Ratlok
DRAFT — pending counsel review. These documents are starting drafts that will be reviewed by legal counsel before public launch. They are not legal advice.

Privacy Policy

Version v0.2-draft · Last updated 2026-05-08

What we collect

  • Account: email, username, optional display name, bio, avatar.
  • Creator KYC: handled entirely by Stripe Connect Express; we do not store identification documents.
  • Transactions: Stripe payment intent IDs, charge IDs, fee amounts. Card numbers never touch our servers.
  • Uploads: images you upload, derived metadata (dimensions, perceptual hash), and OpenAI moderation results.
  • Audit: attestation timestamps and hashed IPs (HMAC-SHA256), download events with hashed IPs and user agent.

How we use it

To operate the marketplace, comply with legal obligations (DMCA, tax), and prevent abuse. We do not sell personal data. We do not run third-party advertising or analytics on the Service.

Sub-processors

  • Stripe — payments, KYC for creators, payouts. Stripe’s privacy notice governs the data they collect.
  • Supabase — Postgres database and object storage for the application data described above.
  • OpenAI — image moderation (image bytes sent to omni-moderation-latest) and image generation (your prompt text and generated image bytes are sent to gpt-image-1). OpenAI may retain API requests for up to 30 days for abuse monitoring under their API data-usage policy. Outputs are returned to Ratlok and assigned to the requesting user subject to OpenAI’s usage policies and content provenance rules; copyright in AI-generated images is not granted by U.S. law (see Thaler v. Perlmutter).
  • SendGrid — transactional email (receipts, takedown notices, follower notifications).
  • Vercel — application hosting, edge network, and serverless functions.

We will give creators advance notice of new sub-processors. Buyers can monitor this page for changes.

Your rights

You may request a copy of your data or delete your account from the Account dashboard. We retain transaction records for tax and legal compliance after deletion.

Retention

Active account: while your account exists. After deletion: profile fields are cleared and active listings are taken down. We retain orders, licenses, and payment records for up to 7 years (US/state tax obligations) and Stripe disputes for at least 4 years (chargeback window). Hashed IPs in audit tables are retained for 12 months to support fraud and DMCA investigations and then purged.

Children

The Service is not intended for users under 18.

International transfers

We are based in the United States. By using the Service you acknowledge that your data may be processed in the US.

Contact

Privacy questions: [email protected]. DMCA: see the DMCA Policy.