Privacy Policy

Last updated: May 2026

Terms of Service

Who we are

GENERAITR is a SaaS platform operated by TOMLIN STUDIO AB, a Swedish limited company (aktiebolag). TOMLIN STUDIO AB is the data controller for all personal data processed through GENERAITR. We provide AI-powered image and video generation services to agencies and enterprises.

Website: generaitr.com
Contact: hello@generaitr.com

What personal data we collect and why

Account registration

When you create a GENERAITR account we collect:

  • Full name
  • Email address
  • Organisation name
  • Password (stored as a one-way hash; never stored in readable form)

Legal basis: performance of contract (Article 6(1)(b) GDPR). This data is required to create and operate your account.

Subscription and billing

Payments are processed by Stripe. When you subscribe we collect and store:

  • Stripe customer ID and subscription ID
  • Subscription plan and status
  • Payment confirmation events (via Stripe webhook)

Card numbers and full billing details are handled exclusively by Stripe and never stored by GENERAITR. Stripe's privacy policy applies to payment data: stripe.com/privacy.

Legal basis: performance of contract; legal obligation (invoicing and tax records).

AI generation content

When you run a generation you may provide prompts, reference images, brand assets, and other creative materials. We use this content solely to fulfil your generation request.

  • Prompts and parameters are logged per generation for quality assurance and to calculate the credit cost of each run.
  • Uploaded images and generation outputs are stored in your Media Library on EU servers (Hetzner, Germany). Assets are retained until you delete them or close your account.
  • We do not use your content to train AI models.
  • We do not share your content with third parties beyond what is required to process your generation request.

Legal basis: performance of contract; legitimate interest (service quality and billing accuracy).

Support chat

When you use the in-app support chat, we collect the text of your messages and Haiku's replies. Chat logs are stored against your organisation ID only; they are not linked to your personal account. Messages are processed by Anthropic's API (United States) to generate responses. See the Third-party services section for details of the transfer safeguards in place.

Legal basis: legitimate interest (providing timely support and improving the quality of the support service).

Usage and technical data

We collect limited technical data to operate the platform:

  • Generation logs (model, pipeline, credit cost, timestamp)
  • Error logs for debugging
  • Session tokens (stored in your browser's sessionStorage, cleared on tab close)

We do not use advertising cookies or third-party analytics cookies within the authenticated application.

Legal basis: legitimate interest (platform security, abuse prevention, and service reliability).

Trial and interest registration

If you apply for a trial or express interest in GENERAITR, we collect your name, email, and organisation name to evaluate and process your application. This data is stored until the application is resolved or you request deletion.

Legal basis: legitimate interest (evaluating prospective customers).

Cookies and local storage

GENERAITR uses minimal browser storage:

  • sessionStorage: access token, subscription status, trial expiry. Cleared automatically when you close the tab.
  • localStorage: UI preferences (display density, text scale). Contains no personal data.
  • httpOnly cookie: refresh token for keeping you logged in (30-day expiry). Not accessible to JavaScript.

We do not use advertising cookies or third-party analytics cookies within the authenticated application. The marketing website (generaitr.com) may use analytics tools to measure visitor traffic, subject to cookie consent on that site.

Third-party services

We use the following third-party processors:

ServicePurposeData location
StripePayment processingEU / US (SCCs)
Hetzner CloudHosting and storageEU (Germany)
ResendTransactional emailEU / US (SCCs)
AnthropicAI support chatUS (SCCs via DPA)

All GENERAITR platform data is stored on EU servers (Hetzner, Germany). Where sub-processors operate outside the EEA, transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Article 46. Anthropic processes support chat messages solely to generate responses; it does not use API inputs or outputs to train its models, and chat logs retained by GENERAITR are linked only to your organisation ID.

Data retention

  • Account data: retained for the duration of your subscription plus 12 months, unless you request deletion earlier.
  • Generation logs: retained for 24 months for billing and quality assurance purposes.
  • Billing records: retained for 7 years to comply with Swedish accounting law (Bokföringslagen).
  • Trial and interest applications: retained until resolved or upon deletion request.
  • Support conversations: retained for 90 days, then automatically deleted.

Your rights under GDPR

As a data subject you have the following rights. To exercise any of them, contact us at hello@generaitr.com.

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate data.
  • Right to erasure: request deletion of your account and associated personal data.
  • Right to restriction: ask us to limit how we use your data.
  • Right to object: object to processing based on legitimate interest.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to withdraw consent: where processing is based on consent, you may withdraw at any time.

You also have the right to lodge a complaint with the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY): imy.se.

We aim to respond to all requests within 30 days.

Data security

We apply the following measures to protect your data:

  • Passwords are hashed using bcrypt and never stored in plaintext.
  • All data in transit is encrypted using TLS.
  • Access tokens are short-lived (15 minutes); refresh tokens are stored in httpOnly cookies.
  • Platform access is restricted by role; members can only access data within their own organisation.
  • Infrastructure is hosted in EU data centres with Hetzner Cloud.

No system can guarantee absolute security. In the event of a data breach affecting your personal data we will notify you and the relevant authorities as required by GDPR.

Changes to this policy

We may update this policy as the platform evolves. Material changes will be communicated by email or via an in-app notice. The date at the top of this page reflects the most recent revision.

Contact

TOMLIN STUDIO AB
Sundeliusgatan 3
602 35 Norrköping, Sweden
hello@generaitr.com