Privacy Policy

Effective date: February 27, 2026 · Version 1.0.0

1. Introduction and Scope

This Privacy Policy ("Policy") describes how Contia ("we," "us," or "our"), operating the Contia platform at contia.app (the "Service"), collects, uses, shares, retains, and protects your personal data when you visit our website, create an account, or use any feature of the Service.

Contia is a batch AI content generation software-as-a-service ("SaaS") that enables users to create images and videos using third-party AI models. This Policy applies to all users of the Service, including free-tier and paid subscribers, team members, and visitors to our website.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with our data practices, please do not use the Service.

2. Data Controller

The data controller responsible for your personal data is:

Contia
Jurisdiction: the State of Delaware, United States
Email: legal@contia.app

For all privacy-related inquiries, data-subject requests, or complaints, please contact us at legal@contia.app.

3. Categories of Personal Data Collected

We collect and process the following categories of personal data:

3.1 Account Data

When you register for an account, we collect your email address and password. Passwords are cryptographically hashed by our authentication provider (Supabase Auth) and are never stored or accessible in plaintext. If you sign in through a third-party identity provider, we may receive your name, email address, and profile picture as provided by that provider.

3.2 Content Data

When you use the Service, we collect and store the content you create and upload, including:

  • Prompts — text instructions you provide to guide AI generation.
  • Reference images — images you upload as input for generation jobs (stored in Supabase Storage and transmitted to AI providers via time-limited signed URLs).
  • Generated outputs — images and videos produced by AI models as a result of your generation jobs.
  • Job metadata — model selection, parameters, aspect ratio, resolution, job status, and timestamps.

3.3 Billing Data

We maintain a credit-based billing system. We collect and store:

  • Credit balance — your current credit balance within Contia.
  • Top-up history — records of credit purchases, including amount, currency, payment method, and timestamp.
  • Usage events — per-job credit deductions, including the model used, cost, and associated job identifier.

We do not directly collect or store credit card numbers, bank account details, or other raw payment instrument data. All payment processing is handled by our third-party payment processors (Stripe, YooKassa, and/or Kaspi Pay), which operate under their own privacy policies.

3.4 Team Data

If you create or join a team, we collect:

  • Team names and URL slugs.
  • Member email addresses and roles.
  • Invitation records, including invitee email, inviter identity, and invitation status.

3.5 Support Data

When you contact our support team, we collect:

  • Support ticket subject and message content.
  • Attachments you upload in connection with a support request (such as screenshots or files).
  • Correspondence history between you and our support team.

3.6 Technical Data

We automatically collect certain technical data when you use the Service, including:

  • IP addresses — collected with each request for security, rate limiting, and abuse prevention.
  • User agent strings — browser type, version, and operating system information.
  • Session cookies — see Section 3.7 below.

3.7 Cookies

Contia uses essential authentication cookies only. We do not use advertising, analytics, or tracking cookies.

Cookie Name | Purpose | Duration
sb-*-auth-token | Authentication session token managed by Supabase, containing access and refresh credentials | Access token refreshes every hour; refresh token persists up to 30 days

Because these cookies are strictly necessary for the Service to function, they are set without requiring separate cookie consent. No personal data is shared with third parties through these cookies.

4. Purposes and Legal Bases for Processing

We process your personal data for the purposes described below, relying on the corresponding legal bases:

Purpose | Data Categories | Legal Basis
Providing and operating the Service | Account, Content, Team | Performance of contract
Processing payments and maintaining billing records | Billing | Performance of contract
Authenticating users and managing sessions | Account, Technical, Cookies | Performance of contract
Transmitting prompts and reference images to AI providers | Content | Performance of contract
Responding to support requests | Support, Account | Performance of contract
Preventing abuse, fraud, and unauthorized access | Technical, Account | Legitimate interests (security)
Enforcing our Terms of Service and Acceptable Use Policy | Content, Account, Technical | Legitimate interests (enforcement)
Complying with legal obligations (tax records, law enforcement requests) | Billing, Account | Legal obligation
Sending transactional emails (account verification, password resets, billing receipts) | Account | Performance of contract
Optional prompt enhancement via AI | Content (prompts only) | Consent (opt-in feature)

5. How We Use Your Data

5.1 Service Delivery

Your account data is used to authenticate you and provide access to the Service. Your content data — prompts, reference images, and generation parameters — is transmitted to third-party AI providers to execute generation jobs on your behalf. Generated outputs are stored in our cloud storage and made available to you through the Service.

5.2 Billing and Credits

When you purchase credits, your billing data is processed by our payment providers (Stripe, YooKassa, or Kaspi Pay). We record the resulting transaction in our billing ledger and adjust your credit balance accordingly. Per-job usage events are logged to track credit consumption.

5.3 Team Collaboration

If you create or join a team, your email address and role are visible to other team members and team administrators. Invitations are sent to the email addresses you provide.

5.4 Support

When you submit a support ticket, we use the information you provide — along with your account data — to investigate and resolve your issue. Support correspondence is retained for quality assurance and to maintain a record of prior interactions.

5.5 Security and Abuse Prevention

We use IP addresses, user agents, and session data to detect and prevent unauthorized access, rate-limit API usage, and enforce our Acceptable Use Policy. We may review content data (prompts and generated outputs) to enforce content policies, respond to takedown requests, and comply with applicable laws.

5.6 Prompt Enhancement (Optional)

If you opt in to the prompt enhancement feature, your prompt text is sent to a third-party language model provider (OpenRouter) to generate an improved version of your prompt. This feature is entirely optional and can be toggled on or off at any time.

6. Data Sharing with Third Parties

We share personal data only with the third-party processors listed below, solely for the purposes described. We do not sell your personal data to any third party.

Processor | Purpose | Data Shared | Location
Supabase | Database, authentication, and cloud storage | Account data, content data (prompts, reference images, generated outputs), team data, billing ledger, job metadata | United States
WaveSpeedAI PTE. LTD. | AI image and video generation | Prompts, generation parameters, and reference images (transmitted via time-limited signed URLs). WaveSpeed may use aggregated, de-identified resultant data to improve their services and may use Customer Data to train derivative models per their terms. | Singapore
OpenRouter | Optional prompt enhancement via large language models | Prompt text only (when you opt in to prompt enhancement) | United States
Resend | Transactional email delivery | Email addresses (for account verification, password resets, billing receipts, and team invitations) | United States
Stripe | Payment processing (USD, EUR, and other supported currencies) | Billing data (transaction amounts, currency, payment method tokens) | United States
YooKassa | Payment processing (RUB) | Billing data (transaction amounts, currency, payment method tokens) | Russia
Kaspi Pay (Kaspi.kz) | Payment processing (KZT) | Billing data (transaction amounts, currency, payment method tokens) | Kazakhstan

We require each processor to handle your data in accordance with applicable data protection laws and our contractual obligations. A complete list of our subprocessors, including their roles, data categories, and locations, is available at /legal/subprocessors.

We may also disclose personal data if required to do so by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, the safety of our users, or the public.

7. International Data Transfers

Your personal data may be transferred to and processed in countries other than the country in which you reside. In particular, most of our infrastructure and third-party processors are located in the United States, our payment processor YooKassa operates in Russia, and Kaspi Pay operates in Kazakhstan.

Where we transfer personal data outside of the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions by relevant data protection authorities, where available.
  • Data processing agreements with each processor that include commitments to maintain appropriate security measures.

You may request a copy of the relevant transfer safeguards by contacting us at legal@contia.app.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following retention periods apply:

Data Category | Retention Period
Account data | Retained while your account is active. Upon account deletion, we permanently erase account data within 30 days, except where retention is required by law.
Content data (prompts, reference images, generated outputs) | Retained while your account is active. Permanently deleted when your account is deleted.
Billing ledger (credit purchases, usage events) | Retained indefinitely for financial compliance, tax reporting, and audit purposes, even after account deletion.
Team data | Retained while the team exists. Removed when the team is deleted or your membership is revoked.
Support data | Retained for 1 year after the support ticket is closed, then permanently deleted.
Technical data (IP addresses, user agents) | Retained in server logs for up to 90 days, then automatically purged.
Cookies | sb-*-auth-token: access token refreshes every hour; refresh token persists up to 30 days. Cleared on logout.

9. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data:

  • Right of access — You may request a copy of the personal data we hold about you, including the categories of data collected, the purposes of processing, the recipients to whom data has been disclosed, and the applicable retention periods.
  • Right to rectification — You may request that we correct any inaccurate or incomplete personal data we hold about you.
  • Right to erasure — You may request that we delete your personal data. Upon receiving a valid erasure request, we will delete your account and associated data in accordance with the retention periods described in Section 8, except where we are required by law to retain certain records.
  • Right to data portability — You may request that we provide your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and you may request that we transmit that data directly to another controller where technically feasible.
  • Right to restriction of processing — You may request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when processing is unlawful.
  • Right to object — You may object to processing of your personal data that is based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights.
  • Right to withdraw consent — Where processing is based on your consent (e.g., optional prompt enhancement), you may withdraw consent at any time by disabling the relevant feature. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

10. How to Exercise Your Rights

To exercise any of the rights described above, please contact us at legal@contia.app with your request. In your email, please include:

  1. The email address associated with your Contia account.
  2. A clear description of the right you wish to exercise and the specific data concerned.
  3. Sufficient information to verify your identity (we may ask you to confirm details only the account holder would know).

We will acknowledge your request within 5 business days and fulfil it within 30 days from the date of receipt. If the request is complex or we receive a large number of requests, we may extend the response period by an additional 60 days, in which case we will inform you of the extension and the reasons for the delay.

You may also delete your account and all associated content data directly from your account settings within the Service.

If you believe that our processing of your personal data violates applicable data protection law, you have the right to lodge a complaint with your local supervisory authority.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and you believe your child has provided us with personal data, please contact us at legal@contia.app. If we become aware that we have collected personal data from a child under 18 without verification of parental consent, we will take steps to delete that information promptly.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest — Databases and storage buckets are encrypted at rest using AES-256 encryption managed by our infrastructure provider.
  • Password hashing — User passwords are hashed using industry-standard algorithms (bcrypt) by Supabase Auth. We never store or have access to plaintext passwords.
  • Row-Level Security (RLS) — Database access is enforced at the row level using Supabase RLS policies, ensuring that each user can only access their own data.
  • Signed URLs — Reference images shared with AI providers are transmitted via time-limited signed URLs that expire automatically, minimizing the window of access.
  • Access controls — Administrative access to production systems is restricted to authorized personnel and protected by multi-factor authentication.
  • Regular reviews — We periodically review and update our security practices to address emerging threats and vulnerabilities.

While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make changes, we will:

  • Update the "Effective date" and "Version" at the top of this page.
  • Post the revised Policy on this page at /legal/privacy.
  • For material changes that significantly affect how we process your data, we will notify you by email to the address associated with your account at least 14 days before the changes take effect.

Your continued use of the Service after the revised Policy becomes effective constitutes your acceptance of the updated terms. If you do not agree with the revised Policy, you should stop using the Service and delete your account.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Contia
Email: legal@contia.app

We aim to respond to all privacy-related inquiries within 5 business days.