Privacy Policy

Effective date: June 1, 2025  ·  Last updated: June 1, 2025

This policy explains what personal data we collect, why we collect it, and your rights as a data subject under the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.

Contents

  1. Who We Are (Controller)
  2. What Data We Collect
  3. Legal Basis for Processing
  4. How We Use Your Data
  5. Third-Party Processors
  6. Data Retention
  7. Your Rights (GDPR)
  8. Cookies
  9. International Transfers
  10. Security
  11. Children
  12. Changes to this Policy
  13. Contact & Complaints

1. Who We Are (Data Controller)

iframeALL operates the website and service at iframeall.com. For the purposes of the GDPR, iframeALL is the data controller responsible for your personal data.

Contact: info@iframeall.com

2. What Data We Collect

| Category | Data collected | Source |
| --- | --- | --- |
| Account data | Email address, username, hashed password, Google account ID (if Google sign-in used) | You, directly or via Google OAuth |
| Billing data | Subscription tier, Stripe customer ID. Full card details are never stored by us. | Stripe (payment processor) |
| Usage data | Projects, menus, presets, exports created by you; AI credit usage; timestamps | Your use of the Service |
| Technical data | IP address (used for rate limiting only, not stored long-term), browser type via standard HTTP headers | Automatically, when you use the Service |
| Communication data | Content of emails you send us (e.g., support requests, cancellation reasons) | You, directly |

We do not collect sensitive personal data (special categories under Art. 9 GDPR) and we do not knowingly collect data from children under 16.

3. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR): Processing your account data, usage data, and billing data is necessary to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f) GDPR): Security measures, fraud prevention, rate limiting, and service improvement — balanced against your privacy rights.
  • Legal obligation (Art. 6(1)(c) GDPR): Retaining billing records as required by tax law.
  • Consent (Art. 6(1)(a) GDPR): Where we rely on consent (e.g., optional marketing), you can withdraw it at any time without affecting the lawfulness of prior processing.

4. How We Use Your Data

  • To create and manage your account
  • To provide, operate, and improve the Service
  • To process payments and manage your subscription
  • To send transactional emails (password resets, billing receipts)
  • To enforce our Terms of Service and prevent abuse
  • To respond to your support requests
  • To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for automated profiling that produces legal or similarly significant effects.

5. Third-Party Processors

We share data with the following processors, who process it on our behalf under data processing agreements:

| Processor | Purpose | Data shared | Privacy policy |
| --- | --- | --- | --- |
| Stripe, Inc. | Payment processing | Email, billing info | stripe.com/privacy |
| Google LLC | OAuth sign-in, Drive integration | Email, Google account ID, Drive file metadata (if used) | policies.google.com/privacy |
| Anthropic, PBC | AI content generation | Prompts you submit to the AI builder | anthropic.com/privacy |
| Render Services, Inc. | Cloud hosting (infrastructure) | All data stored in our database | render.com/privacy |

We do not authorize these processors to use your data for their own independent purposes beyond what is necessary to provide their services to us.

6. Data Retention

  • Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
  • Billing records: Retained for 10 years as required by applicable tax law (Czech Republic).
  • Published exports: Deleted within 30 days of account deletion or on-demand.
  • Server logs / IP addresses: Not stored beyond 24 hours; used only for real-time rate limiting.

7. Your Rights (GDPR)

As a data subject in the EU/EEA, you have the following rights:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Right to Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Right not to be Profiled: We do not use automated decision-making or profiling with legal effects.

To exercise any of these rights, email us at info@iframeall.com. We will respond within 30 days. You can also delete your account directly from your account settings, which triggers erasure of your data.

If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority. In the Czech Republic, this is the Office for Personal Data Protection (ÚOOÚ) at uoou.cz.

8. Cookies & Local Storage

iframeALL does not use tracking cookies or advertising cookies.

We use browser localStorage (not cookies) to store your authentication token and editor state locally on your device. This data never leaves your device except when sent to our API for authentication.

Session management is handled via a JWT token stored in your browser's localStorage. This token is not accessible by third-party scripts.

9. International Data Transfers

Our infrastructure is hosted by Render Services, Inc. (United States). Payments are processed by Stripe, Inc. (United States). AI generation is processed by Anthropic, PBC (United States).

Where we transfer personal data outside the European Economic Area (EEA), we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable

You may request information about the specific safeguards in place by contacting us at info@iframeall.com.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • All passwords are hashed using bcrypt — we never store plain-text passwords
  • All connections are encrypted via HTTPS/TLS
  • Authentication tokens are cryptographically signed JWTs with expiration
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Security headers (Content Security Policy, HSTS, X-Frame-Options) on all responses
  • API keys and secrets are stored in environment variables, never in source code

No method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours as required by Art. 33–34 GDPR.

11. Children

The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at info@iframeall.com and we will delete it promptly.

12. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect and by updating the "Last updated" date at the top of this page.

Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

13. Contact & Complaints

For any privacy-related questions, requests, or complaints, please contact our data protection contact:

  • Email: info@iframeall.com
  • Response time: within 30 days

If you are not satisfied with our response, you may lodge a complaint with the supervisory authority in your country. In the Czech Republic:

  • Úřad pro ochranu osobních údajů (ÚOOÚ)
  • Website: www.uoou.cz
  • Email: posta@uoou.cz