- Home
- Privacy Policy
Privacy Policy
Data Controller
The data controller for this service is Studio505 AB, a Swedish limited company (aktiebolag) with its registered address at Jordabalksvägen, 226 57 Lund, Sweden (organisation number: 559578-9974). You can reach us at contact@studio505.dev.
We are committed to protecting your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Information We Collect
Information You Provide
- Account Information: Name, email address, username, and password
- Profile Information: Bio, avatar, website, country, social media handles (X/Twitter, Discord, YouTube, TikTok, Instagram — all optional), and other details you choose to share, including during the post-signup onboarding flow
- Payment Information: Processed securely through Stripe; we don't store full card details
- Communications: Messages, support requests, and feedback
- Commission Messages & Files: Text messages, images, and files exchanged between buyers and sellers within commission contract workspaces. These are stored to facilitate delivery, dispute resolution, and quality assurance.
- Thumbnail Uploads: Images you upload to the AI thumbnail generation tool for processing
- Discord Account Data: If you choose to link your Discord account, we store your Discord user ID, username, and linked status for the purposes of role synchronisation and notifications
Information Collected Automatically
- Usage Data: Pages visited, features used, time spent, and interactions with the platform
- Device Information: Browser type, operating system, screen resolution, language settings, and device identifiers
- Network Information: IP address, approximate geolocation derived from IP, ISP, and connection type
- Browser Fingerprint: We collect technical browser characteristics (canvas fingerprint, WebGL renderer, installed fonts, audio context, hardware concurrency) to detect fraud, prevent abuse, and enforce rate limits. This data is hashed and never linked to identifiable information without cause.
- Log Data: Access times, referring URLs, HTTP request metadata, and error logs
- Error & Crash Telemetry: Subject to analytics consent, we capture JavaScript exceptions, failed network requests, server-side errors and component stack traces via PostHog so we can diagnose and fix bugs. Stack traces may incidentally include the URL you were on and your anonymous PostHog distinct ID.
- Session Replay (sampled, consent-gated): Subject to analytics consent, we record an anonymised playback of a small sample of sessions (~10% of anonymous visitors, 100% of signed-in users) to debug usability issues. All form inputs (text, email, password, search, etc.) are masked before recording, and replay is disabled on checkout, settings and admin routes.
- Ad Interaction Data: Impressions, clicks, and conversions related to sponsored asset placements. This data is used to measure campaign performance and is aggregated in seller analytics dashboards.
- Seller Analytics Data: Revenue timelines, per-asset view/download/conversion metrics, and follower counts collected to power the seller analytics dashboard
- Cookies & Local Storage: See our Cookie Policy for full details
2. Why We Collect Fingerprints & IP Data
We collect browser fingerprints and IP addresses for the following strictly-defined purposes:
- Fraud Prevention: Detecting and blocking abusive signups, fake reviews, and fraudulent purchases
- Rate Limiting: Enforcing fair-use limits on API calls and platform actions to protect all users
- Security Monitoring: Identifying compromised accounts and unauthorized access attempts
- Abuse Detection: Preventing ban evasion and multi-account abuse
Fingerprint and IP data is not used for advertising, not sold to third parties, and is retained only as long as necessary for the security purposes described above (maximum 12 months).
3. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract: To fulfill our contract with you (e.g., providing services, processing purchases, managing commission escrow)
- Consent: Where you have given explicit consent — for example opting in to marketing email (a separate, unticked-by-default choice you can make at sign-up or under Dashboard → Settings → Email) or linking a Discord account. You can withdraw consent at any time, without affecting processing carried out before withdrawal
- Legitimate Interests: For fraud prevention, rate limiting, security monitoring, ad performance measurement, improving services, and sending a limited number of onboarding/lifecycle emails about your own account and our own similar services (always with a one-click opt-out)
- Legal Obligation: To comply with legal requirements
4. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Service
- Process transactions, subscriptions, and commission escrow payments
- Send notifications, updates, and marketing communications (with consent)
- Send onboarding & lifecycle emails: shortly after you create an account we may send a small number of service emails about your own account — for example a welcome email, a reminder to finish setting up your profile, or a one-time note about the Buyer Plus free trial. We send these on the basis of our legitimate interest in helping new users get set up (and, for the trial reminder, marketing our own similar services to existing customers, as permitted under Swedish marketing law). Each such email contains a one-click unsubscribelink, and you can switch them off at any time under Dashboard → Settings → Notifications (“Announcements”). We record which of these emails we have sent you so you never receive the same one twice.
- Send marketing & promotional email: if you opt in, our team may send occasional promotional messages, product news, and offers to segments of our users. We do this on the basis of your consent (or, where permitted under Swedish marketing law, our legitimate interest in updating existing users about our own similar services). Every such email carries a one-click unsubscribe link, and you can turn marketing email off at any time under Dashboard → Settings → Email. Withdrawing marketing consent does notstop service or transactional email (receipts, security alerts, and account notices), which we must send to operate the Service. We keep a record of your consent (when and how it was given or withdrawn), and we do not sell your data or share it with third-party advertisers for their own marketing.
- Respond to inquiries and provide customer support
- Monitor and analyze usage patterns and trends
- Detect, prevent, and address fraud, abuse, and security incidents
- Enforce rate limits and fair-use policies
- Measure and report ad campaign performance to sellers
- Facilitate commission dispute resolution
- Synchronise roles and deliver notifications via linked Discord accounts
5. Information Sharing
We may share your information with:
- Service Providers: Third parties that help us operate (e.g., Stripe for payments, hosting providers, Resend for email delivery, Google Analytics 4 for traffic statistics, PostHog Inc. for product analytics, error monitoring and sampled session replay)
- Other Users: Your public profile and seller information
- Commission Counterparties: When you participate in a commission, the other party can see messages and files you share within the contract workspace
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with a merger or acquisition
We do not sell your personal information to third parties.
6. Data Security
We implement appropriate technical and organizational security measures to protect your information, including encryption in transit and at rest, access controls, IP-based rate limiting, browser fingerprinting for fraud detection, and regular security assessments. However, no method of transmission over the Internet is 100% secure.
7. Data Retention & Account Deletion
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
You can request deletion of your account at any time from your account settings. When you do, your account enters a 30-day grace period during which you may cancel and keep your account. After the grace period, we process the deletion: your personal data is erased or irreversibly anonymized so it can no longer be linked to you. Specifically:
- Erased: your profile details (name, avatar, bio, links), Discord connection, security/IP logs, wishlist, cart, follows and other purely personal data; your login is permanently disabled.
- Anonymized and retained: records we are legally required to keep — in particular financial and transaction records (purchases, sales, payouts, tips, invoices) — are detached from your identity and kept in anonymized form. Reviews, questions and forum posts you wrote are kept but shown as authored by “Deleted user” so other people’s context and sellers’ ratings remain accurate.
Financial records: as a Swedish company, we are required by the Swedish Bookkeeping Act (Bokföringslagen) to retain accounting material — including records of purchases, payouts and invoices — for seven (7) years. This is a lawful exception to the right to erasure under Article 17(3)(b) GDPR; such records are kept in anonymized form and are not used to identify or contact you. Security logs (including IP and fingerprint data) are retained for up to 12 months. Commission messages and files are retained for 90 days after contract completion for dispute resolution, then permanently deleted.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), you have the following rights:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise these rights, visit your account settings or contact us at contact@studio505.dev.
9. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the CCPA, as amended by the CPRA:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
- Right to Correct: Request correction of inaccurate personal information
- Right to Delete: Request deletion of your personal information
- Right to Opt Out of Sale or Sharing: Opt out of the sale of your personal information or its "sharing" for cross-context behavioral advertising
- Right to Limit Use and Disclosure of Sensitive Personal Information: Request that we limit the use of sensitive personal information to what is necessary to provide the Service
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, visit your account settings or contact us at contact@studio505.dev.
Do Not Sell or Share My Personal Information: We do not sell personal information for money. Where analytics/advertising signals could constitute "sharing" under the CPRA, you can opt out at any time via Cookie Settings in the footer or by emailing contact@studio505.dev.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
11. Children's Privacy
Our Service is not intended for children under 16 (or 13 in the United States). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
12. Cookies and Tracking Technologies
We use cookies, localStorage, and similar technologies to enhance your experience and maintain platform security. You can manage your cookie preferences through our cookie consent banner or by visiting our Cookie Policy.
13. Automated Decision-Making
We use automated systems (including fingerprint analysis and IP reputation checks) to detect and block abusive activity. These systems may automatically restrict access when abuse is detected. You may contact us to request human review of any automated decision that affects your account.
14. Changes to This Policy
We reserve the right to update or modify this Privacy Policy at any time, at our sole discretion, without prior notice (except where required by applicable law). The "Last Updated" date at the top of this page reflects the most recent revision. We will notify you of significant changes via email or through the Service where required by law. Your continued use of the Service after any changes are posted constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you must stop using the Service.
15. Contact Us
For privacy-related inquiries or to exercise your rights, please contact us:
- Data Controller: Studio505 AB, Jordabalksvägen, 226 57 Lund, Sweden
- Email: contact@studio505.dev
- Privacy Team: contact@studio505.dev
16. Supervisory Authority
If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se, or with the supervisory authority in your country of residence within the EU/EEA.
Was this page helpful?