GRPHIX // PRIVACY POLICY

// LAST UPDATED: MAY 2025 · GDPR COMPLIANT

// TL;DR — Your images never leave your browser. We only store your email, subscription status, and saved presets. We don't sell your data. Ever.

1. Who We Are

GRPHIX ("we", "us", "our") operates the website grphix.com. We are the data controller for personal data collected through this Service. For privacy questions contact support@grphix.com.

2. Data We Collect

Data	Why	Stored Where
Email address	Account & subscription management	Supabase (EU)
Subscription status	Access control	Supabase (EU)
Stripe customer ID	Payment management	Supabase (EU)
Saved presets	Cloud sync across devices	Supabase (EU)
Payment info	Billing	Stripe only — we never see card data

Images you process are never uploaded to our servers. All image processing happens entirely in your browser using JavaScript. We have no access to your images at any point.

3. How We Use Your Data

To create and manage your account
To process and verify your subscription payment
To sync your saved presets across devices
To send transactional emails (account setup, payment receipts)
To respond to support requests

We do not use your data for advertising, profiling, or any automated decision-making.

4. Legal Basis (GDPR)

We process your personal data under the following legal bases:

Contract — processing necessary to provide the Service you subscribed to
Legal obligation — retaining transaction records as required by law
Legitimate interests — security, fraud prevention, and service improvement

5. Third-Party Services

We use the following third-party processors:

Supabase — database and authentication (EU data centres)
Stripe — payment processing (they are the data controller for payment data)
Resend — transactional email delivery
Vercel — hosting and serverless functions

We do not sell, rent, or share your personal data with any other third parties.

6. Data Retention

Account data is retained while your account is active
When you delete your account, all personal data is permanently deleted immediately
Payment transaction records may be retained for up to 7 years for legal/tax compliance (held by Stripe)

7. Your Rights (GDPR)

As a user in the EU/EEA you have the following rights:

Access — request a copy of your personal data
Rectification — correct inaccurate data
Erasure — delete your account and all associated data via account settings
Portability — receive your data in a machine-readable format
Objection — object to processing based on legitimate interests
Restriction — request we limit processing of your data

To exercise any right, email support@grphix.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Cookies & Local Storage

GRPHIX uses browser localStorage to store:

Your authentication session token (Supabase)
Locally saved presets and edit history
UI preferences

We do not use advertising cookies, tracking pixels, or analytics. No third-party cookies are set by our Service.

9. Security

We implement industry-standard security measures including encrypted connections (HTTPS), hashed passwords, and JWT-based authentication. Payment data is handled exclusively by Stripe and never touches our servers.

In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by GDPR.

10. Children's Privacy

GRPHIX is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it immediately.

11. Changes to This Policy

We may update this policy periodically. We will notify subscribers of material changes via email. Continued use of the Service after changes constitutes acceptance of the updated policy.

// PRIVACY QUESTIONS: support@grphix.com