Privacy Policy

This policy explains how Tellcraft (operated by Tellcraft LLC) collects, uses, stores, and protects your personal data, in line with Taiwan PDPA and EU GDPR principles.

1. Data We Collect

1.1 Provided by You

• Account: email, name, avatar (via Google / LINE OAuth)
• Conversations: all messages you enter in the chat interface (requirements, design preferences, iteration instructions)
• Payment data: processed by Stripe. We only store stripe_customer_id, stripe_payment_intent_id, order amounts, payment status. We do not store full credit card numbers, CVC, or expiry dates.
• Uploads: images, references, templates you upload

1.2 Automatically Collected

• Usage logs: login times, IP address, browser UA, visited pages, interaction events
• AI generation records: your prompts and the code/design/changes the AI produces
• Technical telemetry: error logs, performance metrics, A/B test groupings (de-identified)
• Cookies: login state (auth_token), language preference (NEXT_LOCALE), theme preference

2. How We Use Data

• Provide the Service: process AI generation, deployment, payments, order tracking
• Customer support: human engineers use conversation context to help you complete your site
• Improve the Service: analyze usage patterns to refine prompts, templates, UX
• Legal compliance: respond to lawful authority requests, prevent fraud
• Marketing: product update notifications (you can unsubscribe anytime)

We do not use your conversations or generated code to train our own AI models, nor sell your personal data to third parties.

3. Third-Party Data Processors

We share data with the following processors to deliver the Service:

4. Data Retention

• Account and orders: account lifetime + 5 years after deletion (accounting/consumer law)
• Conversations and generations: project lifetime; purged 30 days after project deletion
• Payment records: retained by Stripe per their policy (typically 7 years)
• Usage telemetry: 1 year (de-identified)
• Cookies: login token 30 days, language preference 1 year

5. Your Rights

Under PDPA / GDPR, you have the right to:

• Access: request a copy of your personal data
• Rectification: correct inaccurate data
• Erasure: request deletion (subject to legal retention requirements)
• Restrict processing: pause specific data uses
• Data portability: get your data in machine-readable format (JSON / CSV)
• Object: oppose processing based on legitimate interest
• Withdraw consent: revoke consent-based processing

To exercise any right, email tellcraft2026@gmail.com. We respond within 30 days.

6. Data Security

• Transport: HTTPS site-wide (TLS 1.2+)
• Storage: DB passwords hashed (bcrypt); sensitive fields (e.g. Stripe IDs) stored separately
• Access control: least privilege, all admin actions logged
• Third parties: only providers compliant with SOC 2 / ISO 27001
• Payments: fully delegated to Stripe; we never touch card data

In case of a data breach, we will notify affected users and authorities within 72 hours (per GDPR / PDPA requirements).

7. International Data Transfers

Some of our processors are based in the US (Stripe, Anthropic, Vercel, Neon). We ensure they implement appropriate data protection mechanisms (e.g. Standard Contractual Clauses).

8. Children's Privacy

The Service is not designed for children under 13. If we learn we have collected data from a minor, we will delete it immediately. Parents who discover an unauthorized registration should contact tellcraft2026@gmail.com.

9. Cookies

• Essential: login token, language — required for service operation
• Preferences: theme — can be disabled in browser settings
• Analytics: not currently enabled (we'll update this policy and seek consent if added)

10. Policy Changes

We may amend this policy; material changes will be announced 7 days in advance via this page and email. Continued use after amendments constitutes acceptance.

11. Contact

Privacy questions, right exercises, breach reports: tellcraft2026@gmail.com