Privacy Policy

Effective date: May 17, 2026 Last updated: May 17, 2026

This Privacy Policy is published in plain language and intended to be read in full. Items in [brackets] are open questions that will be resolved before the Service exits beta. This document should be reviewed by qualified legal counsel before being relied upon.

1. Who we are

This Privacy Policy describes how Inktag ("Inktag," "we," "us," or "our") collects, uses, and discloses information when you visit inktag.io, use our APIs, SDKs, dashboards, or any related services (collectively, the "Service").

Inktag is an independent project operated by an individual sole operator (the "Operator"). It is not a registered company. For all privacy correspondence — including questions, complaints, and data-subject requests — please contact us by email:

Email: hi@inktag.io

We do not publish a postal address. If we are required by applicable law to identify a data-protection representative or DPO, contact details will be added here.

2. Scope

This Policy applies to data we collect from:

Visitors to inktag.io and any subdomains we operate.
Users who sign up for the private beta, an account, or our newsletter.
Developers who use our API, SDK, or dashboards.

This Policy does not apply to third-party websites or services that link to, or integrate with, the Service. Those have their own privacy practices.

3. Information we collect

3.1 Information you provide

Account and beta-signup data — name, email address, company or website, and your free-text description of intended use ("what will you generate").
Brand configuration data — color palette, style descriptors, aspect/format preferences, "never include" lists, and any other settings you submit to your brand profile.
Prompts and inputs — the prompts, parameters, and reference inputs you submit to generate images through the Service.
Communications — support requests, feedback, and any other content you send us.

3.2 Information collected automatically

Usage data — API call volumes, latencies, error rates, feature usage, render counts, cache hit rates.
Device and log data — IP address, browser type and version, operating system, referring URL, pages viewed, timestamps, crash logs.
Cookies and similar technologies — see Section 8.

3.3 Information from third parties

Analytics and advertising partners — aggregated and pseudonymous data from our analytics and ad partners (see Sections 7 and 8).
Image-generation providers — we do not collect end-user data from these providers, but we receive the generated output and processing metadata (latency, cost, model identifier).

3.4 Sensitive data

We do not intentionally collect special categories of personal data (race, religion, health, biometric data, etc.). Please do not submit such data to the Service. If you do, you authorize us to process it for the purposes set out in this Policy.

4. How we use information

We use the information above to:

Provide the Service — authenticate you, render images from prompts, deliver assets, apply your brand configuration, and operate our cache.
Improve and develop the Service — debug routing, measure latency, evaluate model quality, build new features.
Communicate with you — send transactional emails (beta invitations, account updates, security notices) and, with your consent or where permitted, product updates.
Personalize dashboards, default settings, and onboarding.
Prevent abuse — detect fraud, enforce our Terms, secure the Service, and comply with law.
Comply with legal obligations and protect our rights and the rights of others.

We do not sell your personal data, as that term is defined in applicable U.S. state privacy laws (including the CCPA/CPRA).

5. AI-generation specifics

Because the core of the Service is AI image generation, we want to be explicit:

Prompts and brand configuration are sent to third-party model providers (see Section 7) for the purpose of generating images at your request.
We do not use your prompts, brand configuration, or generated images to train our own foundation models.
Our model providers may temporarily process your prompts to generate outputs. We select providers whose terms commit to not training their foundation models on customer prompts, where available. We rely on provider representations and cannot independently verify all provider practices.
Generated images are cached in our object storage according to the cache TTL you configure. After expiration, they are deleted in the ordinary course.
You are responsible for the prompts you submit and for ensuring they do not violate intellectual-property, privacy, or other rights. See our Terms for prohibited uses.

6. Legal bases (EU/UK/Swiss users)

If you are in the EU/EEA, UK, or Switzerland, we process your personal data on one or more of the following bases:

Purpose	Legal basis (GDPR Art. 6)
Providing the Service to you	Contract (Art. 6(1)(b))
Security, fraud prevention, abuse detection	Legitimate interests (Art. 6(1)(f))
Service improvement and analytics	Legitimate interests (Art. 6(1)(f))
Marketing emails to existing customers	Legitimate interests (Art. 6(1)(f)) / soft opt-in
Marketing emails to prospects	Consent (Art. 6(1)(a))
Cookies that are not strictly necessary	Consent (Art. 6(1)(a))
Legal and regulatory compliance	Legal obligation (Art. 6(1)(c))

You can withdraw consent at any time without affecting prior processing.

7. Sharing and disclosure

We disclose information only as described below.

7.1 Service providers (processors / sub-processors)

We share information with vendors that help us run the Service, subject to contractual confidentiality and data-protection obligations:

Hosting and infrastructure — Railway
Database and auth — Supabase
Analytics — PostHog
Advertising and measurement — Google Ads (conversion tracking via the gtag.js script)
AI model providers — OpenAI, fal.ai, Replicate, and others added from time to time

A current list of sub-processors and model providers is available on request to hi@inktag.io.

7.2 Legal and safety

We may disclose information when we believe in good faith that disclosure is necessary to:

comply with a law, regulation, subpoena, or court order;
protect the rights, property, or safety of Inktag, our users, or others;
enforce our Terms or investigate violations;
detect, prevent, or respond to fraud, abuse, or security issues.

7.3 Business transfers

If the Service is transferred or sold (for example, to a company later formed by the Operator, or to a third party), information may be transferred as part of that transaction. We will notify you (e.g., by email or a notice on the Service) before your information becomes subject to a materially different privacy policy.

7.4 Aggregate and de-identified data

We may share aggregated or de-identified data that cannot reasonably be used to identify you for any lawful purpose, including marketing, analytics, and research.

8. Cookies, analytics, and tracking

We use cookies and similar technologies for:

Strictly necessary purposes — authentication, security, load balancing.
Functional purposes — remembering preferences (e.g., theme, locale).
Analytics — measuring usage of inktag.io and the Service (PostHog).
Advertising and conversion measurement — Google Ads conversion tag (loaded on inktag.io to measure ad campaign performance via URL-based conversion events).

You can manage cookies through your browser settings. Where required by law, we will request your consent for non-essential cookies and provide an interface to manage your choices.

Do Not Track: the Service does not respond to "Do Not Track" signals because no common standard has been agreed.

9. International transfers

The Operator is based in Chandigarh, India, and the Service relies on hosting and processing infrastructure in multiple countries, including India, the United States, and the European Union. Where personal data is transferred out of the EU/EEA, UK, or Switzerland to a country that has not been deemed adequate, we rely on appropriate safeguards — including the European Commission's Standard Contractual Clauses and equivalent UK and Swiss mechanisms — as flowed through to us by our hosting and processing vendors. A copy of the safeguards used is available on request to hi@inktag.io.

10. Data retention

We retain personal data for as long as necessary to provide the Service and fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

Account data — for the life of the account, plus a reasonable period for backups, dispute resolution, and accounting obligations.
Beta application data — if you are not accepted into the beta and do not opt into other communications, we delete or anonymize your application within 12 months of the close of the beta program.
Prompts and generated images — retained per the cache TTL you configure; otherwise deleted in the ordinary course.
Log and analytics data — typically retained for 13 months, after which it is aggregated or deleted.
Marketing data — until you withdraw consent or unsubscribe.

We may retain de-identified or aggregated data indefinitely.

11. Your privacy rights

11.1 EU/EEA, UK, and Swiss residents

You have the right to:

access your personal data;
request correction of inaccurate data;
request deletion ("right to be forgotten");
restrict or object to processing;
request portability of data you provided;
withdraw consent at any time (without affecting prior processing);
lodge a complaint with your local supervisory authority.

11.2 California residents (CCPA/CPRA)

You have the right to:

know what personal information we collect, use, disclose, and (where applicable) sell or share;
request deletion of personal information;
request correction of inaccurate personal information;
opt out of "sale" or "sharing" of personal information (we do not sell or share as those terms are defined);
limit use of sensitive personal information (we do not knowingly process sensitive personal information for purposes that would trigger this right);
non-discrimination for exercising your rights.

11.3 Other U.S. state residents

Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws have similar rights. We honor those rights to the extent required by applicable law.

11.4 How to exercise your rights

Email hi@inktag.io with your request. We will verify your identity before responding, generally within 30 days (or 45 days where permitted, with notice). We will not discriminate against you for exercising your rights. An authorized agent may submit a request on your behalf with written authorization.

12. Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, access controls, and provider hardening. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

13. Children

The Service is not directed to children under 16 (or the age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have collected personal data from a child, contact hi@inktag.io and we will delete it.

14. Third-party links

The Service may contain links to third-party websites or services we do not operate. Their privacy practices are governed by their own policies. We are not responsible for their content or practices.

15. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or by a prominent notice on the Service). The "Last updated" date at the top of this Policy indicates when it was last revised. Continued use of the Service after the effective date of any update constitutes acceptance of the updated Policy.

16. Contact

All privacy questions, requests, and complaints can be sent to:

Email: hi@inktag.io

Email is the appropriate channel for all privacy correspondence; we do not publish a postal address.