Privacy Policy
- Effective date: May 27, 2026
- Last modified: May 17, 2026
- Version: v2.2
Contents
- 1. Introduction & Summary
- 2. Who we are & how to reach us
- 3. Information we collect
- 4. How we use information (with legal basis)
- 5. Third-party AI providers
- 6. Other service providers
- 7. How AI generation works (transparency)
- 8. Data retention
- 9. Your privacy rights
- 10. How to exercise your rights
- 11. Cookies & tracking
- 12. Global Privacy Control (GPC)
- 13. International data transfers
- 14. Security
- 15. Children & age gate
- 16. Automated decision-making
- 17. Data breach notification
- 18. State-specific notices (US)
- 19. Changes to this policy
- 20. Contact information
1. Introduction & Summary
Privacy at a glance. Artifio.ai is a platform that lets you create images, videos, audio, and text using AI models made by other companies (OpenAI, Google, Anthropic, Runway, ElevenLabs, and others). When you submit a prompt, we forward it to the AI provider you selected to process your request. We do not train our own AI models on your data, and we do not sell or share your personal information for advertising. You are in control of your account, your prompts, and your generations — you can view, export, or delete them at any time.
This Privacy Policy explains, in detail:
- What information we collect and why
- Which third parties we share it with and what they do with it
- Your legal rights (GDPR, UK GDPR, LGPD, CCPA/CPRA, TDPSA, and other state and national privacy laws)
- How to exercise those rights
We try to write in plain language where we can. Legal terms are used only when necessary. If anything is unclear, contact us at privacy@artifio.ai — we'll explain.
Controller. Artifio.ai (operated by Ampersands AI) is the data controller for personal data processed in connection with the Artifio.ai website, web app, and all related services. This Privacy Policy applies to all of those services. See §2 for our contact details.
2. Who we are & how to reach us
| Role | Contact |
|---|---|
| Legal entity | Artifio.ai, operated by Ampersands AI |
| Principal place of business | 539 W Commerce St, Ste 5263, Dallas, Texas 75208, USA |
| General contact | hello@artifio.ai |
| Privacy & data rights | privacy@artifio.ai (primary) |
| DMCA / copyright | copyright@artifio.ai |
| Security incidents | security@artifio.ai |
| NCII / TAKE IT DOWN Act reports | abuse@artifio.ai (48-hour removal commitment) |
| EU DSA notices | dsa@artifio.ai |
| Appeal a moderation decision | appeal@artifio.ai |
| Billing questions | billing@artifio.ai |
| Data Protection Officer (DPO) | To be appointed before launch. Contact privacy@artifio.ai in the interim. |
| EU Representative (GDPR Art. 27) | To be appointed before launch. Contact privacy@artifio.ai in the interim. |
| UK Representative (UK GDPR Art. 27) | To be appointed before launch. |
| DSA EU Legal Representative | To be appointed before launch. |
Response times. We respond within 30 days (GDPR / UK GDPR), 45 days extendable to 90 (CCPA / CPRA), 15 working days extendable to 30 (LGPD), and 45 days (Texas TDPSA).
3. Information we collect
3.1 Information you give us
| Data | Source | Purpose | Required? |
|---|---|---|---|
| Email address | Clerk signup (any provider) | Account access, transactional email | Yes |
| Display name | Clerk profile | Account display | Optional |
| Profile photo | Clerk profile | Account display | Optional |
| Payment method | Dodo / Stripe (we never store card numbers) | Processing wallet top-ups and Gold subscription | For paid actions only |
| Billing address | Dodo / Stripe | Tax calculation, fraud prevention, invoice compliance | For paid actions only |
| Prompts and uploaded media | Your input | Submitted to the AI provider you selected | Yes (for generations) |
| Support messages | Your contact | Responding to you | When you contact us |
Authentication is provided via Clerk and supports email/password, passkeys, magic links, Google, Apple, GitHub, Microsoft, and other social logins.
3.2 Information we collect automatically
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| IP address (full, then truncated to /24 IPv4 or /64 IPv6 after 30 days) | Security, fraud prevention, approximate geolocation for regional compliance, lead-source attribution (first-touch country) | Legitimate interest (Art. 6(1)(f)) |
| Device and browser characteristics (user agent, viewport, OS) | Compatibility, fraud signals, lead-source attribution (first-touch device type) | Legitimate interest |
| Approximate location (country + region, derived from IP) | Regional pricing, regional compliance (GDPR vs TDPSA vs LGPD), lead attribution | Legitimate interest |
| UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) — only when present in the URL when you first visit | Lead-source attribution and marketing-funnel analysis. Captured ONCE per user (first touch) and never overwritten. | Consent for EU/UK/Brazil; legitimate interest for US |
| First landing page path and HTTP referrer | Understanding which entry surfaces convert. Captured ONCE per user (first touch). | Consent for EU/UK/Brazil; legitimate interest for US |
| Usage events (pages viewed, clicks, form submits, scroll depth, rage/dead clicks) — captured via PostHog's autocapture feature on the post-consent client | Product analytics, measuring funnels, detecting broken UX | Consent for EU/UK/Brazil; legitimate interest for US |
| Core Web Vitals (LCP/CLS/INP/FCP/TTFB) — collected by Sentry, PostHog, and Vercel Speed Insights in parallel for cross-tool corroboration | Performance monitoring | Consent (EU) / legitimate interest (US) |
| Page views and custom product events (Vercel Analytics, PostHog) | Funnel + retention analysis | Consent required (consent-gated; no events fire pre-opt-in) |
| Error reports (Sentry) | Reliability | Legitimate interest (PII redacted) |
3.3 Information from third parties
- Clerk returns your user ID, email verification status, and whatever profile fields you consented to share with Clerk from your chosen social provider. See Clerk's data handling.
- Dodo Payments / Stripe give us the last 4 digits of your card, cardholder name, transaction status, and invoice metadata. We never receive your full card number.
- No advertising networks, data brokers, or marketing-enrichment vendors supply us with personal data.
3.4 Prompts, uploaded media, and generated outputs
These need distinct treatment from the categories above:
- Prompts and uploaded media are forwarded to the AI provider you chose. Provider-specific retention varies (see §5).
- Generated outputs are stored in your library, encrypted at rest in Cloudflare R2, and auto-deleted after 14 days unless you download them. This is a product limitation, not a privacy feature; we disclose it so you know to save anything you want to keep.
- We do NOT use your prompts or generated outputs to train our own AI models.
4. How we use information (with legal basis)
Every processing activity has a documented legal basis. For GDPR, that basis is one of the six grounds in Article 6. The table below pairs each purpose with its GDPR basis, TDPSA basis, and LGPD Article 7 basis.
| Purpose | GDPR Art. 6 | LGPD Art. 7 | TDPSA |
|---|---|---|---|
| Providing the core service (auth, generation, wallet) | Art. 6(1)(b) — Contract | Art. 7, V — Contract | Performance of contract |
| Processing payments and taxes | Art. 6(1)(b) — Contract; Art. 6(1)(c) — Legal obligation (tax) | Art. 7, V, VI | Performance of contract + legal obligation |
| Sending transactional emails (receipts, security alerts, subscription notices) | Art. 6(1)(b) — Contract | Art. 7, V | Performance of contract |
| Product analytics and service improvement | Art. 6(1)(a) — Consent (EU/UK); Art. 6(1)(f) — Legitimate interest (outside EU/UK) | Art. 7, IX — Legitimate interest (LIA documented) | Legitimate purpose |
| Security, fraud prevention, abuse detection | Art. 6(1)(f) — Legitimate interest | Art. 7, IX | Security purpose |
| Content moderation (pre-generation and stored content screening) | Art. 6(1)(f) — Legitimate interest; Art. 6(1)(c) — Legal obligation (CSAM, NCII) | Art. 7, II — Legal obligation | Legal obligation + legitimate purpose |
| Marketing emails (product updates, newsletters) | Art. 6(1)(a) — Consent | Art. 7, I — Consent | Consent; honor opt-out |
| Complying with legal process (subpoenas, court orders) | Art. 6(1)(c) — Legal obligation | Art. 7, II | Legal obligation |
| Defending legal claims | Art. 6(1)(f) — Legitimate interest | Art. 7, VI | Establishing/defending legal claims |
We maintain documented Legitimate Interest Assessments (LIA) for product analytics outside EU/UK/Brazil, security/fraud prevention, content moderation, and legal-claim defense, per the ICO LIA guide.
5. Third-party AI providers
Artifio is an aggregator: when you select a model and submit a generation, we forward your request to a third-party AI model provider. This section explains what we send, what the provider does with it, and how your rights apply.
5.1 How routing works
When you submit a generation, Artifio forwards to the provider you selected:
- Your text prompt (or uploaded media input)
- Generation settings (resolution, duration, style, seed, etc.)
- A request identifier for billing reconciliation
- Technical metadata required by the provider's API (e.g. safety tier, response format)
Artifio does not forward: your email, your name, your IP address, your payment method, your device ID, or any account metadata.
5.2 Provider list
Current AI providers (as of the effective date — this list changes as we add or remove providers):
| Category | Provider | HQ | Privacy policy |
|---|---|---|---|
| Video | Google (Veo) | USA | Google privacy |
| Video | OpenAI (Sora) | USA | OpenAI privacy |
| Video | Runway | USA | Runway privacy |
| Video | Kling AI | China | Kling terms |
| Video | MiniMax (Hailuo) | China | MiniMax privacy |
| Video | Alibaba (Wan) | China | Alibaba Cloud privacy |
| Video | ByteDance (Seedance) | China | ByteDance privacy |
| Image | Midjourney | USA | Midjourney terms |
| Image | Black Forest Labs (FLUX) | Germany | BFL privacy |
| Image | Ideogram | USA | Ideogram privacy |
| Image | OpenAI (DALL-E) | USA | OpenAI privacy |
| Image | Google (Imagen) | USA | Google privacy |
| Image | Seedream | China | — |
| Image | xAI (Grok Imagine) | USA | xAI privacy |
| Image | HiDream | China | — |
| Image | Alibaba (Qwen) | China | Alibaba Cloud privacy |
| Image | Recraft | USA | Recraft privacy |
| Audio | ElevenLabs | USA | ElevenLabs privacy |
| Audio | Suno | USA | Suno privacy |
| Text | Anthropic (Claude) | USA | Anthropic privacy |
| Text | OpenAI (GPT) | USA | OpenAI privacy |
China-based providers. Prompts forwarded to providers headquartered in China are subject to Chinese data laws. If you prefer to avoid this, filter models by provider region in your account settings.
5.3 Controller / Processor characterization
Per the EDPB's June 2025 AI guidance:
- For inference-time processing (the generation itself), each AI provider acts as an independent controller for its own processing of the prompt (including any retention under their own terms). Artifio is the controller for the act of routing.
- For training, we instruct providers via contract not to train on user data where the provider offers that option. Providers that do not offer that option (or whose default is to train) are disclosed in §5.4.
5.4 Training opt-out status by provider
We maintain a live help-center page with each provider's current training stance, updated within 30 days of any change we become aware of. As of the effective date:
- OpenAI API (Sora, GPT, DALL-E): default not trained on API inputs. See OpenAI enterprise privacy.
- Anthropic API (Claude): default not trained on API inputs. See Anthropic privacy.
- Google (Veo, Imagen) via Vertex / Gemini API: default not trained on Vertex API inputs. See Google Cloud privacy.
- xAI (Grok): confirm current stance before launch.
- Midjourney: governed by standard terms; confirm current stance.
- Chinese providers: terms vary; users forwarding prompts to these providers should assume the provider may retain and use inputs under Chinese law.
5.5 Provider outages and model swaps
We reserve the right to re-route a request to a functionally equivalent model if your selected model is unavailable. If this happens, we will note it in the generation record and never charge you more than the price shown at the time you clicked Generate.
6. Other service providers
Complete list of processors, with the data they process, their location, and the transfer mechanism we rely on:
| Provider | Role | Data | Location | Transfer mechanism | DPA |
|---|---|---|---|---|---|
| Clerk | Authentication | Email, auth factors, session tokens | USA | DPF + SCCs | Clerk DPA |
| Neon | Database | All app data | USA | SCCs + DPF | Neon DPA |
| Upstash | Redis (rate limit, queues) | Ephemeral operational data | USA | SCCs + DPF | Upstash DPA |
| Cloudflare R2 | Object storage | Generated outputs, uploaded media | USA (multi-region) | SCCs + DPF | Cloudflare DPA |
| Cloudflare (CDN/WAF) | Edge delivery, security | IP, request metadata | Global | SCCs + DPF | same |
| Vercel | Application hosting + CDN | Runtime request data | USA | SCCs + DPF | Vercel DPA |
| Vercel Analytics | Page views + custom product events (consent-gated) | Visitor ID (server-hashed), page views, event names + properties | USA | SCCs + DPF | Vercel DPA |
| Vercel Speed Insights | Core Web Vitals real-user monitoring (consent-gated) | Request paths, LCP/FID/CLS/INP/TTFB, device class | USA | SCCs + DPF | Vercel DPA |
| Dodo Payments | Primary payment processor | Payment info, transactions | USA | Processor standard | Dodo privacy |
| Stripe | Backup payment processor | Payment info, transactions | USA | SCCs + DPF | Stripe DPA |
| Resend | Transactional email | Email, message content | USA | SCCs + DPF | Resend DPA |
| PostHog | Product analytics | Consent-gated analytics events | USA (EU option available) | SCCs + DPF | PostHog DPA |
| Sentry | Error monitoring | Runtime errors, stack traces, request metadata (PII scrubbed) | USA | SCCs + DPF | Sentry DPA |
We maintain signed Data Processing Agreements with every processor, executed before any user data is processed by that service. DPA copies are available to EU, UK, and Brazilian supervisory authorities on lawful request.
We do NOT sell or share personal information for cross-context behavioral advertising, and we do not engage data brokers, advertising networks, or third-party marketing-enrichment vendors.
7. How AI generation works (transparency)
This section exists because the EU AI Act Article 50 transparency regime takes effect August 2, 2026. We adopt the same transparency stance for users outside the EU as a matter of policy.
- You are interacting with AI. The service generates content using machine-learning models. Outputs are not human-authored and may contain errors, biases, or hallucinations.
- Provenance marking. AI-generated outputs may include machine-readable provenance marks (C2PA credentials, watermarks, or metadata) inserted by the underlying model provider. Artifio does not strip these. Where required by Article 50 of the EU AI Act, Artifio inserts its own machine-readable marker identifying the output as AI-generated. See the C2PA standard.
- Deepfake disclosure obligation (Article 50(4)). If you use Artifio to create content that would be a "deepfake" under the EU AI Act — AI-generated or AI-manipulated image, audio, or video that resembles existing persons, objects, places, entities, or events and would falsely appear to a person to be authentic — you are required to disclose that the content is artificially generated or manipulated before you publish, share, or distribute it. Artifio provides tools (provenance metadata, downloadable disclosure badges) to help you meet this obligation; the legal duty rests with you.
- No training on your data by Artifio. We do not train our own models on your prompts, uploads, or generated outputs.
- Provider training policies vary. See the live help-center page described in §5.4.
- Content moderation. Prompts are automatically screened (OpenAI Moderation API plus internal filters) before being forwarded to the AI provider. This is automated processing; you have the right to contest a moderation decision by emailing appeal@artifio.ai.
- Quality disclaimer. We do not guarantee output quality, accuracy, or factual correctness. Review before use.
8. Data retention
| Data category | Retention |
|---|---|
| Account information (email, name, auth) | Until you delete your account, or 2 years after last sign-in (soft deletion → hard deletion 90 days later) |
| Prompts and generation records (metadata) | 12 months, then hashed / aggregated for analytics |
| Generated outputs (images, video, audio, text) | 14 days, then auto-deleted from R2 |
| Uploaded inputs (user-supplied media) | 14 days, then auto-deleted from R2 |
| Wallet transactions and invoices | 7 years (US/EU/UK tax and accounting law) |
| Payment method references (tokenized) | Managed by Dodo/Stripe; deleted on account deletion |
| Security and audit logs | 90 days |
| IP addresses (raw) | 30 days, then truncated to /24 or /64 |
| Rate-limit counters (Upstash) | Up to 24 hours, aggregated afterward |
| Customer support correspondence | 2 years from last message |
| Backups | Rolling 30-day window; user deletion is propagated to backups on the next full-backup cycle (≤30 days) |
| Analytics events (PostHog) | 12 months, then aggregated |
| Error reports (Sentry) | 90 days |
| Consent log | 7 years (proof-of-consent legal evidence; not subject to user-requested deletion) |
| Third-party provider data | Governed by each provider's retention policy (typically 30–60 days for inputs, none for outputs; see §5) |
Third-party retention note. When you delete content from Artifio, we delete our copy immediately. Copies at third-party AI providers may persist for up to 60 days under their own retention policies, which we cannot accelerate.
9. Your privacy rights
9.1 Universal rights (we offer these to everyone, regardless of where you live)
- Access a copy of your data
- Correct inaccurate data
- Delete your account and associated personal data
- Export your data in a portable format
- Stop marketing communications
9.2 GDPR / UK GDPR rights (EEA + UK residents)
- All universal rights above
- Object to processing based on legitimate interest (Art. 21)
- Restrict processing (Art. 18)
- Withdraw consent at any time
- Not be subject to solely automated decision-making with legal or similarly significant effects (Art. 22)
- Lodge a complaint with your national supervisory authority (EDPB member list)
- UK users: lodge a complaint with the ICO
9.3 LGPD rights (Brazilian residents)
Per LGPD Article 18:
- Confirmation of processing
- Access
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data
- Data portability
- Deletion of data processed on the basis of consent
- Information about shared and public use of data
- Information about the possibility of refusing consent and consequences
- Revocation of consent
- Right to lodge a complaint with ANPD
9.4 CCPA / CPRA rights (California residents)
- Right to know categories and specific pieces of personal information collected
- Right to delete
- Right to correct inaccurate information
- Right to opt-out of sale or sharing (Artifio does not sell or share, but we honor opt-out requests anyway)
- Right to limit the use of Sensitive Personal Information
- Right to non-discrimination
- Right to designate an authorized agent
Categories of personal information collected in the past 12 months (per Cal. Civ. Code §1798.140):
- Identifiers (email, IP address, device ID)
- Commercial information (wallet history, subscription status)
- Internet activity (usage events, page views)
- Geolocation (approximate, from IP)
- Professional/employment (if voluntarily provided)
- Inferences (preferences derived from usage)
We have not sold or shared personal information for cross-context behavioral advertising in the past 12 months.
9.5 TDPSA rights (Texas residents)
Under the Texas Data Privacy and Security Act:
- Right to confirm processing and access
- Right to correct
- Right to delete
- Right to portability (for data you provided)
- Right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions with legal/similarly significant effects
- Right to appeal a denial
Universal opt-out. Artifio honors the Global Privacy Control (GPC) signal as a valid opt-out request for Texas residents (required since January 2025).
9.6 Other US state rights
Residents of Colorado, Connecticut, Utah, Virginia, Oregon, Montana, Florida, Delaware, New Hampshire, New Jersey, Iowa, Indiana, Tennessee, Minnesota, Maryland, Rhode Island, and Kentucky have rights analogous to the TDPSA rights above under their respective state privacy laws. We honor valid requests under each.
10. How to exercise your rights
- In-app: Settings → Privacy → Request your data / Delete your account (primary channel; frictionless).
- Email: privacy@artifio.ai.
- Authorized agent: for CCPA/CPRA, provide a signed power of attorney and the requester's verification details.
- Response time: 30 days (GDPR / UK GDPR), 45 days extendable to 90 (CCPA/CPRA), 15 working days extendable to 30 (LGPD), 45 days (TDPSA).
- Identity verification: we match the email address on the request to the account email; for high-sensitivity requests (full export, deletion) we may require re-authentication.
- No fee unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request (GDPR Art. 12(5)).
- Appeal: if we deny a request under a state privacy law, you may appeal within 60 days by emailing privacy@artifio.ai with "APPEAL" in the subject line.
11. Cookies & tracking
Full details live in our cookie policy. Summary:
| Category | Purpose | Required? | Examples |
|---|---|---|---|
| Strictly necessary | Authentication, CSRF protection, session management, cookie-banner state | Always on | __clerk_db_jwt, __Secure-next-auth.session-token, artifio_cookie_consent |
| Functional | Remember UI preferences (dark mode, language) | Opt-in | artifio_ui_prefs |
| Analytics | Product analytics (PostHog), performance (Core Web Vitals via Sentry, PostHog, and Vercel Speed Insights), page views + custom events (Vercel Analytics) | Opt-in | ph_*, _vercel_* |
| Marketing | None currently used | — | — |
We do not use third-party advertising or tracking cookies.
Analytics cookies load only after you accept the analytics category in the cookie banner, or if you are in a jurisdiction where legitimate interest is a permissible legal basis for analytics (outside EEA, UK, Brazil, Switzerland).
You can change preferences at any time by clicking "Cookie preferences" in the footer.
12. Global Privacy Control (GPC)
We recognize and honor the Global Privacy Control browser signal. When our servers detect a GPC signal from your browser:
- For California, Colorado, Connecticut, Texas, Oregon, Montana, New Jersey, Delaware, New Hampshire, Maryland, Minnesota, and Nebraska residents, the GPC signal is treated as a valid opt-out of sale or sharing of personal data.
- For EEA, UK, and Brazilian users, we treat GPC as an indication that you have not consented to non-essential analytics or tracking cookies, and we suppress those cookies.
You do not need to do anything else to exercise this right — the browser signal is sufficient.
13. International data transfers
Artifio is based in the United States. Your personal data is transferred to and processed in the US and other countries where our service providers operate.
For EEA users (EU/EEA → US): transfers rely on one or more of:
- The EU–US Data Privacy Framework (DPF) for DPF-certified processors (e.g. Clerk, Neon, Stripe, Vercel, Cloudflare, Sentry, PostHog)
- The European Commission's 2021 Standard Contractual Clauses (Module 2 — controller-to-processor) for non-DPF providers
- Supplementary measures: encryption in transit and at rest, access controls, provider audit rights
For UK users (UK → US): transfers rely on one or more of:
- The UK Data Bridge (UK extension to DPF) for participating processors
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs for non-Data-Bridge providers
For Brazilian users (Brazil → US): transfers rely on Brazilian Standard Contractual Clauses adopted by ANPD Resolution CD/ANPD 19/2024 (mandatory since August 23, 2025), with encryption, access controls, and audit rights as supplementary safeguards.
For users elsewhere: transfers rely on your consent to the transfer as disclosed in this policy and/or the contractual necessity of providing the service you requested.
To request a copy of the transfer safeguards applicable to your data, email privacy@artifio.ai.
14. Security
We implement industry-standard security measures including:
- Encryption in transit: TLS/SSL for all data transmission
- Encryption at rest: sensitive data encrypted in storage
- Password security: managed by Clerk with modern hash functions; we never see your password
- Access controls: role-based access, principle of least privilege
- Row-level isolation: database queries scoped to the calling user's identity
- Regular audits: security assessments and vulnerability scanning
- Penetration testing: annual third-party penetration test (the first to be completed before or within 90 days of launch)
- Vulnerability disclosure: security@artifio.ai; we follow coordinated-vulnerability-disclosure principles
- Secure infrastructure: cloud hosting with providers that maintain recognized security certifications where available
No method of transmission or storage is 100% secure. While we work to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
15. Children & age gate
- Artifio is a service for users aged 18 and older. We do not knowingly collect personal information from anyone under 18.
- During signup, we collect affirmation of age. We do not use face-scan or ID verification at signup; we rely on user affirmation plus removal procedures on notice.
- If you believe a minor has created an account, email privacy@artifio.ai. We will suspend the account within 24 hours of receiving the report and delete it within 30 days.
- COPPA (US, children under 13): Artifio is not directed to children under 13 and does not knowingly collect personal information from children under 13. If we learn we have, we delete it.
- GDPR Article 8 (EU, 13–16 depending on member state): Artifio is not directed to users under 18 regardless of the member-state threshold.
- UK Age Appropriate Design Code (Children's Code): because Artifio is not designed for or directed at UK children, the Code's specific design standards do not apply; we nonetheless honor its underlying principles (data minimization, best interests, default-private).
- Suspected CSAM is reported immediately to the National Center for Missing & Exploited Children (NCMEC) CyberTipline per 18 USC §2258A.
16. Automated decision-making
Artifio uses automated processing in limited circumstances:
- Content moderation screening. Prompts and uploads are automatically screened before being forwarded to the AI provider. A block decision is based on policy categories (CSAM, NCII, hate, violence, etc.). You may appeal an incorrect block by emailing appeal@artifio.ai; a human reviewer will re-evaluate within 5 business days.
- Fraud and abuse detection. Signals including request volume, device fingerprints, and payment patterns may trigger automated account suspension. You may appeal by emailing appeal@artifio.ai; a human reviewer will re-evaluate within 5 business days.
- AI generation itself — the output of a generation is produced by an ML model, not a human. This is the service you requested; outputs are not "decisions" within the meaning of GDPR Art. 22. You may always review outputs, regenerate, or decline to use them.
You have the right to:
- Obtain human review of an automated decision affecting you
- Express your point of view
- Contest the decision
None of Artifio's automated processing has legal effects on users or similarly significant effects within the meaning of GDPR Article 22(1). We maintain this disclosure as best practice and in anticipation of future changes.
17. Data breach notification
- We maintain an incident response plan.
- GDPR: we notify our lead supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in risk to individuals, and notify affected individuals without undue delay where the breach is likely to result in high risk.
- UK GDPR: same 72-hour rule to the ICO.
- LGPD: we notify ANPD and affected data subjects within a reasonable period, which ANPD has interpreted as 3 working days for material breaches.
- CCPA/CPRA and US state laws: we notify California residents (and residents of other US states with breach laws) without unreasonable delay, following the statutory requirements of each state (typically 30–60 days).
18. State-specific notices (US)
Residents of the following US states have privacy rights analogous to those described in §9 under their respective state laws, and may exercise them through the mechanisms in §10:
California, Texas, Colorado, Virginia, Connecticut, Utah, Oregon, Montana, Florida, Delaware, New Hampshire, New Jersey, Iowa, Indiana, Tennessee, Minnesota, Maryland, Rhode Island, Kentucky.
19. Changes to this policy
- Material changes (new data uses, new categories of processors, changes to retention): 30 days' advance notice by email + in-app banner.
- Non-material changes (typo fixes, provider-list additions, minor clarifications): updated "Last modified" date, no individual notice.
- We maintain a changelog with each dated change.
20. Contact information
- Artifio.ai
- privacy@artifio.ai — data rights, privacy inquiries
- copyright@artifio.ai — DMCA
- abuse@artifio.ai — NCII / TAKE IT DOWN
- dsa@artifio.ai — EU DSA notices
- appeal@artifio.ai — moderation appeals
- security@artifio.ai — security incidents
- billing@artifio.ai — billing
- legal@artifio.ai — general legal
- 539 W Commerce St, Ste 5263, Dallas, Texas 75208, USA
We aim to respond to all inquiries within the statutory response times set out in §2.