Privacy Policy
1. Introduction
Studio PxG LLC ("we," "us," "our"), a registered Service-Disabled Veteran-Owned Small Business (SDVOSB) based in Honolulu, Hawaii, operates LumenForge.io (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are committed to protecting your privacy and processing your data transparently and lawfully in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and applicable state and federal privacy laws.
2. Data We Collect
| Data Category | Examples | Legal Basis (GDPR) | Retention |
|---|---|---|---|
| Identity Data | Name, email address (via Clerk/Google OAuth) | Contract performance | Account lifetime + 30 days |
| Authentication Data | OAuth tokens, JWT claims (tier, userId) | Legitimate interest (security) | Access tokens: 1 hour; Refresh tokens: 7 days |
| Usage Data | Prompts submitted, generation count, Spark balance | Contract performance | 90 days (prompts not stored after processing) |
| Payment Data | Transaction IDs, subscription status, product tier | Contract performance + legal obligation | 7 years (tax records) |
| Technical Data | IP address (SHA-256 hashed), browser type, device info | Legitimate interest (security) | 30 days |
| Waitlist Data | Email address, signup timestamp, hashed IP | Consent | Until waitlist concludes or consent withdrawn |
3. How We Use Your Data
- Service Delivery: To authenticate you, process AI generation requests, manage your Spark balance, and deliver the IDE experience.
- Payment Processing: To facilitate subscriptions and purchases through our Merchant of Record, Paddle.com. We do not directly process or store credit card numbers.
- Security: To prevent fraud, abuse, and unauthorized access. IP addresses are stored only as SHA-256 hashes.
- Communication: To send transactional emails (receipts, account changes) and, with your consent, product updates.
- Improvement: To analyze aggregate, anonymized usage patterns to improve the Service.
4. AI Prompt Data
We do not permanently store your prompts. Prompts are sent to AI inference providers (Google Gemini, Anthropic Claude) for processing and are not retained after the response is generated. Cached responses may be stored temporarily (up to 24 hours) in Redis for performance optimization. We do not use your prompts to train any AI models.
5. Third-Party Processors
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Paddle.com | Payment processing (Merchant of Record) | Email, billing info, transaction data | paddle.com/legal/privacy |
| Clerk | Authentication (OAuth) | Email, name, OAuth tokens | clerk.com/legal/privacy |
| Google Cloud | Infrastructure hosting, AI inference | Prompts (transient), usage metadata | cloud.google.com/privacy |
| Cloudflare | DNS, CDN, DDoS protection | IP addresses, request headers | cloudflare.com/privacypolicy |
6. Data Storage & Security
Your data is stored on Google Cloud Platform infrastructure (GKE, Memorystore, Firestore) in the us-central1 region. We implement industry-standard security measures, including:
- TLS encryption in transit for all connections
- JWT authentication with 1-hour access token expiry and single-use refresh token rotation
- SHA-256 hashing of sensitive identifiers (IP addresses, refresh tokens)
- HMAC-SHA256 verification of all payment webhooks
- Atomic Redis operations for financial transactions
- Structured JSON logging with no PII in production logs
7. Your Rights
Under GDPR (EU/EEA/UK residents):
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Restriction: Request limitation of processing.
Under CCPA (California residents):
- Know: Right to know what personal information we collect and how we use it.
- Delete: Right to request deletion of your personal information.
- Opt-out: Right to opt out of the sale of personal information. We do not sell personal information.
- Non-discrimination: We will not discriminate against you for exercising your rights.
To exercise any of these rights, contact us at privacy@studiopxg.com. We will respond within 30 days.
8. Cookies & Tracking
We use minimal cookies strictly necessary for authentication and session management. We do not use third-party advertising cookies, tracking pixels, or behavioral analytics. We do not use Google Analytics.
9. Children's Privacy
The Service is not intended for children under 13 years of age (or the minimum age in the applicable jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us at privacy@studiopxg.com.
10. International Data Transfers
Your data is processed in the United States. For users in the EU/EEA/UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission for international data transfers.
11. Data Breach Notification
In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service. The "Last Updated" date at the top of this page indicates when the policy was last revised.
13. Contact Information
Data Controller: Studio PxG LLC
Honolulu, Hawaii, United States
Privacy inquiries: privacy@studiopxg.com
General: support@studiopxg.com