Privacy Policy — Changelog
- Effective date
- May 27, 2026
- Last modified
- July 13, 2026
- Version
- v2.4
Privacy Policy changelog
This page tracks material changes to the Privacy Policy. Minor edits (typo fixes, link corrections, date refreshes) are reflected in the "Last modified" field on the main page and are not separately listed here.
v2.4 — 2026-07-13 — Controller identification: brand-forward, entity on request
The data controller is still fully identifiable, as GDPR/CCPA require — the change is only how the controller is presented. §1 and the §2 contact table now identify the controller as Artifio.ai, a Texas company, with full legal-entity details available on request at privacy@artifio.ai. The prior text named the parent entity's registered name inline; that detail moves to on-request disclosure. No processors, data categories, retention periods, or user rights changed.
v2.3 — 2026-06-23 — Upload-agreement audit log disclosed
Discloses a new category of proof-of-consent data we now collect: the just-in-time "Media upload agreement" captured the first time a user uploads media for a generation (and on any version bump). §3.4 documents the affirmation and what we record (version, truncated IP, user-agent, approximate region); the §8 retention table adds the "Upload-agreement audit log" row (7-year retention, append-only, deleted with the account).
No new processors and no behavioural change to existing consent prompts.
v2.2 — 2026-05-17 — PostHog autocapture named explicitly (post-merge audit)
Post-merge audit (2026-05-17) of the v2.1 changes called out that
the §3.2 row covering usage events did not name PostHog's
autocapture SDK feature, which captures clicks + form submits +
scroll depth + rage/dead clicks automatically once consent is
granted. The data classes were already disclosed in aggregate
("Usage events: pages viewed, clicks, scroll depth, rage/dead
clicks"), but naming the specific SDK feature is the gold-standard
disclosure pattern under GDPR Art. 13 (right to know how data is
collected).
Change: §3.2 row now reads "captured via PostHog's autocapture
feature on the post-consent client" with form submits added to the
visible-event list.
No new data classes, no new processors, no behavioural change to consent prompts.
v2.1 — 2026-05-17 — Lead attribution + Vercel observability disclosures
Two new categories of automatic data collection shipped in May 2026 and are now explicitly disclosed:
- §3.2 — Lead-source attribution. UTM parameters (
utm_source,utm_medium,utm_campaign,utm_term,utm_content), the first landing-page path, and the HTTP referrer are now captured at first touch to attribute the user-acquisition channel. Captured ONCE per user (never overwritten); requires consent in EU/UK/Brazil, legitimate- interest basis for US visitors. Server-derived first-touch country (from the IP) and first-touch device-type (from the user agent) are likewise enumerated. - §3.2 + §6 — Vercel Analytics and Vercel Speed Insights. Two new sub-processors added to the processor table, both consent-gated. Vercel Analytics receives anonymous page-view + custom-event data; Vercel Speed Insights receives Core Web Vitals (LCP/FID/CLS/INP/TTFB) sampled per page-load. Both fire ONLY after a user accepts the analytics category in the cookie banner.
- §11 — Cookie list updated.
_vercel_*cookies added to the Analytics row; the row's purpose now enumerates all three Core Web Vitals sinks (Sentry, PostHog, Vercel Speed Insights) and clarifies Vercel Analytics captures page views + custom events.
No behavioural changes to consent prompts, no rights changes, no processor removals.
v2.0 — Pre-launch rewrite
Comprehensive update to the Privacy Policy for the Artifio.ai launch. This version is a full rewrite of v1.0 (December 2024) and addresses every gap identified in the April-2026 compliance audit:
- Dollar-denominated wallet model. The previous "credits" terminology has been replaced throughout with Balance / Top-Up / Platform Fee language that matches the live product.
- Global compliance. GDPR, UK GDPR (as amended by the Data (Use and Access) Act 2025), LGPD (Brazil), CCPA / CPRA (California), TDPSA (Texas), and the analogous state privacy laws of 17 additional US states.
- EU AI Act Article 50. Transparency disclosure about AI generation, provenance marks (including C2PA), and the deepfake-disclosure duty that rests with the user.
- TAKE IT DOWN Act. Notice-and-takedown process for non-consensual intimate imagery, with a 48-hour removal commitment.
- DSA notice-and-action. Statement-of-reasons, appeal, and out-of-court-dispute-settlement rights for EU users.
- Global Privacy Control (GPC). Explicit recognition as a legally-binding opt-out for California, Colorado, Connecticut, Texas, Oregon, Montana, New Jersey, Delaware, New Hampshire, Maryland, Minnesota, and Nebraska residents.
- Complete processor list. Every third-party service that processes user data — Clerk, Neon, Upstash, Cloudflare R2 + CDN, Vercel, Dodo Payments, Stripe, Resend, PostHog, Sentry — named with data-sharing, location, and transfer-mechanism details.
- Full third-party AI provider list with data-training-opt-out status per provider.
- Automated decision-making disclosure per GDPR Article 22, UK GDPR, and LGPD Article 20.
- Data breach notification with jurisdiction-specific timelines (72h GDPR/UK, 3 working days LGPD, per-state US).
- Contact matrix. Nine dedicated email aliases (
privacy@,copyright@,abuse@,dsa@,appeal@,billing@,security@,legal@,hello@) with published response times.
v1.0 — Initial version (December 2024)
Original Privacy Policy published with the Artifio.ai private beta. Superseded by v2.0.