Privacy Policy

Vision Engine · Zephios · Last updated: April 2026

1. Data controller

Vision Engine is operated by Zephios. For any question regarding your personal data, please contact privacy@zephios.com.

2. Data we collect

When you use the service, we process: your email address (magic-link authentication), the project briefs and images you submit, and technical session metadata (for security and audit purposes).

EXIF metadata: GPS coordinates, camera make and model, serial numbers and any other identifying technical metadata embedded in uploaded images are stripped before storage. Only the ICC color profile is kept, for rendering fidelity.
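To make the stripping rule concrete, here is an added example (written for this page, not Zephios's own code) that removes metadata from a JPEG at the segment level without re-encoding the image: every APPn and COM segment is dropped except the ICC profile chunks (APP2 with the `ICC_PROFILE` signature) and, as an assumption beyond the policy text, the Adobe APP14 segment that some decoders need for the color transform of CMYK files. The sample JPEG bytes are constructed inline and are not a decodable picture; the marker layout, however, is the real one, so the same function applies to real files.

```python
import struct
from typing import List, Optional, Tuple

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP0, APP1, APP2, APP14, COM = 0xFFE0, 0xFFE1, 0xFFE2, 0xFFEE, 0xFFFE
DQT, SOF0 = 0xFFDB, 0xFFC0

Segment = Tuple[int, Optional[bytes]]   # payload is None for standalone markers


def parse_jpeg_header(data: bytes) -> Tuple[List[Segment], bytes]:
    """Split a JPEG into (header segments, tail).

    Segments are every marker between SOI and SOS; the tail is everything from the
    SOS marker to the end (scan header, entropy-coded image data, EOI). Metadata
    lives only in the header segments, so the tail is copied verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments: List[Segment] = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        if data[pos + 1] == 0xFF:              # 0xFF fill bytes between segments are legal
            pos += 1
            continue
        marker = (data[pos] << 8) | data[pos + 1]
        if marker in (SOS, EOI):
            return segments, data[pos:]
        if 0xFFD0 <= marker <= 0xFFD7 or marker == 0xFF01:   # RSTn / TEM: no length field
            segments.append((marker, None))
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS/EOI found")


def keep_segment(marker: int, payload: Optional[bytes]) -> bool:
    """Allowlist. Exif (APP1), XMP (APP1), IPTC (APP13), MPF (APP2 without the ICC
    signature) and free-text COM segments are all dropped; the ICC profile may be
    chunked over several APP2 segments, and every chunk is kept."""
    if payload is None:
        return True
    if marker == APP2 and payload.startswith(b"ICC_PROFILE\x00"):
        return True
    if marker == APP14 and payload.startswith(b"Adobe"):   # assumption: needed for CMYK/YCCK decoding
        return True
    if 0xFFE0 <= marker <= 0xFFEF or marker == COM:
        return False
    return True   # DQT, DHT, SOFn, DRI, ... are required to decode the pixels


def encode_segment(marker: int, payload: Optional[bytes]) -> bytes:
    if payload is None:
        return struct.pack(">H", marker)
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return the JPEG with all metadata segments removed except the ICC profile.
    Pixel data is untouched, so the output decodes to exactly the same image."""
    segments, tail = parse_jpeg_header(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if keep_segment(marker, payload):
            out += encode_segment(marker, payload)
    out += tail
    return bytes(out)


# Constructed sample: a JPEG-shaped byte string carrying Exif, ICC, XMP and a comment.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + encode_segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + encode_segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x01\x88\x25GPS-IFD-and-serial-here")
    + encode_segment(APP2, b"ICC_PROFILE\x00\x01\x01<constructed ICC profile bytes>")
    + encode_segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta><exif:GPSLatitude/></x:xmpmeta>")
    + encode_segment(COM, b"Shot on camera serial 12345")
    + encode_segment(DQT, b"\x00" + bytes(64))
    + encode_segment(SOF0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + encode_segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print([hex(m) for m, _ in parse_jpeg_header(cleaned)[0]])
```

Note that XMP (also an APP1 segment) can carry the same GPS tags as Exif, so filtering on the `Exif\x00\x00` signature alone would leave a leak; the allowlist approach above drops it by default. PNG (`eXIf`, `tEXt`, `iTXt` chunks) and HEIC need their own handling and are not covered here.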

IP address and User-Agent: never stored in the clear. Audit records hold an HMAC-SHA256 of the value, keyed with a server-side secret and truncated to 16 hex characters. The result cannot be reversed without the secret, but it is stable, so records from the same source can be correlated for forensic purposes.
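The following added example (not Zephios's code) shows the pseudonymization scheme described above and why the key matters: a keyed, truncated HMAC-SHA256 lets an investigator who holds the secret re-derive a token and pull every event from one IP, while an attacker who obtains the logs cannot confirm guesses. The contrast function shows that an unkeyed hash of an IP address is recoverable by enumeration (the whole IPv4 space is only 2^32 values; one /24 is enumerated here to keep it fast). The secret, the log lines and the IP addresses are constructed for the example.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

# Constructed for this example. In production the secret comes from a secrets manager
# and must never be written to the same store as the audit log, or the tokens become
# reversible by anyone who reads that store.
SERVER_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")


def pseudonymize(value: str, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over the value, keyed with the server secret, truncated to the
    first 16 hex characters (64 bits). Same value + same secret -> same token."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256, truncated the same way: the weak variant, for comparison."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def audit_event(ip: str, user_agent: str, action: str,
                secret: bytes = SERVER_SECRET) -> Dict[str, str]:
    """Build one audit record; the raw IP and User-Agent never reach the log."""
    return {
        "ip_h": pseudonymize(ip, secret),
        "ua_h": pseudonymize(user_agent, secret),
        "action": action,
    }


def events_from_same_source(log: List[Dict[str, str]], ip: str,
                            secret: bytes = SERVER_SECRET) -> List[Dict[str, str]]:
    """Forensic correlation: re-derive the token for a suspect IP and select its events."""
    token = pseudonymize(ip, secret)
    return [e for e in log if e["ip_h"] == token]


def recover_by_enumeration(token: str, hasher: Callable[[str], str],
                           prefix: str = "203.0.113.") -> Optional[str]:
    """Dictionary attack over candidate IPs using a hash function the attacker can
    compute. Succeeds against plain_hash; fails against keyed tokens because the
    attacker cannot compute the HMAC without the secret."""
    for host in range(256):
        candidate = f"{prefix}{host}"
        if hasher(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    log = [
        audit_event("203.0.113.42", "Mozilla/5.0", "admin.login"),
        audit_event("198.51.100.7", "curl/8.0", "admin.login"),
        audit_event("203.0.113.42", "Mozilla/5.0", "project.delete"),
    ]
    print(events_from_same_source(log, "203.0.113.42"))
    print(recover_by_enumeration(plain_hash("203.0.113.42"), plain_hash))
    print(recover_by_enumeration(pseudonymize("203.0.113.42"), plain_hash))
```

Two practical consequences: tokens computed under different secrets do not match, so rotating the secret breaks correlation across the rotation boundary and a rotation schedule has to be reconciled with the 12-month log retention in section 4; and a 64-bit truncation is plenty to keep distinct sources apart in a log of this size, but it is the secrecy of the key, not the truncation, that makes the tokens non-reversible.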

3. Legal basis (GDPR Art. 6)

Processing rests on contract performance (authentication, core service, billing), legitimate interest (security and forensic audit), and legal obligation (accounting). No marketing or advertising processing is performed.

4. Retention

  • Active account: as long as the account is active
  • Expired / abandoned projects: automatic purge 30 days after expiry
  • Admin access logs: 12 months
  • Billing data: 10 years (accounting obligation)
  • Deleted account: erasure within 30 days, except legal obligations

5. Sub-processors

We rely on Vercel (hosting), Supabase (DB + auth, hosted in the EU, Frankfurt), Stripe (billing, PCI-DSS Level 1), Replicate (render generation, ephemeral transit, no retention), and Resend (transactional emails).

All transfers outside the EU are covered by the European Commission's Standard Contractual Clauses. The complete and up-to-date list of sub-processors is available on request from privacy@zephios.com.

6. Your rights (GDPR Art. 15-22)

You have rights of access, rectification, erasure, restriction, portability, and objection. To exercise them, write to privacy@zephios.com; we respond within 30 days.

You may also lodge a complaint with the French CNIL or your local data protection authority.

7. Cookies

Vision Engine uses only strictly necessary cookies: Supabase session (authentication), mfa_verified (admin MFA), and webauthn_challenge (5-minute auth challenge). All are HttpOnly, Secure, SameSite=Strict.

No tracking, third-party analytics, or advertising cookies are set. Under EU ePrivacy guidance, strictly necessary cookies do not require prior consent.

8. Security

Admin authentication uses WebAuthn passkeys (phishing-resistant). Every admin action is recorded in the forensic audit log. Every render carries a cryptographic watermark so that the origin of any leak can be traced. Full technical details are on our security page.

9. Breach notification

In the event of a breach likely to result in a risk to users' rights and freedoms, the competent data protection authority is notified within 72 hours of our becoming aware of it, and affected users are informed without undue delay (GDPR Art. 33-34).

10. Governing law

This Privacy Policy is governed by French law. Any dispute falls under the exclusive jurisdiction of the courts of Paris, subject to mandatory consumer-protection provisions.

11. Contact

privacy@zephios.com · security@zephios.com