What we collect
- Account data: email, display name, hashed password (managed by Supabase Auth — we never see it in plaintext).
- Usage data: palettes, gradients, scales, brand kits, moodboards, dark-mode pairings, and canvas configurations you save to your library.
- Uploaded images: any image you upload for color extraction. Stored in our private Supabase Storage bucket scoped to your account; deleted when you delete the item or your account.
- Billing data: when you purchase credits, our payment processor (Stripe or PayPal) collects your card / account details directly. We store the resulting credit grants and a redacted event record; we never see your card number.
- Operational data: IP address, user-agent string, and rate-limit counters used for abuse prevention. Client error reports may include the IP that triggered them; retained for up to 90 days.
Who we share it with
We use the following third-party services to operate the app:
- Supabase — database, authentication, storage.
- Vercel — hosting, edge runtime.
- Stripe — credit-pack checkout (US users).
- PayPal — alternative checkout.
- Google Gemini API — AI palette / moodboard generation. Prompts and uploaded images are sent to Google for processing; we do not control Google’s retention.
- Upstash Redis — rate limiting and AI response cache; stores hashed cache keys, not your inputs verbatim.
- Sentry — error monitoring. PII (email, IP, request cookies, auth headers) is stripped before events leave the browser or server.
- Resend — transactional email (sign-up confirmations, billing receipts).
We do not sell your personal information. We do not share it with advertisers.
How we protect it
- All traffic uses HTTPS.
- Supabase row-level security restricts every table to its owning user.
- Passwords are stored as bcrypt hashes by Supabase Auth; we never receive them.
- Server-side error logs are scrubbed of authentication headers, cookies, and personal identifiers before reaching Sentry.
Your rights
- Access: contact us to request a copy of your stored data. (Self-service export coming soon.)
- Deletion: visit Account → Settings and use the Delete Account action. This removes your stored palettes, uploaded images, and authentication record. Aggregated audit logs may retain your anonymised user ID for compliance with billing / fraud-prevention requirements.
- Correction: edit your display name and notification preferences from Account → Profile.
Cookies
We use a small number of cookies. See our Cookie Policy for details.
Contact
Questions about this policy or your data? Contact us.