Privacy Policy
Effective Date: March 2026
At PrintReady Flow, we care about your privacy. This policy explains what data we collect, how we use it, who we share it with, and your rights. We have written this in plain language so you can actually understand it.
PrintReady Flow is an AI-powered image editing platform for custom apparel printing. We help users analyze and prepare design files for various print methods including DTF, DTG, Screen Printing, Sublimation, and HTV.
1. What We Collect
Account Information: When you sign up, we collect your email address and create a hashed password (we never store your password in plain text). If you sign in using Google, GitHub, or GitLab OAuth, we receive basic profile information and authentication tokens from those providers. Account data is stored securely through Supabase.
Subscription Data: When you subscribe to a paid plan, we store your subscription tier, billing period, active status, credit balance, token limits, credit reset dates, and Stripe identifiers (stripe_customer_id, stripe_subscription_id, stripe_price_id). We also store cancellation timestamps if applicable.
Image and Design Files: When you upload files (PNG, JPG, SVG, WebP) for analysis or editing, they are processed temporarily and returned to your browser. Your files are sent to our AI providers (Anthropic Claude Vision API and Replicate) for processing. We do not permanently store your uploaded images on our servers. Client-side operations (crop, rotate, recolor, color knockout, texture cut) happen entirely in your browser and never leave your device.
Chat and Conversation Data: Messages you send through the AI chat are held in memory only (using a client-side Zustand store). Chat history is not persisted to any database and is cleared when you refresh the page.
Analytics Events: We collect lightweight, fire-and-forget analytics events such as file_uploaded, report_generated, fix_executed, file_downloaded, ai_chat_opened, and print_context_changed. These events are currently logged to the browser console only. We have prepared a PostHog integration for product analytics, but it is not active in production at this time. Vercel Analytics collects anonymous page view and performance data.
Payment Information: All payment processing is handled entirely by Stripe. PrintReady Flow never sees, receives, or stores your credit card number, CVV, or full billing details. We only store Stripe reference identifiers (customer ID, subscription ID, price ID) to manage your subscription status.
2. Cookies and Local Storage
We use the following cookies and local storage items:
- Supabase session cookies (httpOnly): Essential for keeping you logged in. These are strictly necessary and cannot be disabled without losing authentication.
- oneflow_free_usage (localStorage): Tracks your daily free credit usage so we can enforce the free tier limit. This data stays on your device.
- Theme preference (localStorage): Remembers your display theme setting. This data stays on your device.
We do not use advertising cookies, tracking pixels, or third-party marketing cookies. You can clear cookies and local storage in your browser settings, but doing so will log you out and reset your free usage counter.
3. How We Use Your Data
We use your data to:
- Provide the core service: AI-powered image analysis, editing, background removal, upscaling, and print readiness checking
- Manage your account, authentication, and subscription status
- Track and enforce credit usage across Free, Creator, and Pro tiers
- Improve the product by understanding usage patterns (via anonymous analytics)
- Send important updates about your account, subscription, or the service
- Provide customer support when you need help
- Detect and prevent abuse, fraud, and security threats
We do not sell your data to third parties. We do not use your data for advertising. We do not use your uploaded images or chat messages for AI model training.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases:
- Contract performance: Processing your account data, subscription data, and uploaded files is necessary to provide you the service you signed up for.
- Legitimate interests: Anonymous analytics to improve the product, security monitoring, and fraud prevention. We balance these interests against your privacy rights.
- Legal obligation: Where we need to process data to comply with applicable law (e.g., tax records related to subscriptions).
- Consent: Where required by law, such as for any future non-essential analytics or marketing communications. You may withdraw consent at any time.
5. AI Processing and Your Data
PrintReady Flow uses multiple AI services to provide its core features. Here is exactly how your data interacts with each:
In all cases, AI processing is transient. Your files and messages are sent for real-time analysis, results are returned to you, and the data is not permanently stored by these AI providers beyond their standard operational logging windows.
6. Third-Party Services
We use these trusted services to operate PrintReady Flow. Each has its own privacy policy governing its data handling:
- Supabase: Authentication (email/password and OAuth via Google, GitHub, GitLab), PostgreSQL database with Row Level Security (RLS). Stores your account and subscription data.
- Stripe: Payment processing and subscription management. Handles all payment card data directly. We never see your card details. Stripe is PCI-DSS Level 1 certified.
- Vercel: Website hosting, deployment, and anonymous performance analytics (page views, Web Vitals).
- Anthropic: AI-powered image analysis and chat via Claude API. Does not train on your data.
- Replicate: AI-powered background removal, upscaling, mockup generation, and image editing.
- PostHog (prepared, not active): Product analytics integration is prepared but currently operates in console-only mode during development. No data is sent to PostHog servers in production at this time.
7. Data Retention
- Account data: Retained for as long as your account is active. Deleted upon account deletion request.
- Subscription data: Retained for as long as your account is active, plus any period required for tax or legal compliance after cancellation.
- Uploaded images and files: Not permanently stored. Processed in transit and returned to your browser. Temporary processing data is discarded after the operation completes.
- Chat messages: Held in browser memory only. Cleared on page refresh. Never written to a database.
- Analytics events: Currently console-only (not persisted). If PostHog is activated in the future, retention will follow PostHog's data retention policies and this section will be updated.
- Stripe payment records: Retained by Stripe per their retention policies and applicable financial regulations.
8. Data Security
We take security seriously and implement the following measures:
- All data is encrypted in transit using HTTPS/TLS
- HTTP Strict Transport Security (HSTS), X-Frame-Options, and X-Content-Type-Options headers are enforced
- Supabase Row Level Security (RLS) ensures users can only access their own subscription data
- Rate limiting is enforced: 5 sign-in attempts per 15 minutes, 3 sign-up attempts per hour, and tier-based API rate limits
- PKCE (Proof Key for Code Exchange) flow is used for OAuth authentication
- No sensitive API keys are exposed to the client browser
- SSRF (Server-Side Request Forgery) protection on image URL processing
- Passwords are hashed and never stored in plain text
While we implement strong security measures, no system is 100% secure. If we ever experience a data breach that affects your personal information, we will notify you and any applicable regulatory authorities promptly, in accordance with applicable law.
9. Your Rights
Depending on your location, you may have some or all of the following rights regarding your personal data:
For All Users
- Access: Request a copy of what personal information we hold about you
- Deletion: Request that we delete your account and associated personal data
- Correction: Update or correct inaccurate information in your account
- Data portability: Receive your data in a structured, commonly used, and machine-readable format
Additional Rights Under GDPR (EEA/UK Users)
- Restriction of processing: Request that we limit how we use your data in certain circumstances
- Object to processing: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
- Lodge a complaint: File a complaint with your local data protection authority
Additional Rights Under CCPA (California Residents)
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you
- Right to delete: Request deletion of your personal information
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
- No sale of personal information: We do not sell your personal information to third parties, as defined under the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
To exercise any of these rights, email us at makko@printreadyflow.com. We will respond within 30 days (or sooner if required by applicable law). We may ask you to verify your identity before processing your request.
10. International Data Transfers
PrintReady Flow is operated from the United States. Our third-party service providers (Supabase, Vercel, Stripe, Anthropic, Replicate) may process data in the United States and other countries. If you are accessing the service from outside the United States, please be aware that your data may be transferred to, stored, and processed in a jurisdiction with different data protection laws than your own.
Where required by GDPR, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms provided by our third-party service providers to ensure adequate protection for international data transfers.
11. Children's Privacy
PrintReady Flow is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at makko@printreadyflow.com.
12. Do Not Track Signals
We do not currently respond to Do Not Track (DNT) browser signals because there is no industry-standard implementation. However, as described in this policy, we minimize data collection, do not use advertising trackers, and do not sell your personal information.
13. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email at the address associated with your account and update the effective date at the top of this page.
We encourage you to review this policy periodically. Your continued use of the service after changes are posted constitutes your acknowledgment of the updated policy.
14. Contact Us
If you have questions about this privacy policy, want to exercise your data rights, or have concerns about how we handle your data, reach out to us:
PrintReady Flow
We are a small team and we read every email. We will get back to you as quickly as we can.
This privacy policy is provided for informational purposes. Consult with a qualified attorney for legal advice specific to your situation.