c4molegal
HOME
DRAFT · PENDING LEGAL REVIEW

This policy has not been reviewed by a privacy lawyer. Placeholders marked [PLACEHOLDER] require specific values before this document is finalized.

Privacy Policy

Last updated: 2026-04-14

This Privacy Policy describes how c4mo (“c4mo”, “we”, “us”, or “our”) collects, uses, and shares information when you use c4mo.com and related services. We keep data collection minimal and do not sell personal information.

1. Information we collect

When you sign in or use the service, we collect:

  • Account identifiers from your OAuth provider: email address, display name, profile image URL. We never see or store your OAuth provider password.
  • Billing information (Pro only):Stripe customer ID, subscription status. Payment card details are handled entirely by Stripe and never touch c4mo’s servers.
  • Usage data: the jobs you run, the parameters you submit, the plugins you select, and the resulting images.
  • Plugin uploads: WebAssembly binaries you upload and the schema they expose.
  • Technical data: IP address (for rate limiting and abuse detection), request timestamps, and error logs. IP addresses are not retained beyond 30 days unless associated with a specific abuse event.

2. How we use information

We use the information we collect to:

  • Provide, maintain, and improve the service.
  • Authenticate you and maintain your session.
  • Process Pro subscription payments through Stripe.
  • Enforce usage quotas and detect abuse (rate limiting, concurrent job limits, daily caps on anonymous demo usage).
  • Render your job history and export archives on request.
  • Respond to support requests, legal obligations, and security incidents.

3. Third-party service providers

c4mo relies on a small set of infrastructure providers. These providers process data on our behalf and are bound by their own privacy and security obligations:

  • Fly.io — application hosting. Request IPs are visible to Fly for routing.
  • Neon — managed PostgreSQL database. Stores user records, job metadata, and plugin metadata.
  • Cloudflare R2 — object storage. Stores plugin WASM binaries and result images.
  • Stripe — billing and subscription management. Handles payment method details directly.
  • Google and GitHub — OAuth sign-in providers. c4mo receives only the account identifiers listed in Section 1.

We do not share data with advertisers or analytics services. c4mo does not use third-party tracking cookies.

4. Cookies

c4mo uses cookies only for essential authentication and session management. Specifically:

  • authjs.session-token— your signed-in session as a JSON Web Token.
  • authjs.csrf-tokenand related short-lived cookies — cross-site request forgery protection during sign-in.
  • A theme preference cookie to remember light / dark selection.

We do not use cookies for tracking, advertising, or analytics.

5. Data retention

We retain personal data for as long as your account is active. When you request account deletion, your data enters a 30-day soft-delete grace period during which you can restore. After 30 days, your user record, jobs, uploaded plugins, and result images are permanently deleted from Neon and Cloudflare R2.

Stripe retains payment and transaction records per its own policies and applicable financial regulations, separate from c4mo’s retention.

6. Your rights

You have the right to:

  • Access the data we hold about you. The /api/account/export endpoint returns a ZIP archive containing your account manifest and result images.
  • Correct inaccurate data by updating it through your OAuth provider.
  • Delete your account, which initiates the deletion flow described in Section 5.
  • Restrict or object to processing as permitted by applicable law.

[PLACEHOLDER] Residents of jurisdictions with specific privacy rights (GDPR, CCPA) may have additional rights including data portability and the right to lodge a complaint with a supervisory authority. See Section 9 for contact details.

7. Children

c4mo is not directed at children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us and we will delete it.

8. Security

We use industry-standard security practices including encrypted transport (TLS), encrypted database backups, scoped object storage credentials, and password-less authentication via OAuth. No system is perfectly secure; c4mo cannot guarantee the security of information transmitted over the internet.

9. Changes and contact

We may update this Privacy Policy from time to time. Material changes will be announced in-app at least 14 days before they take effect.

[PLACEHOLDER] Privacy questions or data requests? Contact us at [email protected]. If you are in the EU, you may contact our EU representative at [EU rep address]. If you are in the UK, you may contact our UK representative at [UK rep address].