose | Retention |
|---|---|---|
| API requests | Billing, abuse prevention | 90 days |
| Credit transactions | Billing history | 7 years |
| Error logs | Debugging | 30 days |
| IP addresses (raw) | Rate limiting | Not persisted beyond the request |
| Device fingerprints (SHA-256 of IP + browser prefix) | Sign-in anomaly alerts | Capped at the 25 most recent devices per account; persist until you delete your account or remove the device |
| Audit log entries (key revoke, GDPR events) | Compliance, fraud, dispute resolution | 7 years (cold storage in R2) |
| Passkey credentials (WebAuthn public key + metadata) | Sign-in and step-up authentication | Until you remove the device or delete your account |
1.4 BYOK API Keys
If you store your own API keys (BYOK):
- Keys are encrypted with AES-256-GCM before storage, with a per-user PBKDF2 salt
- We never log or view your decrypted keys
- Keys are deleted when you remove them or close your account
2. How We Use Your Information
- Provide the Service: Process API requests, manage credits, authenticate you
- Billing: Process payments, track credit usage
- Security: Prevent abuse, detect fraud, enforce rate limits
- Improvements: Aggregate analytics to improve the service
- Communication: Send service updates, security alerts (you can opt out of marketing)
3. Information Sharing
We share your information only with:
- Stripe (United States): Payment processing. Stripe receives your email, billing details, and transaction history under their privacy policy.
- Cloudflare (United States, with edge presence worldwide): Hosting, KV storage, R2 object storage, CDN, DDoS protection. Cloudflare may process IP addresses and request metadata at the edge.
- LLM Providers (Anthropic, OpenAI, Google, xAI): When you use our LLM features, we send the relevant prompt text, conversation context, system instructions, and a stable per-account identifier (for rate-limiting and abuse prevention) to the upstream provider. In BYOK mode, this traffic uses your own API key and is governed by that provider's terms. In credits mode, it uses our keys.
- Email provider (Resend, SendGrid, AWS SES, or Mailgun depending on configuration): For transactional emails such as sign-in alerts and invite notifications.
- Legal requirements: When required by law, valid legal process, or to protect rights, property, or safety.
We never sell your personal data and do not share it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.
4. Data Security
- All data is transmitted over HTTPS (TLS 1.3)
- API keys encrypted with AES-256-GCM
- Session tokens use HMAC-SHA256
- Cloudflare DDoS protection
- Regular security audits
5. Your Rights
You have the right to:
- Access: Request a copy of your data
- Correction: Update inaccurate information
- Deletion: Close your account and delete your data
- Portability: Export your data in a standard format
- Opt-out: Unsubscribe from marketing emails
Contact support@pinepaper.studio to exercise these rights.
6. Cookies and Analytics
We use:
- Session cookies: To keep you logged in (HttpOnly, Secure)
- Google Analytics 4: Aggregate usage statistics (anonymized)
You can disable cookies in your browser settings, but this may affect functionality.
7. Children's Privacy
The Service is not intended for children. We do not knowingly collect data from anyone under 16 years of age. (This threshold is set above the COPPA floor of 13 to align with the higher of US and EU member-state requirements.) If you believe a minor has provided us with personal data, contact us immediately and we will delete it.
8. International Data Transfers
Your data may be processed in:
- Canada (operating entity)
- United States (Cloudflare, Stripe, certain LLM providers)
- European Union (Cloudflare edge servers)
- Wherever upstream LLM providers operate (when you use the LLM features)
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States and other jurisdictions not deemed adequate, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss data transfer mechanisms with our processors. Copies of the SCCs as incorporated into our processor agreements are available on request to support@pinepaper.studio.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Credit balance | Until account deletion |
| Transaction history | 7 years (legal requirement) |
| Usage logs | 90 days |
| Error logs | 30 days |
| BYOK API keys | Until you delete them |
| Passkey credentials | Until you remove the device or delete your account |
| Device fingerprints (login alerts) | 25 most recent per account; cleared on account deletion |
| Audit log entries (R2 cold storage) | 7 years |
| Conversation storage | 30 days (configurable); deletable on demand |
10. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated via email or service notification. Continued use after changes constitutes acceptance.
11. Contact Us
Questions about this Privacy Policy?
- Email: support@pinepaper.studio
- Website: pinepaper.studio
12. GDPR Information (EU/UK/EEA Users)
For users in the EU, UK, or EEA, PinePaper Studio acts as the data controller. The legal bases for processing are:
- Contract (Art. 6(1)(b)): Processing necessary to provide the Service you sign up for
- Legitimate interest (Art. 6(1)(f)): Security, fraud prevention, abuse detection, sign-in anomaly alerts, service improvement
- Consent (Art. 6(1)(a)): Non-essential analytics cookies, marketing communications
- Legal obligation (Art. 6(1)(c)): Tax, accounting, and compliance retention
You may exercise your rights to access, rectification, erasure, restriction, portability, and objection by contacting support@pinepaper.studio. You may also lodge a complaint with your local data protection authority.
13. California Residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect, the sources, purposes, and recipients
- Access the specific pieces of personal information we hold about you
- Delete your personal information (subject to legal retention exceptions)
- Correct inaccurate personal information
- Opt out of any sale or sharing of personal information for cross-context behavioral advertising
- Non-discrimination for exercising any of these rights
We do not sell personal information and do not share it for cross-context behavioral advertising as those terms are defined under California law. To exercise any right, email support@pinepaper.studio with the subject line "California Privacy Request". We will verify your identity using information already associated with your account.
14. India Residents (DPDPA 2023)
If you are in India, your rights under the Digital Personal Data Protection Act, 2023 include access, correction, completion, updating, erasure, and grievance redressal. To exercise these rights, contact our Grievance Officer:
- Grievance Officer: To be designated prior to general availability
- Email: support@pinepaper.studio (subject line: "DPDPA Request")
We respond to verified requests within 30 days. You may also approach the Data Protection Board of India if your request is not addressed.
15. Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights, we will notify the appropriate supervisory authority within 72 hours where required (e.g. GDPR Article 33), and notify affected users without undue delay where the breach is likely to result in a high risk to rights and freedoms. Where required by law (including the California CCPA and India's DPDPA), we will provide notice via email to the address on file and a notice posted at https://cloud.pinepaper.studio.
16. Cookie Consent
The cookie banner that appears on first visit lets you choose whether to allow non-essential cookies (currently: Google Analytics 4). Essential session cookies (authentication, CSRF, step-up) are set without consent because they are strictly necessary to provide the Service you requested.
17. Operating Entity
Entity placeholder. The legal entity operating PinePaper Cloud Studio, its registered address, and the contact details of any designated EU/UK representative or India grievance officer will be added here prior to general availability. Closed-beta users acknowledge that this information will be finalized before any non-deletable processing begins.