Privacy Policy for Articfly

Summary

This Privacy Policy explains how Lumizone ("Company," "we," "us," or "our") collects, uses, shares, and protects personal data when you use Articfly (articfly.com), our AI-powered content generation platform. Articfly uses third-party artificial intelligence services, including OpenAI, Google Gemini, and DeepSeek, to generate blog articles and content. Your content inputs are not used to train AI models when using our paid API services. We process data under Polish law and the EU General Data Protection Regulation (GDPR). You have rights to access, correct, delete, and port your data, and you may lodge complaints with the Polish Data Protection Authority (UODO).

---

1. Data Controller Information

The data controller responsible for processing your personal data is:

Lumizone

ul. Malińska 1

47-320 Gogolin

Poland

Contact Email: contact@articfly.com

For all privacy-related inquiries, data subject requests, or concerns about our data practices, please contact us at the email address above.

---

2. Personal Data We Collect

2.1 Information You Provide Directly

Account Information: When you create an Articfly account, we collect your name, email address, password (stored in hashed form), and billing information. For Enterprise accounts, we may collect company name, business address, and tax identification numbers.

Payment Information: When you subscribe to our paid plans (Basic, Pro, or Enterprise), payment card details, billing address, and transaction history are collected and processed by our payment processor, Stripe. We do not store complete credit card numbers on our servers.

User Content: When you use our AI content generation features, we collect:

• Text prompts and instructions you provide to generate articles
• Content you input for rewriting or enhancement
• Generated articles and outputs
• WordPress connection credentials (encrypted)
• Scheduled publication settings and preferences
• Images selected from Pexels or generated using AI

Communication Data: When you contact our support team, we collect the content of your messages, email address, and any attachments you provide.

2.2 Information Collected Automatically

Usage Data: We automatically collect information about how you interact with Articfly, including pages visited, features used, generation requests made, articles published, session duration, and timestamps.

Device and Technical Data: We collect your IP address, browser type and version, device type, operating system, unique device identifiers, and referring URLs.

Cookie Data: We use cookies and similar tracking technologies to collect information about your browsing activity. See Section 11 (Cookies and Tracking Technologies) for details.

2.3 Information from Third Parties

WordPress Integration: When you connect your WordPress site, we receive site URL, authentication tokens, and publishing capability information.

Payment Processor: Stripe provides us with transaction confirmations, payment status, and fraud prevention signals.

---

3. How We Use Your Personal Data

We process your personal data for the following purposes and under the following legal bases under Article 6 of the GDPR:

3.1 Contract Performance (Article 6(1)(b) GDPR)

• Service Delivery: Processing your content generation requests, delivering AI-generated articles, executing WordPress publications, and managing scheduled posts
• Account Management: Creating and maintaining your account, authenticating your identity, and managing subscriptions
• Payment Processing: Processing subscription payments, managing billing, issuing invoices, and handling refunds
• Customer Support: Responding to your inquiries and providing technical assistance

3.2 Legitimate Interests (Article 6(1)(f) GDPR)

• Service Improvement: Analyzing usage patterns (in aggregated, anonymized form) to improve our platform's features, user interface, and performance
• Security and Fraud Prevention: Protecting our platform, users, and systems from unauthorized access, abuse, and fraudulent activity
• Technical Operations: Maintaining server infrastructure, debugging issues, and ensuring service availability

3.3 Legal Obligations (Article 6(1)(c) GDPR)

• Tax and Accounting: Maintaining financial records as required by Polish and EU law
• Legal Compliance: Responding to lawful requests from authorities and complying with applicable regulations

3.4 Consent (Article 6(1)(a) GDPR)

• Marketing Communications: Sending promotional emails, product updates, and newsletters (only with your explicit consent)
• Non-Essential Cookies: Placing analytics and marketing cookies on your device (only with your prior consent)

You may withdraw consent at any time by contacting us at contact@articfly.com or using the unsubscribe link in marketing emails, without affecting the lawfulness of processing based on consent before withdrawal.

---

4. Artificial Intelligence Data Processing

Articfly uses artificial intelligence technologies from third-party providers to generate content. This section explains how your data is processed in connection with AI features.

4.1 AI Service Providers

We partner with the following AI providers to deliver our content generation services:

OpenAI (United States)

We use OpenAI's API services (GPT models) for article generation and content enhancement. Under OpenAI's API data usage policy:

• Your prompts and generated outputs are NOT used to train OpenAI's models by default
• Data is retained by OpenAI for up to 30 days for abuse monitoring and safety purposes
• OpenAI may access data for abuse investigation, support, or legal compliance
• Data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
• OpenAI has established OpenAI Ireland Limited for EEA users; we have executed a Data Processing Addendum with Standard Contractual Clauses

Google Gemini (United States/European Union)

We use Google's Gemini API for certain content generation features. Under Google's paid API terms:

• Your prompts and responses are NOT used to train Google's models
• Data is retained for up to 55 days for abuse monitoring
• Human reviewers may access flagged content for safety review
• Google maintains Data Processing Addendum with Standard Contractual Clauses for EU data protection

DeepSeek (People's Republic of China)

⚠️ Important Notice: We offer DeepSeek as an optional AI model choice. If you select DeepSeek for content generation, please be aware:

• All data is processed and stored on servers located in the People's Republic of China
• Data may be used to train and improve DeepSeek's AI models
• Data is subject to Chinese law, including the Cybersecurity Law and national security legislation, which may require disclosure to Chinese government authorities
• DeepSeek may share data with advertising partners and analytics companies
• There is no adequacy decision from the European Commission for China
• We rely on Standard Contractual Clauses for this transfer; however, Chinese law may limit the effectiveness of these safeguards

By selecting DeepSeek as your AI model, you explicitly acknowledge these risks and consent to the transfer of your data to China under these conditions. We recommend using OpenAI or Google Gemini for processing sensitive or personal data.

4.2 AI Model Training

We do not use your content to train our own AI models. When you use Articfly:

• Your prompts and generated outputs processed via OpenAI and Google Gemini APIs are not used for training their foundation models
• If you select DeepSeek, your data may be used for training as described above
• We may use aggregated, anonymized usage data (not including your actual content) to improve our platform's features and user experience

4.3 Data Retention for AI Processing

4.4 EU AI Act Transparency Disclosure

In accordance with the EU Artificial Intelligence Act (Regulation 2024/1689):

• AI-Generated Content: All content produced by Articfly is artificially generated by AI systems. Where technically feasible, such content is marked in a machine-readable format to enable detection.
• Human-AI Interaction: When you use our content generation features, you are interacting with artificial intelligence systems, not humans.
• User Responsibility: If you publish AI-generated content for the purpose of informing the public on matters of public interest, you may be required under Article 50(4) of the EU AI Act to disclose that the content was artificially generated.

---

5. Image Services and Stock Photography

5.1 Pexels Stock Images

Articfly integrates with Pexels to provide stock photography for your articles. When you search for or use stock images:

• Search queries may be transmitted to Pexels
• Pexels is operated by Canva Germany GmbH
• Pexels may use search data for analytics and service improvement
• Images are provided under the Pexels License (free for commercial use)
• Data may be processed in the United States, European Union, Australia, and other locations

For Pexels' full privacy practices, see: https://www.pexels.com/privacy-policy/

5.2 AI-Generated Images

When you use AI image generation features:

• Your image prompts are processed by our AI image generation provider
• Generated images are stored in your account until deletion
• Image generation may be subject to content policies restricting certain types of imagery

---

6. Data Sharing and Recipients

We share your personal data only as described in this policy and only with the following categories of recipients:

6.1 Service Providers (Data Processors)

All service providers are bound by data processing agreements requiring them to process data only on our documented instructions and to implement appropriate security measures.

6.2 WordPress Integration

When you connect Articfly to your WordPress site, we transmit article content, images, and metadata to your designated WordPress installation. This transfer is initiated by you and governed by your relationship with your WordPress hosting provider.

6.3 Legal and Safety Disclosures

We may disclose your personal data if required to:

• Comply with applicable law, regulation, or legal process
• Respond to lawful requests from public authorities, including law enforcement
• Protect the rights, privacy, safety, or property of Articfly, our users, or the public
• Enforce our Terms of Service or investigate potential violations

6.4 Business Transfers

If Lumizone is involved in a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

6.5 No Sale of Personal Data

We do not sell your personal data to third parties for monetary consideration. We do not share personal data for cross-contextual behavioral advertising purposes.

---

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States and, if you select DeepSeek, the People's Republic of China.

7.1 Transfers to the United States

We transfer personal data to the following US-based service providers:

Under EU-US Data Privacy Framework:

• Stripe, Inc. — Certified under the EU-US Data Privacy Framework, UK Extension, and Swiss-US Data Privacy Framework
• Google LLC — Certified under the EU-US Data Privacy Framework
• OpenAI — Maintains Data Processing Addendum with Standard Contractual Clauses; OpenAI Ireland Limited serves as contracting entity for EEA users

The EU-US Data Privacy Framework was adopted by European Commission Implementing Decision (EU) 2023/1795 of July 10, 2023, pursuant to Article 45 GDPR. This adequacy decision ensures that certified US organizations provide an adequate level of data protection.

You may verify company certifications at: https://www.dataprivacyframework.gov/list

Standard Contractual Clauses:

In addition to the Data Privacy Framework, we have entered into Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with our US processors as a supplementary safeguard.

7.2 Transfers to China (DeepSeek)

Important: China does not have an adequacy decision from the European Commission. If you choose to use DeepSeek:

• We rely on Standard Contractual Clauses (Article 46(2)(c) GDPR) for the transfer
• We have conducted a Transfer Impact Assessment identifying that Chinese law, including the Cybersecurity Law and national security legislation, may require service providers to grant Chinese authorities access to personal data
• These laws may limit the effectiveness of Standard Contractual Clauses as a safeguard
• Additional technical measures (encryption) are implemented where feasible

By selecting DeepSeek, you acknowledge these risks and consent to the transfer under these conditions.

7.3 Your Rights Regarding Transfers

You have the right to:

• Request information about the specific safeguards applied to international transfers of your personal data
• Obtain a copy of the Standard Contractual Clauses or other transfer mechanisms used
• Lodge a complaint with the Polish Data Protection Authority (UODO) regarding international transfers

To obtain copies of transfer safeguards, contact us at: contact@articfly.com

---

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.

8.1 Retention Periods

8.2 Account Deletion

When you delete your account or request erasure:

• Account information and user content are deleted within 30 days
• Backups are purged within 90 days
• We may retain anonymized, aggregated data that no longer identifies you
• Data required for legal compliance (e.g., invoices) is retained for the legally mandated period

---

9. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation, you have the following rights:

9.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about:

• The purposes of processing
• Categories of data processed
• Recipients of your data
• Retention periods
• Your rights regarding the data
• The source of the data (if not collected from you directly)
• The existence of automated decision-making

9.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data without undue delay.

9.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for its original purpose
• You withdraw consent (and no other legal basis applies)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required for legal compliance

This right does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.

9.4 Right to Restriction of Processing (Article 18)

You have the right to request we restrict processing of your data when:

• You contest the accuracy of the data (during verification)
• Processing is unlawful but you oppose erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing (pending verification of legitimate grounds)

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and to transmit that data to another controller, where:

• Processing is based on consent or contract performance
• Processing is carried out by automated means

You may request that we transmit your data directly to another controller where technically feasible.

9.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests (Article 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

You have the absolute right to object to processing for direct marketing purposes at any time. Upon objection, we will immediately cease using your data for marketing.

9.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you.

Articfly does not currently make automated decisions with legal or significant effects on users. Our AI content generation produces outputs under your direction and control.

9.8 How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: contact@articfly.com

Postal Address: Lumizone, ul. Malińska 1, 47-320 Gogolin, Poland

What to include in your request:

• Your full name and email address associated with your account
• Specific right(s) you wish to exercise
• Any relevant details to help us locate your data

Response Timeline:

We will respond to your request within one month of receipt. If your request is complex or we receive numerous requests, we may extend this period by up to two additional months. We will inform you of any extension within the first month, explaining the reasons for the delay.

Identity Verification:

To protect your privacy, we may request additional information to verify your identity before processing your request. This verification will be proportionate and will not require you to provide more data than necessary.

Fees:

Exercising your rights is generally free. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, particularly if repetitive.

---

10. Right to Lodge a Complaint

If you believe we have not processed your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority.

Polish Data Protection Authority:

Urząd Ochrony Danych Osobowych (UODO)

ul. Stanisława Moniuszki 1A

00-014 Warsaw

Poland

Telephone: +48 22 531 03 00

Email: kancelaria@uodo.gov.pl

Website: https://uodo.gov.pl

Electronic Inbox (ePUAP): /UODO/SkrytkaESP

We encourage you to contact us first at contact@articfly.com to resolve any concerns before filing a complaint with the supervisory authority.

---

11. Cookies and Tracking Technologies

11.1 What Are Cookies

Cookies are small text files placed on your device when you visit a website. They enable the website to remember your actions and preferences and provide various functions. We also use similar technologies such as pixels, web beacons, and local storage.

11.2 Legal Basis for Cookies

We use cookies in accordance with the ePrivacy Directive (2002/58/EC) as implemented by Polish Electronic Communications Law (Article 399) and the GDPR:

• Strictly necessary cookies: No consent required (legal basis: legitimate interest)
• All other cookies: Require your prior consent before placement

11.3 Types of Cookies We Use

Strictly Necessary Cookies

These cookies are essential for the operation of Articfly. Without them, the service cannot function properly. They do not require consent.

Functional Cookies

These cookies remember your preferences and choices to enhance your experience. They require your consent.

Analytics Cookies

These cookies help us understand how visitors use Articfly so we can improve our service. They require your consent.

Third-Party Cookies

Stripe Payment Cookies:

Our payment processor, Stripe, sets cookies for fraud prevention and payment functionality:

Stripe may collect personal data including via cookies and similar technologies. The personal data Stripe collects may include transactional data and identifying information about devices that connect to its services. Stripe uses this information for fraud detection, loss prevention, authentication, and analytics. For more information, see Stripe's Privacy Policy at: https://stripe.com/privacy

11.4 Managing Cookie Preferences

Cookie Consent Banner:

When you first visit Articfly, we display a cookie consent banner where you can:

• Accept all cookies
• Reject all non-essential cookies
• Customize your preferences by category

Changing Your Preferences:

You can change your cookie preferences at any time by clicking the "Cookie Settings" link in our website footer or by contacting us at contact@articfly.com.

Browser Settings:

You can also control cookies through your browser settings:

• Chrome: Settings → Privacy and Security → Cookies and other site data
• Firefox: Settings → Privacy & Security → Cookies and Site Data
• Safari: Preferences → Privacy → Cookies and website data
• Edge: Settings → Cookies and site permissions → Cookies and site data

Please note that blocking certain cookies may affect the functionality of Articfly.

11.5 Do Not Track

Articfly honors Do Not Track (DNT) browser signals. When we detect a DNT signal, we do not place non-essential tracking cookies.

---

12. Data Security

12.1 Technical Measures

We implement appropriate technical measures to protect your personal data, including:

• Encryption in Transit: All data transmitted between your browser and our servers is protected using TLS 1.2 or higher encryption
• Encryption at Rest: Sensitive data, including passwords and authentication credentials, is encrypted using AES-256 encryption
• Password Security: User passwords are hashed using industry-standard bcrypt algorithms; we never store plain-text passwords
• WordPress Credentials: Connection credentials for WordPress integration are encrypted and stored separately from other data
• Access Controls: We implement role-based access controls limiting employee access to personal data on a need-to-know basis
• Infrastructure Security: Our servers are hosted in data centers with physical security controls, including access restrictions and environmental protections

12.2 Organizational Measures

• Employee Training: Personnel with access to personal data receive data protection training
• Confidentiality Obligations: All employees and contractors are bound by confidentiality agreements
• Vendor Assessment: We assess the security practices of our service providers before engagement
• Incident Response: We maintain incident response procedures for potential data breaches

12.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

• We will notify the Polish Data Protection Authority (UODO) within 72 hours of becoming aware of the breach
• If the breach poses a high risk to you, we will notify you directly without undue delay
• Notifications will include the nature of the breach, likely consequences, and measures taken or proposed

12.4 Security Limitations

While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your personal data. You are responsible for maintaining the confidentiality of your account credentials and should contact us immediately if you suspect unauthorized access to your account.

---

13. Children's Privacy

13.1 Age Requirement

Articfly is not intended for use by individuals under the age of 16 years. This age requirement reflects Article 8 of the GDPR as implemented by Polish law for information society services.

13.2 No Intentional Collection

We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@articfly.com. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly.

13.3 Parental Rights

Parents or guardians may:

• Request information about any data collected from their child
• Request deletion of their child's personal data
• Refuse further collection or use of their child's data

---

14. Third-Party Links and Services

Articfly may contain links to third-party websites, services, or integrations that are not operated by us. This Privacy Policy applies only to Articfly and does not cover third-party services.

We are not responsible for the privacy practices of third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with Articfly, including:

• Your WordPress hosting provider
• Pexels: https://www.pexels.com/privacy-policy/
• Stripe: https://stripe.com/privacy
• OpenAI: https://openai.com/privacy/
• Google: https://policies.google.com/privacy

---

15. Changes to This Privacy Policy

15.1 Updates and Modifications

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:

• Minor Changes: For non-material updates (clarifications, formatting), we will update the "Last Updated" date at the top of this policy
• Material Changes: For significant changes that affect your rights or how we process your data, we will:

- Provide notice via email to the address associated with your account

- Display a prominent notice within the Articfly platform

- Where required by law, obtain your consent before the changes take effect

15.2 Review Recommendation

We encourage you to review this Privacy Policy periodically to stay informed about our data practices. Your continued use of Articfly after changes become effective constitutes acceptance of the revised policy.

15.3 Previous Versions

Upon request, we can provide you with previous versions of this Privacy Policy.

---

16. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of Poland and applicable European Union law, including the General Data Protection Regulation (EU) 2016/679.

Any disputes arising from or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Poland, without prejudice to your right to lodge a complaint with a supervisory authority or seek remedies before the courts of your place of habitual residence.

---

17. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Lumizone

ul. Malińska 1

47-320 Gogolin

Poland

Email: contact@articfly.com

We aim to respond to all inquiries within 5 business days and to all formal data subject requests within one month as required by GDPR.

---

18. Definitions

• "Articfly" means the web application and services available at articfly.com, including all AI content generation, WordPress publishing, and related features.
• "Controller" means the entity that determines the purposes and means of processing personal data (Lumizone).
• "Data Subject" means an identified or identifiable natural person whose personal data is processed.
• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
• "Processor" means an entity that processes personal data on behalf of the Controller.
• "User Content" means text prompts, articles, images, and other content you create, upload, or generate using Articfly.

---

This Privacy Policy was last updated on January 8, 2026.

---

Document Information:

• Version: 2.0
• Effective Date: January 8, 2026
• Applicable Law: Polish law, EU GDPR (Regulation 2016/679), ePrivacy Directive (2002/58/EC), EU AI Act (Regulation 2024/1689)
• Supervisory Authority: Urząd Ochrony Danych Osobowych (UODO), Warsaw, Poland