Privacy Policy — Changelog
- Effective date: May 27, 2026
- Last modified: May 17, 2026
- Version: v2.2
Privacy Policy changelog
This page tracks material changes to the Privacy Policy. Minor edits (typo fixes, link corrections, date refreshes) are reflected in the "Last modified" field on the main page and are not separately listed here.
v2.2 — 2026-05-17 — PostHog autocapture named explicitly (post-merge audit)
Post-merge audit (2026-05-17) of the v2.1 changes called out that
the §3.2 row covering usage events did not name PostHog's
autocapture SDK feature, which captures clicks + form submits +
scroll depth + rage/dead clicks automatically once consent is
granted. The data classes were already disclosed in aggregate
("Usage events: pages viewed, clicks, scroll depth, rage/dead
clicks"), but naming the specific SDK feature is the gold-standard
disclosure pattern under GDPR Art. 13 (right to know how data is
collected).
Change: §3.2 row now reads "captured via PostHog's autocapture
feature on the post-consent client" with form submits added to the
visible-event list.
No new data classes, no new processors, no behavioural change to consent prompts.
v2.1 — 2026-05-17 — Lead attribution + Vercel observability disclosures
Two new categories of automatic data collection shipped in May 2026 and are now explicitly disclosed:
- §3.2 — Lead-source attribution. UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content), the first landing-page path, and the HTTP referrer are now captured at first touch to attribute the user-acquisition channel. Captured ONCE per user (never overwritten); requires consent in EU/UK/Brazil, legitimate-interest basis for US visitors. Server-derived first-touch country (from the IP) and first-touch device-type (from the user agent) are likewise enumerated.
- §3.2 + §6 — Vercel Analytics and Vercel Speed Insights. Two new sub-processors added to the processor table, both consent-gated. Vercel Analytics receives anonymous page-view + custom-event data; Vercel Speed Insights receives Core Web Vitals (LCP/FID/CLS/INP/TTFB) sampled per page-load. Both fire ONLY after a user accepts the analytics category in the cookie banner.
- §11 — Cookie list updated. _vercel_* cookies added to the Analytics row; the row's purpose now enumerates all three Core Web Vitals sinks (Sentry, PostHog, Vercel Speed Insights) and clarifies Vercel Analytics captures page views + custom events.
No behavioural changes to consent prompts, no rights changes, no processor removals.
v2.0 — Pre-launch rewrite
Comprehensive update to the Privacy Policy for the Artifio.ai launch. This version is a full rewrite of v1.0 (December 2024) and addresses every gap identified in the April-2026 compliance audit:
- Dollar-denominated wallet model. The previous "credits" terminology has been replaced throughout with Balance / Top-Up / Platform Fee language that matches the live product.
- Global compliance. GDPR, UK GDPR (as amended by the Data (Use and Access) Act 2025), LGPD (Brazil), CCPA / CPRA (California), TDPSA (Texas), and the analogous state privacy laws of 17 additional US states.
- EU AI Act Article 50. Transparency disclosure about AI generation, provenance marks (including C2PA), and the deepfake-disclosure duty that rests with the user.
- TAKE IT DOWN Act. Notice-and-takedown process for non-consensual intimate imagery, with a 48-hour removal commitment.
- DSA notice-and-action. Statement-of-reasons, appeal, and out-of-court-dispute-settlement rights for EU users.
- Global Privacy Control (GPC). Explicit recognition as a legally-binding opt-out for California, Colorado, Connecticut, Texas, Oregon, Montana, New Jersey, Delaware, New Hampshire, Maryland, Minnesota, and Nebraska residents.
- Complete processor list. Every third-party service that processes user data — Clerk, Neon, Upstash, Cloudflare R2 + CDN, Vercel, Dodo Payments, Stripe, Resend, PostHog, Sentry — named with data-sharing, location, and transfer-mechanism details.
- Full third-party AI provider list with data-training-opt-out status per provider.
- Automated decision-making disclosure per GDPR Article 22, UK GDPR, and LGPD Article 20.
- Data breach notification with jurisdiction-specific timelines (72h GDPR/UK, 3 working days LGPD, per-state US).
- Contact matrix. Nine dedicated email aliases (privacy@, copyright@, abuse@, dsa@, appeal@, billing@, security@, legal@, hello@) with published response times.
v1.0 — Initial version (December 2024)
Original Privacy Policy published with the Artifio.ai private beta. Superseded by v2.0.