[07]Privacy

Privacy policy.

KriyaX Labs (“we”, “us”, “our”) operates SketchXFlow — an AI-powered design-to-code studio at sketchxflow.com and sketchxflow.kriyaxlabs.com. This document explains how we collect, use, disclose, and safeguard your information, including data we receive from Google when you sign in with a Google account.

§ 1 — Information we collect

What we collect

1.1 Account information

When you register, we collect your name, email, and a hashed version of your password. We never store your password in plain text.

1.2 Usage and generation data

We log generation requests (prompt text, token counts, coin usage, timestamps) to enforce plan limits and improve the Service. We do not retain AI-generated outputs beyond your session unless you save the project.

1.3 Project data

Saved projects (design graphs, exported code, uploaded images) are stored in your account and accessible only to you, unless you create a share link.

1.4 Payment information

All payments are processed by Dodo Payments, which acts as the Merchant of Record for all transactions. We do not receive, store, or have access to your full card number or payment credentials. We receive only a transaction confirmation, customer ID, subscription status, and purchase metadata.

1.5 Automatically collected data

Standard server logs — IP address, browser type, device, pages visited, timestamps — used for security monitoring, abuse prevention, and analytics.

1.6 Information from Google when you sign in with Google

If you choose Continue with Google, we use Google's OAuth 2.0 service to authenticate you. We request only the standard, non-sensitive sign-in scopes:

  • openid — confirms your identity with Google.
  • https://www.googleapis.com/auth/userinfo.email — your verified email address.
  • https://www.googleapis.com/auth/userinfo.profile — your basic profile (name and profile picture URL).

From these scopes we receive: a stable Google subject ID (sub) used to identify your Google account, your email address, your verified-email status, your name, and your profile picture URL. We do not request access to your Gmail, Calendar, Drive, Contacts, or any other Google service.

We use this information solely to (a) create your SketchXFlow account if you're new, (b) sign you into your existing SketchXFlow account, and (c) display your name and profile picture inside the app. If an account already exists with the same verified email, we link the Google identity to that account so you can sign in with either method — we do not create duplicate accounts.

You can revoke SketchXFlow's access at any time from myaccount.google.com/permissions. Revoking access does not delete your SketchXFlow account; if you also set a password, you can continue to sign in with email and password.

§ 1.7 — Google API Services User Data Policy

Limited Use of Google user data

SketchXFlow's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • We use Google user data only to provide the SketchXFlow sign-in feature and to display your name + photo.
  • We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features that are prominent in the SketchXFlow user interface.
  • We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based ads.
  • We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymised.

§ 2 — How we use it

How we use your information

  • Provide, maintain, and improve the Service.
  • Process your account registration and authenticate your sessions.
  • Track usage against your plan's coin allocation.
  • Process transactions via Dodo Payments and manage your subscription or coin pack purchases.
  • Send transactional emails — verification, resets, billing receipts.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations.

§ 3 — Sharing

Third-party services

We share your information only with the following:

  • Dodo Payments (Merchant of Record) — handles checkout, billing, taxes, refunds, and chargebacks for paid plans and coin-pack purchases. Receives your name, email, and billing address. We never receive your card number. Their handling is governed by their Privacy Policy.
  • Cloud infrastructure providers — host the Service and store account and project data with encryption at rest and in transit. They process this data only on our behalf.
  • AI model providers — process the prompts you submit so the Service can generate designs. Prompt text is sent to these providers under their respective data-usage policies; we do not authorise them to train models on your prompts.
  • Google Identity Services— when you choose “Continue with Google”, we use Google's OAuth 2.0 service to authenticate you. See section 1.6 above for the full scope and data-handling disclosure.

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

§ 4 — Retention

Data retention

Account data is retained for as long as your account is active. Project data is retained until you delete it or delete your account. Generation logs are retained for up to 90 days for billing and abuse prevention. Payment records are retained as required by tax and financial regulations (typically 7 years).

§ 5 — Security

Data security

Industry-standard measures: encrypted connections (TLS/HTTPS), hashed passwords (bcrypt), HTTP-only secure cookies for authentication, rate limiting on sensitive endpoints, and encrypted data at rest. No method of electronic transmission or storage is 100% secure; we cannot guarantee absolute security.

§ 6 — Your rights

Your rights

Depending on your jurisdiction you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data and account.
  • Export your project data.
  • Object to or restrict certain processing.
  • Withdraw consent where processing is based on consent.

To exercise these rights, contact support@kriyaxlabs.com. We respond within 30 days.

6.1 Account deletion

To delete your account and all associated data:

  • Sign in and visit /accountDelete account; this irreversibly removes your account, projects, backups, payment records (where retention law permits), generation logs, comments, and any linked Google identity, OR
  • Email support@kriyaxlabs.com from the address on file. We confirm by reply within 7 days and complete deletion within 30 days.

If you signed in with Google, account deletion also revokes SketchXFlow's OAuth grant — you can independently revoke it at any time from myaccount.google.com/permissions.

§ 7 — Cookies

Cookies

Essential cookies only: an HTTP-only authentication cookie (access_token) and a refresh token cookie. No advertising or third-party tracking cookies.

§ 8 — Children

Children's privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you become aware a child has provided personal data, contact us — we will delete it.

§ 9 — Transfers

International data transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States and India. These transfers are necessary for providing the Service and are protected by appropriate safeguards.

§ 10 — Changes

Changes to this policy

We may update this Privacy Policy from time to time. Material changes are posted on this page with an updated date. Continued use after changes constitutes acceptance.

§ 11 — Contact

Contact

KriyaX Labs · Email support@kriyaxlabs.com · Web sketchxflow.kriyaxlabs.com.

⁄ End of document← Back to studio