Last updated: February 25, 2026
This Privacy Policy describes how Univers Studio ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website at univers.studio and related services (the "Service"), in compliance with:
- Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
- French Law no. 78-17 of January 6, 1978 — Loi Informatique et Libertés, as amended
- Directive 2002/58/EC — ePrivacy Directive, as transposed into French law
1. Data Controller
The data controller responsible for processing your personal data is:
Univers Studio
Email: hello@univers.studio
For full publisher details, see our Legal Notice.
2. Images You Upload
We do NOT store your uploaded images. Images are processed in server memory (RAM) and discarded immediately after generation. We never save, share, train on, or use your images for any purpose other than generating your requested output.
No backup, copy, or log of your uploaded images is retained on our servers or by any third party.
3. Personal Data We Collect
3.1 Registered users (with account)
| Data | Legal basis (GDPR Art. 6) | Purpose | Retention |
|---|---|---|---|
| Email address | Contract performance (Art. 6.1.b) | Authentication, billing, support | Until account deletion |
| Password (hashed with bcrypt) | Contract performance (Art. 6.1.b) | Authentication | Until account deletion |
| Display name (optional) | Consent (Art. 6.1.a) | Personalization | Until account deletion |
| Usage data (credits, tools used) | Contract performance (Art. 6.1.b) | Credit tracking, billing | Until account deletion |
| IP address | Legitimate interest (Art. 6.1.f) | Rate limiting, abuse prevention, security | Server logs: 30 days |
| Payment information | Contract performance (Art. 6.1.b) | Billing via Stripe | Handled entirely by Stripe |
3.2 Free users (no account)
If you use the free tier without creating an account, we collect:
- IP address — to enforce the 3-credit monthly limit and prevent abuse (legal basis: legitimate interest, Art. 6.1.f)
- Browser fingerprint (hashed) — to identify returning visitors without cookies (legal basis: legitimate interest, Art. 6.1.f)
This data is retained for 30 days in server logs, then automatically deleted.
3.3 Data we do NOT collect
- We do not track your browsing behavior across pages
- We do not use third-party analytics (no Google Analytics, no Meta Pixel)
- We do not use advertising trackers or retargeting pixels
- We do not build user profiles for marketing purposes
- We do not sell, rent, or share your personal data with third parties for their own purposes
4. Payment Processing
All payments are processed by Stripe, Inc. We never see, store, or handle your credit card number or bank details. Stripe processes your payment data as an independent data controller under their own Privacy Policy.
We receive from Stripe only: your email, subscription status, plan type, and payment dates. No card numbers or banking details are transmitted to us.
5. Cookies & Local Storage
We use only strictly necessary technical storage:
| Storage item | Type | Purpose | Duration |
|---|---|---|---|
| Authentication token | localStorage | Keep you logged in | Until logout or token expiry |
| Free credit counter | localStorage | Track remaining free credits | Until end of month (reset) |
| Language preference | localStorage | Remember your language choice | Persistent |
We do not use advertising cookies, tracking cookies, or third-party analytics cookies. No cookie consent banner is required as we only use strictly necessary technical storage, exempt under Article 5(3) of the ePrivacy Directive.
6. Third-Party Services (Sub-processors)
| Service | Role | Data shared | Location | Privacy policy |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Email, payment info | United States | Link |
| Fly.io, Inc. | API hosting | API requests, IP addresses | United States / EU | Link |
| Vercel, Inc. | Website hosting | HTTP requests, IP addresses | United States | Link |
| Google Fonts | Typography | IP address (font loading) | United States | Link |
7. International Data Transfers
Some of our sub-processors are located in the United States. These transfers are carried out in compliance with GDPR Chapter V using the following safeguards:
- Stripe — EU-U.S. Data Privacy Framework (DPF) certified
- Vercel — Standard Contractual Clauses (SCCs) as per Commission Decision 2021/914
- Fly.io — Data can be pinned to EU regions; Standard Contractual Clauses (SCCs)
- Google Fonts — EU-U.S. Data Privacy Framework (DPF) certified
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit — all traffic is encrypted via HTTPS/TLS 1.3
- Password hashing — bcrypt with salt (never stored in plain text)
- Token authentication — JWT tokens with automatic expiration
- Rate limiting — protects against brute-force and DDoS attacks
- No image storage — uploaded images are processed in RAM only
- Access control — administrative access restricted and logged
9. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), you have the following rights under GDPR Articles 15–22:
| Right | GDPR Article | Description |
|---|---|---|
| Access | Art. 15 | Request a copy of all personal data we hold about you |
| Rectification | Art. 16 | Correct inaccurate or incomplete personal data |
| Erasure | Art. 17 | Request deletion of your account and all associated personal data |
| Restriction | Art. 18 | Request that we limit the processing of your data |
| Portability | Art. 20 | Receive your personal data in a structured, machine-readable format (JSON) |
| Objection | Art. 21 | Object to processing based on legitimate interest |
| Withdraw consent | Art. 7.3 | Withdraw consent at any time (where processing is based on consent) |
To exercise any of these rights, email us at hello@univers.studio. We will respond within 30 days as required by GDPR Article 12.3. No fee is charged for reasonable requests.
10. Right to Lodge a Complaint
If you believe your data protection rights have not been respected, you have the right to lodge a complaint with a supervisory authority. For France:
CNIL — Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Website: cnil.fr
You may also lodge a complaint with the supervisory authority of your country of residence.
11. Data Protection Officer
Given the nature and scale of our data processing activities, the appointment of a Data Protection Officer (DPO) is not mandatory under GDPR Article 37. However, for any data protection inquiry, you may contact us directly at hello@univers.studio.
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you (GDPR Article 22). Credit usage and rate limiting are applied uniformly to all users based on their plan.
13. Children
The Service is not directed at children under 16 (or under 13 in countries where a lower age of consent applies). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
14. Data Breach Notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:
- Notify the CNIL within 72 hours of becoming aware of the breach (GDPR Article 33)
- Notify affected users without undue delay if the breach is likely to result in a high risk (GDPR Article 34)
15. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Material changes will be communicated via email to registered users at least 14 days before taking effect.
16. Contact
For any privacy-related questions, data access requests, or complaints:
Email: hello@univers.studio