Privacy Policy

iCraft ("we," "us," or "our"), operated through icraftnow.com, is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our AI image generation platform, including our website, applications, and API services (collectively, the "Services").

We are based in France and process data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the French Data Protection Act (Loi Informatique et Libertés), and other applicable European data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Information

• Email address — Required for account creation, login, and transactional communications.
• Full name — Required for account identification and billing.
• Company name (optional) — Provided voluntarily for business accounts and invoice generation.
• Password — Stored in hashed form; never stored in plaintext.

2.2 Google OAuth Data

If you sign in with Google, we receive from Google your name, email address, and profile picture URL. We do not receive or store your Google password. We use this data solely for account creation and authentication.

2.3 Payment Information

Payment processing is handled entirely by Stripe. We do not store your full credit card number, CVC, or bank account details. We receive from Stripe: the last four digits of your card, card brand, expiration date, billing address, and transaction history associated with your account.

2.4 Usage Data

• Generation prompts and parameters you submit to the AI.
• Generated images and associated metadata.
• Credit usage and generation history.
• API usage logs (endpoint, timestamp, response status).

2.5 Technical Data

• IP address (for security and abuse prevention).
• Browser type and version.
• Device type and operating system.
• Pages visited and referral source.

2.6 Social Media Account Data

When you connect a social media account (Instagram, Facebook, X/Twitter, LinkedIn, YouTube) to iCraft for content publishing, we collect and store:

• OAuth access tokens and refresh tokens — Encrypted with AES-256-GCM before storage. These tokens allow us to publish content on your behalf when you explicitly request it. We never post without your action.
• Account identifiers — Platform user ID, username, and display name, used to identify your connected account in our dashboard.
• Page/channel information — For platforms that support business pages or channels (Facebook Pages, LinkedIn Company Pages, YouTube Channels), we store the selected page or channel name and ID.
• Publishing history — Records of content published through iCraft, including the platform post ID, publication timestamp, and status (published, failed).

We request only the minimum permissions needed to publish content on your behalf. We do not read your private messages, access your follower lists, or collect analytics from your social accounts. You can disconnect any account at any time from your dashboard, which immediately revokes our access and deletes the stored tokens.

2.7 Data Deletion by Platform Request

Social media platforms (such as Meta/Facebook) may request deletion of your data through automated callbacks. When we receive such a request, we promptly delete all associated social connections, access tokens, and publishing history for the requesting platform. We provide a confirmation code for tracking the deletion status.

3. Legal Bases for Processing

Under the GDPR, we process your personal data on the following legal bases:

4. Cookies and Session Management

We use cookies and similar technologies as follows:

We do not use any third-party tracking cookies, advertising cookies, or analytics cookies that track you across websites. The only cookies we use are strictly necessary for the functioning of our Services.

5. Third-Party Data Processors

We share your data with the following third-party processors, each of whom is bound by data processing agreements:

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
• Generated images: Retained for the duration of your account or until you delete them. Permanently deleted within 30 days of account deletion.
• Payment records: Retained for 10 years as required by French tax and commercial law.
• API usage logs: Retained for 12 months for security and debugging purposes.
• Server access logs: Retained for 12 months for security purposes.
• Social media tokens: Retained for the duration of your connection. Immediately deleted when you disconnect an account or when the platform requests data deletion. Encrypted at rest with AES-256-GCM.

7. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR. You may exercise these rights at any time by contacting us at support@icraftnow.com:

We will respond to your request within 30 days. In exceptional circumstances, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons.

8. International Data Transfers

Your data is primarily processed and stored within the European Union. Our Supabase database instance is hosted in the EU region.

Some of our third-party processors (Stripe and Google) may transfer data outside the EU/EEA. Such transfers are protected by:

• EU-U.S. Data Privacy Framework (DPF) adequacy decisions where applicable.
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Additional supplementary measures as recommended by the European Data Protection Board.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Password hashing using industry-standard algorithms (bcrypt).
• Role-based access controls for internal systems.
• Regular security assessments and vulnerability monitoring.
• Supabase Row Level Security (RLS) policies to isolate user data.
• Automatic session expiration and secure token management.

While we take all reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately at support@icraftnow.com.

10. Children's Privacy

Our Services are not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@icraftnow.com and we will promptly delete such data.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify you by email or through a prominent notice on our platform at least 30 days before the changes take effect.
• Where required by law, obtain your renewed consent before applying changes.

12. Contact Information & Right to Complain

For any questions, requests, or concerns about this Privacy Policy or our data processing practices, please contact us:

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For users in France, the relevant authority is: