Privacy Policy
Last updated: June 4, 2026
1. Data Controller
The data controller is Inger s.r.o., based in the Slovak Republic (“Operator”, “we”). Contact: info@inger.sk
2. What Data We Collect
2.1 Account Data
- Name and email address (at registration)
- Password (hashed, never in plaintext)
- Organization name and subscription plan
- Google OAuth profile (if using Google sign-in)
2.2 Brand and Content Data
- Brand guidelines (PDF, images) — uploaded by you
- Brand DNA (colors, fonts, tone of voice) — extracted from your materials
- Generated images and text
- Prompts and generation settings
- Ratings and feedback on generated content
2.3 Technical Data
- IP address and browser information (User-Agent)
- Access time and visited pages
- Error logs (Sentry — production only)
2.4 Payment Data
Payment data (card number, CVV) is processed exclusively by Stripe Payments Europe, Ltd. We do not have access to your payment data.
2.5 Public Audit Tool Data (no registration)
Our public “Brand DNA Audit” tool (at /audit) is available without creating an account. When you use it, we process:
- The website URL and/or company registration number (IČO) you audit
- Email address (optional — only if you provide it, e.g. to receive the results)
- A snapshot of the resulting audit score (brand analysis, no login credentials)
- A hashed IP address (SHA-256) — used solely to limit the number of audits from a single address; we do not store the raw IP address
Legal basis: legitimate interest (Art. 6(1)(f) GDPR) — lead generation and protecting the tool against abuse. You may object to this processing at any time (see Section 7).
Retention: audit-tool records are kept for at most 12 months from creation, then deleted. You can request earlier erasure at any time by emailing info@inger.sk (state the URL/IČO or email you submitted).
3. Purpose of Processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the Service (generation, analysis) | Contract performance (Art. 6(1)(b)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Security and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Service improvement (anonymous metrics) | Legitimate interest (Art. 6(1)(f)) |
| Lead generation (public audit tool) | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails (confirmations, notifications) | Contract performance (Art. 6(1)(b)) |
| Error monitoring (Sentry) | Legitimate interest (Art. 6(1)(f)) |
4. Sub-processors
Your data is processed by the following sub-processors:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Anthropic, PBC | AI text generation, image analysis, compliance scoring | USA | DPA + SCCs |
| FAL.AI | AI image generation (Flux Pro, Recraft v3, Ideogram v2) | USA | DPA + SCCs |
| Vercel, Inc. | Hosting, edge network, blob storage for brand assets | USA | DPA + SCCs |
| Supabase, Inc. | PostgreSQL database, authentication infrastructure | USA/EU | DPA + SCCs |
| Stripe Payments Europe, Ltd. (EU billing) | Subscription and payment processing | IE/USA | DPA + SCCs |
| Resend, Inc. | Transactional email delivery | USA | DPA |
| Functional Software, Inc. (Sentry) | Error monitoring + performance tracing | USA | DPA + SCCs |
| Google LLC | OAuth login (optional Workspace SSO) | USA | DPA + SCCs |
| Meta, LinkedIn, X | Publishing to connected social accounts (on user instruction) | USA/EU/IE | DPA + SCCs |
Data transfers to the USA are safeguarded by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework (DPF) where applicable. For each sub-processor we rely on its published DPA + SCCs, which form part of its terms; a signed copy of the DPA is provided to B2B customers on request.
5. AI Processing
Your brand materials are processed by AI models (Anthropic Claude, FAL.AI) solely for the purpose of providing the Service. Important:
- No training use: Anthropic and FAL.AI do not use data sent via API to train their models.
- Temporary processing: Data is processed in real time and is not stored long-term at sub-processors.
- Data minimization: We send AI models only the data required to fulfill a specific request.
6. Data Retention
| Data type | Retention period |
|---|---|
| Account and profile | Duration of account + 30 days |
| Generated content | Duration of account + 30 days |
| Brand materials | Duration of account + 30 days |
| Activity logs | 90 days |
| Error logs (Sentry) | 30 days |
| Audit-tool leads | 12 months |
| Payment records | Per tax regulations (10 years) |
Cancelling a subscription does not delete the account — your data stays while the account exists so you can return. You can delete the account at any time in Settings (or on request). On account deletion we immediately anonymize your personal identifiers (name, email and avatar are replaced with a non-identifiable value and access is locked) and delete personal data tied directly to you (sessions, brand access, notifications). Brand materials and generated content that are part of the workspace audit trail remain stored for the period listed in the table above and are then purged; after anonymization they are no longer linked to your identifiable person. Payment records are retained per tax regulations even after account deletion.
7. Your Rights
Under GDPR you have the following rights:
- Access — request a copy of your personal data
- Rectification — request correction of inaccurate data
- Erasure— request deletion of your data (“right to be forgotten”). In practice this means anonymization of your personal identifiers and deletion of personal data tied to you; workspace content (brand materials, generated content) is retained per the retention periods and, after anonymization, is no longer linked to your identity
- Portability — request an export of your data in a machine-readable format
- Objection — object to processing based on legitimate interest
- Restriction — request restriction of processing
To exercise your rights, contact us at info@inger.sk. We will respond within 30 days.
8. Cookies
We use the following cookies:
- session_token — login session (strictly necessary, 30 days)
- active_brand — active brand in the application (strictly necessary, session)
- studio-theme — remembers your light/dark interface preference (functional, no tracking, 1 year)
We do not use analytics or advertising cookies. We do not use third-party tracking.
9. Security
We implement the following security measures:
- Data transport encryption (HTTPS/TLS)
- Password hashing (scrypt)
- Session-based authentication with httpOnly cookies
- Role-based access control (7 roles)
- Rate limiting on API endpoints
- Input sanitization before AI processing
- Audit log of all operations
10. Changes
We will notify you of changes to this policy by email. The current version is always available on this page.
11. Supervisory Authority
If you believe that the processing of your data violates GDPR, you have the right to lodge a complaint with the Office for Personal Data Protection of the Slovak Republic (dataprotection.gov.sk).
12. Contact
Inger s.r.o.
Email: info@inger.sk
Web: studio.inger.sk