Grafikarta

Privacy Policy

Last updated: 2026-06-06

1. Who we are

TCF Ltd trading as The Cloud Factory ("we", "us", "our", the "Company") operates Grafikarta, a software-as-a-service platform and brand. We are registered in England and Wales under company number 17264204 with registered office at 47 Eridge Road, Tunbridge Wells, TN4 8HR. We are the Data Controller for the personal data described in this policy.

For all privacy enquiries, contact support@grafikarta.com.

2. Personal data we collect

  • Account data: email address, display name, profile image (from a federated sign-in provider, if used), authentication tokens.
  • Session data: session tokens, IP address, user-agent string, timestamps, used to keep you signed in securely.
  • Billing data: a payment-processor customer reference, subscription status, the credit ledger (debits and refunds linked to your account). We do not store full payment card numbers; these are held by our payment processor.
  • Service content: Brand and Product details, prompts, reference images you upload, parameters of each Generation request, and the resulting generated images.
  • Locale preference: your selected language, stored in a cookie.

3. How we use your data and lawful bases

PurposeLawful basis (UK GDPR)
Providing the Service, fulfilling Generations, billingContract (Article 6(1)(b))
Authentication, session security, fraud preventionLegitimate interests (Article 6(1)(f))
Service maintenance, bug investigation, abuse detectionLegitimate interests (Article 6(1)(f))
Legal and tax record-keepingLegal obligation (Article 6(1)(c))
Optional marketing communications (where applicable)Consent (Article 6(1)(a)), withdrawable any time

4. How we share your data

We may share personal information with carefully selected service providers, contractors, business partners, and technology providers who assist us in operating, maintaining, securing, improving, and providing the Services. Each is bound by a data processing agreement and processes personal data only on our documented instructions.

The categories of recipients include providers of:

  • payment processing and subscription billing;
  • AI image generation and processing;
  • transactional email delivery;
  • cloud hosting and object storage;
  • authentication and federated sign-in.

We may also disclose personal data to professional advisers, regulators or law-enforcement authorities where required by law, and to a successor entity in connection with a merger, acquisition or sale of assets.

5. International transfers

Several of our service providers are based outside the United Kingdom, primarily in the United States. Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or equivalent appropriate safeguards.

6. Retention

  • Account, Brands, Products, Generations: kept for the lifetime of your account. On account deletion, soft-deleted within 30 days and permanently purged within 90 days, subject to legal hold.
  • Billing and tax records: retained for the period required by UK tax and accounting law (currently six years).
  • Sessions and logs: typically retained for up to 90 days.
  • Payment-provider event log: retained as long as the corresponding subscription is active plus the statutory tax-record period.

7. Cookies

We use only strictly-necessary and functional cookies and do not run third-party analytics or advertising scripts on the marketing site:

  • locale: stores your language preference for 12 months.
  • session: keeps you signed in to the application; set by our authentication framework, HTTP-only, expires when your session ends.

8. Your rights

Under UK GDPR you have the right to: access your personal data; have it rectified; have it erased; restrict or object to processing; data portability; and withdraw consent at any time where processing is based on consent. To exercise any right, contact support@grafikarta.com. We will respond within one month.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

9. Security

We apply appropriate technical and organisational measures to protect personal data, including TLS in transit, encrypted storage of credentials, scoped database access, and audit logging. No system is perfectly secure; you are responsible for keeping your account credentials confidential.

10. AI generation and your inputs

When you submit a Generation, the prompt, Product metadata and reference images are transmitted to our third-party AI image generation provider solely to produce your requested output. We do not use your inputs or generated outputs to train our own AI models. The handling of data by that provider is governed by its own policies.

11. Children

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children.

12. Changes

We may update this policy from time to time. Material changes will be notified via the Service or by email. The "Last updated" date above always reflects the latest revision.

13. Contact

For all privacy enquiries and data-rights requests, contact support@grafikarta.com.

14. Company information

  • Company name: TCF Ltd
  • Trading name: The Cloud Factory
  • Company registration number: 17264204
  • Contact email: support@grafikarta.com

TCF Ltd (trading as The Cloud Factory) is the Data Controller and operates Grafikarta. Registered in England and Wales.