Privacy Policy
Last updated: 2 June 2026
This policy is a good-faith template reflecting current practices and is provided for information only — it is not legal advice. Please have it reviewed by qualified legal counsel before relying on it.
Convra (studio.convra.net, “the Service”, “we”, “us”) is a software-as-a-service (SaaS) platform that generates marketing content using artificial intelligence (AI). This Privacy Policy explains how we collect, use, store, and disclose your personal data when you use the Service, and the rights you have under the EU General Data Protection Regulation (GDPR).
The Service is operated from Germany / the EU and is GDPR-first. Where this policy conflicts with mandatory applicable law, that law prevails.
1. Data Controller
Under Article 13 GDPR, the controller responsible for deciding the purposes and means of processing your personal data is:
- [Registered legal entity name + address]
- Contact email: acorn.ai.corp@gmail.com
If you have any questions about how your personal data is processed, or wish to exercise the rights described below, please contact us at the email above.
2. Data We Collect
To provide the Service, we collect the following categories of data:
- Account data: when you sign in with Google OAuth, we receive your email, display name, profile picture, and Google account ID.
- Payment data: payments are handled by Stripe; card data is held by Stripe and we store only the Stripe customer ID and your plan.
- Content data: the content you upload and generate, including product images, brand information, generated images/video/audio, and text prompts.
- Usage and cost logs: per-user API-usage and cost logs, keyed by email.
- Product analytics: collected via PostHog; your email is SHA-256 hashed before it is sent.
- Error diagnostics: collected via Sentry, scrubbed of tokens and secrets.
3. Data We Do Not Collect
We do not track:
- IP address
- User-agent
- Geolocation
4. How We Use Your Data
We use your data to:
- Provide, maintain, and improve the Service (including generating the content you request).
- Process payments and manage subscriptions and credits.
- Maintain your account and authenticate you.
- Monitor errors, ensure security, and prevent fraud and abuse.
- Analyse product usage to improve the Service, where you have consented.
5. Legal Bases for Processing
We process your personal data under the following legal bases (Article 6 GDPR):
- Performance of a contract: providing the Service, processing payments and subscriptions.
- Consent: product analytics (you may withdraw consent at any time).
- Legitimate interests: security, fraud and abuse prevention, and error monitoring.
6. Where Data Is Stored & Processors (Sub-processors)
We rely on the following service providers (sub-processors) to process data on our behalf:
- Upstash / Vercel-KV (Redis): structured data.
- Cloudflare R2: uploaded and generated media.
- Stripe: payments.
- PostHog: analytics.
- Sentry: error monitoring.
- AI providers — OpenAI, OpenRouter, Kie.ai, fal.ai, Meshy: your prompts and uploaded images are sent to these providers to generate content.
- Google: authentication.
- Meta / Instagram: only if you connect social accounts to publish.
Some processors are US-based, so international transfers of personal data occur. Such transfers take place under the EU Standard Contractual Clauses (SCCs) to provide appropriate safeguards.
7. Data Retention
- Your data is kept until you delete your account.
- Login sessions expire after 7 days.
- Caches are short-lived, persisting from minutes to hours.
8. Your Rights Under the GDPR
Subject to applicable law, you have the following rights regarding your personal data:
- Access: obtain the personal data we hold about you.
- Rectification: correct inaccurate data.
- Erasure (right to be forgotten): self-service account deletion is available in-app and wipes your profile, assets, and connections.
- Restriction of processing.
- Portability: note that automated export is not yet available — please request it via the contact email.
- Objection.
- Withdraw consent.
- The right to lodge a complaint with a supervisory authority.
To exercise any of these rights, email acorn.ai.corp@gmail.com.
9. Data Security
We apply reasonable technical and organisational measures to protect your data, including scrubbing tokens and secrets before sending data to Sentry, and SHA-256 hashing your email before sending it to analytics. However, no method of transmission over the internet or storage is completely secure.
10. Children's Privacy
The Service is not directed at children under 16, and we do not knowingly collect their personal data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will update the “Last updated” date at the top of this page and notify you where appropriate.
12. Contact Us
If you have any questions about this Privacy Policy or your personal data, email acorn.ai.corp@gmail.com.