Abracadabrax policies

Privacy Policy

Last updated: May 28, 2026

1. Who we are

Abracadabrax is an AI image and video generation workspace with the brand promise "Every model. One canvas." The service is operated by Abracadabrax Studio, a placeholder company name that will be replaced with the final legal entity before launch.

Company location: [insert registered address and country]. Privacy contact: legal@abracadabrax.ai.

2. What data we collect

We collect the following categories of personal data when you create an account, sign in, generate media, use paid features, or arrive through a campaign link.

Account data

  • users.email.
  • users.password_hash, which stores a bcrypt hash of your password, not the plain password.
  • users.name and users.avatar_url, when provided or returned by an OAuth provider.
  • oauth_accounts records for Google OAuth when configured, including provider identifiers and OAuth tokens needed to maintain that login connection.
  • users.created_at, users.updated_at, users.email_verified, and account provider fields.

Technical and location data

  • users.signup_ip, users.signup_user_agent, and users.signup_referrer.
  • users.signup_country, users.signup_country_code, and users.signup_city, enriched from IP address on a best-effort basis.
  • users.last_login_at and users.last_login_ip.
  • analytics_events.ip, analytics_events.country, analytics_events.country_code, analytics_events.city, analytics_events.user_agent, analytics_events.referrer, and analytics_events.path.

Campaign and referral data

  • users.gclid and users.fbclid, which are Google and Meta ad click identifiers when present in the landing URL.
  • users.utm_source, users.utm_medium, users.utm_campaign, users.utm_term, and users.utm_content.
  • users.ref_code and equivalent referral or campaign metadata stored in analytics_events.metadata.

Product usage and generated content

  • analytics_events.event, analytics_events.source, analytics_events.user_id, analytics_events.session_id, analytics_events.metadata, and timestamps.
  • media_jobs.prompt, media_jobs.model_id, media_jobs.kind, media_jobs.params, media_jobs.output_urls, media_jobs.cost_credits, media_jobs.provider, job status, errors, and timestamps.
  • Prompts, reference inputs, generation parameters, and generated image or video output URLs needed to run, show, retry, audit, and bill generations.

Billing and credits

  • credit_transactions, including user ID, job ID, amount, type, description, balance after transaction, and timestamp.
  • subscriptions, including Stripe customer ID, Stripe subscription ID, plan, status, period dates, and timestamps.
  • Payment card details are handled by Stripe when Stripe is configured. Abracadabrax does not store full card numbers.

3. Legal bases

For users in the EEA, UK, and similar jurisdictions, we rely on the following GDPR Article 6 legal bases.

| Data category | Primary basis | Reason |
| --- | --- | --- |
| Account data, login data, session records, OAuth account data | Contract; legitimate interests | Needed to create accounts, authenticate users, protect accounts, and provide the service. |
| Prompts, model IDs, generation parameters, output URLs, media job records, credits | Contract; legitimate interests | Needed to run generations, show outputs, charge credits, troubleshoot jobs, and prevent abuse. |
| Stripe customer, subscription, invoice, and billing state | Contract; legal obligation | Needed to process paid subscriptions, maintain accounting records, handle disputes, and meet tax or payment compliance obligations. |
| IP address, user agent, referrer, country, city, login logs, analytics events | Legitimate interests | Needed for fraud prevention, security, rate limiting, debugging, attribution, and product improvement. |
| UTM parameters, gclid, fbclid, referral codes | Legitimate interests; consent where required | Used to understand campaign performance and attribute signups. Non-essential ad or analytics tags in the EEA/UK require consent before firing. |
| Marketing emails and future non-essential analytics or advertising cookies | Consent | Used only where you opt in or where a valid consent framework allows the processing. |

4. How we use it

  • Operate the service, including account creation, login, session management, model routing, generation history, and output delivery.
  • Run image and video jobs through fal.ai and upstream model providers selected in the product.
  • Manage credits, subscriptions, renewals, billing portal access, and Stripe webhook events.
  • Prevent fraud, spam, account takeover, chargeback abuse, scraping, policy evasion, and misuse of AI generation systems.
  • Debug failed jobs, measure feature usage, monitor performance, and improve product reliability.
  • Measure marketing analytics, including signup attribution from UTM parameters, gclid, fbclid, and referral codes.
  • Send transactional email such as login, billing, receipt, or account notices when email sending is configured.

5. Sharing and subprocessors

We share personal data with service providers only as needed to operate Abracadabrax, process payments, secure the service, or comply with law.

| Provider | Purpose | Data involved |
| --- | --- | --- |
| fal.ai | Model inference and generation routing | Prompts, model IDs, generation parameters, reference inputs where used, output files or URLs, and job metadata. |
| Railway | Application hosting and infrastructure in EU/US regions | Application traffic, server logs, database content, environment configuration, and operational metadata. |
| Railway Postgres | Primary application database | Account, analytics, job, credit, subscription, OAuth, API request, and webhook tables. |
| Stripe | Payment processing, subscriptions, billing portal, dispute handling | Email, Stripe customer ID, subscription ID, plan, billing status, invoices, receipts, payment method metadata, and dispute data. |
| ip-api.com | Best-effort IP geolocation | IP address sent to derive country, country code, and city. |
| Resend | Transactional email, planned | Email address, name where available, message content, delivery metadata, and unsubscribe or suppression data where applicable. |

We may also disclose data if required by law, to enforce our Terms, to protect users and the public, or as part of a merger, acquisition, financing, or sale of assets.

6. International transfers

Abracadabrax may use subprocessors and infrastructure in the United States, the European Union, and other locations where our providers operate. This means personal data may be transferred outside your country.

Where GDPR or UK GDPR transfer rules apply, Abracadabrax Studio will rely on appropriate safeguards such as the European Commission Standard Contractual Clauses, UK transfer addenda where needed, and provider data processing agreements.

7. Retention

  • Account data: while the account is active, then up to 24 months after closure unless a longer period is needed for disputes, security, accounting, or legal compliance.
  • analytics_events: up to 24 months.
  • Application logs and api_requests: up to 12 months.
  • media_jobs, prompts, output URLs, credit records, and generation metadata: while the account is active, then up to 24 months after closure unless deletion is requested and no exception applies.
  • credit_transactions and subscriptions: retained as needed for billing, tax, accounting, chargeback, and fraud-prevention records.
  • Stripe-hosted billing and payment records: retained according to Stripe's policies and applicable payment, tax, and anti-fraud obligations.

8. Your rights

Depending on where you live, you may have privacy rights. To exercise them, email legal@abracadabrax.ai. We may need to verify your identity before acting on a request.

GDPR and UK GDPR

  • Access your personal data.
  • Rectify inaccurate or incomplete data.
  • Erase data where no exception applies.
  • Restrict processing.
  • Receive a portable copy of certain data.
  • Object to processing based on legitimate interests.
  • Withdraw consent where processing is based on consent.
  • Complain to your local data protection authority.

California privacy rights

  • Know the categories and specific pieces of personal information we collect, use, disclose, or share.
  • Delete personal information, subject to security, legal, billing, and service exceptions.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing of personal information. Abracadabrax does not sell personal information for money. If future ad tools create "sharing" under California law, we will provide the required opt-out controls.
  • Limit use of sensitive personal information if we ever collect it for purposes that trigger that right.
  • Not receive discriminatory treatment for exercising privacy rights.

9. Children

Abracadabrax is not directed to users under 18. Do not create an account or use the service if you are under 18. If we learn that a user under 18 has provided personal data, we may delete the account and related data.

10. Cookies

Today Abracadabrax sets one first-party cookie: session, an HTTP-only, HMAC-signed authentication cookie with a 30-day maximum age. It is strictly necessary to maintain your signed-in session.

See the Cookie Policy for the current cookie table and our framework for future analytics or advertising tags.

11. Ad platforms

Abracadabrax may use Google Ads conversion tracking and Meta Pixel for campaign measurement and optimization. Today, first-party analytics or advertising cookies are not loaded by Abracadabrax. When non-essential Google Analytics, Google Ads, Meta Pixel, or similar tags are added, users in the EEA and UK will see a consent banner before those tags fire.

Abracadabrax stores click identifiers such as gclid and fbclid, plus UTM parameters, to attribute signups to campaigns and understand which marketing channels lead to account creation. A consent management platform is planned. Current state: only the strictly necessary session cookie is set by Abracadabrax.

12. Security

  • Passwords are hashed with bcrypt before storage.
  • Sessions use an HTTP-only, HMAC-signed cookie named session.
  • Production sessions are set with the Secure flag and SameSite=Lax.
  • Traffic should be served over HTTPS in production.
  • Railway-managed Postgres is used for the database, with encryption at rest provided by the hosting/database platform.
  • Access to infrastructure and payment data should be limited to personnel and service providers who need it to operate the service.

13. Changes to this policy

We may update this Privacy Policy when Abracadabrax changes, when processors change, or when legal requirements change. The "Last updated" date shows when the current version took effect. Material changes may be announced in-product or by email where appropriate.

14. Contact

For privacy questions or rights requests, contact Abracadabrax Studio at legal@abracadabrax.ai. Replace Abracadabrax Studio and the placeholder address with the final legal entity details before launch.

Compliance note: this template is not legal advice. Abracadabrax Studio should have qualified counsel review it before launch and whenever product, billing, advertising, or data processing changes.