Privacy Policy
This Privacy Policy describes how Infra Studio (“Infra Studio,” “we,” “us,” or “our”) collects, uses, and shares personal information when you use the Infra Studio website, applications, and related services (collectively, the “Service”). We designed the Service to collect as little personal information as possible and to keep what we do collect under your control.
Contents
1. What we collect
Information you give us
- Account data: name, email address, password (stored as a one-way hash), and profile details you choose to add.
- Authentication data: when you sign in with Google or another federated identity provider, we receive the identifiers and profile fields the provider shares with us (typically email, display name, and avatar URL).
- Your Content: the designs, street cross-sections, files, comments, and other materials you create, upload, or share in the Service.
- Billing data: if you subscribe to a paid plan, your payment details are collected and processed by Stripe on our behalf. We store billing identifiers, plan metadata, and invoices, but we do not store full payment card numbers.
- Communications: messages you send to support, feedback forms, and survey responses.
Information we collect automatically
- Usage data: pages and features you access, timestamps, referring URLs, and approximate geographic location derived from your IP address.
- Device and connection data: IP address, browser type and version, operating system, device identifiers, and language preferences.
- Diagnostic data: error reports, performance metrics, and stack traces we collect to keep the Service reliable.
2. How we use your information
We use personal information to:
- provide, operate, secure, and improve the Service;
- authenticate you and keep your account safe;
- process subscriptions, prevent fraud, and manage billing;
- deliver transactional emails (sign-up confirmation, password reset, billing receipts, product notifications);
- send service updates and, where permitted, occasional product announcements you can unsubscribe from at any time;
- respond to support requests and feedback;
- debug issues, monitor performance, and prevent abuse;
- comply with legal obligations and enforce our Terms.
3. Legal bases (EEA / UK users)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information under the following legal bases:
- Contract: to provide the Service you signed up for.
- Legitimate interests: to keep the Service secure, prevent abuse, and improve its features, balanced against your privacy rights.
- Legal obligation: to comply with tax, accounting, and other legal requirements.
- Consent: for optional communications or cookies that require it; you can withdraw consent at any time.
4. When we share information
We do not sell your personal information. We share it only in the following circumstances:
- Subprocessors: vendors that process data on our behalf under contract (see the table below).
- With your direction: when you share Your Content with collaborators, make a design publicly accessible, or connect a third-party integration.
- Legal and safety: to comply with valid legal process, protect our rights, investigate fraud, or address security incidents.
- Corporate transactions: if Infra Studio is involved in a merger, acquisition, or asset sale, personal information may be transferred to the successor entity, subject to the confidentiality obligations in this policy.
5. Subprocessors we use
| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Authentication, database, file storage, realtime | Asia Pacific (Tokyo) |
| Stripe | Payment processing, subscription billing, fraud prevention | United States / Global |
| Cloudinary | Image hosting and delivery (thumbnails, avatars, assets) | Global CDN |
| Resend | Transactional email delivery | United States / EU |
| Google (OAuth) | Federated sign-in when you choose “Continue with Google” | Global |
| Sentry | Error monitoring and diagnostics | United States / EU |
| Plausible Analytics | Privacy-focused, cookieless web analytics | European Union |
| Hostinger / Coolify | Application hosting and deployment infrastructure | European Union |
We review our subprocessors for appropriate security and data-protection practices and will update this list when we add or replace a vendor. If you would like a current, dated copy of the list for procurement purposes, email support@infrastudio.co.
6. How long we keep data
We keep personal information only as long as necessary for the purposes described in this policy. Typical retention windows are:
- Account and Your Content: while your account is active, plus up to thirty (30) days after deletion to allow recovery.
- Billing and tax records: as required by applicable financial and tax law (typically seven (7) years).
- Authentication logs and security events: up to twelve (12) months.
- Diagnostic and error reports: up to ninety (90) days.
- Support conversations: up to twenty-four (24) months after resolution.
7. Security
We implement industry-standard technical and organizational measures to protect personal information, including encryption in transit (TLS), encryption at rest for databases and storage, hashed passwords, HttpOnly refresh-token cookies, short-lived access tokens, least-privilege access controls for staff, strict Content-Security-Policy headers, and regular third-party penetration testing. No system is perfectly secure, and we encourage you to use a strong unique password and to enable multi-factor authentication where available.
If you believe you have discovered a security vulnerability, please report it responsibly to support@infrastudio.co and give us a reasonable opportunity to investigate and remediate before public disclosure.
8. Your rights and choices
Depending on where you live, you may have the following rights regarding your personal information:
- Access: request a copy of the information we hold about you.
- Correction: ask us to update information that is inaccurate or incomplete.
- Deletion: ask us to delete your account and associated personal information.
- Portability: receive a structured, machine-readable copy of Your Content and account data.
- Objection and restriction: object to or ask us to restrict certain processing activities.
- Withdraw consent: for processing that relies on consent, you can withdraw it at any time.
- Complaint: lodge a complaint with your local data-protection authority.
Many of these rights can be exercised directly from your account settings. For anything else, or if you prefer, email support@infrastudio.co. We will respond within the timelines required by applicable law (typically within thirty (30) days).
California residents: you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know, the right to delete, the right to correct, and the right to opt out of “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined by the CCPA/CPRA.
9. International transfers
Infra Studio is a global service. Personal information may be processed in countries other than the one in which you reside, including the United States and Japan (where our Supabase project is hosted). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses, equivalent transfer mechanisms, or the EU–U.S. Data Privacy Framework to protect information that crosses borders.
10. Children
The Service is not intended for children under the age of 16 (or the applicable age of digital consent in your jurisdiction, whichever is higher). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact support@infrastudio.co and we will delete it.
11. Cookies and similar technologies
We use a small number of cookies and equivalent storage mechanisms that are strictly necessary to operate the Service, including:
sb-refresh-token— an HttpOnly cookie holding your encrypted refresh token so you stay signed in across reloads.is_sess— a signed session cookie used for CSRF protection and ephemeral server-side state.user_id— a convenience cookie holding your public user identifier.
For analytics we use Plausible, which does not set cookies and does not collect personal information. We do not use advertising cookies, cross-site trackers, or fingerprinting. Because our analytics and authentication cookies are strictly necessary for the Service, we do not display a cookie banner; you can disable cookies in your browser, but parts of the Service will not function without them.
12. Automated processing and AI
We may use automated systems to detect fraud and abuse, rate-limit suspicious traffic, and personalize in-product tips. We do not use your personal information or Your Content to train third-party generative-AI foundation models without your explicit opt-in.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make a material change, we will provide reasonable notice (for example, by email or in-product banner) before the change takes effect. The “Effective date” and “Last updated” fields at the top of this page always reflect the current version.
14. Contact
Questions about this policy or your data? Reach us at:
Infra Studio — support@infrastudio.co
For data-subject access requests, please include the email address associated with your account so we can verify your identity.