PRIVACY POLICY
Last updated: May 20, 2026
This Privacy Policy describes how Project Reskin ("Company," "we," "us," "our") collects, uses, and discloses information about you when you visit, use, or purchase from projectreskin.com or any other site, product, or service that links to this Privacy Policy (collectively, the "Services").
We aim to handle as little personal data as possible. The headline:
- The code you paste into the marketing-page diagnostic stays in your browser. It is analyzed locally on your device and never transmitted to our servers.
- The code you paste into the authenticated reskin engine is transmitted to our server and to our AI sub-processor (Anthropic) for inference, then discarded. We do not retain your paste or the generated Output beyond the duration of the request; only a non-reversible hash is stored as a receipt. See §3 for the full processing detail.
- We do not run third-party analytics, advertising trackers, or fingerprinting on the Services. The only cookies we set are the strictly necessary cookies our authentication provider uses to keep you signed in.
- When you purchase or sign in, we collect the minimum information required to authenticate you, process your payment, and operate your account.
By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Services.
TABLE OF CONTENTS
- INFORMATION WE COLLECT
- INFORMATION WE DO NOT COLLECT
- HOW WE PROCESS YOUR CODE
- HOW WE USE INFORMATION
- HOW WE SHARE INFORMATION
- THIRD-PARTY SUB-PROCESSORS
- DATA RETENTION
- DATA SECURITY
- INTERNATIONAL TRANSFERS
- YOUR RIGHTS
- CALIFORNIA RESIDENTS (CCPA / CPRA)
- EUROPEAN AND UK RESIDENTS (GDPR / UK GDPR)
- COOKIES AND TRACKING
- CHILDREN
- CHANGES TO THIS POLICY
- CONTACT US
1. INFORMATION WE COLLECT
Information you provide directly
- Account information. When you register for an account, we collect your email address. We use magic-link authentication; we do not collect, generate, or store passwords. Optional profile fields (for example, a custom accent color preference) are collected only if you choose to provide them.
- Payment information. When you make a purchase, our payment processor (Stripe) collects the information required to process the transaction, including your name, billing address, and payment-card details. We do not receive or store your full payment-card number, CVV, or expiration date. We do receive and store a Stripe customer identifier and the email address associated with the purchase so we can link payments to your account.
- Inputs. When you submit source code, screenshots, or other material to the Service for reskinning ("Inputs"), we receive that material so we can generate the reskinned Output. Inputs are processed as described in §3, §4, and §6 below. Inputs you submit to the marketing-page diagnostic on projectreskin.com are analyzed locally in your browser and are not transmitted to our servers; see §3 for the full distinction between the diagnostic and the authenticated reskin engine.
- Support and feedback communications. If you email us or fill out a contact form, we receive the contents of that message and your email address.
Information collected automatically
- Authentication session cookies. When you sign in, our authentication provider (Supabase) sets cookies on your device that identify your session. These cookies are strictly necessary to keep you signed in and to associate your usage with your account.
- Server logs. Like most websites, our servers and hosting providers automatically log standard information about requests made to the Services, including IP address, user-agent string, request path, response status, and timestamps. We use these logs to operate the Services, debug errors, and detect abuse.
- Usage records. When you submit a reskin request to the authenticated Service, we record metadata about the request (for example: input size category, target sector, model token counts, computational cost, credits charged, outcome, and timestamp). These records do not contain the contents of your Inputs or Outputs.
- Billing records. When you complete a purchase, we record the product purchased, credit balance changes, and the Stripe customer and charge identifiers.
2. INFORMATION WE DO NOT COLLECT
We want to be explicit about what we do not do:
- We do not transmit code pasted into the public marketing-page diagnostic to our servers. That diagnostic runs as JavaScript in your browser using regular-expression analysis and stays on your device. You can verify this by inspecting network requests from projectreskin.com in your browser's developer tools. See §3 for the full processing detail.
- We do not run third-party analytics, advertising trackers, or fingerprinting libraries on the Services.
- We do not sell or rent your personal information to data brokers or advertisers.
- We do not use your personal information to train AI models, our own or anyone else's. See §6 for our AI sub-processor's policy on the same point.
- We do not require, ask for, or want sensitive personal data in your Inputs. Submitting personally identifiable information of third parties, payment-card data, government identifiers, health information, or other sensitive personal data through the Service is prohibited by our Terms of Use §10.
3. HOW WE PROCESS YOUR CODE
Project Reskin has two paste surfaces, and they handle your code very differently. This section is a side-by-side reference; the underlying rules live in §1 (Information We Collect), §2 (Information We Do Not Collect), §6 (Sub-processors), and §7 (Data Retention).
Marketing diagnostic — projectreskin.com
The diagnostic on our marketing site analyzes pasted JSX or HTML to surface a structural read (estimated element counts, detected component shapes, color extraction, framework hint). It runs entirely in your browser as JavaScript using regular-expression and keyword heuristics — no API call, no server transit, no third-party service involvement. We do not receive your paste; nothing is stored on our side. You can verify by inspecting network activity in your browser's developer tools while the diagnostic runs.
Authenticated reskin engine — dashboard.projectreskin.com
Inside the authenticated dashboard, the reskin engine transforms your paste into the Hardware aesthetic using a large-language-model service.
- Transit. Your paste is POSTed from your browser to our server route at /api/reskin, which forwards it to Anthropic's Claude API (see §6). The reskinned Output streams back to your browser in real time as a sequence of newline-delimited JSON events; it is not buffered to disk on our infrastructure.
- Server-side retention. We do not persist the contents of your paste or the generated Output. We do write a single metadata row per terminal reskin to our database — the receipt that appears in your dashboard history — containing timestamp, sector, throttle color, outcome, and a SHA-256 hash of your input and output, truncated to 16 hexadecimal characters. These hashes are not reversible to the original content; they let us surface a history list, deduplicate, and audit credit usage without retaining the underlying text. If a reskin fails mid-stream, we record the failure outcome with the input hash only.
- Sub-processor retention. Anthropic's retention of API inputs is governed by Anthropic's policies and is described in §6 and §7.
4. HOW WE USE INFORMATION
We use the information we collect to:
- Provide and operate the Services, including authenticating your sessions, processing your reskin requests, and delivering Outputs.
- Process your payments and manage your account (credits, license status, refund handling).
- Respond to your support requests and communicate with you about the Services.
- Monitor, debug, and improve the Services, including detecting and preventing fraud, abuse, and security incidents.
- Send transactional communications (purchase confirmations, magic-link sign-in emails, refund notices, material changes to these policies). We do not send marketing email without separate, opt-in consent.
- Comply with legal obligations, enforce our Terms of Use, and protect our rights, our users, and the public.
We do not use your Inputs, Outputs, account name, company name, logo, or screenshots derived from your use of the Services in our marketing materials unless you opt in. Opt-in is granted only through an affirmative in-product control (such as a checkbox or toggle) or through a clearly attributable written confirmation responding to a request from us. Each opt-in is scoped to the specific material it covers. You may withdraw consent at any time as described in our Terms of Use §2.
Legal bases for processing under GDPR (see §12) are: performance of a contract, legitimate interests (security, fraud prevention, service improvement), and where applicable, consent.
5. HOW WE SHARE INFORMATION
We share personal information only in these specific cases:
- With sub-processors that operate the Services on our behalf. See §6 for the current list.
- With your direction or consent. If you ask us to disclose information to a third party, we will do so.
- For legal reasons. We may disclose information if we believe in good faith that disclosure is required by law, legal process (such as a subpoena or court order), or to protect the rights, property, or safety of Project Reskin, our users, or the public.
- In connection with a business transfer. If we sell, merge, or transfer all or part of the business, personal information may be transferred as part of that transaction. We will provide notice and require any successor to honor commitments made in this Privacy Policy.
We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising.
6. THIRD-PARTY SUB-PROCESSORS
We rely on a small set of third-party service providers ("sub-processors") to operate the Services. Each sub-processor processes only the information needed for its specific function and is bound by contractual confidentiality and data-protection obligations.
| Sub-processor | Purpose | Categories of data | Location |
|---|---|---|---|
| Vercel | Hosting and edge delivery for the Site and authenticated Service | IP address, user-agent, request metadata | United States |
| Supabase | Authentication (magic-link OTP) and database (account, license, usage records) | Email address, account identifiers, session cookies, usage and billing metadata | United States |
| Stripe | Payment processing and customer billing | Name, billing address, payment-card details, email, transaction history | United States and other jurisdictions where Stripe operates |
| Anthropic, PBC | AI inference for the reskin engine (Claude API) | Inputs you submit to the authenticated reskin engine; no account or payment data | United States |
| ImprovMX | Email forwarding for support@ and legal@ addresses | Sender email, message contents | United States and EU |
Anthropic specifically does not train its models on customer content submitted via its API. Anthropic's Commercial Terms of Service (effective June 17, 2025) provide that "Anthropic may not train models on Customer Content from Services." See Anthropic's Commercial Terms of Service and Privacy Policy for additional detail on their handling of API inputs.
We will update this list when we add, remove, or replace a sub-processor. If you have purchased a Founder Pass and we add a new sub-processor that materially changes how your Inputs or account data are handled, we will notify active license-holders by email at least 14 days before the change takes effect.
7. DATA RETENTION
We retain personal information only as long as needed to provide the Services and comply with our legal obligations:
- Account information. Retained for as long as your account is active. If you delete your account (§10), we delete or anonymize your account information within 30 days, except where retention is required by law (for example, tax records associated with completed purchases).
- Usage records. Retained for the life of the license for billing audit and credit reconciliation. Anonymized aggregates may be retained longer for service-improvement analytics.
- Inputs submitted to the authenticated reskin engine. Inputs are processed in-memory for the duration of the reskin request and transmitted to our AI sub-processor. We do not persist Inputs in our database; only the truncated SHA-256 hash described in §3 is retained. Anthropic's retention of API inputs is governed by Anthropic's policies; as of the date of this Policy, Anthropic retains API inputs for up to 30 days for abuse-monitoring purposes and does not use them to train models.
- Outputs. Outputs are returned to you and not retained on our servers beyond the duration of the request, except for the truncated SHA-256 hash described in §3.
- Billing records. Retained for at least seven (7) years to satisfy tax and accounting requirements. Stripe retains payment data per its own retention schedule.
- Server logs. Retained for up to 90 days for security and operational purposes, then deleted or rotated.
- Support communications. Retained for up to two (2) years from last contact, then deleted unless required for an ongoing matter.
8. DATA SECURITY
We take reasonable technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. Measures include encryption in transit (TLS), encrypted storage at our sub-processors, principle-of-least-privilege access controls, magic-link authentication (no passwords to compromise), and row-level security in our database.
No method of transmission over the internet or storage system is 100% secure. We cannot guarantee absolute security and you use the Services at your own risk. If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify affected users and applicable regulators as required by law.
9. INTERNATIONAL TRANSFERS
If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States and in any other country where our sub-processors operate. By using the Services, you consent to the transfer of your information to countries that may have different data-protection laws than your country of residence.
Where required by law, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) for transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States.
10. YOUR RIGHTS
Regardless of where you live, you may:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete personal information.
- Delete your account and the personal information associated with it, subject to the retention exceptions in §7.
- Export a copy of your account, usage, and billing records in a portable format.
- Withdraw consent to any processing based on consent, without affecting the lawfulness of prior processing.
- Object to or restrict certain processing, including processing based on legitimate interests.
To exercise any of these rights, email us at support@projectreskin.com from the email address associated with your account. We will respond within 30 days. We do not charge a fee for these requests unless they are manifestly unfounded or excessive. We will not discriminate against you for exercising any of these rights.
If we cannot verify your identity from the information you provide, we may request additional information to confirm you are the account holder before acting on the request.
11. CALIFORNIA RESIDENTS (CCPA / CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Categories of personal information we collect. In the past 12 months we have collected the following categories of personal information described in the CCPA: identifiers (email, account ID, IP address); commercial information (purchases and credit balances); internet or other electronic network activity information (server logs, session cookies); and inferences drawn from the foregoing only as needed to operate and secure the Services.
Sources. We collect this information directly from you, automatically when you use the Services, and from our sub-processors (Stripe, Supabase).
Business purposes. We use this information for the purposes described in §4.
Sale and sharing. We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA.
Sensitive personal information. We do not collect sensitive personal information as defined by the CPRA, and our Terms of Use prohibit submitting such information through the Service.
Your CCPA rights. You may exercise the rights described in §10, which include rights to know, access, delete, correct, and opt out of any sale or sharing (which we do not engage in). To make a request, follow the process in §10. You may also designate an authorized agent to make a request on your behalf; we may require verification of the agent's authority.
Right to non-discrimination. We will not deny you services, charge you a different price, or provide a different level of quality because you exercised any of these rights.
12. EUROPEAN AND UK RESIDENTS (GDPR / UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following additional disclosures apply.
Controller. Project Reskin is the controller of personal information collected through the Services. Contact details are in §16.
Legal bases. We process your personal information on the following legal bases:
- Performance of a contract — to provide the Services you have purchased and to operate your account.
- Legitimate interests — to secure the Services, prevent fraud and abuse, improve the Services, and communicate with you about service changes. We balance these interests against your rights and freedoms.
- Consent — where you have given consent (for example, optional features you opt into). You may withdraw consent at any time.
- Legal obligation — where processing is required to comply with a legal obligation we are subject to.
Your rights. In addition to the rights described in §10, you have the right to lodge a complaint with your local supervisory authority. We invite you to contact us first so we can address your concerns directly.
International transfers. As described in §9, your information is transferred to the United States. Where required, we rely on Standard Contractual Clauses to safeguard those transfers.
13. COOKIES AND TRACKING
We use only strictly necessary cookies. These cookies are required for the Services to function and are not used for analytics or advertising.
- Authentication cookies. Set by Supabase when you sign in. These keep you signed in across pages and expire when your session ends or you sign out.
- Session-state cookies. Short-lived cookies that may be set to manage in-flight actions (for example, a checkout in progress).
We do not set tracking cookies, advertising cookies, or third-party analytics cookies. We do not use browser fingerprinting techniques.
Because we use only strictly necessary cookies, we do not display a cookie consent banner. If we add any non-essential cookies in the future, we will present a consent banner before setting them and update this Policy.
14. CHILDREN
The Services are not directed to and may not be used by anyone under 18 years old. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete that information promptly. If you believe a child has provided personal information to us, please contact support@projectreskin.com.
15. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this Policy. For material changes, we will provide additional notice — typically by email to active account holders at least 14 days before the change takes effect — so you have time to review the change before it applies to you.
16. CONTACT US
If you have questions about this Privacy Policy or want to exercise any of the rights described above, contact us at:
Project Reskin
General privacy and account requests: support@projectreskin.com
Legal and formal notices: legal@projectreskin.com