Privacy Policy

Last updated: May 4, 2026

This Privacy Policy explains how Diffusion Studio Inc. (“we”, “us”, “our”) collects, uses, and shares personal data when you use Diffusion Studio (the “Service”), an Integrated Media Environment available at https://diffusion.studio, via our desktop application, and via our API.

We are the data controller for personal data processed in connection with the Service, in the meaning of Regulation (EU) 2016/679 (the “GDPR”).

1. Who we are

Controller: Diffusion Studio Inc., 1207 Delaware Ave #2396, Wilmington, DE 19806, United States — Delaware corporation, file number 7698816
Contact (general): support@diffusion.studio
Contact (privacy / data protection): contact@diffusion.studio
Data Protection Officer: We have not appointed a DPO because we are not required to under Article 37 GDPR
EU representative (if controller is outside the EU): Not applicable

2. Personal data we collect

We collect the following categories of personal data:

2.1 Account data

When you create an account via Supabase Authentication (email/password, one-time passcode, or OAuth via Google, Apple or GitHub):

email address
authentication provider and provider user identifier
hashed password (only for email/password sign-up; we never see your plaintext password)
account creation and last sign-in timestamps

2.2 Billing data

When you purchase a subscription or credit top-up:

Stripe customer ID
billing address, country and tax identifiers (collected and stored by Stripe)
payment-card brand and last four digits (we never store full card numbers)
subscription plan, credit balance, invoice history

2.3 Usage data

prompts, parameters and model configurations submitted to generative features (image, video, audio, text-to-speech, transcription, upscaling, background removal)
credits consumed per generation
timestamps of generation requests

2.4 User content

media files (images, audio, video) you upload as inputs or references for generation, stored in Google Cloud Storage
project and workspace data stored locally in your browser (IndexedDB) and, where applicable, synced to our backend

2.5 Technical and diagnostic data

IP address, browser type, operating system, device identifiers
pageviews, route changes and product events (e.g. sign_in, sign_out, account_deleted) collected via Umami analytics
crash reports and exception traces (including user ID and email) collected via Sentry

2.6 Communication data

the content of any messages you send to contact@diffusion.studio
your email-marketing preferences (product_updates_enabled, marketing_announcements_enabled)

We do not intentionally collect special-category data (Article 9 GDPR). Please do not submit such data through prompts or uploads.

3. How we use your data and the legal basis

Purpose	Legal basis (GDPR Art. 6)
Creating and maintaining your account, providing the Service	Contract (Art. 6(1)(b))
Processing payments and managing subscriptions	Contract (Art. 6(1)(b))
Running generative AI features on your prompts and inputs	Contract (Art. 6(1)(b))
Storing usage records to enforce credit limits and prevent abuse	Legitimate interest (Art. 6(1)(f)) — operating a metered service
Error monitoring and security via Sentry	Legitimate interest (Art. 6(1)(f)) — service stability and security
Product analytics via Umami	Legitimate interest (Art. 6(1)(f)) — improving the Service. <If Umami is configured to set cookies or you serve EU users with a strict CMP, change this to Consent (Art. 6(1)(a)).>
Sending product updates and marketing emails	Consent (Art. 6(1)(a)), withdrawable at any time
Complying with legal, tax and accounting obligations	Legal obligation (Art. 6(1)(c))

4. Recipients and sub-processors

We share your personal data only with the following categories of recipients, each acting as a processor under a Data Processing Agreement:

Sub-processor	Purpose	Data categories	Location
Supabase	Authentication and primary database	Account data, usage records	US
Stripe	Payment processing and subscription management	Billing data	US
Google Cloud Storage	Storage of uploaded media	User content	us-central1
Amazon Web Services (S3)	Hosting of static assets (fonts)	Technical data only	eu-central-1
Fly.io	API hosting	All data in transit through the API	Multi-region (including US and EU)
Sentry	Error monitoring	Technical and account data	US
Umami	Product analytics	Technical and usage data	US
OpenAI	Image generation, text-to-speech	Prompts and reference inputs you submit	US
Google (Gemini / Veo)	Video generation	Prompts and reference inputs you submit	US
ElevenLabs	Music, sound effects, text-to-speech	Prompts and reference inputs you submit	US
AssemblyAI	Audio/video transcription	Audio you submit for transcription	US
Fal.ai	Background removal, image and video upscaling	Images/videos you submit	US

5. International transfers

Several of our sub-processors are located outside the European Economic Area, including in the United States. Where we transfer personal data outside the EEA, we rely on:

the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), and/or
the EU-US Data Privacy Framework where the recipient is certified.

You may request a copy of the transfer safeguards by contacting contact@diffusion.studio.

6. Retention

We retain personal data only as long as necessary for the purposes set out above:

Account data: for the lifetime of your account, then deleted within 24 hours (subject to legal-hold exceptions).
Billing data: for 10 years as required by tax and accounting law in Delaware.
User content (uploaded media): until you delete it, or until 24 hours after creation.
Sentry error logs: 90 days.
Umami analytics: 2 years.
Support correspondence: 2 years after the ticket is closed.

When you delete your account via the in-app Delete account function, we trigger deletion of your authentication record at Supabase and your associated user_data and usage_records rows. Backups are purged on a rolling 24h cycle.

You have the right to:

access your personal data (Art. 15)
rectification of inaccurate data (Art. 16)
erasure (“right to be forgotten”, Art. 17)
restriction of processing (Art. 18)
data portability (Art. 20)
object to processing based on legitimate interests (Art. 21)
withdraw consent at any time, without affecting the lawfulness of prior processing
lodge a complaint with a supervisory authority, in particular the one in your EU Member State of residence, place of work, or place of the alleged infringement.

To exercise any of these rights, email contact@diffusion.studio. We will respond within one month (Art. 12(3)).

8. Automated decision-making

We do not carry out automated decision-making producing legal or similarly significant effects (Art. 22 GDPR). Generative AI outputs are produced on your request and at your direction.

9. Security

We use industry-standard measures including TLS in transit, encryption at rest with our cloud providers, scoped JWT access tokens, signed and time-limited upload URLs, and least-privilege access controls. No system is perfectly secure; if we become aware of a personal-data breach affecting you, we will notify you and the competent supervisory authority in accordance with Articles 33 and 34 GDPR.

10. Cookies and local storage

The web app uses browser localStorage to remember your color-mode preference and IndexedDB to store your project and workspace data locally on your device. We do not currently set tracking cookies. Umami operates without cookies in its default configuration; if this changes we will update this Policy and request your consent where required.

11. Children

The Service is not directed at children under 16. We do not knowingly process personal data of children. If you believe a child has provided us with personal data, contact contact@diffusion.studio and we will delete it.

12. Changes to this Policy

We may update this Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be notified to you in-app or by email at least 14 days before they take effect.