1. Data We Collect
We collect the following personal data:
- Registration: name, email, and password (stored encrypted with bcrypt)
- Simulator use: images uploaded for simulation, selected glazes, generated mockups
- Payment: payment data processed exclusively by Stripe (we do not store card data)
- Browsing: essential cookies for authentication
2. Legal Basis
We process your personal data on the following legal bases (aligned with GDPR and CCPA where applicable):
- Performance of a contract: to provide the simulation service
- Consent: to send communications
- Legitimate interest: to improve the service and prevent fraud
3. How We Use Your Data
- Authenticate your access to the simulator
- Process glaze simulations via AI (Google Gemini)
- Manage your subscription and payments (via Stripe)
- Send notifications about your account
- Improve service quality
4. Data Sharing
Your data may be shared with:
- Google (Gemini API): images uploaded for mockup generation
- Stripe: data for payment processing
- Vercel: service hosting
- Neon: data storage
We do not sell, rent, or share your personal data with third parties for marketing purposes.
5. Storage and Security
Your data is stored on secure servers (Neon Database, AWS US-East-1). Passwords are encrypted with bcrypt. Communication is protected by HTTPS/TLS. Authentication tokens are stored in httpOnly cookies.
6. Your Rights
You have the right to:
- Confirm whether your data is being processed
- Access your personal data
- Correct incomplete or outdated data
- Request anonymization, blocking, or deletion of unnecessary data
- Data portability
- Delete data processed under consent
- Withdraw consent
To exercise your rights, contact: support@kilnmuse.app
7. Cookies
We only use essential cookies for:
- auth-token: session authentication (httpOnly, 24h)
- localStorage: shopping cart and free-simulation count
We do not use tracking, analytics, or advertising cookies.
8. Data Retention
Your data is kept while your account is active. After account deletion, your personal data will be removed within 30 days, except where a legal obligation requires longer retention.