Privacy Policy

CX Studio is an independent project run by a working photographer based in Sweden (European Union). For any privacy question, write to privacy@cxstudio.app.

All your data is stored on servers located inside the European Union:

• Application + edge delivery: Cloudflare edge network (EU region preferred; requests are served from the closest EU point of presence when possible).
• Database, authentication, and file storage: Supabase in eu-west-1 (Ireland).
• Payments: Stripe (PCI-DSS compliant). Card data never touches our servers.

Your original photos and videos are never sent to any third-party "AI" or "enhancement" service. Editing happens in your browser; only the originals and your recipes are stored.

• Account: email address and an authentication token, managed by Supabase Auth.
• Content: photos, videos, edit recipes, and presets you upload or create. Stored under your user ID, protected by row-level security so only you can read or modify them.
• Payments: if you donate, Stripe records the transaction. We receive your donation amount and a Stripe customer ID. We do not see, store, or process card numbers.
• Technical logs: standard server logs (IP address, user agent, request path) retained for up to 30 days for security and abuse prevention.

What we do not collect: no Google Analytics, no Facebook Pixel, no advertising trackers, no cross-site cookies, no session-replay tools.

• Performance of a contract (Art. 6(1)(b)) — to run the editor, store your library, and let you sign in.
• Legitimate interest (Art. 6(1)(f)) — to keep the service secure, prevent abuse, and process donations.
• Consent (Art. 6(1)(a)) — for anything optional. You can withdraw consent at any time.

Under GDPR you have the right to:

• Access a copy of the data we hold about you.
• Correct anything inaccurate.
• Delete your account and all associated data ("right to be forgotten").
• Export your data in a portable format.
• Object to processing or restrict it.
• File a complaint with your national data protection authority (in Sweden, the IMY).

To exercise any of these rights, email privacy@cxstudio.app. We respond within 30 days, usually much faster.

Account data and your library are kept for as long as your account is active. If you delete your account, all your photos, videos, recipes, presets, and account records are permanently removed within 30 days. Server logs roll over within 30 days. Payment records are retained by Stripe per their own policy and by us only as required by accounting law.

CX Studio uses only essential cookies and local storage required to keep you signed in and to remember your editor preferences. No advertising or tracking cookies are set. No consent banner is needed because we do not set non-essential cookies.

CX Studio is not directed at children under 16. If you believe a child has created an account, email privacy@cxstudio.app and we will delete it.

All traffic is served over HTTPS with HSTS. Database access is protected by row-level security policies. Passwords are hashed by Supabase Auth (never stored in plain text). To report a security issue, see security.txt.

If we materially change how we handle data, we will update this page and the "last updated" date above. Substantive changes will also be communicated by email to registered users.