Privacy Policy
This policy explains what personal data Piixel (“Piixel”, “we”, “us”) collects when you use our AI app-builder, why we process it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and Swedish data protection law. We are the data controller for the personal data described here.
1. Who we are
Piixel is operated by Piixel Studio, a sole trader (enskild firma) established in Sweden. If you have any question about this policy or your data, contact us at [email protected].
2. The data we collect
- Account data — your email address and a securely hashed password. We never store your password in readable form.
- Your content — the prompts you type and the projects you build: chat messages, the generated source code and files, and snapshots. This may contain personal data if you put it there. Apps you choose to publish are served at a public URL with no login required — don’t publish anything you want to keep private.
- Billing data — if you subscribe, your plan and a Stripe customer reference, plus the billing name, address and VAT details you enter at checkout. We do not see or store your card number — card details are handled directly by Stripe.
- Usage data — a record of your builds (model used, token counts, cost, whether a build was billed) so we can run quotas, billing and our service.
- Technical data — limited request metadata (such as IP address) used transiently for security, rate-limiting and bot protection.
3. Why we use it, and our legal bases
- To provide the service — create your account, run builds, store and display your projects. Legal basis: performance of our contract with you (Art. 6(1)(b)).
- To take payment and keep records — process subscriptions through Stripe and meet tax/accounting obligations. Legal basis: contract, and legal obligation (Art. 6(1)(b),(c)).
- To keep the service secure and prevent abuse — bot protection (Cloudflare Turnstile), rate limiting and the usage ledger. Legal basis: our legitimate interests in a secure, sustainable service (Art. 6(1)(f)).
- To operate, maintain and improve the service. Legal basis: legitimate interests (Art. 6(1)(f)).
- To send you service messages (e.g. about your account or a purchase). Any optional marketing is sent only with your consent. Legal basis: legitimate interests / your consent (Art. 6(1)(a),(f)).
4. AI processing of your content
Piixel turns your prompts into working software by sending them — together with the relevant code from your project — to third-party AI model providers that generate the plan, the code and any images. This processing is necessary to deliver the feature you asked for (Art. 6(1)(b)). We do not use your content to train our own models. Your content is processed by the AI subprocessors listed in section 5 under their own terms; we choose providers and settings to limit further use of your data, but we encourage you not to include sensitive personal data in prompts you don’t need to.
5. Who we share data with (subprocessors)
We do not sell your personal data. We share it only with service providers that help us run Piixel, under appropriate data-processing terms:
- Cloudflare — hosting, database, storage, edge delivery and bot protection (the infrastructure Piixel runs on).
- Stripe — subscription payments, tax calculation and billing.
- DeepSeek — the AI models that plan and write your code; receives your prompts and relevant project code.
- xAI (Grok) and fal.ai (FLUX) — on-demand image generation for your apps; receive the prompt/topic used to make an image.
- Anthropic and OpenAI — alternative AI model providers we may use as fallbacks; if enabled they would receive the same prompt and project code as our primary model.
- GitHub — only if you connect your GitHub account to export a project: we create/update a private repository in your account containing that project's code, and store the access authorisation you granted (encrypted) until you disconnect or delete your account.
Your browser also loads fonts and interface libraries (e.g. Google Fonts/Material Icons, the code editor and animation libraries) from third-party content-delivery networks. This exposes your IP address to those providers as a normal part of loading the page. We do not use advertising or analytics trackers.
6. International transfers
Some of these providers are located outside the European Economic Area (EEA) — in the United States (Cloudflare, Stripe, xAI, fal.ai, any Anthropic/OpenAI fallback, and the fonts/CDNs above) and, for our primary AI models, in China (DeepSeek). Transfers to China are not covered by an EU adequacy decision and carry higher risk, so we treat your prompts and code as confidential. Where data is transferred outside the EEA we rely on safeguards such as the European Commission’s Standard Contractual Clauses and the providers’ own data-protection commitments. Contact us for more information about these safeguards.
7. How long we keep it
We keep your account and project data for as long as your account is active. When you delete a project or your account, we delete the associated files, history and snapshots; we retain a minimal billing/usage record where we need it to meet legal, accounting and fraud-prevention obligations. Security and rate-limit data is short-lived and expires automatically.
8. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased (“right to be forgotten”);
- restrict or object to certain processing;
- receive your data in a portable, machine-readable format;
- withdraw any consent you have given, at any time.
To exercise any of these, email [email protected]. You can also delete your account — and with it your projects, files, chat history, snapshots and published apps — yourself at any time from the dashboard (account menu → Delete account). You also have the right to lodge a complaint with your local supervisory authority — in Sweden, the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY, imy.se).
9. Cookies and local storage
Piixel does not use advertising or third-party analytics cookies. We use your browser’s local storage for strictly necessary purposes only: keeping you signed in (authentication tokens), remembering your theme, and recent/starred projects. These are essential to the service and are not used to track you across other sites.
10. Security
We protect your data with measures including hashed passwords, encrypted connections, rotating session tokens, access controls scoped to your account, and bot protection. No system is perfectly secure, but we work to keep your data safe and to respond promptly to any incident.
11. Children
Piixel is not directed at children. You must be at least 16, or the age of digital consent in your country, to use the service.
12. Automated decisions
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. Piixel’s AI generates software at your direction; it does not profile you.
13. Changes to this policy
We may update this policy from time to time. If we make a material change we’ll give reasonable notice, and the “last updated” date above will change.
14. Contact
Questions or requests about your privacy? Email [email protected]. See also our Terms of Service.