Privacy Policy

This Privacy Policy describes how Caranguejo.art ("Caranguejo", "we") collects, uses, stores and shares personal data from its users. The service is operated by an individual based in Brazil and complies with the Brazilian General Data Protection Law (LGPD — Law 13.709/2018) and, where applicable, the GDPR for users in the European Economic Area.

By creating an account, using the platform or interacting with our services you agree to this Policy. If you disagree with any part, please do not use the service.

We collect the following categories of personal data:

• Account data: email, password (stored as a cryptographic hash — never in plain text), display name or username, avatar, preferred language, time zone.

• Google OAuth data (when you choose to sign in with Google): unique identifier (sub), email, display name and profile picture. We do not receive your Google password.

• Creation content: text prompts, reference images/videos/audios you upload, generation parameters (model, aspect ratio, duration, seed), generated media, saved elements, Flow projects, posts published to the community.

• Payment data: processed entirely by Stripe. We do NOT store card number, CVV or full banking details. From Stripe we receive only: customer id, subscription/charge id, status, last 4 digits of the card (to display in /account), card expiration date and issuer country.

• Technical data: IP address, user agent (browser and OS), session cookies, usage events (which model ran, how long it took, success/failure), error and security logs.

• Communications: messages sent through the contact form, support tickets, replies we send.

We use the data strictly for the following purposes:

• Operate the platform — authenticate you, process generation requests, display your creations.

• Process payments and manage subscriptions via Stripe.

• Charge credit consumption per generation and show updated balance.

• Prevent abuse and fraud — multi-account detection, anomalous usage patterns, fraudulent chargebacks.

• Comply with legal obligations — invoicing, tax retention, court orders.

• Communicate important updates — terms changes, security alerts, payment receipts.

• Improve the platform — aggregated and anonymous usage analysis (which feature is most used, average latency, error rate per provider).

We do not sell, rent or trade your personal data with third parties for marketing purposes.

We process personal data under the following legal bases:

• Contract performance — to provide the service you signed up for (plans, credits, generation).

• Consent — to send marketing communications, publish content to the public gallery, use OAuth.

• Compliance with legal obligation — for tax retention and responding to authorities.

• Legitimate interest — to prevent fraud, abuse and protect infrastructure.

To deliver the service we share strictly necessary data with the following subprocessors:

Infrastructure and operations

• Stripe Inc. — payment processing, subscription management, receipt issuance. PCI-DSS Level 1 compliant.

• Google LLC — OAuth 2.0 authentication (when the user chooses this method).

• Wasabi Technologies — media storage in S3-compatible buckets, with time-limited pre-signed URLs.

• Amazon Web Services — Amazon SES — delivery of transactional emails (verification, password resets, receipts, notifications).

AI models (content generation)

Each generation you run is processed by the API of the provider that operates the selected model. When you select a model, your prompt + inputs (text, image, audio, video) are sent to that specific provider for processing. The transfer is unavoidable — there is no way to generate without sending the input to whoever runs the model. Your relationship with each provider is governed by that provider's own policies (linked below).

• OpenAI

• Google

• Anthropic

• ByteDance / Volcano Engine

• Black Forest Labs

• MiniMax

• Alibaba

• RunwayML

• Suno

• ElevenLabs

• Topaz Labs

• Recraft

• Stability AI

• Luma Labs

Subprocessors are selected for security, legal compliance and service quality. We update this list whenever we integrate new models.

We keep your data for as long as necessary for the purposes described. Specific retention periods:

• Active account: data kept while the account exists and has had activity in the last 90 days.

• Inactive account without subscription: accounts without an active subscription and no login for 90+ days may have generated media, elements and Flow projects deleted. We send an email notice 30 days in advance indicating the scheduled deletion date and how to reactivate the account (a simple login is enough).

• Content published to the community: your posts may remain visible after your account is deleted, unless you explicitly request removal.

• Security logs: 12 months.

• Admin audit logs: 24 months.

• Financial data (invoices, Stripe transactions): 5 years (Brazilian tax obligation).

• Backups: encrypted database backups are retained for up to 60 days for disaster recovery.

You may request early deletion of your account at any time via [email protected] or the /account dashboard. Financial data and security logs may be retained to comply with legal obligations even after account deletion.

You have the right, at any time and free of charge, to:

• Confirm whether we process your personal data and obtain access to it.

• Correct incomplete, inaccurate or outdated data.

• Request anonymization, blocking or deletion of unnecessary, excessive or non-compliant data.

• Data portability to another service provider — we provide a JSON file with your data.

• Deletion of data processed with your consent (except when there's legal basis to retain).

• Information about the public and private entities with whom we share data.

• Withdrawal of consent at any time.

To exercise any of these rights, send a request to [email protected] from the email of your account. We respond within 15 calendar days.

We use strictly necessary cookies:

• Authenticated session: signed token stored in an HTTP-only cookie to keep you logged in.

• Preferences: language, locale, theme (light/dark).

• Security: CSRF token to prevent request forgery.

We do not use advertising tracking cookies nor share your behavior with ad networks. You can block cookies in your browser settings — this may break authentication.

We share personal data with public authorities only when strictly necessary to:

• Comply with court order or request from a competent authority.

• Comply with a specific legal obligation (tax authorities, prosecutors, civil/federal police).

• Protect rights, property or safety of Caranguejo, its users or the public.

• Investigate, prevent or take action against illegal activity (especially CSAM, financial fraud).

When legally permissible, we notify the affected user before disclosure.

Several of our subprocessors (AI providers, Stripe, Wasabi) are based outside Brazil — mainly the United States, the European Union and Singapore. International data transfers occur under the following safeguards:

• Standard contractual clauses for data protection in agreements with each subprocessor.

• Verification of adequacy of the receiving country (LGPD art. 33–35).

• Encryption in transit (TLS 1.2+) and at rest.

We apply technical and organizational measures to protect your data:

• TLS 1.2+ encryption on all connections.

• Passwords stored with bcrypt/argon2 hashes — irrecoverable in plain text.

• Storage buckets with pre-signed URLs and short expiry.

• Audit logs of every administrative action in critical systems.

• Principle of least privilege — operators access only what they need for their role.

• Encrypted and periodically tested backups.

• Continuous monitoring of anomalies and intrusion attempts.

No system is 100% secure. In the event of a security incident that compromises personal data, we will notify those affected and the ANPD as required by LGPD art. 48.

The platform is not intended for users under 16. We do not knowingly collect data from children. If we identify that an account belongs to a minor under 16 without parental/guardian consent, the account will be suspended and the data deleted. If you are a guardian and believe a child created an account without your authorization, write to [email protected].

We may update this Policy periodically to reflect changes in the service, in the law or in our subprocessors. Material changes are notified at least 30 days in advance via email and an in-app banner. The date of the last update is shown at the top of this page. Continued use of the platform after changes implies agreement with the updated version.

Our Data Protection Officer (DPO) and official channel for any request related to personal data is:

• Email: [email protected]

• Support WhatsApp: +55 48 98822-6098

You may also contact the Brazilian Data Protection Authority (ANPD) if you believe your rights have not been respected.