Política de Privacidad
Privacy Policy
Effective Date: October 1, 2026
1. Introduction and Scope
EroGrid ("Company", "we", "our", or "us") is committed to protecting the privacy and security of the personal data of our users ("you", "your"). This Privacy Policy details the technical and operational methodologies we employ to collect, process, store, and transfer your data within our artificial intelligence content generation infrastructure (the "Services").
As an entity operating from the European Union, this policy has been drafted in strict adherence to the General Data Protection Regulation (GDPR) (EU) 2016/679, the Digital Services Act (DSA) (EU) 2022/2065, the ePrivacy Directive, and applicable international data protection frameworks including the California Consumer Privacy Act (CCPA).
2. Identity of the Data Controller
For the purposes of the GDPR, EroGrid acts as the Data Controller for the personal data collected through the Services.
Contact Information for Privacy Matters:
- Data Protection Officer (DPO): dpo@erogrid.com
- Legal Department: legal@erogrid.com
3. Categories of Personal Data Collected
We collect and process the following categories of personal data, strictly adhering to the principle of data minimization:
3.1 Identity and Contact Data
- Registration Data: Encrypted email address, cryptographic password hashes (bcrypt/Argon2), and assigned alphanumeric User IDs.
- Age Verification Data: To comply with strict EU and member state regulations regarding adult content, we utilize certified third-party Identity Verification Providers (IDVs). EroGrid does not permanently store your raw biometric data or unredacted government ID images. We solely retain a cryptographic confirmation token and the verified Date of Birth required for legal audits.
3.2 Financial and Transaction Data
- Payment Processing: We do not process or store full Primary Account Numbers (PANs). All fiat transactions are routed via PCI-DSS Level 1 processors (e.g., Stripe). We retain only the last 4 digits of the card, billing ZIP code, and transaction IDs for anti-fraud and accounting purposes.
- Cryptocurrency Transactions: Wallet addresses and TXIDs used for Web3 subscription payments via NowPayments are stored on our ledgers exclusively for payment reconciliation.
3.3 Technical and Telemetry Data
- Infrastructure Logs: IP addresses, User-Agent strings, TLS session IDs, and request timestamps are retained in volatile memory for strict security purposes (DDoS mitigation and API abuse detection), after which they are automatically expunged or anonymized.
- Generation Metadata: The text prompts, negative prompts, seed numbers, and configuration weights submitted to the inference nodes.
4. Lawful Basis for Processing (GDPR Article 6)
Under the GDPR, we rely on the following legal bases to process your personal data:
- Performance of a Contract (Art. 6(1)(b)): Processing Identity and Financial Data to provide the Services, manage your subscription, and execute AI generation requests.
- Legal Obligation (Art. 6(1)(c)): Processing Age Verification Data to comply with statutory requirements preventing minors from accessing explicit content, as well as accounting and tax obligations.
- Legitimate Interests (Art. 6(1)(f)): Processing Technical Data to ensure network security, prevent fraud, and optimize our GPU cluster routing, provided these interests do not override your fundamental rights.
- Consent (Art. 6(1)(a)): For non-essential tracking cookies or explicit opt-in data contributions.
5. Machine Learning and Data Boundary
We maintain a strict boundary between user data and our foundational model training protocols:
- Private Generations: Images generated via the Services using paid Compute Credits, along with their associated prompts, are strictly excluded from any automated machine learning training, fine-tuning, or LoRA extraction pipelines. Your private content remains your own.
- Opt-In Contributions: Users may explicitly opt-in to donate specific generated images to our telemetry pool to improve algorithmic safety and anatomical coherence. Such data is permanently anonymized prior to ingestion.
6. Disclosure and Data Sharing
We do not sell, rent, or trade your personal data. Disclosures are limited to:
- Authorized Subprocessors: Cloud infrastructure providers (e.g., Supabase for database management) and Identity Verification partners. All subprocessors are bound by rigorous Data Processing Agreements (DPAs) compliant with GDPR Article 28.
- Law Enforcement and Statutory Reporting: We will disclose data if required by a valid EU or member state judicial order. Furthermore, we are legally mandated to report any detected instances of Child Sexual Abuse Material (CSAM) to the relevant European authorities (e.g., Europol) and international bodies (NCMEC), providing all associated user metadata.
7. International Data Transfers
EroGrid's primary inference clusters and databases are located within the European Union (e.g., Frankfurt). In instances where data must be routed through or stored in the United States, we rely on the EU-US Data Privacy Framework (DPF) and the European Commission’s Standard Contractual Clauses (SCCs) to guarantee an equivalent level of protection.
8. User Rights (GDPR)
As an EU resident (and extended globally by our policy), you possess comprehensive rights regarding your personal data:
- Right to Access: Request a structured JSON export of all personal data and generation metadata associated with your account.
- Right to Rectification: Correct inaccurate or incomplete account data.
- Right to Erasure ("Right to be Forgotten"): Request the permanent deletion of your account and associated generations. Note: Certain financial records and cryptographic age-verification tokens must be retained by law for tax audits and minor-protection compliance.
- Right to Restriction & Objection: Object to processing based on legitimate interests.
- Right to Data Portability: Receive your data in a machine-readable format.
To exercise these rights, submit a formal request via your Account Settings dashboard or email dpo@erogrid.com. We respond to all verified requests within 30 calendar days.
9. Data Security
EroGrid implements enterprise-grade, defense-in-depth security architectures:
- Data at Rest: All PostgreSQL databases (via Supabase) and object storage buckets are encrypted utilizing AES-256 block-level encryption.
- Data in Transit: All traffic over the public internet is encrypted using TLS 1.3 with Perfect Forward Secrecy (PFS).
- Access Controls: Internal access to production environments requires multi-factor authentication (MFA) and operates on a principle of least privilege.