Privacy Policy

Last updated: 14 April 2026

1. Data Controller

The data controller responsible for the processing of your personal data is:

HumanisArt, Inc.

United States

This Privacy Policy explains how we collect, use, share, and protect personal data when you use the HumanisArt platform (the “Service”), in accordance with applicable US privacy law — including the California Consumer Privacy Act (“CCPA”) for California residents — and the General Data Protection Regulation (“GDPR”) for users located in the European Economic Area.

2. Personal Data We Collect

We collect the following categories of personal data:

Account data: email address, display name, and profile avatar (uploaded or linked from a third-party provider).
User-generated content:images and artworks you upload as “creations”, along with titles, descriptions, and any tags you add.
Transaction data: payment method information is handled directly by Stripe; we receive confirmation of successful payments and associated Stripe session identifiers only — we do not store card numbers or full payment details.
Usage data: evaluation responses, token balance and transaction history, favourites, comments, follows, and other interactions with the Service.
Technical data: IP address (collected for anti-abuse purposes in the evaluation system and for rate-limiting), browser type, and approximate geolocation derived from IP. IP addresses are not stored in user profiles and are used only transiently for security purposes.

3. Purposes and Legal Bases

Purpose	Legal Basis
Providing and operating the Service (account management, content storage, evaluations)	Contract performance (GDPR Art. 6(1)(b))
Processing payments for creation publishing	Contract performance (GDPR Art. 6(1)(b))
Security, fraud prevention, and anti-abuse (rate-limiting, IP checks)	Legitimate interests (GDPR Art. 6(1)(f))
Compliance with legal obligations (e.g. retaining transaction records)	Legal obligation (GDPR Art. 6(1)(c))
Analytics and performance monitoring (if/when enabled)	Consent (GDPR Art. 6(1)(a)) / opt-in before enabling

4. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:

Account and profile data: retained until you delete your account. Upon account deletion, your email, name, avatar, and profile data are erased.
Published creations: retained for the lifetime of the Service or until you delete them from your account, whichever comes first.
Transaction records: retained for 7 years in accordance with applicable US federal and state tax and accounting regulations.
Usage logs and evaluation data: retained for 12 months, then anonymised or deleted.

5. Third-Party Processors

We share your data only with the following trusted third-party service providers, each bound by data-processing agreements:

Supabase, Inc. (USA) — database hosting and authentication. Stores account data, creations, evaluation results, and all other platform data. For users in the EEA, cross-border data transfers are covered by Standard Contractual Clauses (SCCs).
Stripe, Inc. (USA) — payment processing. Receives payment method information and transaction data. Operates under its own privacy policy and PCI-DSS framework.
Vercel, Inc. (USA) — application hosting and serverless functions. Processes requests and may log IP addresses for security purposes.
Upstash, Inc. (USA) — Redis-based rate-limiting. Processes hashed user identifiers to enforce API rate limits. No personal data is stored permanently; keys expire automatically.

We do not sell your personal data to any third party and we do not share it with advertising networks.

6. Cookies and Similar Technologies

HumanisArt currently uses only strictly necessary cookies:

Supabase SSR session cookies — set automatically by the Supabase authentication library to keep you signed in across page loads. These are essential to provide the Service and cannot be disabled without logging you out.
Stripe cookies— set during the payment checkout flow by Stripe to prevent fraud and manage the checkout session. These are governed by Stripe's privacy policy.

We do not set any tracking, analytics, or advertising cookies without your prior consent. If we add optional analytics in the future, we will update this policy and request consent via our cookie banner.

7. Your Privacy Rights

Depending on your location, you may have the following rights with respect to your personal data:

California residents (CCPA/CPRA):

Right to know what personal information we collect, use, and disclose.
Right to delete your personal information (subject to certain exceptions).
Right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information.
Right to non-discrimination for exercising your privacy rights.

EU / EEA residents (GDPR):

Right of access (Art. 15): You may request a copy of the personal data we hold about you.
Right to rectification (Art. 16): You may correct inaccurate personal data by updating your profile directly on the profile page.
Right to erasure (Art. 17): You may delete your account and all associated personal data at any time from your profile page. Certain data may be retained where required by legal obligation (see Section 4).
Right to data portability (Art. 20): You may request an export of the personal data you provided to us in a structured, machine-readable format by contacting us at privacy@humanisart.com.
Right to object (Art. 21): You may object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to restrict processing (Art. 18): In certain circumstances, you may request that we limit how we use your data.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@humanisart.com. We will respond within 30 days. EU/EEA residents also have the right to lodge a complaint with their local data-protection authority (e.g. the CNIL in France, the ICO in the UK, or the relevant DPA in their EU member state).

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include TLS encryption in transit, row-level security policies on the database, and access controls that limit which server-side processes can read sensitive data.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach that poses a material risk to your rights and freedoms, we will notify affected users and the relevant authorities as required by applicable law (including GDPR Art. 34 for EU/EEA users).

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised “Last updated” date and, where appropriate, by email. We encourage you to review this page periodically.

10. Contact

For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us at:

HumanisArt, Inc. — Data Protection

United States

privacy@humanisart.com

Privacy Policy

Last updated: 14 April 2026

1. Data Controller

The data controller responsible for the processing of your personal data is:

HumanisArt, Inc.

United States

Email: privacy@humanisart.com

2. Personal Data We Collect

We collect the following categories of personal data:

Account data: email address, display name, and profile avatar (uploaded or linked from a third-party provider).
User-generated content:images and artworks you upload as “creations”, along with titles, descriptions, and any tags you add.
Transaction data: payment method information is handled directly by Stripe; we receive confirmation of successful payments and associated Stripe session identifiers only — we do not store card numbers or full payment details.
Usage data: evaluation responses, token balance and transaction history, favourites, comments, follows, and other interactions with the Service.
Technical data: IP address (collected for anti-abuse purposes in the evaluation system and for rate-limiting), browser type, and approximate geolocation derived from IP. IP addresses are not stored in user profiles and are used only transiently for security purposes.

3. Purposes and Legal Bases

Purpose	Legal Basis
Providing and operating the Service (account management, content storage, evaluations)	Contract performance (GDPR Art. 6(1)(b))
Processing payments for creation publishing	Contract performance (GDPR Art. 6(1)(b))
Security, fraud prevention, and anti-abuse (rate-limiting, IP checks)	Legitimate interests (GDPR Art. 6(1)(f))
Compliance with legal obligations (e.g. retaining transaction records)	Legal obligation (GDPR Art. 6(1)(c))
Analytics and performance monitoring (if/when enabled)	Consent (GDPR Art. 6(1)(a)) / opt-in before enabling

4. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:

Account and profile data: retained until you delete your account. Upon account deletion, your email, name, avatar, and profile data are erased.
Published creations: retained for the lifetime of the Service or until you delete them from your account, whichever comes first.
Transaction records: retained for 7 years in accordance with applicable US federal and state tax and accounting regulations.
Usage logs and evaluation data: retained for 12 months, then anonymised or deleted.

5. Third-Party Processors

We share your data only with the following trusted third-party service providers, each bound by data-processing agreements:

Supabase, Inc. (USA) — database hosting and authentication. Stores account data, creations, evaluation results, and all other platform data. For users in the EEA, cross-border data transfers are covered by Standard Contractual Clauses (SCCs).
Stripe, Inc. (USA) — payment processing. Receives payment method information and transaction data. Operates under its own privacy policy and PCI-DSS framework.
Vercel, Inc. (USA) — application hosting and serverless functions. Processes requests and may log IP addresses for security purposes.
Upstash, Inc. (USA) — Redis-based rate-limiting. Processes hashed user identifiers to enforce API rate limits. No personal data is stored permanently; keys expire automatically.

We do not sell your personal data to any third party and we do not share it with advertising networks.

6. Cookies and Similar Technologies

HumanisArt currently uses only strictly necessary cookies:

Supabase SSR session cookies — set automatically by the Supabase authentication library to keep you signed in across page loads. These are essential to provide the Service and cannot be disabled without logging you out.
Stripe cookies— set during the payment checkout flow by Stripe to prevent fraud and manage the checkout session. These are governed by Stripe's privacy policy.

7. Your Privacy Rights

Depending on your location, you may have the following rights with respect to your personal data:

California residents (CCPA/CPRA):

Right to know what personal information we collect, use, and disclose.
Right to delete your personal information (subject to certain exceptions).
Right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information.
Right to non-discrimination for exercising your privacy rights.

EU / EEA residents (GDPR):

Right of access (Art. 15): You may request a copy of the personal data we hold about you.
Right to rectification (Art. 16): You may correct inaccurate personal data by updating your profile directly on the profile page.
Right to erasure (Art. 17): You may delete your account and all associated personal data at any time from your profile page. Certain data may be retained where required by legal obligation (see Section 4).
Right to data portability (Art. 20): You may request an export of the personal data you provided to us in a structured, machine-readable format by contacting us at privacy@humanisart.com.
Right to object (Art. 21): You may object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to restrict processing (Art. 18): In certain circumstances, you may request that we limit how we use your data.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

8. Data Security

9. Changes to This Policy

10. Contact

For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us at:

HumanisArt, Inc. — Data Protection

United States

privacy@humanisart.com