Privacy Policy

PRIVACY POLICY Last Updated: December 12, 2024 Version: 1.0 This Privacy Policy describes how Caravel ("we," "us," or "our") collects, uses, and protects your personal data when you use our platform and services (the "Service"). This policy applies to all users of the Service, including those in the European Union, and is designed to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using the Service, you consent to the data practices described in this Privacy Policy. 1. DATA CONTROLLER The data controller responsible for your personal data is: Caravel Country: France Contact: contact@caravelai.com If you have any questions or concerns about how we handle your personal data, please contact us at the email address above. 2. PERSONAL DATA WE COLLECT We collect and process the following categories of personal data: 2.1 Account Information - First name and last name - Email address - Username - Password (stored in encrypted/hashed form) 2.2 API Keys and Service Credentials - Anthropic API keys - OpenAI API keys and project IDs - ComfyUI API keys - Model preferences and configuration settings (Note: API keys are stored securely using industry-standard encryption) 2.3 Usage Data - Projects, scenes, shots, and assets you create - Generation jobs and workflow history - Asset uploads and generated content - Timestamps of actions and activities - Log files of system operations 2.4 Technical and Session Data - IP address - Session cookies and authentication tokens - Browser type and version - Device information - Access times and dates 2.5 Communication Data - Email correspondence with our support team - Feedback and inquiries submitted through the Service 3. HOW WE USE YOUR PERSONAL DATA We process your personal data for the following purposes and legal bases under GDPR Article 6: 3.1 Service Provision (Legal Basis: Contract Performance - Art. 6(1)(b)) - Creating and maintaining your account - Providing access to the Mayboard platform - Processing your content generation requests - Managing your projects, scenes, and assets - Executing AI generation workflows - Storing and retrieving your content 3.2 Security and Fraud Prevention (Legal Basis: Legitimate Interests - Art. 6(1)(f)) - Authenticating users and maintaining session security - Detecting and preventing unauthorized access - Monitoring for abusive or fraudulent activity - Maintaining system integrity and security logs 3.3 Service Improvement (Legal Basis: Legitimate Interests - Art. 6(1)(f)) - Analyzing usage patterns to improve the Service - Debugging and fixing technical issues - Developing new features and functionality - Optimizing performance and user experience 3.4 Legal Compliance (Legal Basis: Legal Obligation - Art. 6(1)(c)) - Complying with applicable laws and regulations - Responding to lawful requests from authorities - Enforcing our Terms of Service - Protecting our legal rights 3.5 Communication (Legal Basis: Contract Performance - Art. 6(1)(b) or Consent - Art. 6(1)(a)) - Sending service-related notifications - Responding to your inquiries and support requests - Providing updates about the Service (with your consent) 4. DATA SHARING AND THIRD-PARTY SERVICES We share your personal data with third parties only in the following circumstances: 4.1 AI Service Providers We integrate with third-party AI services to provide content generation functionality. When you use these features, your content and prompts may be shared with: - OpenAI (for GPT-based generation) - Anthropic (for Claude-based generation) - ComfyUI (for image/video generation workflows) These providers process data according to their own privacy policies. We recommend reviewing their policies: - OpenAI: https://openai.com/privacy - Anthropic: https://www.anthropic.com/privacy - ComfyUI: Refer to your ComfyUI provider's privacy policy 4.2 Service Providers We may share data with trusted service providers who assist us in operating the Service, such as: - Hosting and infrastructure providers - Database management services - Email communication services These providers are contractually obligated to protect your data and use it only for the purposes we specify. 4.3 Legal Requirements We may disclose your personal data if required by law or in response to: - Court orders or legal processes - Requests from law enforcement or governmental authorities - Protection of our rights, property, or safety, or that of our users or the public 4.4 Business Transfers In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your personal data. We do not sell, rent, or trade your personal data to third parties for marketing purposes. 5. DATA RETENTION We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy: - Account Information: Retained for the duration of your account lifetime - Usage Data and Content: Retained for the duration of your account lifetime - Logs and Security Data: Typically retained for 90 days to 1 year for security purposes - Deleted Account Data: Retained for 30 days after account deletion, then permanently deleted You may request deletion of your account and associated data at any time by contacting team@caravelai.com. 6. YOUR RIGHTS UNDER GDPR If you are located in the European Union or European Economic Area, you have the following rights regarding your personal data: 6.1 Right of Access (Article 15) You have the right to request a copy of the personal data we hold about you. 6.2 Right to Rectification (Article 16) You have the right to request correction of inaccurate or incomplete personal data. 6.3 Right to Erasure / "Right to be Forgotten" (Article 17) You have the right to request deletion of your personal data in certain circumstances, such as when: - The data is no longer necessary for the purposes for which it was collected - You withdraw your consent (where processing is based on consent) - You object to processing based on legitimate interests - The data has been unlawfully processed 6.4 Right to Restriction of Processing (Article 18) You have the right to request that we restrict processing of your personal data in certain circumstances. 6.5 Right to Data Portability (Article 20) You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. 6.6 Right to Object (Article 21) You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. 6.7 Rights Related to Automated Decision-Making (Article 22) You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. To exercise any of these rights, please contact us at team@caravelai.com. We will respond to your request within 30 days. 7. DATA SECURITY We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction: - Encryption: API keys and passwords are encrypted using industry-standard encryption - Access Controls: Role-based access control (RBAC) to limit data access - Secure Authentication: Password hashing and session management - HTTPS: All data transmitted over secure connections - Regular Security Audits: Ongoing monitoring and security assessments - Logging and Monitoring: Activity logs to detect suspicious behavior Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data. 8. COOKIES AND TRACKING TECHNOLOGIES We use cookies and similar technologies to: - Maintain your login session - Authenticate your identity - Remember your preferences - Track activity for security purposes Cookie Types: - Essential Cookies: Required for the Service to function (e.g., session cookies) - Functional Cookies: Enhance functionality and personalization You can control cookie settings through your browser, but disabling essential cookies may affect your ability to use the Service. 9. INTERNATIONAL DATA TRANSFERS Caravel is based in France, within the European Union. If you access the Service from outside the EU, your data may be transferred to and processed in the EU. When we transfer data outside the EU, we ensure adequate safeguards are in place, such as: - Standard Contractual Clauses (SCCs) approved by the European Commission - Adequacy decisions by the European Commission - Other lawful transfer mechanisms under GDPR Chapter V Third-party AI services (OpenAI, Anthropic) may process data in countries outside the EU. Please review their privacy policies for information on international data transfers. 10. CHILDREN'S PRIVACY The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at team@caravelai.com, and we will take steps to delete such information. 11. DATA PROTECTION OFFICER For questions about our data protection practices or to exercise your rights, you may contact our Data Protection Officer (DPO) at: Email: contact@caravelai.com Subject Line: "Data Protection Inquiry" 12. SUPERVISORY AUTHORITY If you are located in the EU and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority. For France, the supervisory authority is: Commission Nationale de l'Informatique et des Libertés (CNIL) Website: https://www.cnil.fr You can find your local supervisory authority at: https://edpb.europa.eu/about-edpb/board/members_en 13. CHANGES TO THIS PRIVACY POLICY We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will: - Update the "Last Updated" date at the top of this policy - Notify you by email or through a prominent notice on the Service - Request your consent if required by law Your continued use of the Service after such changes constitutes acceptance of the updated Privacy Policy. 14. CONTACT US If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: Caravel Email: contact@caravelai.com Subject Line: "Privacy Inquiry" We will respond to your inquiry within 30 days. --- By using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to our collection, use, and disclosure of your personal data as described herein.