Privacy Notice
Last updated: 14 May 2026
This Privacy Notice explains how Alkistis Triantafyllopoulou, an individual sole trader based in Greece ("we", "us", "our"), collects, uses, and protects personal data when you use AStudio (the "Service"). For the personal data described below, we act as the data controller.
1. What we collect & why
We collect the following categories of personal data:
- Account data — name, email address, password hash, authentication provider (e.g. Google) — to create and secure your account. Legal basis: performance of contract.
- User content — drawings, images, prompts and other Inputs you submit, plus generated Outputs and saved precedents — to provide the Service. Legal basis: performance of contract.
- Usage & telemetry — pages visited, features used, render counts, error events, approximate device and browser information, IP address — for security, abuse prevention, and improving the Service. Legal basis: legitimate interests.
- Support communications — messages you send us and our replies — to respond and keep a record. Legal basis: legitimate interests.
- Order metadata — subscription status, plan, and a customer identifier returned to us by our payment provider — required to grant access to the paid plan. Legal basis: contract. We do not receive or store your full card details; they are collected and processed by Paddle.
2. Who we share data with
- Paddle — our Merchant of Record, who processes payments, manages subscriptions, calculates and remits sales tax, and issues invoices. See Paddle's privacy notice.
- Cloud infrastructure & database providers — to host the Service and store account data and content.
- AI model providers — to generate critiques and visual references from your Inputs. Inputs are sent on a per-render basis and are not used by these providers to train their models where their terms allow us to opt out.
- Email & analytics providers — to send transactional emails and understand aggregate usage.
- Professional advisers — accountants and legal advisers, where necessary.
- Authorities — where required by law, court order, or to protect rights and safety.
3. International transfers
Some of our service providers are located outside the European Economic Area (EEA) and the UK. Where personal data is transferred outside the EEA/UK, we rely on an adequacy decision of the European Commission, the EU Standard Contractual Clauses (and, where relevant, the UK International Data Transfer Addendum), or another lawful transfer mechanism, together with appropriate technical and organisational safeguards.
4. How long we keep data
- Account data: while your account is active, plus up to 24 months after closure.
- User content: while your account is active; deleted within 30 days of account closure unless you request earlier deletion.
- Order metadata and invoices: up to 10 years, as required by Greek tax law.
- Logs and telemetry: typically up to 12 months.
- Support communications: up to 24 months after the case is closed.
We delete or anonymise personal data when it is no longer needed for the purposes above, unless we are required to keep it by law.
5. Your rights (GDPR)
Under the EU and UK GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten") in certain circumstances;
- Restrict or object to certain processing, including processing based on legitimate interests;
- Receive your data in a portable format;
- Withdraw consent at any time, where processing is based on consent;
- Lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr) or the supervisory authority in your country of residence.
We aim to respond to rights requests within one month. Please reach out via our contact page.
6. Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), encryption at rest, access controls, the principle of least privilege for staff access, audit logging, and regular review of our providers' security posture. No system can be guaranteed 100% secure; please use a strong, unique password and notify us immediately if you suspect unauthorised access.
7. Cookies
We use a small number of cookies and similar technologies:
- Essential cookies — to keep you signed in and remember your preferences. These cannot be disabled.
- Analytics cookies — to understand aggregate usage and improve the Service. You can disable these in your browser settings.
We do not use cookies for cross-site advertising. Paddle may set its own cookies during checkout; see Paddle's privacy notice for details.
8. Children
AStudio is not directed at children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. Changes
We may update this Privacy Notice from time to time. Material changes will be notified by email or in-product notice.
10. Contact
Controller: Alkistis Triantafyllopoulou, Greece. Reach us via the contact page.