VoxelSprites
← Back to home

Privacy policy

Last updated: 2026-05-06

1. Data controller

The data controller for personal data collected through the VoxelSprites Service is:

  • Legal entity: Maxence Krzyzelewski (GDDream)
  • Address: 1005 rue Marsy, 62136 Vieille-Chapelle, France
  • Contact: Contact page or contact@voxelsprites.com

2. Data collected

VoxelSprites collects only the data strictly necessary for the Service to operate:

  • User account: email address, password, optional pseudonym and preferred language. Passwords are never kept in clear: only their hashed form is stored in the database;
  • IP address: an anonymized fingerprint of your IP address is kept for the purposes of abuse prevention, spam mitigation and quota management for unidentified visitors. The IP address itself is not stored;
  • Usage data: text prompts, generated voxel models, associated animations, run history;
  • Technical logs: API calls, errors, response times and identifiers of the AI models used. These logs are anonymized for unidentified visitors;
  • Cookies: see dedicated section below.

Payments are processed by Stripe (Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Irlande)), which acts as data controller for payment data. VoxelSprites does not receive or store any payment details (card number, security code, expiry date). Only a transaction identifier and the payment status are kept for billing and refund-management purposes.

3. Purposes

  • Service delivery (account creation, voxel generation, exports);
  • Authentication (session management, email verification, password reset);
  • Abuse prevention and spam mitigation, including request-rate limitation and the framing of multiple registrations;
  • Transactional communication (verification emails, reset emails, security alerts);
  • Service improvement, through aggregated and statistical analysis of user prompts in order to tune the AI models. This analysis does not give rise to any nominative processing.

4. Legal bases

Data processing relies on:

  • Performance of the contract entered into upon acceptance of the Terms of Service at registration, for the essential features of the Service;
  • Legitimate interest of the Operator in protecting the Service against abuse, namely the anonymization of IP addresses, the limitation of request volumes and the management of quotas;
  • User consent for any non-essential processing, for instance in the event of subscription to a possible newsletter.

5. Retention period

  • Active account: as long as the account is not deleted;
  • Deleted account: personal data is erased within 30 days, unless legal retention obligations apply;
  • Technical logs: 12 mois pour les logs de sécurité et anti-abus (hash IP, tentatives d'authentification) ; 90 jours pour les logs applicatifs (erreurs, latences). As an indication, abuse-prevention logs are kept for twelve months and application error logs for ninety days;
  • Email verification links: twenty-four hours from issuance;
  • Password reset links: one hour from issuance.

6. Cookies

VoxelSprites uses two categories of cookies, all first-party (no third party, no advertising):

6.1 Strictly necessary cookies (cannot be disabled)

  • vs_session: technical cookie required to maintain the session; its lifetime matches that of the browser session;
  • vs_remember_token: persistent login cookie kept for thirty days, allowing the user to remain signed in between visits;
  • vs_lang: language preference cookie kept for one year;
  • vs_cc: storage of your cookie preferences, kept for thirteen months.

6.2 Anonymous audience measurement (optional, requires consent)

  • vs_vid: anonymous visitor identifier (16 random characters), kept for thirteen months. Allows distinguishing a returning visitor from a new one, with no personal identification;
  • vs_sid: anonymous session identifier kept in tab memory (sessionStorage), reset after thirty minutes of inactivity.

These cookies feed only our internal audience measurement tool, hosted on our own servers. No data is transmitted to a third party, no cross-site correlation is performed, no advertising is delivered. The IP address is never kept in plain text (only an anonymised fingerprint).

On first access, a banner offers you the choice to accept, refuse or customise these audience-measurement cookies. Refusing has no impact on Service usage or on account creation. You can change your choice at any time:

6.3 Contractual acceptance at registration (separate from cookies)

When creating an account, a mandatory checkbox requires acceptance of the Terms of Service and this Privacy policy. This acceptance is necessary for the performance of the service contract; without it, the account cannot be created. It does not cover audience-measurement cookies, which remain freely chosen through the cookie banner, independently of any registration.

The date and the anonymised IP fingerprint at the time of this contractual acceptance are kept as proof, for the lifetime of the account plus three years after its deletion.

7. Data recipients

Data is never sold or shared with third parties for commercial purposes. It may be shared with:

  • The Service’s host: o2switch SAS;
  • AI model providers (OpenRouter and its sub-processors), to which only the descriptions entered by the user and the content generated in response are transmitted, to the exclusion of any account data;
  • The transactional email provider, for the delivery of verification, password-reset and Service-notification messages.

La liste détaillée des sous-traitants techniques (hébergeur o2switch, fournisseurs de modèles d'IA via OpenRouter, service SMTP transactionnel, Stripe pour les paiements) est tenue à jour et communiquée sur simple demande via la page Contact

8. Your rights

Under GDPR, you have the following rights:

  • Right of access, rectification and erasure of your data;
  • Right to data portability (export);
  • Right to object to processing;
  • Right to issue post-mortem directives.

To exercise these rights, reach out via the Contact page. In case of disagreement, you may file a complaint with your national data protection authority (in France: CNIL, www.cnil.fr).

9. Security

Passwords are stored hashed, never in clear. Authentication tokens (session, email verification, password reset) are generated using cryptographically secure methods and have a limited lifetime. Communications between the browser and the Service are encrypted via HTTPS.

10. Changes to this policy

The Operator reserves the right to update this policy. The last-modified date appears at the top of this page. Substantive changes will be notified by email to users with an account.