Sheet · 04 of 04 · privacy notice

Privacy.

Effective date: May 24, 2026. Plain version: your documents never leave your browser. Long version follows.

Strux performs all conversion locally in your browser. The contents of any document you paste, type, drop, or load are never transmitted to a Strux server, never stored, never logged, and never read by us. We could not retrieve them if we wanted to. There is no upload endpoint to attack.

1Who controls your data.

Calyvent is the data controller for the limited account information described below. Our single contact channel is strux@calyvent.com. We do not operate a phone line. We do not have a Data Protection Officer. We are a small studio.

2What we collect.

Free tier.

For free use, we collect: standard request logs at the Cloudflare edge (IP address, user-agent, request path, timestamp), retained by Cloudflare on its standard rolling window. We do not access these logs except to investigate abuse.

Paid tier.

For paid use, we additionally collect: your email address (used for sign-in and receipts); a Supabase user ID and session token; a Stripe customer ID and subscription ID; the current period end date; the active/canceled status of your subscription. We do not store your card number, your billing address, or any other payment instrument data — Stripe holds those.

3What we never collect.

The files you parse.
The text you paste.
The output you generate.
Any field, value, schema, identifier, or row that passes through the workspace.
Browsing analytics, click-paths, scroll-depth, session-replay, mouse-movement, or heat-maps.
Marketing pixels, advertising identifiers, third-party trackers.
Your card number, CVV, expiration, or billing address.

We have no telemetry pipeline. We have no analytics tool. We have no error-tracking service that ships payloads. The only network calls Strux makes during conversion are loading the page itself and (on the upgrade page) Supabase and Stripe.

4Why we collect it.

The minimum data we collect is collected to: (a) authenticate you to your account; (b) charge your subscription; (c) deliver receipts; (d) detect and prevent fraud; (e) comply with tax and accounting law.

5Legal bases (GDPR / UK GDPR).

Contract — to provide the paid service you signed up for.
Legitimate interests — to prevent fraud and abuse on our infrastructure.
Legal obligation — to retain billing records for tax and accounting law.

6Sub-processors.

Cloudflare, Inc. — hosting, edge delivery, DNS, DDoS protection. United States.
Stripe, Inc. — payment processing, card storage, subscription billing. United States.
Supabase Inc. — authentication and entitlement database. United States.

Each sub-processor has its own privacy notice governing its use of your data. We have no other sub-processors.

7International transfers.

Calyvent operates from the United States. Our sub-processors are headquartered in the United States. If you are in the EEA, the United Kingdom, or Switzerland, your account data is transferred to the United States, which has not been the subject of an adequacy decision applicable to all transfers. We rely on the Standard Contractual Clauses approved by the European Commission with each sub-processor where applicable.

8Retention.

Cloudflare edge logs — Cloudflare's standard rolling window (typically 7 days), outside our control.
Supabase account record — for the lifetime of your account, plus thirty days after closure.
Stripe billing record — as long as Stripe and applicable tax law require.
Email correspondence with us — kept for as long as needed to resolve the issue, then deleted within twenty-four months.

9Your rights.

Depending on your jurisdiction, you may have the right to: access the personal data we hold about you; request correction; request deletion; request a copy in a portable format; object to processing; restrict processing; withdraw consent; lodge a complaint with a supervisory authority. To exercise any of these rights, email strux@calyvent.com. We will respond within thirty days. We do not charge a fee for reasonable requests.

California residents: you have the rights described in the CCPA/CPRA. We do not sell your data and we do not share it for cross-context behavioural advertising.

10Children.

Strux is not intended for anyone under eighteen. We do not knowingly collect data from minors. If you believe a minor has created an account, email us and we will delete it.

11Security.

We use TLS for all transport, signed authentication tokens issued by Supabase, and webhook signature verification with Stripe. We do not store card numbers. Account access is gated by single-use email links — there is no password to leak. No system is perfectly secure; you accept this when you use Strux.

12Cookies and local storage.

The free tier uses your browser's local storage to remember a daily counter and your last-used input. The paid tier additionally stores a Supabase auth session in local storage. We do not set advertising cookies, marketing cookies, or analytics cookies.

13Do Not Track.

We do not track you, so DNT signals are not relevant. We honour them anyway.

14Breach notification.

If we become aware of a security incident affecting your personal data, we will notify you by email at the address on your account within seventy-two hours, where required by law. Because we do not store your conversion data, a breach of our infrastructure cannot expose it.

15Changes.

We may update this notice. The current version is always at this URL with an effective date at the top. Material changes will be announced by email to current paid users at least fourteen days in advance.

16Contact.

All privacy correspondence: strux@calyvent.com. Subject line privacy reaches the right inbox.

last set · may twenty-fourth · two thousand twenty-six