Introduction & Organizational Info

We, at Chroma Studio, are dedicated to serving our users to the best of our abilities. Part of our commitment involves the responsible management of personal information collected through our website chromastudio.app. Our primary goals in processing this information are:

• Allowing registered users to save their favorite color palettes and gradients.
• Providing a smooth authentication experience via third-party OAuth providers.
• Improving our tools and features based on aggregated, anonymized usage data.

It is our policy to process personal information with the utmost respect for privacy and security. We adhere to all relevant regulations and guidelines to ensure that the data we handle is protected against unauthorized access, disclosure, alteration, and destruction.

We do not have a designated Data Protection Officer (DPO) but remain fully committed to addressing your privacy concerns. Please contact us at contact@chromastudio.app.

Scope and Application

Our privacy policy is designed to protect the personal information of all our stakeholders, including website visitors, registered users, and customers. We ensure that your personal data is processed with the highest standards of privacy and security.

Information We Collect and Why

Account Information:

When you create an account, we collect the minimum data necessary:

• Name — your first name and, if provided, your optional last name, either entered directly or received from your OAuth provider.
• Email address — used as your account identifier.
• OAuth provider name — if you sign in via Google, GitHub, Facebook, or Figma, we store which provider you used. We do not store your password for OAuth sign-ins; that is managed entirely by the provider.

Purpose: This data is collected solely to allow you to log in and manage your favorite palettes and gradients. We do not use it for advertising, profiling, or any other secondary purpose.

Generated Palette & Gradient Data (Auto-saved):

When you generate palettes or gradients, the resulting color combinations may be stored in our Supabase database as public shared catalog entries. This is what populates the Explore Palettes and Discover Gradients pages. The data stored per generated palette/gradient includes:

• The color values (hex codes).
• An auto-generated sequential name (e.g. "Palette 42").
• A public visibility flag (is_public: true).
• The date and time it was generated.
• Your user ID, if you are logged in at the time of generation. If your account is deleted, public catalog entries may remain but this association is removed.

Favorites (Liked Content):

When you like a palette or gradient, a record is created in the user_interactions table in our Supabase database. This record links your user ID to the content ID and stores whether you have liked or saved it. This data is what drives your personal Favorites page. Unliking a palette removes this record permanently.

Password Storage (Email Accounts):

If you create an account with an email and password, your password is never stored in plain text. Supabase stores a bcrypt hash (with a randomly generated salt) in its internal auth.users table, which is not directly accessible to Chroma Studio. Only Supabase's authentication servers can verify a password against this hash. See Supabase's password security documentation for technical details.

Technical Data (via Supabase):

Supabase, our authentication and database provider, may automatically log your IP address and device/browser information as part of authentication security (e.g., to detect suspicious logins). This technical data is governed by Supabase's Privacy Policy.

What We Do NOT Collect:

• Payment information — Chroma Studio is entirely free, no payments are processed.
• Plain-text passwords — bcrypt-hashed by Supabase, inaccessible to us.
• Location data beyond approximate IP geolocation (used by Supabase for auth security).

Data Storage and Protection

Data Storage:

• Personal information is stored in secure servers located in: US, EU.
• Data Hosting Partners: We partner with reputable data hosting providers committed to using state-of-the-art security measures.

Data Protection Measures:

• Encryption: We employ robust encryption technologies to protect data during transfer and at rest.
• Access Control: Access is strictly limited to authorized personnel who have a legitimate business need to access the data.

Data Sharing and Disclosure

Sharing Personal Information:

We may share your information with Third-Party Service Providers who perform services on our behalf. These partners are contractually obliged to keep your information confidential and are prohibited from using it for any other purpose.

Data Processing Agreements (DPAs):

We share data under the protection of DPAs that ensure third parties manage your information in accordance with GDPR and implement adequate security measures.

User Rights and Choices

We recognize and respect your rights regarding your personal information, in accordance with the General Data Protection Regulation (GDPR) and other applicable laws.

Your Rights Include:

• Right of Access (Art 15): Request access to your personal information.
• Right to Rectification (Art 16): Request correction of incorrect or incomplete data.
• Right to Erasure (Art 17): Request deletion of your data (Right to be Forgotten).
• Right to Data Portability (Art 20): Receive your data in a machine-readable format.
• Right to Object (Art 21): Object to processing, including for direct marketing.
• Right to Withdraw Consent (Art 7(3)): Withdraw consent at any time.

To exercise any of these rights, please contact us at contact@chromastudio.app.

Cookies and Tracking Technologies

We use cookies and other tracking technologies for website functionality, enhancing user experience, and analytics. Categories include: Essential, Performance and Analytics, Functional, and Advertising and Targeting Cookies.

You can manage your preferences via our cookie consent banner. For detailed information, visit our Cookie Policy at chromastudio.app/cookie-policy.

International Data Transfers

We may transfer your personal information to locations outside of your country of residence only in compliance with applicable regulations, such as the GDPR.

Children's Privacy

Our services are not intended for children under the age of 13. We do not knowingly collect personal information from children under this age without verifiable parental consent (in compliance with COPPA).

Parents have the right to review, update, or delete any personal information collected from their child by contacting us at contact@chromastudio.app.

Compliance with United States Privacy Laws

For residents of the United States of America, including those of California (CCPA), the following additional rights apply:

• Right to Know: Request disclosure of the personal information we have collected, used, shared, or sold about you.
• Right to Delete: Request deletion of personal information we have collected.
• Right to Opt-Out: Chroma Studio does not sell or share personal information.
• Sensitive Data: We only process sensitive personal data with your prior consent.

Data Deletion

You have the right to request the deletion of your personal data and account at any time, in accordance with GDPR Art. 17 (Right to Erasure), CCPA, and other applicable privacy laws.

Self-Service Account Deletion:

The easiest way to delete your data is directly through your account settings:

1. Log in to chromastudio.app.
2. Go to Account Settings.
3. Click the "Delete My Account" button.
4. Confirm the deletion when prompted.

What Gets Deleted:

Upon account deletion, the following data is permanently removed from our active systems:

• Your authentication account and profile information (name, email, profile picture).
• Private palettes and gradients associated with your account.
• Your likes, saves, and interaction history.
• Any other personal data associated with your user ID.

What May Remain:

Public palettes and gradients generated through Chroma Studio may remain available as shared catalog content so that other users' discovery pages and favorites are not affected by one account deletion. When this happens, the content is no longer associated with your deleted account.

Note: Account deletion is irreversible. Once deleted, your account and personal interaction records cannot be recovered.

If You Used a Social Login (Facebook, Google, GitHub):

Deleting your Chroma Studio account removes all data we hold on our end. To also revoke access permissions granted to Chroma Studio, visit the privacy or security settings of the respective platform (e.g., Facebook Settings → Apps and Websites).

Request Deletion via Email:

If you are unable to access your account, you may request data deletion by emailing us at contact@chromastudio.app with the subject line "Data Deletion Request". We will process your request within 30 days.

Data Breach Notification Procedures

We have clear procedures for promptly identifying, assessing, and mitigating the impact of a data breach. We will notify relevant Regulatory Authorities and Affected Individuals within the timeframes specified by applicable regulations.

Policy Updates and Changes

We may update this policy periodically. We will notify you of significant changes via email or website notifications. For material changes requiring consent under GDPR, we will seek your explicit opt-in consent before implementing them.

Contact Us

If you have any questions or concerns about our privacy policy, please contact us at:

Email: contact@chromastudio.app