Privacy Policy

The service

PrintFlow AI is available as a Free plan and paid Pro and Scale plans via Stripe Checkout. Stripe processes billing and subscription data when you start checkout, manage a subscription, or complete a purchase.

Controller

The controller of personal data (where the GDPR or similar law applies) is:

Email: Benuxa.Studio@gmail.com

Business and tax registration details for the operator will be updated on this page after registration, where relevant for transparency.

What the app does (summary)

Signed-in users can submit structured product briefs and receive AI-generated listing-related text. History, settings, usage limits, and plan status are stored in a database. Optional walkthrough or feedback requests may be collected through a form on the marketing site.

Optional guided walkthrough form

If you use the optional request form, we store the information you provide (email, optional Etsy shop URL, niche, free text) in our database (Supabase) to handle onboarding, interviews, or feedback. Public signup does not depend on this form.

Entries are kept only as long as needed for these purposes and reasonable follow-up, then reviewed and removed where appropriate.

Categories of personal data

Depending on how you use PrintFlow AI, we may process:

• Contact and account data: email address and authentication-related data (e.g. session information via Supabase).
• Product and app content: product briefs, generated listing packs and history, workflow mode selections, brand voice data, shop defaults.
• Usage and plan status: generation counts and plan metadata.
• Internal service notes: for service management purposes, the operator may keep internal administrative notes about accounts (for example support history or access changes). These notes are accessible to you under your right of access (GDPR Art. 15).
• Stripe-related metadata: customer and subscription metadata for paid subscribers.
• Technical logs: server and infrastructure logs for security and operations.
• Optional analytics & performance (after consent): in-app product events (PostHog), web analytics (Vercel Web Analytics), and performance signals (Vercel Speed Insights), only if you opt in via the cookie banner or preferences panel.
• Consent preferences: your analytics choice is stored in the browser under the key printflow-ai.consent.v1 (JSON in local storage, not only HTTP cookies).
• Error diagnostics: technical error reports (Sentry), including stack traces and request metadata as configured below. This is separate from the optional analytics category and may run to keep the service reliable.

Purposes of processing

• Account creation and login.
• Providing the generator and related features.
• Storing history and user settings.
• Enforcing usage limits and plan rules.
• Support communication.
• Security and abuse prevention.
• Product analytics and performance measurement when you consent(see Analytics & Performance section).
• Error monitoring and reliability (Sentry).
• Billing and subscription management (Stripe).

OpenAI (AI generation)

To generate text, the portions of your brief and related inputs needed for a given run are sent to OpenAI. Do not enter special categories of personal data or sensitive information in briefs unless it is truly necessary for your listing draft.

Analytics & Performance (optional)

These tools load and run only after you acceptoptional "Analytics & Performance" in the cookie banner, save that choice in preferences, or use an equivalent "Accept all" flow. If you reject optional analytics or never opt in, we do not initialize these products in your browser for that session (subject to normal browser caching behavior after you later change your mind).

• PostHog — custom in-app product events (for example generation and billing flows). PostHog may use cookies and local storage on your device once enabled.
• Vercel Web Analytics — privacy-oriented, aggregated web analytics provided by Vercel.
• Vercel Speed Insights — Real User Monitoring style performance metrics (for example Core Web Vitals signals), provided by Vercel.

Session replay: PostHog session replay can run only after optional analytics consent and is configured with strict input/text masking.

Server-side PostHog: where server-side analytics are used, only safe operational identifiers such as Supabase user id and Stripe customer id are sent. We do not send email addresses, card data, billing address, prompts, or generated copy to PostHog.

We still process personal data elsewhere when you use the product (for example account email in Supabase, briefs you submit, and AI processing). Analytics consent only controls the optional tools listed above.

Sentry (error monitoring)

We use Sentry to capture and diagnose technical errors (for example error types, stack traces, and request metadata). This helps us keep the service stable and investigate incidents. Sentry is not used for marketing attribution, and we do not enable Sentry Session Replay in this codebase.

• Default PII: Sentry is initialized with sendDefaultPii: false so the SDK does not automatically attach categories of personal identifiers Sentry treats as default PII.
• Scrubbing: we apply a beforeSend hook to strip query strings from request.url, redact common sensitive HTTP headers (including Cookie, Authorization, and Set-Cookie), redact cookie payloads on the request object where present, and apply best-effort redaction of obvious email-like strings in some event fields. This is not a guarantee that no personal data ever appears in an error payload (for example if an error message itself contains data you entered).
• User linkage: we do not call Sentry.setUser in our application code.

See Sentry's privacy documentation for how Sentry processes data on their side, and consider this policy together with your own device and network environment.

Processors and services

The following providers are involved in delivering the service (each has its own privacy terms):

• Vercel — hosting and application delivery; optional Vercel Web Analytics and Vercel Speed Insights when you consent
• Supabase — authentication, database, user-related storage
• Stripe — payments and subscriptions once paid checkout is enabled
• OpenAI — AI text generation
• PostHog — product analytics (client-side), after consent only
• Sentry — error tracking
• Resend — transactional and marketing email delivery (welcome, first-pack, and other service emails)
• Upstash Redis — temporary storage of rate-limit counters (user identifiers stored for short durations to enforce generation limits)
• Google / Gmail — support email communication where used

Personal data may be processed outside the European Economic Area where providers operate globally. Appropriate safeguards (such as standard contractual clauses) may apply as required by law; see each provider's documentation.

Cookies, local storage, and similar technologies

We use necessary cookies and similar technologies to operate PrintFlow AI, including authentication and session management (for example via Supabase), security, and core app functionality. We also store your analytics consent choicein your browser's local storage under printflow-ai.consent.v1 (JSON). That entry is not the same thing as an HTTP cookie, but it is still local storage on your device and can be cleared with other site data.

If you enable optional Analytics & Performance, PostHog may persist client identifiers using local storage and cookies as configured in our PostHog client setup. Vercel Web Analytics and Speed Insights are loaded from your browser only after that consent path.

Stripemay set cookies or use similar technologies when you use billing flows (for example Checkout or the customer portal), consistent with Stripe's own policies.

You can reopen and change optional analytics choices using Cookie settings in the site footer (marketing and legal pages) and in the signed-in app footer (dashboard sidebar on large screens, or the mobile menu).

We do notclaim that "no personal data is processed" simply because analytics are optional — account, product, AI, billing, and error data may still be processed as described elsewhere in this policy.

Retention

Data is retained only as long as needed for the purposes described in this policy. The following indicative periods apply:

• Account and profile data: retained while your account is active; deleted within 30 days after account deletion (except where retention is required by law or for dispute resolution).
• Generated content and history: retained while your account is active; deleted with your account on request or after account deletion.
• Billing and subscription records: retained for 7 years from the date of the relevant transaction, as required under Austrian and EU tax and accounting law.
• Rate-limit counters (Upstash): temporary; automatically expire within minutes to hours depending on the window.
• Error and security logs: typically retained for up to 90 days.
• Analytics data (PostHog, after consent):subject to PostHog's own retention settings and your right to withdraw consent.

You can request deletion of your account data at any time as described under Account and data deletion below. Statutory retention obligations may prevent immediate deletion of some records.

Your rights

Where applicable law provides them, you may have the right to:

• access your personal data;
• rectify inaccurate data;
• request erasure;
• request restriction of processing;
• object to certain processing;
• data portability;
• lodge a complaint with a supervisory authority — in Austria, the Austrian Data Protection Authority (Datenschutzbehörde).

Account and data deletion

You can delete your account directly in the app under Settings → Account. Alternatively, you can request deletion of your account or personal data by emailing Benuxa.Studio@gmail.com from or clearly identifying your account email. We will respond subject to technical and legal constraints (for example statutory retention once billing is active).

Support

General support: Support.

This deployment also exposes a public support email: benuxa.studio@gmail.com (may differ from the address above).