Last updated: June 4, 2026
Artiefax ("we," "us," or "our") operates the website at artiefax.app and the application at app.artiefax.app (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, your rights regarding that information, and our obligations under applicable privacy laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.
When you create an account, we collect your email address and, if you sign in via Google, GitHub, or Microsoft OAuth, the basic profile information those providers share (name, profile picture, email). We do not store passwords—authentication is handled by Supabase Auth using magic links or OAuth tokens.
When you save apps to your library, we store the app's source code, metadata (title, description, category, format), cover images, and any runtime data the app generates through the Artiefax storage API. This data is synced to our cloud infrastructure so it is available across your devices.
When you create a share link, we store the link configuration (access type, password hash, viewer data mode, expiration, notes) and associate it with your app. Passwords are stored as bcrypt hashes—we never store plaintext passwords.
If you subscribe to Artiefax Pro, payment processing is handled entirely by Stripe. We do not receive, store, or process your credit card number, bank account details, or other payment credentials. Stripe provides us with a customer identifier, subscription status, plan type, and billing email for the purpose of managing your subscription. See Stripe's Privacy Policy for details on how they handle payment data.
When you use the AI-powered transform features (Add Persistence, Optimize for Mobile), we record the number of tokens consumed for rate-limiting purposes. We send your app's source code to the Anthropic API for processing. We do not store the AI's output separately—it replaces your app's source code in your library only if you choose to save it. This processing is performed on your behalf and at your direction.
We use Google Analytics 4 (GA4) on our marketing site (artiefax.app) and app site (app.artiefax.app) to understand how visitors and users interact with the Service. GA4 sets cookies on your device, including _ga (used to distinguish users, expires after 2 years) and _ga_<ID> (used to maintain session state, expires after 2 years). These cookies are only set after you provide explicit consent via our cookie consent banner. If you decline cookies, GA4 does not load and no analytics cookies are set. We configure GA4 with IP anonymization enabled. We do not use Google Analytics data for advertising, remarketing, or user profiling. See Section 5 (Cookies and Tracking Technologies) for details on managing your preferences.
When a visitor views a shared app page, we log limited, non-identifying information server-side for the purpose of providing share analytics to the app owner. This includes the share link identifier, a timestamp, the visitor's country (derived from the Cloudflare CF-IPCountry HTTP header—not from the visitor's IP address, which is not stored), device type (parsed from the User-Agent header into broad categories such as "mobile" or "desktop"—the raw User-Agent string is not stored), and the referring domain. This data collection does not involve cookies or any client-side storage, does not identify individual visitors, and is processed under our legitimate interest in providing the Service (GDPR Article 6(1)(f)).
We collect automated error reports and Content Security Policy (CSP) violation reports to maintain the security and reliability of the Service. These reports may include the URL where the error occurred, error messages, browser type, and timestamp. They do not include personally identifiable information.
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we process your personal data under the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and authentication | Performance of a contract (Article 6(1)(b)) |
| App storage, sync, and sharing | Performance of a contract (Article 6(1)(b)) |
| Payment processing via Stripe | Performance of a contract (Article 6(1)(b)) |
| AI transform processing via Anthropic | Performance of a contract (Article 6(1)(b)) |
| Analytics cookies (GA4) | Consent (Article 6(1)(a)) |
| Server-side share view analytics | Legitimate interest (Article 6(1)(f)) |
| Error and security reporting | Legitimate interest (Article 6(1)(f)) |
| Abuse prevention and rate limiting | Legitimate interest (Article 6(1)(f)) |
| Responding to legal requests | Legal obligation (Article 6(1)(c)) |
We use the information we collect to:
We do not sell, rent, or share your personal information with third parties for their marketing purposes. We do not display advertisements. We do not engage in behavioral profiling or automated decision-making that produces legal effects concerning you.
The Service relies on the following third-party providers, each acting as a data processor on our behalf or as an independent controller as noted:
We do not share your personal data with any third party beyond what is described above, except as required by law (see Section 11).
We use only the cookies that are strictly necessary for authentication and, with your consent, analytics cookies set by Google Analytics 4. We do not use advertising cookies, tracking pixels, social media widgets, or any form of cross-site tracking.
| Cookie | Purpose | Duration | Requires Consent? |
|---|---|---|---|
| Authentication session | Maintains your login session (set by Supabase Auth) | Session / 7 days | No (strictly necessary) |
| _ga | Distinguishes unique visitors for Google Analytics | 2 years | Yes |
| _ga_<ID> | Maintains session state for Google Analytics | 2 years | Yes |
| artiefax_cookie_consent | Stores your cookie consent preference (localStorage, not a cookie) | Persistent until cleared | No (strictly necessary) |
When you first visit the Service, a cookie consent banner will ask whether you accept or decline analytics cookies. If you decline, Google Analytics will not load and no analytics cookies will be set. You can change your preference at any time by clicking the "Cookie Settings" link in the footer of any page, which will re-display the consent banner. You may also clear your cookie preferences by clearing your browser's localStorage for artiefax.app or app.artiefax.app.
When a visitor accesses a shared app page (URLs beginning with /s/), no analytics cookies are set and no cookie consent banner is displayed, regardless of prior consent status. Share page analytics are handled entirely server-side as described in Section 1.7.
Your data is stored in Supabase's cloud infrastructure in the United States. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access to your data is protected by Row-Level Security (RLS) policies enforced at the database level—even if application logic has a bug, the database will not return another user's data. Artifacts run in a cross-origin sandboxed iframe with a strict Content Security Policy and cannot access your account credentials, cookies, or other apps' data.
We implement industry-standard security measures including rate limiting on authentication and API endpoints, bcrypt password hashing for share link passwords, CSP violation monitoring, automated error tracking, and regular security reviews. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.
If you are located outside the United States, your personal data will be transferred to and processed in the United States, where our infrastructure providers are located. For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the EU-U.S. Data Privacy Framework (DPF) certifications of our processors (where applicable) and, where necessary, Standard Contractual Clauses (SCCs) approved by the European Commission. By using the Service, you acknowledge that your data will be processed in the United States, which may have different data protection standards than your jurisdiction.
We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods:
You can delete individual apps and their associated data (including share links, runtime data, and share view analytics) at any time from within the Service. To delete your entire account and all associated data, contact us at hello@artiefax.app. Account deletion is permanent and irreversible, and will be completed within 30 days of the request. Upon deletion, we will remove all personal data except where retention is required by law.
Regardless of your location, you have the right to:
If you are located in the EEA, UK, or Switzerland, you also have the right to:
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
To exercise any of these rights, contact us at hello@artiefax.app. We will respond to verifiable requests within 45 days (CCPA) or 30 days (GDPR). We do not charge a fee for processing reasonable requests.
The Service is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children under these ages. If you believe a child has provided us with personal information, please contact us at hello@artiefax.app and we will promptly delete it. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information as quickly as possible.
We may disclose your personal data only in the following circumstances:
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach (as required by GDPR Article 33). We will also notify the relevant supervisory authority where required. Notification will include the nature of the breach, the categories of data affected, likely consequences, and the measures taken to address it.
Some browsers transmit "Do Not Track" (DNT) signals. Because there is no industry consensus on how to interpret DNT signals, we do not currently respond to them. However, our cookie consent mechanism provides you with meaningful control over analytics tracking regardless of your DNT setting.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date and, for material changes that affect how we process your data, by sending an email to the address associated with your account. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy. If you disagree with any changes, you may delete your account as described in Section 8.
If you have questions about this Privacy Policy, our data practices, or wish to exercise your privacy rights, contact us at:
Artiefax
Email: hello@artiefax.app
Privacy inquiries: privacy@artiefax.app
Security issues: security@artiefax.app
If you are located in the EEA and are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.