Privacy policy

Rurk is operated by Rurk SAS, a simplified joint stock company incorporated in France, whose registered office and mailing address appear in our legal notices. Our Service lets individuals generate AI portrait photographs in the style of reference photographers.

For any data-protection question, we have appointed a Data Protection Officer (DPO) reachable at dpo@rurk.ai.

We collect the following categories of data:

• Account data: email address, name, profile picture, and Google identifier supplied during sign-in.
• Uploaded selfies: the three photos you upload to generate your portraits. They are private to your session.
• Generated portraits: the images our Service produces from your selfies and chosen style.
• Billing data: payment details handled by Stripe (we never store your full card number), subscription history, invoices.
• Technical data: truncated IP address, user-agent, error logs, connection timestamps, used for security and reliability.

We use your data only to:

• Deliver the Service: generate your portraits, display your gallery, manage your workspace.
• Perform our contract: collect payments, issue invoices, give you access to your plan's features.
• Prevent fraud and abuse: rate-limit duplicate generations per IP or account, detect automated behavior.
• Keep you informed: send essential transactional emails (welcome, invoices, security alerts). No marketing emails without your prior opt-in.
• Comply with the law: keep accounting records, respond to lawful requests from competent authorities.

Each processing operation relies on one of the legal bases listed in Article 6 of the GDPR:

• Performance of the contract for account creation, portrait generation, and billing.
• Legitimate interest for Service security, abuse prevention, and technical-quality improvements.
• Legal obligation for storing invoices during the applicable tax-retention period.
• Consent for non-strictly necessary cookies (audience measurement) and any future marketing communication.

Your data is hosted in the European Union. More precisely:

• Database and application: Railway (Western European region).
• Files (selfies, portraits): S3-compatible object storage hosted in Europe (Cloudflare R2, EU region).
• Authentication: Google (USA) for the OAuth flow only, with transfer covered by the European Commission's standard contractual clauses.

Your selfies and portraits remain available as long as your account is active. You can delete them at any time from your workspace.

When you delete your account, your account data and content are erased within 30 days. To comply with accounting and tax obligations, we keep a record of invoices and payments for three (3) years after the last action on your account. Beyond that period, those records are anonymized or destroyed.

Under the GDPR you have, at any time, the following rights over your personal data:

• Right of access: obtain a copy of your data.
• Right to rectification: correct inaccurate data.
• Right to erasure (right to be forgotten): request deletion of your data.
• Right to portability: receive your data in a structured, commonly used, machine-readable format.
• Right to restriction: ask us to temporarily suspend a processing operation.
• Right to object: object to processing based on legitimate interest.
• Right to give post-mortem instructions on what happens to your data after your death.

To exercise these rights, write to dpo@rurk.ai. We respond within one month. You may also lodge a complaint with the French data protection authority CNIL (www.cnil.fr/en).

Rurk uses a limited number of cookies, in two categories.

Strictly necessary cookies

• NEXT_LOCALE: remembers your language preference (FR or EN), 12-month lifetime.
• authjs.session-token: keeps you signed in, removed at sign-out or expiry.
• rurk_preview_used: prevents abuse of the free preview from a single IP, 30-day lifetime.
• rurk_cookies: records your consent choice (all or essential only), 12-month lifetime.

These cookies do not require your consent because they are necessary to operate the Service.

Cookies requiring consent

We do not enable any analytics or marketing cookies until you click Accept all. Choosing Essential only keeps only the cookies listed above.

We rely on trusted technical providers to operate the Service. Each is bound by a data-processing agreement aligned with Article 28 of the GDPR.

• Google (Ireland / USA): OAuth authentication.
• Stripe (Ireland): payment processing and invoicing.
• OpenAI (USA): image generation. The selfies you upload are sent to OpenAI temporarily for the duration of the generation only and are not retained afterwards.
• Resend (EU): transactional email delivery.
• Railway (EU) and Cloudflare (EU): hosting and storage.

No data is sold or rented to third parties. Any transfer outside the EU relies on the European Commission's standard contractual clauses.

Rurk is not intended for people under 16. We do not knowingly collect data from minors. If you are a parent or guardian and believe a minor has provided us with personal data, write to dpo@rurk.ai and we will delete it.

We implement appropriate technical and organizational measures to protect your data: encryption in transit (HTTPS/TLS), restricted access to databases, logging of sensitive actions, regular backups, and routine security testing. No system is infallible — if a breach occurs that is likely to affect your rights, we will notify you within 72 hours.

This policy may be updated to reflect changes to the Service or to the law. The date at the top of the page indicates the current version. We will notify you of substantial changes by email or by an in-app notice.