Privacy Policy

Effective Date: April 6, 2026

This Privacy Policy explains how Lumi Zone Lukasz Blania ("we," "us," "our," or "Articfly") collects, uses, stores, and protects your personal data when you use the Articfly platform, including the website at articfly.com, the dashboard at app.articfly.com, and all related services (collectively, the "Service").

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Polish Act on Protection of Personal Data (Ustawa o ochronie danych osobowych), and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

Lumi Zone Lukasz Blania ul. Malinska 1 47-320 Gogolin, Poland

Email: contact@articfly.com

If you have any questions about this Privacy Policy or our data practices, please contact us at the email address above.

2. What Data We Collect

2.1 Account Data

When you create an account, we collect:

Email address — provided during sign-up via our authentication provider (Clerk)
Name — if provided during sign-up
Clerk User ID — a unique identifier assigned by our authentication provider
Account preferences — language, timezone, notification settings, and other configuration choices you make in the dashboard

2.2 Subscription and Billing Data

When you subscribe to a paid plan or purchase article top-ups:

Subscription status and plan details — plan type, billing period, renewal dates
Transaction records — purchase history, top-up records, invoice references

Note: All payment processing is handled by Polar.sh as our Merchant of Record. We do not collect, store, or have access to your credit card numbers, bank account details, or other payment instrument data. Polar.sh processes payments and handles VAT/tax compliance on our behalf. Please refer to Polar.sh's privacy policy for details on how they handle your payment data.

2.3 Content Data

When you use the Service, we store:

Generated articles — titles, content, keywords, metadata, and status
Brand voice analysis — website URLs and content you submit for brand voice analysis, and the resulting brand briefs
Content plans — calendar entries and content planning data
Article rewrites — original content references and rewritten output
SEO tool results — URLs and content you submit for analysis, and the resulting reports

2.4 WordPress Integration Data

If you connect a WordPress site:

Site URL and site name — of your connected WordPress installation
Connection credentials — encrypted API keys for the plugin connection
Publication data — articles published or scheduled to your WordPress site

2.5 Technical and Usage Data

When you access the Service, we automatically collect:

IP address — for rate limiting, security monitoring, and abuse prevention
Browser type and version — via standard HTTP headers
Pages visited and features used — through our self-hosted analytics platform (Umami)
Timestamps — of your interactions with the Service
Security events — login attempts, rate limit triggers, and other security-relevant actions

2.6 Cookies and Similar Technologies

We use the following cookies:

Cookie	Provider	Purpose	Duration	Type
Session cookie	Clerk	Authentication — keeps you signed in	Session	Essential
`__client_uat`	Clerk	Authentication state	Session	Essential
CSRF token	Next.js	Cross-site request forgery protection	Session	Essential
Analytics	Umami (self-hosted)	Anonymous usage statistics	24 hours	Analytics

We do not use third-party advertising cookies or cross-site tracking technologies. Our analytics solution (Umami) is self-hosted and does not share data with any third parties.

3. How We Use Your Data

We process your personal data for the following purposes and legal bases:

Purpose	Legal Basis (GDPR Art. 6)
Providing and maintaining the Service (account management, article generation, SEO tools)	Performance of contract (Art. 6(1)(b))
Processing payments and managing subscriptions (via Polar.sh)	Performance of contract (Art. 6(1)(b))
Sending transactional emails (account confirmations, password resets, billing notifications)	Performance of contract (Art. 6(1)(b))
Ensuring security, preventing fraud, and enforcing rate limits	Legitimate interest (Art. 6(1)(f))
Monitoring and logging security events	Legitimate interest (Art. 6(1)(f))
Analyzing usage patterns to improve the Service (via self-hosted Umami)	Legitimate interest (Art. 6(1)(f))
Complying with legal obligations (tax records, law enforcement requests)	Legal obligation (Art. 6(1)(c))

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you.

We do not sell your personal data to third parties.

4. AI-Generated Content and Data Processing

4.1 How AI Processing Works

When you use our article generation, rewriting, brand voice analysis, or SEO tools, the content you provide (topics, keywords, URLs, instructions, existing articles) is sent to third-party AI providers for processing. These providers act as sub-processors under our data processing agreements.

4.2 AI Providers

We use the following AI providers to power our content generation and analysis features:

Google (Gemini API) — Mountain View, CA, USA
Anthropic (Claude API) — San Francisco, CA, USA
OpenAI (GPT API) — San Francisco, CA, USA

4.3 What Data Is Sent to AI Providers

Article topics, keywords, and writing instructions you provide
Existing article content submitted for rewriting or analysis
Website URLs and content submitted for brand voice analysis or SEO analysis
Content plans and calendar-related prompts

4.4 AI Provider Data Handling

We use these AI providers under their business API terms, which typically:

Do not use your inputs or outputs to train their models
Process data only to fulfill the API request
Delete inputs and outputs after a short retention period (typically 30 days or less)

We encourage you to review the privacy policies of our AI providers for the most current information on their data practices.

5. Data Sharing and Sub-Processors

We share your personal data only with the following categories of service providers, all of whom act as data processors or sub-processors under appropriate data processing agreements:

Sub-Processor	Purpose	Location	Data Shared
Clerk (clerk.com)	Authentication and user management	USA	Email, name, login activity
Supabase (supabase.com)	Database hosting	EU (London, West Europe)	All account and content data
Polar.sh (polar.sh)	Payment processing (Merchant of Record)	EU	Email, Clerk User ID, subscription data
Vercel (vercel.com)	Website and application hosting	Global (edge network)	IP address, request data
Upstash (upstash.com)	Rate limiting (Redis)	EU	IP address, user ID (hashed keys only)
Google (Gemini API)	AI content generation	USA	Content inputs as described in Section 4.3
Anthropic (Claude API)	AI content generation	USA	Content inputs as described in Section 4.3
OpenAI (GPT API)	AI content generation	USA	Content inputs as described in Section 4.3

We do not share your personal data with any other third parties except:

When required by law, regulation, or legal process
To protect the rights, safety, or property of Articfly, our users, or the public
In connection with a merger, acquisition, or sale of assets (with prior notice to you)

6. International Data Transfers

Your data is primarily stored in the European Union (Supabase, London region). However, some of our sub-processors are based in the United States. For these transfers, we rely on:

EU-US Data Privacy Framework (DPF) — for providers certified under the DPF
Standard Contractual Clauses (SCCs) — approved by the European Commission, where the DPF does not apply
Adequacy decisions — where applicable

We ensure that all international transfers of personal data are subject to appropriate safeguards as required by GDPR Chapter V.

7. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy:

Data Type	Retention Period
Account data	Until you delete your account, plus 30 days for backup recovery
Generated articles and content	Until you delete them or delete your account
Subscription and billing records	5 years after the end of the subscription (legal/tax obligations)
Security event logs	12 months
Analytics data (Umami)	24 months (aggregated, no personal identifiers)
Rate limiting data (Upstash)	24 hours

When you delete your account through the dashboard, we initiate deletion of your personal data from our active systems. Some data may persist in encrypted backups for up to 30 days before being permanently removed.

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Art. 15)

You have the right to request a copy of the personal data we hold about you.

8.2 Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data.

8.3 Right to Erasure (Art. 17)

You have the right to request deletion of your personal data. You can delete your account at any time through the dashboard settings. This will trigger deletion of your account data, articles, and associated content.

8.4 Right to Restriction of Processing (Art. 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances.

8.5 Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

8.6 Right to Object (Art. 21)

You have the right to object to the processing of your personal data based on legitimate interests. This includes the right to object to processing for analytics purposes.

8.7 Right to Withdraw Consent (Art. 7(3))

Where processing is based on your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

8.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at contact@articfly.com. We will respond to your request within 30 days as required by the GDPR. We may ask you to verify your identity before processing your request.

8.9 Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. In Poland, the relevant authority is:

Prezes Urzedu Ochrony Danych Osobowych (UODO) ul. Stawki 2, 00-193 Warszawa, Poland Website: uodo.gov.pl

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS/HTTPS
Encryption at rest — database data is encrypted at rest by our infrastructure providers
Access controls — strict role-based access to production systems
Rate limiting — protection against brute-force and abuse attacks
Security headers — Content Security Policy, HSTS, X-Frame-Options, and other HTTP security headers
Input validation — server-side validation and sanitization of all user inputs
SSRF protection — blocking of private network ranges in URL-fetching features
Security monitoring — automated logging of security-relevant events
Regular updates — timely patching of dependencies and infrastructure

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

10. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at contact@articfly.com.

11. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every site you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

Posting the updated Privacy Policy on this page with a new "Effective Date"
Sending a notification via email or through the dashboard for significant changes

Your continued use of the Service after the updated Privacy Policy becomes effective constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Lumi Zone Lukasz Blania ul. Malinska 1, 47-320 Gogolin, Poland Email: contact@articfly.com

Privacy Policy

Privacy Policy

1. Data Controller

2. What Data We Collect

2.1 Account Data

2.2 Subscription and Billing Data

2.3 Content Data

2.4 WordPress Integration Data

2.5 Technical and Usage Data

2.6 Cookies and Similar Technologies

3. How We Use Your Data

4. AI-Generated Content and Data Processing

4.1 How AI Processing Works

4.2 AI Providers

4.3 What Data Is Sent to AI Providers

4.4 AI Provider Data Handling

5. Data Sharing and Sub-Processors

6. International Data Transfers

7. Data Retention

8. Your Rights Under GDPR

8.1 Right of Access (Art. 15)

8.2 Right to Rectification (Art. 16)

8.3 Right to Erasure (Art. 17)

8.4 Right to Restriction of Processing (Art. 18)

8.5 Right to Data Portability (Art. 20)

8.6 Right to Object (Art. 21)

8.7 Right to Withdraw Consent (Art. 7(3))

8.8 How to Exercise Your Rights

8.9 Right to Lodge a Complaint

9. Data Security

10. Children's Privacy

11. Third-Party Links

12. Changes to This Privacy Policy

13. Contact Us

READY TO SCALE?