IconsCove

Privacy Policy

Last updated: 19 June 2026

1. Who we are

Iconscove is operated by Mantas Gerulskis, Lithuania. For privacy questions, contact privacy@iconscove.com. See our Legal Notice for full contact details.

Mantas Gerulskis is the data controller for personal data collected through this service, as defined under EU GDPR, UK GDPR, and applicable national law.

2. What we collect

  • Account email address and Google profile data (name, avatar URL) via Google OAuth.
  • Text prompts and parameters you submit for icon generation.
  • Generated images (stored in Supabase Storage on our behalf).
  • Payment metadata: Stripe Customer ID, billing country, last 4 card digits. We never store full card details.
  • Credit balance and transaction history.
  • Subscription state (active plan, renewal dates).
  • IP address and basic request telemetry (transient — processed by hosting infrastructure).
  • Aggregate, anonymous usage and performance metrics (page views, Web Vitals) via Vercel Analytics and Speed Insights — cookieless and not linked to your identity.
  • Newsletter opt-in status and, if subscribed, your email in our mailing list.
  • Browser session activity for error monitoring (masked — see §8 below).
  • Promo code, if you use one (stored in a short-lived cookie and our database).
  • Support correspondence, if you contact us.

3. How we use it

  • Providing the service: account management, AI icon generation, generation history.
  • Payment processing and credit management via Stripe.
  • Preventing abuse, fraud, and misuse of the platform.
  • Error monitoring, debugging, and service stability (including Sentry session replay).
  • Understanding aggregate usage and site performance (Vercel Analytics and Speed Insights).
  • Customer support when you contact us.
  • Legal compliance (responding to lawful requests, retaining records required by law).
  • Sending product updates and newsletters, if you opted in.

4. Legal basis (GDPR Art. 6)

Processing activityLegal basis
Account creation and service operationContract performance — Art. 6(1)(b)
Payment processing and invoicingContract + legal obligation — Art. 6(1)(b) + (c)
Error monitoring, fraud prevention, security, Sentry session replayLegitimate interests — Art. 6(1)(f). Interest: maintaining a secure, stable service. Mitigated by text masking and media blocking in Sentry.
Aggregate, cookieless usage and performance analyticsLegitimate interests — Art. 6(1)(f). Interest: understanding usage and improving performance. Anonymous and cookieless; no cross-site tracking.
Newsletter and marketing emailsConsent — Art. 6(1)(a). Withdraw any time in account settings.
Promo codes and referral trackingContract / legitimate interests — Art. 6(1)(b)+(f)
Compliance with legal obligationsLegal obligation — Art. 6(1)(c)

5. Subprocessors

We share data with the following subprocessors who process personal data on our behalf. All are bound by Data Processing Agreements. Full details are on our Subprocessors page.

  • Vercel Inc. — hosting, edge delivery, and privacy-friendly analytics
  • Supabase Inc. — authentication, database, file storage
  • Stripe, Inc. — payment processing
  • Replicate, Inc. — AI image generation (prompts are sent to Replicate)
  • Functional Software, Inc. (Sentry) — error monitoring and session replay
  • Resend — transactional and newsletter email
  • Upstash — Redis-based rate limiting
  • Google LLC — OAuth identity provider

6. International transfers

Most of our subprocessors are based in the United States. Transfers of personal data outside the EU/EEA rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU–U.S. Data Privacy Framework. Copies of applicable SCCs are available from each subprocessor's DPA documentation (see Subprocessors).

7. AI processing

When you generate icons, your text prompts and any selected parameters are sent to Replicate, Inc. for AI inference. Replicate may log inputs per their own privacy policy and data retention schedule. Generated image outputs are downloaded from Replicate and stored in Supabase Storage on our behalf. We do not use your prompts or outputs to train AI models.

8. Error monitoring and session replay

We use Sentry for error monitoring and, on a subset of sessions, session replay. Session replay is configured with:

  • maskAllText: true — all text on the page is replaced with asterisks before transmission. We cannot read your prompts or any other text.
  • blockAllMedia: true — images and media are not captured.
  • 10% random session sampling; 100% capture when an error occurs.
  • Data retained by Sentry for 60 days by default.

The legal basis is legitimate interest (Art. 6(1)(f)): maintaining a stable, secure service without processing the actual content of your sessions. To opt out of session replay, email privacy@iconscove.com.

9. Cookies

We set the following cookies:

CookiePurposeCategory
sb-*-auth-tokenSupabase session (authentication)Strictly necessary
promo_codePersists a referral/promo code across the OAuth round-trip (max 1 hour)Strictly necessary / functional

We set no advertising, analytics, or marketing cookies. Our analytics (Vercel Analytics and Speed Insights) are cookieless — they collect only aggregated, anonymous usage and performance data and store nothing on your device. Because all cookies we set are strictly necessary for the service to function, EU law does not require consent before setting them.

10. Data retention

  • Active account data: retained until you delete your account.
  • On account deletion: your email, prompts, generations, transaction history, and subscription data are deleted from our database. A tombstone of your hashed email is retained to prevent referral-abuse re-registration.
  • Stripe records: retained by Stripe per their own retention policy (typically as long as legally required for financial records). Stripe customer email is redacted when you delete your account.
  • Sentry: error events and session replays are retained for 60 days and then automatically purged.
  • Vercel access logs: retained for 1 hour to 30 days depending on plan tier.
  • Supabase backups: retained for 7–30 days depending on plan.
  • Replicate: prediction inputs are stored per Replicate's own retention policy. We do not control retention on Replicate's side.

11. Your rights

Under GDPR and applicable national law, you have the right to:

  • Access — obtain a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten") — request deletion of your data.
  • Restriction — request that we limit processing.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — withdraw newsletter consent at any time via account settings; this does not affect the lawfulness of prior processing.
  • Complain — lodge a complaint with your national supervisory authority. For Lithuanian residents, this is the State Data Protection Inspectorate (VDAI) at vdai.lrv.lt.

12. How to exercise your rights

Email privacy@iconscove.com from the address associated with your account. We will respond within 30 days. Account deletion is also available directly from the account settings page.

13. Children

This service is not directed at children under 16. Account creation requires Google OAuth, which is subject to Google's own age verification policies. If we become aware that personal data has been collected from a child under 16 without appropriate consent, we will delete it promptly.

14. Changes to this policy

Material changes will be announced by email and via an in-app banner at least 14 days before they take effect. Non-material updates (clarifications, typos) are indicated by an updated “Last updated” date. Continued use after the effective date constitutes acceptance of the revised policy.

15. Contact

For privacy questions: privacy@iconscove.com
For all other legal matters: legal@iconscove.com