Privacy Policy — Rinjani

Effective date: 17 April 2026 Last updated: 17 April 2026

This Privacy Policy explains how Zamyrailov Oleksii, an individual entrepreneur (eenmanszaak) registered in the Netherlands, operating the Service available at rinjani.ai ("we", "us", "Rinjani"), collects and processes personal data when you use the Service.

We act as the controller of your personal data within the meaning of the EU General Data Protection Regulation ("GDPR") and the Dutch implementation of the GDPR (Uitvoeringswet AVG).

1. Who we are and how to contact us

Controller: Zamyrailov Oleksii, eenmanszaak KvK number: 98987712 VAT (BTW) number: NL005365684B76 Registered location: Utrecht, the Netherlands Privacy contact: [email protected] General legal contact: [email protected]

We have not appointed a Data Protection Officer because we are not legally required to do so. If you have any question, request or complaint regarding your personal data, please contact us at [email protected].

2. Summary (what to read first)

We collect the minimum data we need: email, a username (does not have to be unique), and a hashed password. If you sign in with OAuth, we receive only the information needed to link your account.
We store your prompts and generation results to show you your own history in Studio and to run the Service. We never show your Studio history to other users.
If you choose to participate in Arena, we use your votes, prompts and selected metadata to improve our model recommendation system. Before using this data for model training, we anonymise it irreversibly — after that, it can no longer be linked to you.
We use a small number of service providers (payments, hosting, image storage, AI model providers, analytics for monitoring). They process data strictly on our instructions or under their own terms where they are separate controllers.
We keep financial records for seven (7) years because Dutch law requires it.
You have GDPR rights, including access, rectification, erasure and objection. Contact [email protected] to exercise them.

3. What data we collect

We only collect data that we genuinely need.

3.1 Account data

Email address — to identify your account, send transactional emails (receipts, security alerts, inactivity notices, service updates).
Username — displayed in-product. It does not need to be unique and does not have to be your real name.
Password — stored only as a cryptographic hash. We never see or store your plaintext password.
OAuth identifiers — if you sign in with GitHub or Google, we receive a stable identifier and your email from that provider, used only to link your Rinjani account.

3.2 Service usage data

Prompts you submit in Studio and in Arena.
Generated outputs (images) linked to your account, together with the names of models used, generation time and Credit cost.
Arena votes and choices, and basic associated metadata (for example the pair of models compared, timestamps).
Technical logs (see Section 3.5).

We do not ask for and do not store names, addresses, phone numbers, profile photos or any identity documents beyond what is listed above.

3.3 Payment data

Payments are processed by Stripe, our payment service provider. We do not receive or store your full card number, CVV or bank account details. We receive from Stripe a transaction identifier, status, amount, currency, and tax-relevant information (such as country for VAT). Stripe is an independent controller for payment and fraud-prevention purposes and processes data under its own privacy policy.

3.4 Communications

If you contact us (e.g. via support or abuse reports), we keep the messages and our replies so we can follow up.

3.5 Technical and security data

We automatically collect limited technical data needed to keep the Service running and secure, including:

IP address (for security, abuse prevention and rate limiting);
browser and device information (user-agent);
diagnostic logs, error traces, request timing (stored in our Loki/Prometheus/Grafana stack).

We do not use advertising cookies or third-party marketing trackers. If we introduce non-essential cookies in the future, we will ask for your consent via a cookie banner.

4. Why we process your data and on what legal basis

We process personal data only when we have a lawful basis under Article 6 GDPR. The table below summarises the main purposes.

Purpose	Data	Legal basis
Create and operate your account	Email, username, hashed password, OAuth identifiers	Performance of a contract (Art. 6(1)(b))
Provide Studio (generate and deliver images, show your history)	Prompts, outputs, model metadata, Credit usage	Performance of a contract (Art. 6(1)(b))
Bill you and process payments	Stripe transaction data, VAT-relevant country data	Performance of a contract (Art. 6(1)(b)); legal obligation for tax records (Art. 6(1)(c))
Provide Arena (show comparisons, record votes)	Prompts, outputs, votes, metadata	Performance of a contract (Art. 6(1)(b))
Use Arena data to improve and train our recommendation models and classifiers	Prompts, votes and outputs from Arena — used only after irreversible anonymisation; pre-anonymisation processing is based on your consent	Consent (Art. 6(1)(a)) until anonymisation; after anonymisation the data is no longer personal data and GDPR no longer applies to it
Security, abuse prevention, fraud detection	Technical logs, IP, behavioural signals	Legitimate interest (Art. 6(1)(f)) — keeping the Service safe and reliable
Comply with legal obligations (tax, accounting, responding to authorities)	Invoices, transaction history, relevant account data	Legal obligation (Art. 6(1)(c))
Send transactional emails and important service notices (receipts, inactivity warnings, security alerts, material Terms changes)	Email	Performance of a contract / legitimate interest
Defend or pursue legal claims	Relevant account and usage data	Legitimate interest (Art. 6(1)(f))

If we ever process your data for a new purpose that is not compatible with the above, we will inform you and, where required, obtain your consent.

4.1 Arena participation and training data — in more detail

Participating in Arena is voluntary. Because Arena exists specifically to generate comparative data for our recommendation engine, you provide explicit, separate consent (via a dedicated checkbox in the user interface) to the use of your Arena data for model training. This consent is distinct from your acceptance of the Terms of Service.

Before using Arena data to train or fine-tune our models, we run an irreversible anonymisation process: user identifiers are removed, and no mapping is retained that would allow reattribution of anonymised entries to individual users. From that point on, the data is no longer personal data within the meaning of GDPR, and the corresponding data-subject rights (including deletion) can no longer be exercised over it.

You may withdraw your consent at any time by contacting [email protected] or by disabling it in your account settings. Withdrawal stops future use of your data for training and, where still feasible (i.e. before anonymisation), leads to deletion of your Arena records. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, nor can it be applied retroactively to data that has already been anonymised.

4.2 Studio data

Studio data (prompts, outputs, model and cost metadata) is stored only to provide the Service to you — primarily to display your generation history and to run billing. Studio data is not used to train our models.

5. Who receives your data

We share data only with the recipients listed below, and only to the extent necessary.

5.1 Service providers (processors)

These providers act on our instructions under written agreements (Data Processing Agreements) that comply with Article 28 GDPR:

Vultr — server hosting (Germany, EU).
Cloudflare — domain, CDN, and image storage (R2).
Stripe — payment processing (acting as an independent controller for payment and fraud-prevention purposes, and as processor for the merchant-facing aspects of your transaction, depending on the operation).

5.2 AI model providers

When you submit a prompt, we forward it (together with the minimum metadata needed to route the request) to the relevant AI model provider so that it can generate the requested output. Current providers include:

Replicate
FAL
OpenAI
Google (Gemini)
Leonardo

These providers act as independent controllers or processors under their own terms and privacy policies.

Provider fallback. To improve reliability, the Service may use multiple providers capable of running the same or an equivalent model. If the primary provider for a selected model is unavailable or unable to fulfil a request, we may automatically re-route it to an alternative provider that offers the same or an equivalent model. Your prompt and associated routing metadata are then transmitted to that alternative provider on the same basis as to the primary one. This means that, for a given request, your data may be processed by a provider other than the one initially selected in the user interface.

The current list of providers (including primary and fallback providers for each model) and links to each provider's terms and privacy policy are maintained at https://rinjani.ai/models.

5.3 OAuth providers

If you sign in via GitHub or Google, those providers receive information about the sign-in event under their own privacy terms.

5.4 Authorities and legal claims

We may disclose data to public authorities when required by law, court order or legitimate legal process, and to our legal advisers where necessary to establish, exercise or defend legal claims. We will push back on overbroad or improper requests where appropriate.

5.5 Business transfers

If we reorganise, sell or transfer our business, personal data may be transferred to the acquirer. We will inform you in advance and ensure your rights are preserved.

We do not sell personal data, and we do not share it with advertising networks or data brokers.

6. International transfers

Our servers are located in Germany (EU) and our primary storage provider (Cloudflare) operates globally. Some of our AI model providers and Stripe are established outside the European Economic Area (EEA), notably in the United States.

When personal data is transferred outside the EEA, we rely on appropriate safeguards under Articles 44–49 GDPR, typically:

the EU Standard Contractual Clauses (SCCs) adopted by the European Commission;
adequacy decisions where available (e.g. the EU–US Data Privacy Framework, where the recipient is certified);
supplementary technical and organisational measures where needed.

You can request more information about the specific safeguards applicable to a given transfer by contacting [email protected].

7. How long we keep your data

Category	Retention
Account data	For as long as your account is active. After account closure, deleted within 30 days, subject to the exceptions below.
Studio prompts and generated outputs	For as long as your account is active; deleted within 30 days after account closure.
Arena data (before anonymisation)	Until you withdraw consent or your account is closed; thereafter deleted within 30 days, except for records already anonymised for training (which are no longer personal data).
Anonymised training data	Retained indefinitely; after anonymisation this is no longer personal data.
Financial records (invoices, transactions, VAT-relevant data)	Seven (7) years, as required by Article 52 of the Dutch General Tax Act (Algemene wet inzake rijksbelastingen) and Article 2:10 of the Dutch Civil Code.
Security logs	Typically no longer than 90 days unless an investigation requires longer retention.
Support communications	Up to 24 months after the last relevant interaction.
Data needed to defend or bring legal claims	For the duration of applicable limitation periods.

Account inactivity: if you do not sign in for twelve (12) consecutive months, we notify you by email and then close the account. Deletion of account data then follows under the schedule above; notification precedes deletion so that you have a reasonable opportunity to react.

We may extend the retention period where required by law, regulator or competent authority.

8. Security

We apply technical and organisational measures designed to protect personal data, including:

passwords stored only as cryptographic hashes;
TLS encryption for data in transit;
access controls and logging;
regular backups and monitoring (Prometheus, Grafana, Loki);
segregation of environments and restricted administrative access;
ongoing review and improvement of security practices.

No system is perfectly secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and, where required, affected users in accordance with Articles 33 and 34 GDPR.

9. Your rights

Under GDPR you have the following rights concerning your personal data:

Right of access (Art. 15) — obtain a copy of the data we hold about you.
Right to rectification (Art. 16) — correct inaccurate or incomplete data.
Right to erasure (Art. 17), also known as "right to be forgotten".
Right to restriction of processing (Art. 18).
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
Right to object (Art. 21), including to processing based on legitimate interests.
Right to withdraw consent at any time where processing is based on consent (Art. 7(3)). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right not to be subject to automated decision-making that produces legal or similarly significant effects (Art. 22). We do not currently use such decision-making.

To exercise your rights, contact [email protected]. We may ask for information to verify your identity. We will respond within one month, extendable by two further months for complex or numerous requests (we will inform you if an extension applies).

Please note: for anonymised training data, the above rights (in particular erasure and access) cannot be exercised, because the data is no longer linked to you and we cannot re-identify you without disproportionate effort. This is explained in Section 4.1.

9.1 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl). You may also complain to the supervisory authority in your country of residence.

10. Children

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact [email protected] and we will delete the account and associated data.

11. Cookies and similar technologies

We use only strictly necessary cookies (and equivalent technologies such as session tokens) to operate the Service — for example to keep you signed in and to protect against abuse. These are exempt from consent under the ePrivacy rules and their Dutch implementation (Telecommunicatiewet).

If we introduce non-essential cookies in the future (for analytics or marketing), we will display a cookie banner asking for your consent before placing them.

12. Automated decision-making and profiling

We do not make decisions producing legal or similarly significant effects about you solely by automated means. Our recommendation system suggests models for a prompt, but this is a suggestion that does not affect your legal rights. We may, at our discretion, reject or delay generations flagged by automated content filters for safety reasons; such cases can be appealed by contacting support.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we will announce them by email and/or through the Service at least 14 days before they take effect. The "Last updated" date at the top of this document reflects the latest revision.

14. Contact

For any question, request or complaint regarding your personal data:

Email: [email protected] Postal: Zamyrailov Oleksii, Utrecht, the Netherlands

This Privacy Policy is drafted in English. Any translations are provided for convenience only; in case of discrepancy, the English version prevails.