Privacy Policy
Last updated: December 23, 2025
1. Introduction
This Privacy Policy explains how Artatol ("we", "us", or "our") collects, uses, and protects your personal information when you use the ArtaCDN service - our multi-media CDN platform with Cloudflare R2 storage, async processing, and on-the-fly image transformations.
2. Information We Collect
2.1 Account Information (Dashboard Users)
When you create an ArtaCDN account, we collect:
- Email address, username, password (encrypted), name
- Organization name and member information
- Bucket and folder configuration settings
- API keys and their usage metadata
- Subscription tier (free, starter, growth, business) and usage limits
2.2 Uploaded Media Files
When you upload files to ArtaCDN, we store and process:
- Images: Original files, generated variants (thumb, small, medium, large, xlarge, xxlarge), EXIF metadata, dimensions, dominant color
- Audio: Original files, extracted metadata (duration, bitrate, sample rate, ID3 tags)
- Video: Original files, extracted metadata (dimensions, duration, FPS, codec), auto-generated thumbnails
- Files: Original files with content type and size metadata
2.3 Analytics and Usage Data
- File download counts and bytes served
- Response time metrics
- User agent and referer information
- IP country (derived from IP address)
- Dashboard usage and API access logs
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our CDN platform
- Store and serve your media files globally via the Cloudflare edge network
- Process and optimize images (resizing, format conversion, compression)
- Extract metadata from audio and video files
- Generate analytics and insights about file usage
- Provide dashboard access and API functionality
- Enforce usage limits based on subscription tiers
- Send important service notifications and updates
- Provide customer support and respond to inquiries
- Detect, prevent, and address security issues and abuse
- Comply with legal obligations
4. Legal Basis for Processing (GDPR)
We process your data based on the following legal grounds:
- Contract: Processing necessary to provide our services (Art. 6(1)(b) GDPR)
- Legitimate Interest: Security, fraud prevention, service improvement (Art. 6(1)(f) GDPR)
- Legal Obligation: Compliance with applicable laws (Art. 6(1)(c) GDPR)
- Consent: Where explicitly provided for optional features (Art. 6(1)(a) GDPR)
5. Data Storage and Security
We store your data on secure servers and implement appropriate technical and organizational measures:
- File storage: Cloudflare R2 (S3-compatible object storage)
- Database storage: PostgreSQL hosted on OVH Frankfurt, Germany (Kubernetes)
- Queue management: Redis/BullMQ hosted on OVH Frankfurt, Germany (Kubernetes)
- Encryption: TLS 1.3 for data in transit
- Passwords: Bcrypt hashing (one-way, not reversible)
- Database security: Row-level security (RLS) on PostgreSQL
- CDN: Cloudflare edge caching for fast global delivery
6. Data Sharing
We do not sell your personal information. We may share your information with:
- Artatol Account: Authentication and access management (shared infrastructure)
- Service providers: Cloudflare (R2 storage, CDN, security), OVH (database, queue, infrastructure)
- Legal authorities: When required by law or to protect our rights
- Your organization members: Dashboard users within your organization can access shared buckets and files
Note: All application traffic is routed through Cloudflare's reverse proxy for DDoS protection, WAF security, and performance optimization. Your files are stored on Cloudflare R2 and served via their global CDN.
7. Data Retention
We retain your data according to the following schedule:
- Account data: Retained while account is active
- Uploaded files: Retained until deleted by you or until account closure
- File metadata: Retained as long as the file exists
- Analytics data: Retained based on your subscription tier (7-365 days)
- Usage logs: Retained for 90 days
- Deleted accounts: All data permanently deleted within 30 days
You can request deletion of your data at any time by contacting us at info@artatol.com.
8. Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Object to or restrict processing of your data
- Portability: Receive your data in a structured, machine-readable format
- Withdrawal: Withdraw consent at any time
- Objection: Object to automated decision-making
- Complaint: Lodge a complaint with your local data protection authority
To exercise these rights, please contact us at info@artatol.com.
9. International Data Transfers
Your files are stored on Cloudflare R2 and may be cached at edge locations globally for optimal performance. Metadata is stored in the European Union (OVH Frankfurt). We ensure appropriate safeguards are in place for any international transfers, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
10. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we will provide prominent notice or obtain consent where required by law.
12. Contact Us
If you have any questions about this Privacy Policy or want to exercise your data protection rights, please contact our Data Protection Officer: