Privacy Policy
Last revised: March 2026
Catalyst Vibes ("we," "us," or "our") operates the website at catalystvibes.com (the "Platform"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Platform to browse, download, or purchase digital illustrations.
1. Information We Collect
1.1 Information You Provide
- Account information: When you register, we collect your name, email address, username, and country. We do not store your password directly — authentication is handled securely through our authentication system using industry-standard password hashing (scrypt).
- Payment information: When you purchase credits or subscribe to a plan, payment processing is handled by Polar.sh. We receive your subscription status, plan tier, and transaction identifiers. We do not store your credit card number, bank account, or other payment instrument details on our servers.
- Contact form submissions: When you contact us, we collect your name, email address, inquiry type, subject, and message content.
- Download history: We record which illustrations you download, the license type (Personal or Commercial), and timestamps to manage your credit balance and generate license certificates.
1.2 Information Collected Automatically
- Cookies and session data: We use encrypted, httpOnly session cookies (via Better Auth) to keep you logged in for up to 7 days. These cookies contain your user ID, username, email, and access tier — not tracking data.
- Search queries: When you search our illustration library, your search terms are processed by Meilisearch to return results. Search queries are not linked to your personal identity and are not stored beyond the request lifecycle.
- Server logs: Our hosting infrastructure automatically records IP addresses, browser type, referring URLs, and timestamps for security and debugging purposes. These logs are retained for up to 30 days.
1.3 Information We Do Not Collect
We do not use third-party advertising trackers. We do not sell, rent, or share your personal data with advertisers. We do not collect biometric data, precise geolocation, or data from minors under 16 without parental consent.
2. How We Use Your Information
We use the information we collect to:
- Create and manage your account
- Process purchases, manage credit balances, and fulfill subscription plans
- Generate license certificates for your commercial downloads
- Provide search results when you browse our illustration library
- Respond to your contact form inquiries and support requests
- Send transactional emails (account confirmation, password reset, purchase receipts)
- Detect and prevent fraud, abuse, and unauthorized access to your account
- Improve and maintain the Platform (aggregate, anonymized usage analytics only)
We will never use your personal data for automated decision-making or profiling that produces legal effects.
3. Cookies and Similar Technologies
Catalyst Vibes uses a minimal set of cookies. We categorize them as follows:
- Essential cookies (always active): Our session cookie (catalyst_session) is required for authentication and cannot be disabled. It is encrypted, httpOnly, and expires after 7 days of inactivity.
- Functional cookies: Cookie consent preference storage — records whether you have accepted or declined non-essential cookies.
- Analytics cookies (optional): If we implement analytics in the future, these cookies will only be set after you provide explicit consent via our cookie banner. As of March 2026, we do not use any third-party analytics services.
You can manage your cookie preferences at any time through the cookie consent banner that appears on your first visit, or by clearing cookies in your browser settings.
4. Third-Party Services
We share limited data with the following trusted service providers, solely for the purposes described:
- Polar.sh — Payment processing for credit purchases and subscription billing. Polar.sh receives your email and processes payment details under their own privacy policy.
- Cloudflare — Content delivery (CDN) and DDoS protection. Cloudflare processes IP addresses and request metadata to serve our illustration files from R2 storage.
- Meilisearch — Search indexing. Processes your search queries server-side. No personal data is stored in the search index.
- Email provider — Transactional emails (account creation, password reset). Receives your email address and name only when sending system-generated messages.
We do not sell your data to any third party. Each service provider is contractually bound to process your data only as instructed by us.
5. Data Retention
- Account data: Retained as long as your account is active. If you request deletion, we will erase your personal data within 30 days, except where retention is required by law (e.g., financial transaction records).
- Download and license records: Retained for the duration of your account plus 3 years after deletion, as these serve as proof of license.
- Contact form submissions: Retained for up to 12 months after the inquiry is resolved.
- Server logs: Automatically deleted after 30 days.
- Session cookies: Expire after 7 days of inactivity and are not stored server-side.
6. Data Security
We implement industry-standard security measures to protect your data:
- All data in transit is encrypted via HTTPS/TLS
- Session cookies are managed by Better Auth with encrypted tokens, marked httpOnly and Secure
- Passwords are hashed using scrypt — we never store plaintext passwords
- Database queries use parameterized statements to prevent SQL injection
- User input is validated with Zod schemas and sanitized with sanitize-html to prevent XSS attacks
- Payment processing is handled entirely by Polar.sh — we never touch your payment card data
While no system is 100% secure, we take reasonable precautions to protect your information. If we become aware of a data breach affecting your personal data, we will notify you and relevant authorities within 72 hours as required by GDPR.
7. Your Rights (GDPR and CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention requirements.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to restrict processing: Request that we limit how we use your data while a dispute is resolved.
- Right to object: Object to processing based on legitimate interest (we do not process data based on legitimate interest currently).
- Right to withdraw consent: Withdraw consent for non-essential cookie processing at any time via the cookie banner.
California residents (CCPA): You have the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. International Data Transfers
Your data may be processed in countries outside your country of residence. Our servers and service providers operate in the United States and Europe. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the European Commission.
9. Children's Privacy
Catalyst Vibes is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last revised" date at the top of this page. We encourage you to review this policy periodically. Continued use of the Platform after changes are posted constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
- Email: [email protected]
- Contact form: catalystvibes.com/contact
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
Last updated: March 2026. Catalyst Vibes reserves the right to update this policy. Continued use of our platform constitutes acceptance of any changes.
