OGStack Logoogstack
FeaturesHow it worksAI showcaseTemplatesPricingDocs
Log inGet started
Legal

Privacy Policy

Last updated: 2026-04-15

This policy covers what OGStack collects, why, how long we keep it, and the controls you have — for account holders and for the URLs submitted to our API.

1. What we collect

  • Account:email, name, password hash, and — for OAuth sign-in — the provider's subject ID. We never see your OAuth password.
  • Billing: Stripe customer ID, subscription status, and plan. Card numbers never touch our servers.
  • Projects: names, allowed domains, public IDs, and hashed API key fingerprints. Raw keys are shown once and never stored.
  • Submitted URLs: we fetch the public page, parse its metadata, and store the seeds used to render.
  • Generated output: images and audit reports served from our CDN until deleted.
  • Request logs: IP, user-agent, endpoint, status, latency — for rate limits, abuse prevention, and billing reconciliation.

2. How we use it

  • Generate, cache, and serve your images, icon sets, and audit reports.
  • Authenticate sessions and secure API keys.
  • Enforce quotas and bill correctly.
  • Detect and prevent abuse (SSRF checks, rate limits, AI moderation).
  • Send transactional email only — verification, password reset, receipts, security alerts. No marketing without explicit opt-in.

3. Legal bases (GDPR)

Contract to provide the service, legitimate interest for security and analytics, legal obligation for tax records, and consent for any optional marketing — withdrawable anytime.

4. AI processing

AI audit and generation features send the extracted page content (title, description, meta tags, short excerpts) to a language model provider. Account data, API keys, and billing are never sent. Our providers are contractually barred from training on your inputs and retain data for ≤30 days for abuse monitoring only.

5. Retention

  • Account: deleted within 30 days of closure, except where law requires retention.
  • Images & reports: until you delete them. Free-plan output may be purged after 90 days of inactivity.
  • Request logs: up to 30 days.
  • Billing records: 7 years (tax obligations).
  • Backups: encrypted snapshots rotated within 30 days.

6. Sub-processors

  • Cloudflare — R2 storage and CDN.
  • Stripe — payments and subscriptions.
  • Resend — transactional email.
  • LLM provider — AI-enabled generations and audits only.
  • Hosting — managed EU infrastructure for the API and database.

We never sell your data or share it with advertisers. Legal disclosures are made only when compelled, and we notify affected users where permitted.

7. International transfers

Primary infrastructure is in the EU. Transfers to US-based sub-processors rely on Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

8. Security

  • TLS 1.2+ and HSTS for all traffic.
  • bcrypt for passwords; SHA-256 fingerprints for API keys.
  • Encryption at rest for the database, backups, and object storage.
  • Least-privilege, audit-logged production access.
  • SSRF protections on all URL-fetching endpoints.
  • Rate limiting on authentication and generation endpoints.

9. Breach notification

If a breach affects your personal data, we notify affected users and, where required, supervisory authorities within 72 hours of discovery.

10. Your rights

You can access, correct, delete, export, restrict, or object to processing of your data.

  • Export account data and generated content from settings.
  • Delete a project to remove its images, seeds, and reports.
  • Close your account from billing settings.
  • For anything else, email privacy@ogstack.dev (30-day response).
  • EU/UK residents may lodge a complaint with their DPA — please contact us first so we can try to resolve it.

11. Cookies

Strictly necessary only: httpOnly access and refresh tokens for sessions, plus a CSRF token on sensitive forms. No advertising, tracking, or third-party analytics cookies.

12. Children

OGStack is not intended for children under 13 (16 in the EEA). Contact us if you believe a minor has created an account and we'll remove it.

13. Changes

We update this page when material changes occur. Significant changes are emailed to active account holders at least 14 days before taking effect.

14. Contact

Privacy and data requests: privacy@ogstack.dev. General support: support@ogstack.dev.