
Privacy Policy

Last updated: March 25, 2026

The privacy of your data — and it is your data, not ours! — is a big deal to us. In this policy, we lay out what data we collect and why, how your data is handled, and your rights with respect to your data. We never sell your data. Never have, never will.

1. What We Collect & Why

We only collect information that is necessary to provide and improve EaseUI. Here's a complete breakdown:

What | Why | Lawful basis (GDPR)
Email address | Account creation, login, support, important product updates | Contractual necessity
Name (optional) | Personalization, displayed in your workspace | Consent
Payment info | Processed by Stripe; we never see or store card numbers. B2C individual purchases only; no VAT invoices issued. | Contractual necessity
Usage analytics | Understanding which features are used to improve the product (PostHog) | Legitimate interest
Error reports | Bug fixing and reliability (Sentry) | Legitimate interest
Your designs & projects | Stored to provide the service; your content belongs to you | Contractual necessity
General geolocation | Country-level only, for compliance and analytics. We do NOT track precise location. | Legitimate interest
What we DON'T collect: We don't collect your phone number, physical address, social security number, or any biometric data. We don't run any facial recognition or behavioral profiling.

2. BYOK & AI Data

EaseUI's BYOK (Bring Your Own Key) model is a core privacy feature:

  • Your API keys are stored locally in your browser. They never pass through our servers.
  • Your AI prompts and generated designs are sent directly from your browser to the AI provider (OpenAI, Anthropic, Google, etc.). We do not intercept, log, or store these interactions.
  • Sponsored free-tier users: Your prompts pass through our backend to our API account. We do not log or store the content of your prompts. We only log metadata (timestamp, generation count) for rate limiting.

Each AI provider has its own data handling policy. We encourage you to review them:

3. Cookies & Analytics

Essential Cookies

We use strictly necessary cookies for authentication and session management. These cannot be disabled as they are required for the service to function.

Analytics (PostHog)

We use PostHog for product analytics. PostHog is configured to:

  • Anonymize IP addresses
  • Respect "Do Not Track" browser settings
  • Not use cross-site tracking
  • Store data in EU-compliant infrastructure

You can opt out of analytics at any time in your account settings.

Error Monitoring (Sentry)

We use Sentry for error tracking. Sentry captures error data and limited session context to help us fix bugs. It does not track your browsing behavior or personal data beyond what's needed for error reports.

No Advertising Cookies

We do not use any advertising cookies, trackers, or retargeting pixels. We do not sell or share your data with advertising networks.

4. When We Access or Disclose Your Information

We do not share your personal information with third parties except in the following circumstances:

  • To provide the service: We share necessary data with our service providers (Stripe for payments, Vercel for hosting, Supabase for database, PostHog for analytics, Sentry for error monitoring).
  • When required by law: If compelled by a court order or legal process. We will attempt to notify you unless legally prohibited from doing so.
  • To protect rights: If necessary to enforce our Terms, protect our rights or safety, or investigate fraud.
  • With your explicit consent: If you ask us to share data with a third party.

We have never received a government request for user data. If we ever do, we will fight it if legally possible and will be transparent about it.

No data brokers. No advertisers. No "business partners." Your data stays with us and the essential service providers listed above.

5. Your Rights

Regardless of where you live, we provide the following rights to all EaseUI users:

Right | What it means | How to exercise
Access | See all personal data we hold about you | Email us or use account settings
Correction | Fix inaccurate personal data | Account settings or email us
Deletion | Delete your account and all associated data | Account settings → Delete Account
Export | Download all your data in standard formats | Account settings → Export Data
Restrict | Limit how we process your data | Email us
Object | Object to processing based on legitimate interest | Email us
Portability | Receive your data in a machine-readable format | Export feature

We will respond to any data subject request within 30 days (GDPR) or 45 days (CCPA); Vietnam residents receive a response within 72 hours (see Section 11). Contact us at jang@easeui.design.

6. How We Secure Your Data

  • Encryption in transit: All connections use TLS 1.2+ (HTTPS everywhere)
  • Encryption at rest: All user data is encrypted at rest in our database
  • Access controls: Only essential team members have access to production data, with audit logging
  • Authentication: Supabase Auth with industry-standard practices (bcrypt password hashing, JWT-based sessions)
  • Regular reviews: We conduct security reviews and design against the OWASP Top 10 risk categories
  • Breach response: Documented incident response plan with a commitment to notify affected users and regulators within 72 hours of becoming aware of a breach

7. Data Deletion & Retention

When You Delete Content

When you delete content in your EaseUI workspace, it is immediately removed from our active database. Within 30 days, it is purged from our backup systems as well.

When You Delete Your Account

When you delete your account:

  • Your personal data is deleted from active systems within 24 hours
  • Your content (designs, projects) is deleted within 30 days
  • Backup purging completes within 60 days
  • We may retain anonymized, aggregated usage data (this cannot be traced back to you)

Retention Periods

Data type | Retention
Account data | Until account deletion + 60 days
Payment records | 7 years (legal requirement)
Support conversations | 2 years after last contact
Analytics data | 24 months, then anonymized
Error logs | 90 days

8. Location of Data & Cross-Border Transfers

EaseUI's infrastructure is hosted on:

  • Vercel — Edge network (global CDN, serverless functions)
  • Supabase — Database and authentication

Your data may be processed in the United States, European Union, or other regions where our infrastructure providers operate. As of March 2026, EaseUI does not maintain data servers within Vietnam. All user data is stored on infrastructure operated by our sub-processors outside Vietnam.

We comply with cross-border data transfer requirements under applicable laws, including:

  • Vietnam PDPL 2025: Transfer Impact Assessment completed and filed with the Ministry of Public Security as required
  • EU GDPR: Standard Contractual Clauses (SCCs) with sub-processors
  • Other jurisdictions: Applicable adequacy decisions and transfer mechanisms

9. EU Data Transfers

For users in the European Economic Area (EEA), we ensure that any transfer of personal data outside the EEA is protected by:

  • EU-US Data Privacy Framework (where applicable)
  • Standard Contractual Clauses (SCCs) with our sub-processors
  • Adequacy decisions where available

Our sub-processors (Vercel, Supabase, PostHog, Sentry, Stripe) all maintain GDPR-compliant data processing agreements.

10. California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: What personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do NOT sell personal information or share it with advertising networks, so there is nothing to opt out of
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact jang@easeui.design. We will respond within 45 days.

11. Vietnam Residents (PDPL 2025)

If you are a resident of Vietnam, the Personal Data Protection Law 2025 (Law No. 91/2025/QH15) and Decree 356/2025/NĐ-CP, effective January 1, 2026, apply to how we process your personal data. In addition to the rights listed in Section 5, you have the following specific protections:

  • Explicit consent: We obtain your explicit, informed consent before processing your personal data. Consent is specific to each processing purpose and is never bundled with unrelated services.
  • 72-hour response: We will respond to your data subject requests (access, correction, deletion, restriction) within 72 hours, as required by Vietnamese law.
  • Cross-border data transfer: Your data is transferred outside Vietnam to our infrastructure providers (see Section 8). We have completed the required Transfer Impact Assessment and filed it with the Ministry of Public Security (Bộ Công An) as required by law.
  • Data Protection Officer: Our founder, Jang Trịnh, serves as the designated person responsible for data protection compliance.
  • Right to complain: You have the right to file a complaint regarding our data processing practices with the Ministry of Public Security of Vietnam.

Contact for Vietnam privacy matters: jang@easeui.design

12. India Residents (DPDP Act)

If you are a resident of India, the Digital Personal Data Protection (DPDP) Act 2023 applies to our processing of your personal data. Your rights include:

  • Right to consent: We obtain your informed consent before processing your data
  • Right to access: You may request information about what personal data we hold
  • Right to correction and erasure: You may request we correct inaccurate data or erase data no longer necessary
  • Right to grievance redressal: You may contact us with any complaints about our data handling
  • Right to nominate: You may nominate another person to exercise your rights on your behalf

Contact for India privacy matters: jang@easeui.design

13. Children's Privacy

EaseUI is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it immediately.

14. Changes & Questions

We may update this Privacy Policy from time to time. When we make significant changes, we will:

  • Update the "Last updated" date at the top
  • Notify you via email if the changes are material
  • Post a notice in the app for 30 days

Questions or concerns about our privacy practices? Reach out: jang@easeui.design

This privacy policy is written in plain language because we believe you should actually understand how your data is handled. Inspired by Basecamp's open-source policies.