Privacy Policy
Last updated: 5/16/2026
1. Who we are
This Privacy Policy explains how Stancescu Marius, an individual sole trader trading as "Captioncraft" ("Captioncraft", "we"), collects and processes personal data when you use the Captioncraft service. Stancescu Marius acts as the data controller for personal data described here. For payment-related processing, our reseller Paddle.com acts as a separate controller — see "Sharing" below.
2. Data we collect
- Account data: email address, password hash, or Google sign-in profile (name, email, avatar) if you use Google.
- Usage data: the post topics/prompts you submit, generated outputs, and daily generation counts.
- Technical data: IP address, browser/device identifiers, basic log data, error reports.
- Support data: messages you send us.
- Payment metadata: subscription status, plan, and a customer identifier returned by Paddle. We do not see or store full card details.
3. How and why we use your data
- Provide the service (account creation, generating captions, enforcing free-tier limits) — legal basis: performance of a contract.
- Security and fraud prevention (rate limits, abuse detection, logs) — legal basis: legitimate interests.
- Service improvement and analytics (aggregate usage patterns, error monitoring) — legal basis: legitimate interests.
- Customer support — legal basis: legitimate interests / contract.
- Legal compliance (record-keeping, responding to lawful requests) — legal basis: legal obligation.
- Marketing emails, only with your consent and only where required by law — legal basis: consent.
4. Sharing
We share personal data only with the following categories of recipients:
- Lovable Cloud — hosting, database, and authentication infrastructure.
- Lovable AI Gateway (which routes to Google Gemini and OpenAI models) — the prompts you submit are sent to these AI providers to generate the requested captions and hashtags.
- Paddle.com Market Limited — our payment processor and Merchant of Record. Paddle handles checkout, billing, payment methods, subscription management, tax compliance, invoicing, and refunds, and acts as an independent controller for that data. See Paddle's privacy policy.
- Professional advisers (legal, accounting) where reasonably necessary.
- Authorities where required by law or to protect rights, property, or safety.
We do not sell your personal data and do not use it for cross-context behavioural advertising.
5. International transfers
The providers above may process data outside your country, including in the United States. Where data leaves the UK/EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms.
6. Retention
We keep account data for as long as your account is active. Submitted prompts and generated outputs are retained for up to 90 days for service operation and abuse prevention, then deleted or anonymised. Billing records held by us are kept for the period required by applicable tax/accounting law (typically 6–10 years). On account deletion, we remove or anonymise data that is no longer needed.
7. Security
We apply appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS/TLS), encryption at rest for the database, scoped access controls, row-level security on user data, hashed passwords, and audit logging. No system is perfectly secure; we will notify affected users and authorities of qualifying breaches as required by law.
8. Your rights
Depending on where you live, you may have the right to access, correct, delete, restrict, or port your personal data, and to object to processing or withdraw consent. UK/EEA users have these rights under UK GDPR / EU GDPR and may complain to their local supervisory authority. We will respond to verified requests within one month. To exercise these rights, contact us using the details below. You can also delete your account at any time from your account settings; on deletion, your account and associated usage logs are permanently removed (subject to the retention requirements above).
9. Cookies
We use strictly necessary cookies and local storage for authentication and to keep you signed in. We do not currently use third-party advertising cookies. If we add analytics or marketing cookies in the future, we will request consent first where required.
10. Children
The Service is not directed to children under 13 (or 16 in the EEA where applicable).
11. Changes
We may update this Policy. Material changes will be communicated by email or in-app notice.
12. Contact
To exercise your rights or ask any privacy question, contact Captioncraft via the contact details on our homepage.