Privacy Policy
Last updated: 3 July 2026
This Privacy Policy explains how ZardForge ("ZardForge", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use our website, the ZardForge studio (AI 2D game-asset generation, the browser-based editor, and sprite-sheet export), and related services (together, the "Service"). It also describes your rights under the EU General Data Protection Regulation (GDPR) and Lithuanian data-protection law.
This policy works together with our Terms & Conditions. By using the Service you acknowledge the practices described here.
1. Who we are (data controller)
The data controller responsible for your personal data is:
- Company: Zardsoft, MB
- Registered address: [registered address, Lithuania]
- Company code: [company code]
- Privacy contact: privacy@zardforge.com
We are established in the Republic of Lithuania (EU). If you have any question about this policy or how we handle your data, contact us at the email above.
2. Data we collect
We collect only the data we need to run the Service, bill it, keep it secure, and meet our legal obligations.
Account data
- Your name and email address.
- A securely hashed password if you sign up with email and password (we never store your password in plain text).
- If you sign in with Google or Facebook: we obtain your OAuth account identifier and basic profile fields (name, email, and where available an avatar) from that provider. The source of this data is Google or Meta — not you directly.
- Your email-verification status.
Profile data
- Display name and avatar image you choose to set.
- Workspace and team membership, roles, and invitations (if you use shared workspaces).
Authentication & security logs
- Session and login activity, and security-related events.
- Limited technical metadata (such as IP address and timestamps) used to protect accounts against abuse and fraud.
Billing data (paid plans)
- Billing name, billing address, and country.
- VAT number, for business (B2B) customers.
- A payment-method reference (such as the card brand and last four digits and a processor token). We do not store your full card number, CVC, or expiry — that card data is handled directly by Stripe (see "Who we share data with").
- Subscription, plan, invoice, and payment-status records.
Your prompts and content
- The text prompts you submit, any reference images you upload, and generation settings.
- The assets you generate, edit, and upload (images, layers, exports, sprite sheets and atlas metadata), plus project and file names.
Usage & technical data
- IP address, device and browser information.
- Essential cookies / session tokens needed to keep you signed in.
- Basic, aggregated usage signals to keep the Service reliable and to improve it.
Whether you have to provide this data
Providing your account data (and, for paid plans, your billing data) is necessary to enter into and perform our contract with you, and — for invoices — to meet our legal accounting and VAT obligations. If you do not provide it, we cannot create your account, provide the Service, or bill paid plans. Submitting prompts and reference images is voluntary, but the AI generation feature cannot work without them.
3. How we use your data
- To create and manage your account and authenticate you.
- To provide the Service: generate assets from your prompts, run the editor, and produce exports.
- To process payments, manage subscriptions, and issue invoices.
- To send transactional emails (verification, password reset, billing and invoices, important service notices).
- To keep the Service secure and prevent fraud and abuse.
- To comply with tax, accounting, and other legal obligations.
- To maintain and improve the Service, and — only where required — to send optional product or marketing communications you can opt out of.
4. Legal bases for processing (GDPR Art. 6)
- Account creation, authentication, and providing the Service (AI generation, editor, exports, account support) — performance of a contract (Art. 6(1)(b)).
- Transactional emails (verification, password reset, important service notices) — performance of a contract (Art. 6(1)(b)); billing and invoice emails also rest on legal obligation (Art. 6(1)(c)).
- Payments, subscriptions, invoicing, VAT, and accounting retention — legal obligation (Art. 6(1)(c)) under Lithuanian and EU law.
- Security, fraud and abuse prevention — legitimate interest (Art. 6(1)(f)) in protecting the Service, our users, and our infrastructure from misuse.
- Maintaining and improving the Service via aggregated usage signals — legitimate interest (Art. 6(1)(f)) in keeping the Service reliable and improving its quality, where not overridden by your rights.
- Optional analytics or marketing, and non-essential cookies — consent (Art. 6(1)(a)). You can withdraw consent at any time.
5. AI generation & your content
Please read this carefully
To generate assets, the prompts you submit and any reference images you upload are sent to a third-party AI image-model provider — Google's Gemini image model (also referred to as "Nano Banana"), accessed either via Google AI Studio (the Gemini Developer API) or, depending on our configuration, via Google Cloud Vertex AI. This is necessary to perform the generation you request. That provider processes your prompt and reference images to return a generated image to us.
- Avoid including personal or sensitive information in prompts or reference images unless you intend to.
- The AI provider processes this data under its own terms and privacy practices. This may involve a transfer outside the EU/EEA, which we address under "International transfers" below.
- Generated and uploaded assets, plus your projects, are stored on our infrastructure (database and object storage) so you can access and edit them.
6. Who we share data with (sub-processors)
We do not sell your personal data. We share it only with service providers ("sub-processors") that help us run the Service, under contracts that require them to protect your data and use it only on our instructions. The main ones are:
- Better Auth & our own PostgreSQL database — authentication and storage of your account and application data (profiles, workspaces, projects, asset metadata). Hosted on our infrastructure.
- Object storage (S3-compatible / MinIO) — storage of the actual generated and uploaded image bytes and exports.
- Resend — sending transactional email (verification, password reset, billing and invoices). Any transfer outside the EU/EEA is covered under "International transfers" below (Standard Contractual Clauses).
- Stripe — payment processing. Stripe collects and handles your card data directly as a payment processor/controller for that purpose. Stripe may transfer data to the United States under appropriate safeguards (Standard Contractual Clauses).
- Google and Meta (Facebook) — sign-in providers. If you choose to sign in with Google or Facebook, that provider supplies us your account identifier and basic profile fields (name, email, and where available an avatar). They act as independent controllers for their own authentication services and may process data outside the EU/EEA (including the United States) under Standard Contractual Clauses.
- Google — Gemini ("Nano Banana") image model — the AI provider that generates assets from your prompts and reference images. Depending on our configuration this runs either through Google AI Studio (the Gemini Developer API) or through Google Cloud (Vertex AI), where a processing region/location can be set. May involve a transfer subject to Standard Contractual Clauses with the relevant Google entity.
- VIES (European Commission VAT Information Exchange System) — used to validate the VAT numbers of business customers for correct VAT treatment.
We may also disclose data where required by law, to enforce our terms, or to protect the rights, safety, and security of users and the public.
7. International transfers
We aim to keep data within the EU/EEA where practical. Some of our sub-processors (notably Stripe, the AI image-model provider (Google), and the sign-in providers (Google, Meta)) may process data in countries outside the EU/EEA, including the United States. Where that happens, the transfer is protected by appropriate safeguards under the GDPR — most commonly the European Commission's Standard Contractual Clauses (SCCs), together with additional technical and organizational measures where needed. You can request a copy of the safeguards we rely on (for example the Standard Contractual Clauses), or details of where they have been made available, by emailing privacy@zardforge.com.
8. How long we keep your data
- Account & content data — for as long as your account is active. When you delete your account, we delete or anonymize your personal data within 30 days, except where we must keep certain records for legal reasons.
- Invoices & accounting records — retained to meet Lithuanian accounting and tax law. We keep accounting documents for 10 years, in line with the Lithuanian Law on Accounting.
- Security & log data — typically kept for up to 12 months, unless a longer period is needed to investigate a specific security incident.
9. Your rights under the GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten"), subject to our legal retention duties.
- Restrict or object to certain processing, including processing based on legitimate interests.
- Object to direct marketing at any time — where we send marketing communications, you can opt out at any time and we will stop using your data for that purpose.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time, where we rely on consent.
To exercise any of these rights, email privacy@zardforge.com. We will respond within the timeframe required by law. You also have the right to lodge a complaint with the Lithuanian supervisory authority, the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, VDAI), or with the supervisory authority in your country of residence.
10. Automated decision-making
We do not make decisions about you based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 GDPR. Generating images from the prompts you submit is not such a decision: it is processing you request, not an automated decision taken about you.
11. Cookies & sessions
We use a small number of essential cookies / session tokens that are strictly necessary to sign you in and keep you authenticated. These cannot be switched off without breaking the Service. We do not use third-party advertising or cross-site tracking cookies. If we ever add optional analytics or similar cookies, we will ask for your consent first and update this policy.
12. Children
The Service is not directed to children. You must be at least 16 years old to create an account; this is our eligibility requirement. If you believe a child has provided us personal data, contact us and we will delete it.
13. Security
We use appropriate technical and organizational measures to protect your data, including hashed passwords, encrypted transport (HTTPS), access controls, and trusted sub-processors. No method of transmission or storage is completely secure, but we work to keep your data safe and to respond promptly to any incident.
14. Changes to this policy & contact
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. For any privacy question or request, contact privacy@zardforge.com.