Privacy Policy
Last updated: 2026-05-01
1. Data we collect
- Account: email address, password (stored as a salted hash via werkzeug.security, never plaintext), optional TOTP secret.
- Usage: prompts, generation parameters, generated outputs, job timestamps, audit events for login / signup / verification / billing.
- Technical: IP address of login attempts and audit events, browser-reported timing for performance debugging.
- Crypto payments: derived deposit addresses (public on-chain), invoice records, transaction hashes.
We do not collect government identity documents, payment-card data, or third-party social-network identities.
2. How we use it
- Operate the Service: authenticate users, run generations, deliver outputs.
- Prevent abuse: rate-limiting, fraud detection, debugging.
- Comply with law: respond to lawful legal requests, retain audit logs for a reasonable investigation window.
3. Sharing with third parties
- AI provider (currently Civitai): we send your prompts and parameters to the provider that fulfills the generation. The provider may have its own retention policy.
- Email delivery (Resend): verification emails are sent through Resend; only your email address and the verification link are shared.
- Hosting infrastructure: standard cloud provider for the server. No additional analytics, no tracking, no ad-tech.
We do not sell user data. We do not run third-party trackers.
4. Retention
- Generated outputs: pruned automatically 90 days after creation.
- Audit events and login attempts: kept indefinitely for security and debugging; may be removed on account-closure request.
- Account record: kept while the account exists.
5. Your rights
You can request:
- Export of the data tied to your account.
- Deletion of your account and associated data (audit and security logs may be retained for a limited period as required by law or to prevent abuse).
Send requests to owner@rendermix.app from the email associated with your account.
6. Security
Passwords are hashed with Werkzeug's scrypt-based generate_password_hash. Sessions use Secure / HttpOnly / SameSite=Strict cookies. The application is served over TLS with HTTP/2.
7. Children
The Service is not intended for users under 18. We do not knowingly collect data from minors.
8. Changes
Material changes to this policy will be posted on the dashboard. Continued use after notice constitutes acceptance.