Privacy Policy

Effective date: April 17, 2026

1. Introduction

UI Compass LLC ("we", "us", "our") operates LogoNuri. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

The short version: your images never leave your browser. We only collect the minimum data needed for authentication and billing.

2. Data We Collect

When you create an account or use authenticated features, we collect:

  • Email address — Used for passwordless magic link authentication and service notifications.
  • Stripe customer ID — Created when you first start a checkout. Stored in our database to manage your subscription.
  • Session cookie (ll_session) — A functional authentication cookie. The token is SHA-256 hashed before storage.
  • Saved project metadata — If you save a project, we store a project identifier, name, and settings in our database. Free tier supports 1 saved project; Pro supports unlimited. Project asset files are stored in Cloudflare R2 object storage scoped to your account.
  • Published brand kit data — If you (as a Pro user) publish a brand kit to a public URL, the selected assets (e.g., logo.svg, key PNGs, palette metadata) are uploaded to Cloudflare R2 and a record (slug, brand name, view count, status) is stored in our database. You can revoke a share at any time from the app.
  • Canva connection tokens — If you connect a Canva account to enable direct export, we store OAuth access and refresh tokens associated with your account. Tokens can be revoked by disconnecting from the app or by revoking access from Canva.
  • Push notification subscriptions — If you opt in to push notifications, we store the browser-provided push endpoint, public keys (p256dh, auth), and user-agent string so we can deliver notifications. You can unsubscribe at any time from your browser or the app.
  • Bug report submissions — If you submit a bug report through the app, the report contents are forwarded to our GitHub issue tracker (which is public). A hashed record is retained for rate limiting and duplicate detection. Do not include personal or sensitive information in bug reports.
  • Request metadata — IP addresses and a short-lived anonymous device fingerprint are used strictly for rate limiting and abuse prevention. Rate limit records are keyed by minute-bucket and automatically deleted after one hour. Device fingerprints are not used for tracking or advertising.

3. Data We Do NOT Collect

Your images are never transmitted to our servers for processing.

All logo processing — vectorization, background removal, color extraction, favicon generation, AI super-resolution — happens 100% client-side in your browser using WebAssembly and Web Workers. Processing has no upload endpoint. You could disconnect from the internet after the page loads and the tool would still work.

The only time asset files leave your device is if you explicitly choose to save a project (cloud sync to your account) or publish a brand kit (public share URL). Both actions are opt-in and you can delete the data at any time.

We also do not collect:

  • Individual user analytics or behavioral tracking data
  • Third-party tracking or advertising cookies
  • OpenAI API keys — the optional AI Logo Maker uses a bring-your-own-key (BYOK) flow. Your key is held in browser memory only, sent directly from your browser to OpenAI, and is never transmitted to or stored on our servers.

4. How We Use Your Data

  • Authentication — Your email receives magic links for passwordless sign-in.
  • Billing — Your Stripe customer ID links your account to your subscription for payment processing.
  • Session management — The ll_session cookie maintains your authenticated state.
  • Project sync — Saved projects and published brand kits are stored so you can resume work across devices or share via public URL.
  • Third-party exports — Stored Canva OAuth tokens are used solely to push assets to your Canva account when you initiate an export.
  • Push notifications — Stored push subscriptions are used only to deliver notifications you have opted in to (e.g., long-running batch completion).
  • Rate limiting & abuse prevention — IP addresses and device fingerprints protect the service from automated abuse.

5. Third-Party Services

We share limited data with the following third parties, each governed by their own privacy policies:

  • Stripe — Processes payments. Receives your email address and payment information.
  • Resend — Sends transactional email. Receives your email address to deliver magic links.
  • Cloudflare — Hosts the application, CDN, D1 database, R2 object storage, and edge compute infrastructure.
  • Canva — Optional. If you connect a Canva account to enable direct export, we authenticate with Canva via OAuth and transmit generated assets when you initiate an export.
  • OpenAI — Optional. The AI Logo Maker calls OpenAI directly from your browser using a bring-your-own-key (BYOK) flow. Your prompt and API key are sent from your browser to OpenAI; neither is transmitted to or stored on our servers.
  • GitHub — If you submit a bug report through the app, the report contents are forwarded to our public GitHub issue tracker.

6. Cookies

We use a single cookie:

Name Purpose Duration Flags
ll_session Authentication 30 days HttpOnly, SameSite=Lax, Secure (production)

We do not use tracking cookies, third-party cookies, or behavioral analytics. If we add privacy-preserving aggregate analytics in the future, we will update this policy.

7. Data Retention

  • Sessions — Expire after 30 days. Expired sessions are deleted via periodic cleanup.
  • Magic links — Expire after 15 minutes. Expired records are deleted within 1 day.
  • Rate limit records — Keyed by minute-bucket and deleted when older than 1 hour.
  • Device fingerprints — Short-lived, used for abuse prevention only, deleted on the same schedule as rate limit records.
  • Stripe event IDs — Stored for 7 days for webhook idempotency, then automatically deleted. Contains only the event ID and timestamp (no personal information).
  • Saved projects — Retained until you delete the project or your account.
  • Published brand kits — Retained until you revoke the share or delete the project. Revoked slugs are retained for a short period so they can be reclaimed by the same user, then fully deleted.
  • Canva tokens — Retained until you disconnect Canva from the app or delete your account.
  • Push subscriptions — Retained until you unsubscribe, the browser invalidates the endpoint, or you delete your account.
  • Bug report records — Public GitHub issues are retained at GitHub's discretion. Our internal rate-limit records for bug reports follow the standard rate-limit retention.
  • Account data — Retained while your account is active.

8. Data Deletion

You may request deletion of your account and all associated data by contacting us at support@logonuri.com. Upon request, we will delete your email address, Stripe customer ID, sessions, saved projects and associated R2 assets, published brand kits, Canva tokens, and push subscriptions. Bug reports that have already been forwarded to our public GitHub issue tracker remain subject to GitHub's retention; we can only remove the LogoNuri-side rate-limit records for those submissions.

9. Children's Privacy

LogoNuri is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us and we will promptly delete it.

10. International Data

Your data is processed on Cloudflare's global edge network. By using LogoNuri, you consent to the processing of your data in the jurisdictions where Cloudflare operates.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted to this page with an updated effective date. For material changes, we will notify you via the email address associated with your account.

12. Contact

If you have questions about this Privacy Policy, contact us at support@logonuri.com.