Privacy Policy
Last updated: 14 May 2026
1. Information We Collect
We collect information you provide directly: account details (email, name), artwork data, artwork images and videos, related media metadata, and contact information you enter into the platform.
When you sign in with Google OAuth, Google shares your email address and basic profile information (name and profile picture) with us. We use this solely to create and authenticate your account.
2. How We Use Your Information
Your data is used to provide the Artwork Codex service: storing and displaying your artworks, generating PDFs, and enabling features you use. We do not sell your personal information.
3. Third-Party Services
We use the following sub-processors to provide the service:
- Supabase — Database, authentication, and file storage
- Cloudinary — Image storage, delivery, and optimization (images are automatically resized and format-converted for performance)
- Stripe — Payment processing and subscription management for web subscriptions
- Apple App Store — In-App Purchase processing for iOS subscriptions. Apple receives your Apple ID and purchase information per their privacy policy (apple.com/legal/privacy).
- RevenueCat — Subscription receipt validation and entitlement state for the iOS app. RevenueCat receives your account identifier (Supabase user ID), purchase events, and basic device metadata (iOS version, country code, store identifier). See revenuecat.com/privacy.
- Resend — Transactional email delivery (signup confirmations, password resets). Your email address is shared with Resend for delivery purposes only.
- Google — OAuth authentication (if you choose to sign in with Google)
- Apple (Sign in with Apple) — OAuth authentication (if you choose to sign in with Apple). You may opt to share a private relay email instead of your real Apple ID email; in that case, we never see your real email address.
- Meta / Instagram — Optional Instagram import. If you connect an Instagram Creator or Business account, Meta shares your Instagram account ID, username, selected media metadata, captions, and temporary media URLs so we can copy selected posts into your private Artwork Codex archive. We store imported images in Cloudinary and captions in your artwork notes.
3a. Instagram Import
Instagram import is optional. When you connect Instagram, we store an encrypted access token so you can review and import your eligible image and carousel posts. We do not scrape Instagram, we do not post to your account, and we do not request messaging, publishing, comments, or insights permissions for the import feature.
If you disconnect Instagram or Meta sends us a deauthorization or data deletion request, we remove the stored Instagram connection token. Artwork records and images you already chose to import remain in your Artwork Codex account unless you delete them or request full account deletion.
3b. iOS App — Permissions and Data
The Artwork Codex iOS app requests these device permissions, each only when you take an action that requires them:
- Camera — to photograph artworks for your inventory.
- Photo Library (read) — to import existing photos of artworks or videos of artworks from your library.
- Photo Library (add) — to save generated PDFs and selected artwork media to your library when you choose to share them.
- Contacts — only when you explicitly initiate a contact import. We never read your contacts in the background.
When you add artwork media in the iOS app, we process only the images, videos, and media metadata you select or create, such as file type, file size, upload status, and display order. This information is used to store, sync, display, and manage your artwork archive across Artwork Codex.
The iOS app does not collect device identifiers (IDFA, device fingerprints) for tracking purposes. We do not include third-party analytics, advertising, or attribution SDKs in the iOS build. Crash and diagnostic information is collected only via Apple's standard App Store Connect tooling, which is governed by Apple's privacy policy.
Anonymous accounts (created via the “Get Started” button on the iOS sign-in screen) do not collect any personal information. If you later upgrade an anonymous account to a real account via Sign in with Apple, Google, or email, we collect only the email address provided by your chosen sign-in method.
4. Cookies
We use essential cookies for authentication. We do not use tracking or advertising cookies.
If you arrive via a referral link, we set a temporary HttpOnly cookie containing the referral code. This cookie expires after 30 days and is used solely to credit the referring user when you subscribe. It cannot be read by third-party scripts.
5. Public Content
Portfolios and viewing rooms you create may be publicly accessible via their unique URLs. Artwork titles, images, videos, media metadata, dimensions, and other details you include in these features are visible to anyone with the link. You control which artworks are included and can remove them at any time.
6. Media Processing
Images and videos you upload are stored and processed by our media storage and delivery providers. Images may be resized, reformatted, and optimized for display. Videos may be processed for playback in the app and on the web. Original-resolution media is preserved where the feature and your plan support it.
7. Referral Program
When you participate in the referral program, we store your unique referral code on your profile and track referral relationships (referrer and referred user IDs, referral status, and conversion date). When a referred user makes their first payment, a credit is applied to the referrer's Stripe account balance.
8. Data Retention & Account Freezing
If your paid subscription is cancelled, your account enters a frozen read-only state. All your data (artworks, images, videos, media metadata, contacts, sales) is preserved — nothing is deleted. You can continue to view and export your data. If you resubscribe, full access is restored immediately.
If you request account deletion, we will permanently remove all your data, including media stored with our storage and delivery providers, within 30 days.
9. Your Rights
You may export your data at any time using the export feature in Settings. You may request deletion of your account and all associated data by contacting us.
Under GDPR and CCPA, you have the right to access, correct, or delete your personal data. You may also request a portable copy of your data.
9a. Data Deletion Requests
To request deletion of your account and all associated data, email hello@artworkcodex.com with the subject "Data Deletion Request" and include the email address associated with your account. We will process your request within 30 days and confirm deletion by email. This includes all artwork records, images, videos, media metadata, contacts, sales data, and profile information.
10. Security
We use industry-standard security measures including encrypted connections (HTTPS), row-level security policies, and secure authentication. However, no system is completely secure.
11. Changes to This Policy
We may update this policy from time to time. We will notify users of significant changes via email.
12. Contact
Questions about privacy? Contact us at hello@artworkcodex.com.