Privacy Policy

Last Updated: May 18, 2026 Effective Date: May 18, 2026

This Privacy Policy describes how Rastrix Inc., a corporation organized under the laws of the Republic of Korea ("Rastrix", "we", "us", "our"), collects, uses, and protects your information when you use PerfectVector (the "Service"). This Privacy Policy is part of, and incorporated by reference into, our Terms of Service.

If you do not agree with this Privacy Policy, do not use the Service.

1. Who We Are (Data Controller)

For the purpose of data-protection laws, the controller of personal data collected through the Service is:

Rastrix Inc., Republic of Korea
Contact: contact@perfectvector.com

2. What We Collect

2.1 Information you provide directly

Uploaded images. Raster images you upload to be vectorized. These are processed on our servers to generate an SVG.
Google account information. When you sign in, Google shares your email address, Google's stable user identifier (sub), and basic profile information with us. Google credentials (passwords, 2FA codes) never reach our servers.
Marketing-email preferences. When you create an account, we record your marketing-email consent state along with a history of changes (timestamp, request IP, browser user-agent, and the method used — settings toggle, email link, or webhook). The default is opted-in; you can toggle it off anytime in your account settings or via the unsubscribe link in any marketing email.
Support communications. Messages you send to us, including their contents and metadata.

2.2 Information collected automatically

Usage data. Jobs you run, download events, time of access, feature interactions.
Device and network data. IP address, user-agent string, browser type, operating system, approximate geolocation derived from IP.
Log data. Access logs, error traces, and performance metrics — used for debugging, abuse detection, and security monitoring.
Cookies and similar technologies. See §6.

2.3 Information from payment processing

If you subscribe to a paid plan, our payment processor Lemon Squeezy collects payment details (card number, billing address, tax information) directly from you. Rastrix Inc. never receives or stores your card data. We receive only the transaction metadata needed to grant and maintain your subscription: Lemon Squeezy subscription identifier, plan, status, billing-period dates, and the last 4 digits of the card on file (where Lemon Squeezy provides it).

3. How We Use Your Information

We process your information for the following purposes:

3.1 Service delivery

Vectorize your uploaded images and deliver the SVG back to you.
Authenticate you on sign-in and keep you signed in between sessions.
Enforce plan quotas (count of Download Claims per rolling window).
Process subscriptions, renewals, cancellations, and refunds via Lemon Squeezy.
Respond to your support requests.

3.2 Security, abuse prevention, and legal compliance

Detect and prevent fraud, automated abuse, multi-account quota evasion, and other misuse of the Service.
Investigate suspected violations of our Terms of Service.
Comply with legal obligations (tax records, law-enforcement requests, lawful disclosures).

3.3 Service improvement

Analyze aggregate usage patterns to improve the Service.
Debug failed or low-quality vectorizations.
Conduct research and development on our algorithms.

We do not use your uploaded images, generated SVGs, or any personal data to train machine-learning models, nor do we share them with third parties for that purpose. This is both our policy and a contractual commitment to users — see Terms §9.

3.4 Communications

Service-related notices (billing, security, account changes, material Terms updates) — these are essential to the Service and cannot be opted out of while you have an account.
Product-update emails and feature announcements. By creating an account, you opt in to these by default. We rely on legitimate interest under GDPR Art. 6(1)(f) and the ePrivacy Directive's soft-opt-in for similar services. You can opt out at any time via the toggle in your account settings, the unsubscribe link in any marketing email, or by emailing contact@perfectvector.com. We honor opt-outs within 24 hours.

3.5 Lawful bases (EEA/UK users)

For users subject to the EU or UK GDPR, our lawful bases for processing are:

Contract (GDPR Art. 6(1)(b)): providing the Service you signed up for.
Legitimate interests (GDPR Art. 6(1)(f)): security, abuse prevention, Service improvement, internal analytics, and product communications under the ePrivacy Directive's soft-opt-in for similar services (we treat account creation as soft opt-in for marketing about the Service).
Legal obligation (GDPR Art. 6(1)(c)): tax records, law-enforcement requests.
Consent (GDPR Art. 6(1)(a)): non-essential cookies where consent is required.

4. How We Share Your Information

We do not sell your personal information. We share it only as described below.

4.1 Service providers (data processors)

We use the following providers to operate the Service. Each is contractually required to process your data only on our instructions:

Provider	Purpose	Data categories
Google Cloud Platform (United States / Korea regions)	Compute, database, object storage	All categories above
Lemon Squeezy (United States)	Payment processing, Merchant of Record	Billing, subscription metadata
Google (Sign-In)	Authentication	Email, Google user ID
Sentry (United States)	Error monitoring	Error traces, limited request metadata
Resend (United States)	Marketing email delivery, contacts list, unsubscribe handling	Email address, marketing-consent state

We may engage additional service providers within any of the categories above (compute and storage, payments, authentication, error monitoring, email delivery, analytics) from time to time. Our commitments about how each category handles your data apply to any such provider. We will refresh this table on material changes to the category set itself.

4.2 Legal and safety disclosures

We may disclose information when we believe in good faith it is necessary to:

Comply with a law, subpoena, court order, or other legal process.
Enforce our Terms of Service or investigate suspected violations.
Protect the rights, property, or safety of Rastrix Inc., our users, or the public.
Investigate fraud or security issues.

4.3 Business transfers

If Rastrix Inc. is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify affected users by updating this page and, where required by law, by email.

5. International Data Transfers

Rastrix Inc. is established in the Republic of Korea. Our service providers are located in the United States, the European Union, Korea, and other jurisdictions as needed to operate the Service. By using the Service, you acknowledge that your information may be transferred to and processed in countries other than the one you are resident in, which may have different data-protection laws.

Where required (e.g., for EEA/UK users), we rely on appropriate safeguards for cross-border transfers — including European Commission Standard Contractual Clauses and equivalent mechanisms.

6. Cookies and Similar Technologies

We use cookies and similar technologies for the following purposes:

Essential cookies. Required to keep you signed in, enforce security, and deliver the Service. These cannot be disabled without breaking core functionality.
Analytics cookies. Help us understand aggregate usage patterns (e.g., via Google Tag Manager / Google Analytics when enabled). Where required by law, we request consent before setting these.

We do not use third-party advertising or cross-site tracking cookies.

You can manage cookies through your browser settings. Disabling essential cookies may prevent you from signing in.

7. Data Retention

The same retention story, for different audiences:

Accounts and activity

Active user accounts. Retained for as long as your account is active.
Deleted user accounts (see §8). Anonymized immediately on deletion and retained in that anonymized form for audit, abuse-response, and aggregate-analytics purposes. No personally identifying fields remain.
Download Claim records. Retained indefinitely in anonymized form after account deletion, for billing audit and abuse-pattern analysis.
Session tokens (refresh tokens). Auto-expire 30 days after issue; revoked immediately on sign-out, deletion, or reuse detection.
Marketing-consent audit log. Records of consent state changes (granted/withdrawn events with timestamp, IP, user-agent) are retained for 3 years from the last state change, then auto-deleted. This satisfies the audit-trail requirements of Korean PIPA §50 and exceeds GDPR/CAN-SPAM minimums. On account deletion, IP and user-agent are nulled; the row itself is preserved for audit integrity.

Uploaded images and generated SVGs

We may retain uploaded images and generated SVGs for a limited period after processing for the following purposes only: (a) debugging failed or low-quality vectorizations reported by users or detected by monitoring, and (b) responding to abuse or content-takedown requests.

We do not use uploaded images or generated SVGs for machine learning, model training, or sharing with third parties. Retained images are stored in access-controlled storage and accessible only to authorized engineers.

The retention period for uploaded images and generated SVGs is currently indefinite while the Service is in early access. We will publish a fixed retention window once the Service exits early access.

Logs and diagnostics

Request and error logs (Cloud Run / Cloud SQL defaults): approximately 30 days, then auto-pruned.
Error-monitoring records (Sentry): approximately 30 days, then auto-pruned.
Webhook audit trail (for Lemon Squeezy events): retained indefinitely for now; may add a 90-day prune cron in a future release.

Billing records

Billing records are retained by Lemon Squeezy under its own policy and as required by tax law (typically seven years or longer). We cannot delete records held by Lemon Squeezy; refer to Lemon Squeezy's privacy policy for their practices.

8. Account Deletion and Your Rights

8.1 Self-serve account deletion

You may delete your account at any time from your account settings. On deletion:

Your active sessions are signed out and all refresh tokens are revoked.
Your email, Google identifier, and any identifiable upload and download metadata are irreversibly anonymized. We cannot recover them afterward.
Anonymized historical records (e.g., download-event rows with no identifying fields) may remain for audit, abuse-response, and aggregate-analytics purposes.
You cannot re-sign-in with the same Google account for 7 days. After the cooldown, a new sign-in creates a fresh account with no connection to the deleted one.

Deleted accounts cannot be self-serve restored. If you want to recover, contact contact@perfectvector.com; we may create a new account for you, but no prior data will be restored.

8.2 Data we cannot delete on request

Some data is retained even after account deletion:

Billing records held by Lemon Squeezy (tax law).
Anonymized audit / analytics records (no PII remains).
Logs held by our cloud and observability providers under their own retention defaults (typically 30 days).

8.3 Your statutory rights

Depending on where you live, you may have the following rights in relation to your personal data:

Access. Request a copy of the personal data we hold about you.
Rectification. Ask us to correct inaccurate data.
Erasure / deletion. Ask us to delete your data. The self-serve deletion flow in §8.1 is the primary mechanism; for edge cases, contact us.
Restriction. Ask us to limit how we process your data in certain circumstances.
Objection. Object to processing based on legitimate interests.
Data portability. Request your data in a structured, machine-readable format (applies to data you provided to us).
Withdraw consent. Where processing is based on consent, withdraw it at any time (e.g., unsubscribe from the newsletter).
Complain. Lodge a complaint with your local data-protection authority — see §11, §12, §13.

To exercise these rights, email contact@perfectvector.com from the address on your account. We aim to respond within 30 days.

9. Data Security

We implement technical and organizational measures to protect your information, including:

Encryption in transit (TLS/HTTPS for all client-server communication).
Encryption at rest for databases and object storage (cloud-provider defaults).
Access controls. Only authorized engineers have access to production data, and access is logged.
Session security. Short-lived access tokens (15 minutes) with rotating refresh tokens, plus reuse-detection that revokes the entire token lineage on replay.
Security monitoring. Error and access monitoring, with alerts on suspicious patterns.

No system is perfectly secure. We cannot guarantee absolute security, but we will notify affected users of a data breach where required by law and within the timeframes required by applicable law.

10. Children's Privacy

The Service is not directed to anyone under 18, and we do not knowingly collect personal data from anyone under 18. If we learn we have collected such data, we will delete it. Parents or guardians who believe a minor has created an account should contact contact@perfectvector.com.

11. Korea (PIPA)

Items of personal information collected: as listed in §2.
Purposes of collection and use: as listed in §3.
Retention periods: as listed in §7.
Refusal to provide: you may refuse to provide personal data; in that case certain features (account sign-in, paid subscriptions) may be unavailable.
Data subject rights. Under PIPA you have rights of access, correction, deletion, and suspension of processing. Exercise them by emailing contact@perfectvector.com.
Third-party provision and overseas transfer. As disclosed in §4 and §5.
Complaints. You may file complaints with the Personal Information Protection Commission (PIPC) or the Korea Internet & Security Agency (KISA).

12. European Economic Area and United Kingdom (GDPR)

If you are in the EEA, UK, or Switzerland, you have the rights listed in §8.3 under the GDPR (or the UK GDPR, as applicable).

Legal bases: as listed in §3.5.
International transfers: as described in §5; we rely on appropriate safeguards, including Standard Contractual Clauses where applicable.
Supervisory authority. You have the right to lodge a complaint with your local data-protection authority. A list of EEA authorities is available at edpb.europa.eu. For the UK, the ICO: ico.org.uk.
EU / UK representative. Not currently designated.

13. California (CCPA / CPRA)

If you are a California resident, under the California Consumer Privacy Act (as amended by the CPRA) you have the rights to:

Know what personal information we collect, use, and share.
Request deletion of your personal information.
Correct inaccurate personal information.
Opt out of the "sale" or "sharing" of personal information.
Non-discrimination for exercising your rights.

We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. We do not knowingly collect or process data of California residents under 16 without affirmative consent.

To exercise California rights, email contact@perfectvector.com. You may designate an authorized agent to submit requests on your behalf.

14. Other U.S. States

Several U.S. states (including Colorado, Connecticut, Virginia, Utah, and others) have enacted consumer-privacy laws granting similar rights. Residents of those states may exercise those rights by emailing contact@perfectvector.com.

15. Changes to This Privacy Policy

We may modify this Privacy Policy from time to time.

Changes that materially reduce your privacy rights — for example, broader sharing of personal data, removal or shortening of a deletion guarantee, or weakening of a user-rights mechanism — will be announced at least 30 days in advance via email to your account address and/or an in-app banner, and will take effect at the end of the notice period.
Other changes (clarifications, new service providers within a category already disclosed, expanded transparency, operational updates, typographical fixes) are effective on publication, with the "Last Updated" date refreshed.

Continued use of the Service after the effective date of any change constitutes acceptance of the updated Privacy Policy.

16. Contact

General and privacy inquiries: contact@perfectvector.com
Website: https://perfectvector.com
Operator: Rastrix Inc., Republic of Korea

By using PerfectVector, you acknowledge that you have read and understood this Privacy Policy.