Privacy Policy
Last updated: May 2026
This policy explains what personal data Variafy collects when you use the service, how we use it, who else sees it, and how to delete it. It is written in plain English on purpose — if a clause is unclear, email us and we will explain it.
Who we are
Variafy is a creative-production tool operated by an independent founder based in the EU. The contact for any privacy question, data-deletion request, or rights-of-the-data-subject request is bejandavid04@gmail.com. References to "we", "us", and "Variafy" throughout this policy mean that operator.
What we collect
Account data — your email address, the display name you chose at signup, and a hashed credential or OAuth identifier from Google (when you use Sign in with Google).
Usage data — every credit you spend, what model produced each output, which platform sizes you exported, and the prompts you submitted.
Content data — the banners you generated or imported, the asset files you uploaded (logos, reference images), the conversation history of each project.
Billing data — your Stripe customer ID, your current plan, your subscription status; Variafy never sees your actual card details (those live with Stripe).
How we use it
To operate the service you signed up for — generate banners, route edits, charge for the subscription you bought, restore items from your recycle bin, send you receipts and confirmation emails.
To meet legal obligations — keep billing records, respond to lawful requests for data.
We do not sell your data to third parties, we do not run advertising profiles, and we do not use your prompts or generated content to train any model.
Where it lives
All user data and assets live in Supabase's EU regions. Stripe processes payment data under their own EU-compliant infrastructure. OpenAI and Google process generation prompts under each provider's default API terms (no training on submitted content). Vercel hosts the application; the JavaScript bundles served to your browser come from Vercel's edge network, but no personal data is cached there.
Who else sees it
Supabase — our database, storage, and authentication provider.
Stripe — our payment processor for the subscription plans you purchased.
OpenAI and Google — the image and language model providers we send your prompts and reference images to when you trigger a generation, edit, or resize.
These are the only sub-processors. Each has its own privacy posture and data-processing agreement, which we accept on your behalf when we send them your data.
How long we keep it
Active account data: for as long as your account is open.
Generated and imported banners: until you delete them.
Deleted items: in the recycle bin for 3, 7, 15, or 30 days (your setting, default 7), then a daily cron permanently removes the database row and storage object.
Billing records: kept as long as required by tax law (typically 7 years in the EU) even if you close your account, because the law requires us to keep them.
Credit ledger: kept indefinitely for audit purposes.
Your rights under GDPR
You can request a copy of every piece of personal data we hold about you, ask us to correct anything that's wrong, ask us to delete your account and everything in it (subject to the billing-record exception above), restrict how we process your data, or object to specific processing. To exercise any of these rights, write to bejandavid04@gmail.com with a description of what you're asking for and proof that you control the email address on the account. We respond to valid requests within 30 days.
Per-user isolation
Variafy uses Row-Level Security on every user-owned table in the database. No user can technically read or write another user's rows, even with a leaked API key — the database itself enforces the boundary. Your generated banners, your prompts, your asset library, your credit balance: all scoped to your user ID at the database layer.
Cookies and tracking
Variafy sets a session cookie from Supabase Auth so you stay logged in across page loads. No third-party analytics cookies, no ad-tracking pixels, no Google Analytics. Stripe Checkout (which opens on a separate domain when you upgrade) sets its own cookies under Stripe's privacy policy.
Children
Variafy is not intended for users under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, write to bejandavid04@gmail.com and we will delete it.
Changes to this policy
When we materially change this policy, we will email every active account at the address on file at least 14 days before the change takes effect. You can read previous versions in the project's public repository on GitHub if you want to compare what changed.
For privacy or data-deletion requests, write to bejandavid04@gmail.com.
