
Privacy Policy

Last updated April 13, 2026

This Privacy Policy explains how 30ohm L.P. ("we", "us", "our") collects, uses, stores, and protects your personal data when you use Depicta (depicta.ai). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), Greek data protection law (Law 4624/2019), and other applicable privacy legislation.


1. Who We Are

30ohm L.P. is the data controller responsible for your personal data.

  • Company: 30ohm L.P., registered in Greece
  • GEMI number: 186689603000
  • Data protection contact: privacy@depicta.ai
  • General contact: hello@depicta.ai
  • Registration details: depicta.ai/about

2. What Data We Collect

2.1 Data You Provide

| Data | When Collected |
|---|---|
| Email address | Account registration |
| Name (if provided) | Account registration or OAuth sign-in |
| Password (hashed, never stored in plaintext) | Email/password registration |
| OAuth tokens | Google or GitHub sign-in |
| Prompts (text descriptions for image generation) | Each generation request |
| Uploaded images (for editing or processing) | When you upload images |
| Feedback submissions (voluntary "send as feedback") | When you explicitly share a prompt |
| Newsletter email (and name, if provided) | Newsletter signup form on website, or dashboard settings for registered users |

2.2 Data We Collect Automatically

| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, rate limiting |
| User agent and device information | Security, debugging |
| API call metadata (endpoint, timestamp, response status) | Audit logging, service monitoring |
| Generation metadata (operation type, model used, cost, API key used) | Billing, usage dashboards, service improvement |
| Classifier decisions (allow/deny and category) | Content safety auditing |
| Session data | Authentication, maintaining your login |
| Image hashes (SHA-256 fingerprint of each generated image) | Provenance verification, dispute resolution |

2.3 Data We Receive From Third Parties

| Source | Data | Purpose |
|---|---|---|
| Paddle (Merchant of Record; separate controller) | Transaction confirmations, transaction amounts, VAT collected, billing country | Recording completed purchases against your account; billing and tax records |
| Google / GitHub (OAuth providers) | Email, name, profile identifier | Account authentication |

2.4 Data We Do Not Collect

  • We do not permanently store your generated images. They are delivered via temporary URLs (1-hour expiry) and deleted after. However, we retain a cryptographic hash (a non-reversible fingerprint) of each image for provenance verification — see Sections 3 and 6 for details. The hash cannot be used to reconstruct the image.
  • We do not collect special category data (health, biometric, political opinions, etc.) intentionally. If you include such data in prompts, it is processed solely to generate the requested image and retained only in encrypted form per our retention schedule.

3. How and Why We Use Your Data

| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Provide the service — process your requests, generate images, deliver results | Account data, prompts, uploaded images, generation metadata | Contractual necessity (Art. 6(1)(b)) |
| Account management — registration, authentication, session management | Email, name, password hash, OAuth tokens | Contractual necessity (Art. 6(1)(b)) |
| Billing and payments — credit purchases, usage tracking, invoicing | Transaction data, billing country, credit balance | Contractual necessity (Art. 6(1)(b)) |
| Content moderation — screen prompts and uploads for prohibited content | Prompts, uploaded images, classifier decisions | Contractual necessity (Art. 6(1)(b)) — enforcing our Acceptable Use Policy; Legal obligation (Art. 6(1)(c)) — CSAM prevention and other mandatory content restrictions |
| Human content review (sampling) — verifying classifier effectiveness on a random subset of requests | Pseudonymized prompts, generated images, classifier decisions, uploaded images | Legitimate interest (Art. 6(1)(f)) — ensuring content moderation quality and platform safety |
| Prompt retention (12 months) — safety auditing, legal defense, law enforcement cooperation | Encrypted prompts, generation metadata, classifier decisions | Legitimate interest (Art. 6(1)(f)) — maintaining platform safety and defending against legal claims; Legal obligation (Art. 6(1)(c)) — cooperation with law enforcement |
| Security and fraud prevention — detecting abuse, unauthorized access, and anomalous usage | IP address, usage patterns, API call metadata, audit logs | Legitimate interest (Art. 6(1)(f)) — protecting our service and users |
| Automated bot protection — verifying that submissions to specific forms (signup, newsletter subscription, password reset) come from human visitors, not automated scripts | IP address, browser and device characteristics, interaction signals (such as mouse movement and timing), processed via Cloudflare Turnstile | Legitimate interest (Art. 6(1)(f)) — preventing automated abuse, spam, credential-stuffing attacks, and trial-credit farming |
| Tax and legal compliance — maintaining billing records for Greek tax law | Billing records, invoicing data | Legal obligation (Art. 6(1)(c)) — Greek tax law requires 5-year retention |
| Prompt analysis program (opt-in only) — anonymized analysis of prompts to improve service quality | Anonymized prompts | Consent (Art. 6(1)(a)) — separate, explicit consent via dashboard |
| Service improvement — understanding usage patterns, improving reliability | Aggregated, anonymized usage statistics | Legitimate interest (Art. 6(1)(f)) — improving the service |
| Image provenance — maintaining a registry of image fingerprints for verification and dispute resolution | SHA-256 image hash, timestamp, user ID (first 12 months) | Legitimate interest (Art. 6(1)(f)) — provenance verification, dispute resolution, fraud prevention. Supports EU AI Act Art. 50 compliance. |
| Website analytics — understanding how visitors use the website | Anonymous page views, referrers, browser type, country (no personal data, no cookies) | Legitimate interest (Art. 6(1)(f)) — improving the website. Self-hosted Umami, no third-party data sharing. |
| Transactional communications — email verification, password reset, account notifications | Email address | Contractual necessity (Art. 6(1)(b)) |
| Newsletter (opt-in) — product updates, new features, tips, and announcements | Email address, name (if provided) | Consent (Art. 6(1)(a)) — explicit opt-in via signup form or dashboard toggle. Also compliant with ePrivacy Directive Art. 13(1) / Greek Law 3471/2006 Art. 11. |
| Newsletter analytics — tracking open rates and link clicks to measure engagement and manage the mailing list | Email open events, link click events, linked to subscriber record | Consent (Art. 6(1)(a)) — covered by the same newsletter consent. Self-hosted, no third-party data sharing. |

Legitimate interest assessments: Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights. You may object to processing based on legitimate interest at any time (see Section 8).


4. Who We Share Your Data With

We share your personal data only with the following categories of recipients, and only to the extent necessary for the stated purpose:

4.1 Recipients of Personal Data

We share the minimum personal data necessary with the following recipients. Most are sub-processors that act on our instructions under a Data Processing Agreement. Paddle is a separate controller (a Merchant of Record), which means it independently determines the purposes and means of processing for the payment data it holds and has its own direct obligations to you under its own privacy notice.

For direct-purchase customers (Terms of Service, Section 5.3, "Direct purchase"), Paddle is not involved and the data flows differ; any specific arrangements are recorded in the separate purchase agreement.

| Recipient | Role under GDPR | Location | Purpose | Safeguards |
|---|---|---|---|---|
| OpenRouter, Inc. | Sub-processor | United States | AI model routing — receives your prompts and returns generated images. OpenRouter transmits prompts to upstream model providers (Google LLC, OpenAI Inc., Black Forest Labs GmbH). We use the data_collection: "deny" flag to prevent data retention by OpenRouter. | Standard Contractual Clauses (SCCs); Data Processing Agreement |
| Cloudflare, Inc. | Sub-processor | United States | Bot protection via Cloudflare Turnstile — verifies that specific forms (signup, newsletter subscription, password reset) are submitted by humans rather than automated scripts. Processes IP address, browser and device characteristics, and interaction signals to issue a short-lived human-verification token. Cloudflare does not retain personal data beyond what is necessary to issue and validate the token. | EU-US Data Privacy Framework (Commission Decision 2023/1795); Standard Contractual Clauses (SCCs) as fallback, via Cloudflare's Data Processing Addendum |
| Paddle.com Market Limited | Separate controller (Merchant of Record) | United Kingdom | For self-service purchases, Paddle is the seller of record: it collects payment from you, calculates and remits VAT, issues the receipt, and absorbs chargebacks. Paddle independently determines its own purposes for the payment data it holds (including fraud prevention, tax remittance, and regulatory reporting) and applies its own privacy notice. We share with Paddle only the minimum data needed to attribute the transaction to your Depicta account (such as account email and transaction reference). | UK adequacy decision; Paddle's own GDPR notice and Data Processing Agreement govern Paddle's processing |
| Scaleway S.A.S. | Sub-processor | France (EU) | Cloud infrastructure, data hosting, object storage, transactional email delivery | Data stays within the EU; Data Processing Agreement |

4.2 Other Disclosures

We may disclose your data:

  • To comply with legal obligations — when required by law, court order, or governmental request
  • To protect rights and safety — when necessary to enforce our Terms, prevent fraud, or protect the safety of our users or the public
  • In connection with a business transfer — if 30ohm L.P. is involved in a merger, acquisition, or asset sale, your data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.
  • In connection with service discontinuation — if we permanently discontinue Depicta, we will provide reasonable opportunity to export your personal data before shutdown. After shutdown, remaining data will be handled according to our standard retention schedule (Section 6), including deletion of personal data and retention of billing records as required by law.

We do not sell your personal data. We do not share your data with advertisers.


5. International Data Transfers

Your data is primarily processed and stored in the European Union (France, via Scaleway).

When your data is transferred outside the EU/EEA, we ensure adequate protection through:

  • OpenRouter (United States): Transfer is governed by Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), supplemented by a transfer impact assessment. We also require OpenRouter to apply the data_collection: "deny" setting, minimizing data retention on their end.
  • Cloudflare (United States): Cloudflare, Inc. is certified under the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), which the European Commission has found to provide an adequate level of protection for transfers of personal data to certified US organizations. As a fallback — to maintain continuity if the DPF is invalidated by future litigation — Cloudflare's Data Processing Addendum also incorporates Standard Contractual Clauses (SCCs) (Commission Decision 2021/914). The data transferred is limited to the technical signals needed for bot verification (IP address, browser characteristics, and interaction signals). We have conducted a transfer impact assessment for this processing.
  • Paddle (United Kingdom): The UK benefits from an EU adequacy decision (Commission Implementing Decision (EU) 2021/1772). No additional transfer mechanism is required.

Upstream AI model providers (Google, OpenAI, Black Forest Labs) receive prompts through OpenRouter. These transfers are covered by OpenRouter's Data Processing Agreement and their respective transfer safeguards.


6. How Long We Keep Your Data

| Data Category | Retention Period | After Expiry |
|---|---|---|
| Prompts | 12 months from generation | Permanently deleted |
| Generation metadata (model, cost, timestamp) | 12 months from generation | Permanently deleted |
| Classifier decisions (allow/deny, category) | 12 months | Permanently deleted |
| Human review samples (prompts, generated images, uploaded images, classifier decisions) | 7 days from sampling | Permanently deleted. If illegal content is identified, relevant data is retained until the matter is resolved with authorities. |
| Account data (email, name, preferences) | Until account deletion + 30-day grace period, or until inactive account closure (see Terms of Service, Section 13.3) | Permanently deleted |
| Billing and invoicing data | 5 years (Greek tax law) | Permanently deleted |
| Audit logs (API access, authentication events) | 12 months | Permanently deleted |
| Image hashes (SHA-256) | 12 months attributed to user; then automatically anonymized (user link removed). Hash + timestamp retained permanently in anonymized form. | User link removed — no longer personal data (see note below) |
| Prompt analysis data (opted-in users) | Anonymized at collection; retained indefinitely in anonymized form | N/A — not personal data once anonymized |
| Newsletter subscription data (non-registered subscribers) | Until unsubscription or deletion request | Permanently deleted |

When you delete your account:

  • Account data enters a 30-day grace period (you can reactivate), then is permanently deleted
  • Prompts are pseudonymized (your identity is removed) for the remainder of the 12-month retention window, then permanently deleted
  • Image hashes are immediately anonymized (user link removed). The anonymous hash + timestamp record is retained permanently for provenance verification — it is no longer personal data after anonymization (GDPR Recital 26).
  • Billing data is retained for 5 years regardless of account status (legal obligation)

When your account is closed due to inactivity (see Terms of Service, Section 13.3):

  • Account data is permanently deleted immediately — no grace period applies
  • Prompts, image hashes, and billing data are handled the same as voluntary account deletion (above)

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

| Right | What It Means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate personal data |
| Erasure (Art. 17) | Request deletion of your personal data, subject to legal retention obligations |
| Restriction (Art. 18) | Request that we limit how we process your data in certain circumstances |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | Withdraw consent for consent-based processing (prompt analysis program, newsletter) at any time, without affecting the lawfulness of prior processing |

How to exercise your rights:

  • Email privacy@depicta.ai with your request
  • We will respond within 30 days (extendable by up to 60 days for complex requests, with notification)
  • We may ask you to verify your identity before processing your request
  • Exercising your rights is free of charge unless requests are manifestly unfounded or excessive

Data you can export from your dashboard:

  • Account information
  • Usage history and generation metadata
  • Credit and transaction history

Note: Generated images are not included in data exports because we do not retain them beyond the 1-hour delivery window.


8. Prompt Analysis Program

If you opt in to the prompt analysis program (via your dashboard settings):

  • What happens: Your prompts may be analyzed in anonymized form to identify patterns that help us improve prompt templates, model routing, and service quality
  • Discount: You receive a 3% discount on per-image costs while opted in
  • Consent: This processing is based on your explicit consent (GDPR Art. 6(1)(a)), obtained separately from accepting the Terms of Service
  • Withdrawal: You can opt out at any time through your dashboard. The change takes effect on your next generation. Prior processing remains lawful.
  • Anonymization: Prompts used for analysis are stripped of identifying information before analysis. Once anonymized, they are no longer personal data under GDPR.

The prompt analysis program is entirely separate from the 12-month safety retention described in Section 6, which applies to all users regardless of opt-in status.

"Send as feedback" feature: You may also explicitly share individual prompts or comments with us through the CLI, skill file, or dashboard. Each submission is voluntary. Submitted feedback is used to improve service quality and is covered by this same consent framework.


9. Newsletter

You may subscribe to our newsletter to receive product updates, new features, tips, and announcements about Depicta. Subscribing is entirely optional and is not required to use the service.

9.1 How to Subscribe

  • Website visitors: Use the newsletter signup form on our website. You must provide your email address and give explicit consent by checking the subscription checkbox (not pre-ticked). We use a confirmation email (double opt-in) to verify your email address and your intent to subscribe.
  • Registered users: Toggle the newsletter preference on or off in your dashboard settings at any time.

9.2 What We Send

Our newsletter may include:

  • Product updates and new features
  • Tips for getting the most out of Depicta
  • New AI model availability
  • Company announcements

We do not include third-party advertisements in the newsletter. We do not use third-party email marketing services — the newsletter is sent through our own email infrastructure. We do not share subscriber email addresses with other companies for marketing purposes.

Analytics: We track newsletter open rates and link clicks using our own self-hosted analytics. This data is linked to your subscriber record to help us understand which content is useful and to manage our mailing list (e.g., identifying inactive subscribers). No data is shared with third parties. You can avoid open tracking by configuring your email client to block remote images.

9.3 How to Unsubscribe

You can unsubscribe at any time through any of these methods:

  • Click the unsubscribe link included in every newsletter email
  • Toggle off the newsletter in your dashboard settings (registered users)
  • Email hello@depicta.ai with subject line "Unsubscribe"

Unsubscription takes effect immediately. You will not receive further newsletters after unsubscribing. Transactional emails (password resets, account notifications, security alerts) are unaffected by your newsletter preference — those are sent under contractual necessity, not consent.

9.4 Legal Basis and Consent

Newsletter delivery is based on your explicit consent (GDPR Art. 6(1)(a)), in compliance with the ePrivacy Directive (Directive 2002/58/EC, Art. 13(1)) as transposed into Greek law (Law 3471/2006, Art. 11).

You may withdraw consent at any time using any of the methods in Section 9.3, without affecting the lawfulness of processing performed before withdrawal.

9.5 Non-Registered Subscribers

If you subscribe to the newsletter without creating a Depicta account, we collect and process only your email address (and name, if you choose to provide it) for the sole purpose of delivering the newsletter. This data is not used for any other purpose and is permanently deleted when you unsubscribe.


10. Automated Decision-Making

10.1 Content Classifier

Our automated content classifier screens all prompts and uploaded images before processing. The classifier decides whether to allow or deny each request. A denial prevents the generation from proceeding.

In addition, a small random sample of requests undergoes human review to verify the classifier's effectiveness. This review is conducted on pseudonymized data — the reviewer cannot see your identity unless prohibited content is identified and escalation is required. See our Terms of Service, Section 10.2, for details.

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. We rely on the following bases for our classifier:

  • Contractual necessity (Art. 22(2)(a)) — our Terms and Acceptable Use Policy require content screening as part of the service
  • Legal obligation (Art. 22(2)(b)) — certain content categories (e.g., CSAM) are illegal to produce, and we are legally required to prevent their generation

Your safeguards:

  • You can appeal any content moderation decision through the process described in our Acceptable Use Policy
  • Appeals are reviewed by a human
  • You are not charged for rejected requests

10.2 Low Balance Restrictions

When your credit balance falls below certain thresholds, available models and quality settings are automatically restricted. This is a direct consequence of the credit system described in our Terms of Service, not an automated decision about you as a person.


11. Cookies

We use essential cookies to operate the service (authentication, session management). We also use Cloudflare Turnstile for bot protection on specific forms — it may set cookies from challenges.cloudflare.com to verify that visitors are human. We do not use tracking or advertising cookies.

Website analytics: We use Umami, a privacy-focused analytics tool, self-hosted on our own servers in the EU. It collects anonymous, aggregated usage data (page views, referrers, browser type, country) to help us improve the website. No cookies are set, no personal data is collected, and no data is shared with third parties.

For complete details, see our Cookie Policy.


12. Children's Privacy

Depicta is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child under 16 has created an account, please contact us at privacy@depicta.ai.


13. Data Security

We implement technical and organizational measures to protect your data, including:

  • Encryption in transit — all data transmitted via TLS 1.3
  • Encryption at rest — prompts encrypted with AES-256-GCM
  • Password hashing — passwords are hashed using a strong, modern algorithm and never stored in plaintext
  • API key hashing — API keys are hashed and never stored in plaintext
  • Access control — principle of least privilege for all internal access
  • Audit logging — all access to personal data is logged
  • Isolated content classifier — runs in a separate container with no shared state
  • Regular security reviews — dependency scanning, configuration audits

No system is perfectly secure. If you discover a security vulnerability, please report it to security@depicta.ai.


14. Changes to This Policy

We may update this Privacy Policy from time to time.

Material changes — changes that introduce new categories of personal data collection, new data sharing with third parties, new processing purposes, reduced retention protections, or changes to your GDPR rights — will be communicated as follows:

  • We will notify you at least 30 days before the changes take effect
  • Notification will be sent to your registered email address and posted on the website
  • The updated policy will display the new "Last updated" date

Non-material changes — such as corrections of typographical errors, clarifications that do not alter the scope of data processing, formatting adjustments, or updates to contact information — take effect when posted on the website. We will update the "Last updated" date but are not required to notify you by email.

If you do not agree with the changes, you may close your account. Continued use of Depicta after the effective date constitutes acknowledgment of the updated policy.


15. How to Contact Us

For any questions or requests related to your privacy or personal data:

  • Data protection inquiries: privacy@depicta.ai
  • General inquiries: hello@depicta.ai
  • Company: 30ohm L.P.
  • Registration details: depicta.ai/about

We aim to respond to all privacy-related inquiries within 30 days.


16. Your Right to Complain

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with a supervisory authority.

Hellenic Data Protection Authority (HDPA)

  • Greek name: Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (ΑΠΔΠΧ)
  • Address: 1-3 Kifissias Ave., 115 23 Athens, Greece
  • Phone: +30 210 6475600
  • Email: contact@dpa.gr
  • Website: www.dpa.gr

If you reside in another EU Member State, you may also contact the data protection authority in your country of residence.


© 2026 30ohm L.P.
