This Privacy Policy explains how Stocktag ("Stocktag", "we", "our") collects, uses, stores, and shares personal data when you use our websites, apps, APIs, and related services (collectively, the "Service"). By using the Service, you agree to this Privacy Policy.
Who We Are
Stocktag provides AI-powered metadata tooling for stock images, vectors, and videos, including generation, editing, export, and subscription management features.
Data We Collect
- Account data: name, email, authentication provider identifiers, profile photo, user ID, plan, and account status.
- Service content: files you upload, generated metadata, prompts or instructions, edit history, export records, and chatbot messages.
- Billing and subscription data: subscription IDs, status, renewal or cancellation state, purchase history, and transaction metadata from payment processors.
- Usage and diagnostics: feature usage events, request or response status, error logs, model or provider selection, and token usage metrics.
- Technical and network data: IP address or hashed IP in specific anti-abuse flows, browser or device signals, and security-related identifiers.
- Preference data: language, theme, settings, cookie consent choice, and other local or session storage preferences.
BYOK API Key Handling
If you use BYOK (Bring Your Own Key), your provider key may be stored in encrypted storage on our backend (AES-256-GCM at rest) and used only to execute your requests. We also store non-secret key-state markers and preference flags in local or session storage to support UI behavior. Legacy local key storage may exist on some devices until removed by the user.
How We Use Data
- Provide core functionality: authentication, uploads, metadata generation, editing, export, and account management.
- Process payments, subscriptions, credit balances, and billing operations.
- Operate AI features through selected providers and deliver generated outputs.
- Prevent abuse, fraud, automated misuse, and unauthorized access.
- Improve reliability, performance, quality, and user support.
- Comply with legal obligations and enforce our Terms.
Legal Bases (EEA/UK)
- Contract: to provide the Service you requested.
- Legitimate interests: security, abuse prevention, service improvement, and analytics.
- Consent: where consent is required for specific processing.
- Legal obligation: where required by law.
Third-Party Processors and Services
Depending on features you use, data may be processed by third-party service providers, including:
- Infrastructure, auth, storage, and database: Google Firebase and related Google Cloud services.
- Hosting and edge or serverless delivery: Vercel.
- Payments and subscriptions: Paddle (merchant of record and billing operations).
- AI model providers: OpenAI, Google (Gemini), Anthropic, Groq, and xAI (based on plan or provider selection).
- Measurement and advertising technologies: Google Analytics, Google Ads, Meta Pixel, and Meta Conversions API (when consent is granted where required).
- Optional integrations or widgets: Trustpilot widget configured on the site.
- External data sources used in certain features (for example market intelligence or search APIs): public or third-party endpoints such as Nager, Pixabay, Pexels, Unsplash, and search engines.
- Translation endpoint used by translation features (Google Translate endpoint).
Cookies and Local Storage
We use cookies and browser storage for functionality, preferences, security, analytics, and conversion measurement. Our cookie banner allows you to accept or reject optional analytics and advertising measurement cookies. If you reject, optional measurement technologies are disabled and only essential functionality remains active. You can also manage cookie behavior in your browser settings.
Advertising and Conversion Measurement
Where permitted by your consent choice, we use Meta Pixel and Meta Conversions API together with Google Analytics and Ads to measure visits, registrations, checkout starts, purchases, and subscription events. This may include limited event metadata (for example event type or time, page URL, technical identifiers like browser and IP, and hashed identifiers such as email, phone, or external user ID for matching). We do not sell personal data.
Data Retention
- Account and billing records: retained while your account is active and as needed for compliance, disputes, and fraud prevention.
- History exports and related records: generally retained for up to 30 days (unless deleted earlier by you or required longer by law).
- Draft processing records: temporary drafts may be auto-cleaned when stale.
- Guest trial and anti-abuse records: retained for cooldown and security enforcement periods and operational auditing.
- Support and diagnostic logs: retained for operational and security needs, then deleted or anonymized according to internal retention practices.
How We Share Data
We do not sell your personal information. We may share data:
- With processors or subprocessors needed to operate the Service.
- With payment providers to complete purchases and subscription management.
- With authorities when required by law, legal process, or enforceable requests.
- To protect rights, safety, and security, and to prevent fraud or abuse.
- As part of a merger, acquisition, financing, or asset transfer (with appropriate safeguards).
International Transfers
Your data may be processed in countries other than your own. Where required, we apply appropriate safeguards for cross-border data transfers.
Security
We use administrative, technical, and organizational safeguards, including encrypted transport (HTTPS), authentication controls, access restrictions, and encryption for BYOK secrets at rest. No security system can be guaranteed 100% secure.
Your Rights and Choices
- Access, correct, update, or request deletion of your personal data.
- Object to or restrict certain processing where legally available.
- Request data portability where applicable.
- Withdraw consent where processing relies on consent.
- Manage cookie and storage behavior via browser and in-app settings.
To exercise rights, contact us at support@stocktag.ai. We may ask you to verify identity before completing a request.
Children's Privacy
The Service is not intended for children under 18, and we do not knowingly collect personal data from children. If you believe a child provided personal data, contact us to request deletion.
Policy Changes
We may update this Privacy Policy to reflect legal, technical, or product changes. Updates are posted on this page with a revised "Last updated" date. Material changes may be communicated through the Service or email.
Contact
Questions, requests, or privacy concerns: support@stocktag.ai.