Legal

Privacy Policy

Last updated: April 6, 2026

1. Who we are

This Privacy Policy describes how HALLMARK.AI ("we", "us") collects, uses, and shares information when you use our website and invisible watermarking services (collectively, the "Service").

2. Information we collect

  • Account data: email address and authentication credentials when you create an account.
  • Usage and billing: token balances, subscription or payment-related records processed by our payment providers, and service logs needed to operate the Service.
  • Content you submit: when you use watermark embedding or verification, files and derived signals are processed as described in our product disclosures. We design the Service to minimize retention of raw media where possible; specific handling may depend on feature configuration and operational requirements.
  • Technical data: IP address, device and browser type, and cookies or similar technologies used for security, preferences, and analytics.

3. How we use information

We process personal data only where we have a lawful basis to do so under applicable law, including the GDPR (Article 6). The table below sets out our processing activities and their lawful bases:

PurposeData usedLawful basis
Provide and operate the ServiceAccount data, usage dataPerformance of contract (Art. 6(1)(b))
Authenticate users and prevent abuseAccount data, technical dataPerformance of contract; Legitimate interests (Art. 6(1)(b)(f))
Security monitoring and fraud preventionTechnical data, logsLegitimate interests (Art. 6(1)(f))
Analytics and service improvementUsage data, technical dataLegitimate interests (Art. 6(1)(f))
Transactional and account emailsEmail addressPerformance of contract (Art. 6(1)(b))
Processing payments and billing recordsBilling dataLegal obligation; Performance of contract (Art. 6(1)(b)(c))
Comply with law and enforce our TermsAll categories as neededLegal obligation (Art. 6(1)(c))

4. Sharing and subprocessors

We do not sell your personal data. We share information only with the following categories of trusted subprocessors who help us operate the Service, each bound by appropriate data processing agreements:

  • Cloud infrastructure — hosting and computing services that run the Service.
  • Payment processing (Stripe) — handles subscription and payment transactions. Stripe's privacy policy applies to data they process on your behalf.
  • Email delivery (Resend) — used to send transactional and account-related emails.
  • Product analytics (PostHog) — used to understand how the Service is used and improve it. Data is collected in a privacy-preserving manner.

We may also disclose personal data if required by law, court order, or to protect the rights, safety, and integrity of the Service and our users.

5. Retention

We retain personal data only for as long as necessary for the purposes described in this policy, subject to legal obligations. Specific retention periods by data category:

  • Account data — retained for the lifetime of your account, plus up to 30 days after account deletion to allow for recovery. After that, it is permanently deleted.
  • Payment and billing records — retained for 7 years to comply with accounting and tax legal obligations.
  • Server and access logs — retained for up to 90 days for security and debugging purposes, then deleted.
  • Submitted media files — processed transiently and not retained beyond the duration required to complete the watermarking or verification operation, unless otherwise stated in feature-specific disclosures.

6. Your rights

Depending on where you are located, you may have the following rights regarding your personal data. EU/EEA and UK residents have these rights under the GDPR and UK GDPR respectively. Contact us at miliuchenko.oleksii@gmail.com to exercise any right. We will respond within 30 days.

  • Right of access (Art. 15 GDPR) — obtain a copy of the personal data we hold about you and information about how it is used.
  • Right to rectification (Art. 16 GDPR) — request correction of inaccurate or incomplete personal data.
  • Right to erasure / "right to be forgotten" (Art. 17 GDPR) — request deletion of your personal data where there is no compelling reason for us to continue processing it.
  • Right to restriction of processing (Art. 18 GDPR) — request that we limit how we use your data in certain circumstances, for example while a dispute is resolved.
  • Right to data portability (Art. 20 GDPR) — receive your personal data in a structured, machine-readable format (JSON or CSV) and transmit it to another controller.
  • Right to object (Art. 21 GDPR) — object to processing based on legitimate interests, including for direct marketing or profiling.
  • Right not to be subject to automated decision-making (Art. 22 GDPR) — not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not make such decisions about you.
  • Right to lodge a complaint — if you believe we have not handled your data correctly, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or the relevant EU Data Protection Authority in your member state).

7. Security

We implement technical and organizational measures designed to protect information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

8. International transfers

Our servers and subprocessors may be located outside your home country, including in the United States. Where personal data is transferred from the EU/EEA or the UK to a country without an EU adequacy decision, we rely on appropriate safeguards such as the Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46 of the GDPR, or equivalent mechanisms approved under applicable law. By using the Service, you acknowledge that your data may be processed in these jurisdictions. You may request a copy of the relevant transfer mechanisms by contacting us.

9. Cookies

We use cookies and similar technologies to operate and improve the Service. The categories we use are:

  • Strictly necessary cookies — required for authentication and core Service functionality (e.g. session tokens). These cannot be disabled.
  • Analytics cookies — used by PostHog to understand how the Service is used and to improve it. These are loaded only after your consent where required by law.

We do not use advertising or marketing cookies. You can manage cookie preferences through your browser settings. Blocking essential cookies may affect Service functionality.

10. AI and automated processing

HALLMARK.AI uses artificial intelligence and machine learning models to provide its core watermarking and watermark-detection features. Specifically:

  • Watermark embedding — an AI model embeds an invisible signal into image files you submit for this purpose.
  • Watermark verification — an AI model analyzes submitted files to detect whether a watermark signal is present and returns a result to you.

These AI features process only the content you explicitly submit. We do not use AI to make automated decisions about you as an individual that produce legal or similarly significant effects (Art. 22 GDPR). No profiling of users is performed for advertising or behavioral targeting purposes.

11. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete — request deletion of your personal information, subject to certain exceptions.
  • Right to correct — request correction of inaccurate personal information we hold about you.
  • Right to opt out of sale or sharing — we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm.
  • Right to non-discrimination — we will not discriminate against you for exercising any CCPA rights.

We honor Global Privacy Control (GPC) signals. If your browser sends a GPC opt-out signal, we will treat it as a request to opt out of any sale or sharing of personal information.

To exercise your California rights, contact us by email at miliuchenko.oleksii@gmail.com or via the contact form on our website. We will verify your identity before processing your request and respond within 45 days.

12. Children

The Service is not directed to children under 16, and we do not knowingly collect their personal information.

13. Changes

We may update this policy from time to time. We will post the revised version and update the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy where permitted by law.

14. Contact

For privacy questions, email miliuchenko.oleksii@gmail.com or add me on LinkedIn.

Home · Terms of Use