Privacy Policy

Effective date: June 8, 2026

This Privacy Policy explains how SpriteCook ("we", "us", "our") collects and uses information when you use the Service at spritecook.ai. We operate from the European Union and aim to handle personal data in line with the GDPR.

1. Information We Collect

  • Personal Data: identifiers and contact details you provide (e.g., name, email). You can start signing up or signing in from our marketing site or the app. If you sign in with a third party (Google, GitHub, or Discord), we receive your basic profile information from them. If you use an email sign-in link, we process your email address to send and verify that link.
  • Usage and Device Data: IP address, device and browser type, operating system, time zone, and interaction data (pages viewed, features used). We collect this to operate, secure, and improve the Service.
  • Content Data: the prompts you write and the reference images or other files you upload to generate outputs. This includes a prompt or image you add from the SpriteCook homepage before you sign in. Image uploads support common formats such as PNG, JPEG, WebP, GIF, and AVIF.
  • API Request Data: when you access our public API or AI agent integrations, we log the endpoint called, request timestamp, HTTP status code, response time, IP address, and API key identifier. We do not log request or response bodies.

When you enter a prompt or upload an image on our homepage before signing in, we hold it temporarily against your browser session so we can carry it into your account if you sign up. Images you upload are stored as private assets in your SpriteCook account and stay visible only to you unless you press the share button to make an asset public. If you do not sign up, the prompt and any uploaded image are not linked to an account and are removed in the normal course of clearing temporary session data.

2. How We Use Information

  • Provide, maintain, and improve the Service and its safety.
  • Process prompts and assets to generate outputs using third‑party AI model APIs (OpenAI, Google Gemini, xAI).
  • Authenticate users, manage accounts, usage limits, and credits.
  • Enforce rate limits, detect abuse, and monitor API usage patterns for service reliability.
  • Communicate about updates, security notices, and support.
  • Comply with legal obligations and enforce our Terms.
  • Use aggregated and de‑identified data for analytics and product improvement.

3. Legal Bases (GDPR)

We process personal data based on: performance of a contract (providing the Service), legitimate interests (security, product improvement, fraud prevention), legal obligations, and, where applicable, your consent (e.g., certain analytics or marketing communications).

4. Sharing and Transfers

  • Service Providers and Sub‑processors: cloud hosting, logging, error monitoring, bot and abuse prevention (e.g., Cloudflare Turnstile), and model API providers.
  • AI Model Providers: prompts and content may be sent to OpenAI, Google (Gemini), and xAI to generate outputs; their terms and policies apply.
  • Legal and Safety: we may disclose data to comply with law or protect rights, safety, and security.

Where data is transferred outside the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses, as applicable.

5. Data Retention

We retain personal data only as long as necessary for the purposes above, including to meet legal, accounting, or reporting requirements. API request logs are retained for up to 90 days for operational and security purposes. We may retain aggregated or de‑identified data for longer.

6. Your Rights (EEA/UK)

  • Access, rectification, erasure, restriction, portability, and objection, subject to conditions.
  • Where we rely on consent, you can withdraw it at any time without affecting prior processing.
  • You may lodge a complaint with your local supervisory authority.

7. Security

We implement reasonable technical and organizational measures to protect personal data. However, no method of transmission or storage is completely secure.

8. Children

The Service is not directed to children under 13 (or applicable local minimum age). We do not knowingly collect personal data from children.

9. Changes

We may update this Privacy Policy from time to time. Material changes will be indicated by updating the effective date and, where appropriate, providing notice within the Service.

10. Contact

For privacy inquiries or to exercise your rights, contact privacy@spritecook.ai.