Legal
This policy describes how Aruru collects, uses, and protects personal data based on our application backend and infrastructure as operated today. It is not legal advice. Questions: lelekstudio@lelekstudio.com.
Przemysław Gołębiewski
Sewan str 128, 10319 Berlin, Germany
Privacy: lelekstudio@lelekstudio.com
Data is stored in our MongoDB Atlas database (Frankfurt). The categories below match the collections and flows implemented in our backend.
Email address; password (bcrypt hash only — never stored in plain text); email verification status and related tokens; password-reset tokens; optional two-factor authentication data (e.g. TOTP and/or email-based codes); account type and status; administrative flags where applicable.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR); where applicable, legitimate interest in securing accounts (Art. 6(1)(f) GDPR).
Display name; optional avatar (image file uploaded to Cloudinary, stored as URL and cloud asset identifier); bio; city and country; optional social or website links; settings controlling how your profile appears in the community.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and, for optional fields, legitimate interest (Art. 6(1)(f) GDPR).
Studio name, public slug and description, location and tags, logo (Cloudinary), public studio profile data, subscription and trial status, identifiers and metadata for Stripe billing (e.g. customer and subscription IDs, plan tier, billing period), owner contact email where stored on the tenant, and suspension or operational notices where applicable.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Links between your user account and studios (roles, membership status); invitation emails and tokens; studio join requests and related notes or intents as implemented in the application.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Forum thread titles and bodies; replies; view/reply counters; in-app notifications; reports of forum content (reporting user, reason, timestamp). Forum lists are ordered by objective fields such as creation time, last reply, or view count — not by personalised “recommendation” algorithms in our backend.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR); legitimate interest in platform safety (Art. 6(1)(f) GDPR) for reports and moderation.
Where your studio uses operational features, we process records that reference your user identifier, including for example: material purchases, miscellaneous charges, cost summaries, kiln firing entries, studio events and bookings, tasks and task logs, assistant attendance, materials catalogue usage, membership plans, and private kiln requests — as enabled for that studio.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Organisation profile (name, description, category, website, logo via Cloudinary, delivery countries), sponsor posts, aggregate profile view and click statistics, and Stripe billing data linked to the sponsor account.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Card payments go through Stripe Checkout and the Stripe customer portal. Our servers do not receive or store full card numbers or CVV codes. We store billing identifiers and status in our database (e.g. Stripe customer and subscription IDs, plan tier, subscription status, period dates). When creating or updating a Stripe Customer, we send Stripe at least the email address and a name (e.g. studio or sponsor organisation name) and metadata needed to link the payment to your tenant or sponsor account (such as tenant id, plan, and account type).
Stripe acts as a payment service provider; for European payments Stripe commonly uses Stripe Payments Europe, Ltd. — see Stripe’s own privacy notice for the controller/processor role that applies to you: stripe.com/privacy.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and legal obligations (Art. 6(1)(c) GDPR) where accounting or tax law requires retention.
Strong customer authentication (SCA) and fraud measures for card payments are applied by Stripe under applicable EU payment-services law (successor rules to PSD2 are in force in the EU; requirements are operationalised by your bank and Stripe).
We send transactional messages (e.g. email verification, password reset, security and notification emails) via Resend. For each message, Resend receives the recipient address, subject, and HTML body (which may contain single-use links or tokens).
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Uploaded images (avatars, studio and sponsor logos, and similar) are transmitted to Cloudinary for storage and delivery. When an image is removed, we send the relevant public_id (or equivalent) so Cloudinary can delete the asset.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
If you contact support through the product, we store the content of your request, status, and related messages (including admin replies) and the email or channel you use, as implemented in our support ticket system.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) or legitimate interest in handling requests (Art. 6(1)(f) GDPR).
We use the client IP address as part of rate limiting on selected authentication-related HTTP endpoints (implemented with SlowAPI-style logic in our API). That address is not sent by our backend to a separate analytics or advertising service for profiling. Our hosting provider (Railway) may retain short-term server or access logs in the ordinary course of operations.
Legal basis: legitimate interest in security and abuse prevention (Art. 6(1)(f) GDPR).
Our backend does not call third-party analytics (e.g. Google Analytics), error-tracking SaaS (e.g. Sentry), or generative-AI / LLM APIs for moderation or feed ranking. If that changes, we will update this policy.
The personal data export available in the app is designed to reflect the main categories above (account, memberships, notifications, invitations, sponsor profile where relevant, forum posts and replies, tasks, kiln-related entries, purchases, and related records) — see the in-app export for the exact JSON structure.
Media files (avatars, logos) in Cloudinary may take up to 30 days to be fully purged after account deletion.
All sub-processors are bound by a Data Processing Agreement and appropriate transfer safeguards:
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| MongoDB Atlas | Primary database | Frankfurt, Germany (EU) | No transfer outside EEA |
| Railway | Backend hosting | United States | SCCs · DPA |
| Cloudinary | Media storage | United States | SCCs + EU-US DPF · DPA |
| Resend | Transactional email | United States | SCCs · DPA |
| Stripe (incl. Stripe Payments Europe, Ltd. for many EU payments — see Stripe’s privacy policy) | Payment processing, Checkout, Customer Portal | United States / EU as per Stripe | EU-US Data Privacy Framework and/or SCCs as described in Stripe’s DPA · stripe.com/legal/dpa |
| Vercel | Frontend hosting | United States (edge) | SCCs |
We do not sell your data. We do not share your data with advertisers for their own campaigns. We do not use your data for profiling or automated decision-making in our backend.
Aruru hosts user-generated content (including the forum). Under Regulation (EU) 2022/2065 (Digital Services Act; EUR-Lex), providers of intermediary services must operate notice-and-action mechanisms and related transparency rules. In the product you can report forum content that you believe is illegal or violates our rules. We review reports and may remove or restrict content, suspend accounts, or take other proportionate measures. We do not operate automated AI-based moderation in our backend; moderation decisions are human-led, aside from technical limits such as rate limiting.
If we remove or restrict your content for illegality or policy breaches, we will, where practicable, provide the main grounds via the contact channel associated with your account or in-product messaging. You may contest a decision by writing to lelekstudio@lelekstudio.com.
Our backend services do not call third-party large-language-model or similar AI APIs for content moderation or personalised feed ranking. Forum ordering uses transparent, non-personalised sort fields (e.g. time, activity). If you add AI features in the client in the future, describe them separately in this policy.
For consumers in the EU, contracts for digital content and services (including subscriptions) are also governed by Directive (EU) 2019/770 as implemented in national law, alongside these Terms. Practical performance (access, updates, termination) is described in the Terms of Service.
The Aruru web app stores strictly necessary data in browser localStorage (including aruru_access_token and onboarding flags). We do not use advertising cookies or third-party analytics scripts from our own front end. When you pay through Stripe Checkout or the Stripe customer portal, Stripe may set cookies or similar technologies on Stripe’s domains — see Stripe’s cookie policy and privacy notice. The ePrivacy framework (Directive 2002/58/EC as amended) and national implementing laws apply; an EU ePrivacy Regulation has been proposed but is not yet a single binding text across the EU as of this version date.
We respond within 30 days. You may also lodge a complaint with:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin · datenschutz-berlin.de
In the event of a personal data breach posing risk to your rights, we will notify the supervisory authority within 72 hours and affected users without undue delay (Art. 33–34 GDPR).
Our database is hosted in Frankfurt (EU). Some sub-processors are US-based. For transfers outside the EEA we rely on Standard Contractual Clauses (SCCs, Decision 2021/914) or the EU-US Data Privacy Framework where applicable.
Aruru is not directed at children under 16. If you believe a child under 16 has provided us with personal data, contact lelekstudio@lelekstudio.com and we will delete it promptly.
We will notify you of material changes via email or in-app notice at least 14 days before they take effect.
Przemysław Gołębiewski
Sewan str 128, 10319 Berlin, Germany
Privacy: lelekstudio@lelekstudio.com
General: lelekstudio@lelekstudio.com