Privacy Policy
Last updated April 11, 2026
1. Data Controller
Loreprint AS
Org. no. 837 410 592
Klaus Hanssens vei 20B, 5053 Bergen, Norway
Email: [email protected]
Loreprint is an AI-powered platform for creating tabletop RPG character art and ordering physical prints. We are the data controller for the personal data described in this policy.
2. What Personal Data We Process, Purposes and Legal Basis
We process personal data only when we have a valid legal basis under the General Data Protection Regulation (GDPR) Article 6. The tables below show what data we collect, what we use it for, and on what basis.
2.1 Account Information
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Create and manage your user account, send order confirmations and necessary service communications | Art. 6(1)(b) — necessary for contract performance |
| Display name and profile picture | Display your identity within the service | Art. 6(1)(b) — necessary for contract performance |
| Authentication provider and ID (Discord or email/password) | Maintain your login session and secure your account | Art. 6(1)(b) — necessary for contract performance |
| IP address | Rate limiting and abuse prevention | Art. 6(1)(f) — legitimate interest in protecting the service from abuse |
2.2 Character and Generation Data
| Data | Purpose | Legal basis |
|---|---|---|
| Character descriptions (text prompts) | Generate AI images based on your description | Art. 6(1)(b) — necessary for contract performance |
| Character metadata (name, race, class, campaign, backstory, level) | Organize and display your characters within the service | Art. 6(1)(b) — necessary for contract performance |
| Generated images | Store and display images in your account, and process them for print production when ordered | Art. 6(1)(b) — necessary for contract performance |
| Reference images (user-uploaded) | Guide AI generation for visual consistency | Art. 6(1)(b) — necessary for contract performance |
| Generation parameters (seed, model settings) | Reproducibility and quality assurance | Art. 6(1)(b) — necessary for contract performance |
2.3 Order and Payment Data
| Data | Purpose | Legal basis |
|---|---|---|
| Shipping address (name, street address, postal code, city, country) | Production and delivery of physical products | Art. 6(1)(b) — necessary for contract performance |
| Order history (products, quantities, prices, fulfillment status) | Order management and customer service | Art. 6(1)(b) — necessary for contract performance |
| Order history (retention after delivery) | Comply with bookkeeping obligations | Art. 6(1)(c) — legal obligation (Norwegian Bookkeeping Act § 13) |
| Payment metadata (Stripe customer ID, payment intent ID) | Process payments and handle refunds | Art. 6(1)(b) — necessary for contract performance |
We never store credit card numbers or full payment details. All payment processing is handled by Stripe.
2.4 Credit and Transaction Data
| Data | Purpose | Legal basis |
|---|---|---|
| Credit balance | Manage your credit usage within the service | Art. 6(1)(b) — necessary for contract performance |
| Credit transactions (purchases, usage, refunds, signup bonus) | Audit log and customer service | Art. 6(1)(b) — necessary for contract performance |
| Credit transactions (retention after account deletion) | Comply with bookkeeping obligations | Art. 6(1)(c) — legal obligation (Norwegian Bookkeeping Act § 13) |
2.5 Technical Data and Security
| Data | Purpose | Legal basis |
|---|---|---|
| Authentication tokens (cookies) | Maintain logged-in state | Art. 6(1)(b) — necessary for contract performance |
| Rate limiting data (request counters per IP) | Protect the service against automated attacks and abuse | Art. 6(1)(f) — legitimate interest in service security and availability |
| Request logs (IP address, timestamp, request type) | Debugging, security monitoring, and operational stability | Art. 6(1)(f) — legitimate interest in stable and secure operations |
| Product analytics events (page views, clicks, feature usage, anonymous or pseudonymous user ID) | Understand how the service is used and improve it | Art. 6(1)(a) — consent, obtained through the cookie banner |
Legitimate interest assessment: For processing based on Art. 6(1)(f), we have assessed that our legitimate interest in protecting the service from abuse and ensuring uptime and operational stability outweighs the privacy impact. The processing is limited to what is necessary for the purpose, and the data involved is of a technical nature with low privacy risk.
Information required for the contract: Some information is necessary for us to create your account, deliver the service, process payment, or ship ordered products. If you do not provide such information, we may be unable to deliver the service or perform the contract.
3. Use of Artificial Intelligence
Loreprint uses AI models from third-party providers to generate images based on text descriptions you provide. The following applies:
- No automated decisions with legal effect. AI image generation is a creative tool you control yourself. No automated decisions are made that have legal effects or similarly significantly affect you (cf. GDPR Art. 22).
- Your descriptions are sent to the AI provider to generate images. Under the provider's standard API terms, inputs and outputs may also be processed for the provider's operation, improvement, and further development of its services, including training and improving AI models.
- Reference images you upload are sent to the AI provider to guide generation, and are subject to the same terms as described above.
- Upscaling of images occurs via a third-party upscaling provider when an ordered product requires higher resolution. Only the generated image is sent — no personal data.
4. Third-Party Providers and Recipients
We use third-party providers to deliver the service. Depending on the provider's role, they act either as data processors on our behalf or as independent data controllers for their own processing activities. Where a provider acts as a data processor, we have entered into a data processing agreement when required by law.
4.1 Named Providers
These providers are named because you as a user have a direct or visible relationship with them:
| Provider | Role | Purpose | Data shared |
|---|---|---|---|
| Stripe, Inc. (USA) | Independent data controller and data processor | Payment processing | Email, shipping address, payment details |
| Gelato AS (Norway) | Data processor | Print production and shipping | Shipping address, order details, print-ready images |
| Black Forest Labs GmbH (Germany) | Independent data controller for own purposes under standard API terms | AI image generation | Text descriptions, reference images |
| Discord, Inc. (USA) | Independent data controller | Authentication (OAuth login) | Discord user ID, display name, avatar |
| PostHog Inc. (EU cloud, Frankfurt) | Data processor | Product analytics and usage measurement | Pseudonymous user ID, page views, click events, device and browser metadata |
4.2 Categories of Other Providers
| Category | Purpose | Data that may be shared |
|---|---|---|
| Cloud database and authentication provider | Database, authentication, account data storage | Account data, characters, orders |
| Image storage and content delivery provider | Image storage and delivery | Generated images, reference images |
| Web hosting provider | Website hosting | IP address, request logs |
| Background job processing provider | Asynchronous order processing and image processing | Order IDs, task metadata |
| Rate limiting provider | Abuse protection | IP addresses, request counters |
| Image upscaling provider | Resolution enhancement for print production | Generated images (no personal data) |
| Email provider | Transactional email (order confirmations, shipping notifications) | Email address, order number |
A complete and up-to-date list of third-party providers and any sub-processors is available upon request by contacting [email protected].
5. Data Transfers Outside the EEA
Some of our third-party providers and recipients are located outside the EEA. Transfers to third countries are safeguarded through:
- EU-US Data Privacy Framework where the provider is certified under the framework.
- EU Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented with necessary additional measures where required following the Schrems II decision.
We do not transfer personal data to countries outside the EEA without a valid transfer mechanism in place. Details on the transfer mechanism per provider are available upon request.
6. Retention Periods
We retain personal data only for as long as necessary for the purpose for which it was collected, or as long as we are legally required:
| Data category | Retention period |
|---|---|
| Account data (email, display name, avatar, authentication data) | As long as the account is active. Deleted or anonymized without undue delay upon account deletion, unless further retention is necessary to comply with legal obligations, handle disputes, or prevent abuse, or is part of backups deleted on the ordinary cycle. |
| Characters, generation data and images | As long as the account is active. Deleted without undue delay upon account deletion, unless they form part of backups deleted on the ordinary cycle. |
| Reference images (user-uploaded) | Deleted from our systems within 24 hours after generation is complete. Not forwarded to print production. |
| Order records and credit transactions | 5 years after the order date/transaction year, in accordance with the Norwegian Bookkeeping Act § 13. Order data is anonymized upon account deletion (email and name are removed), but amounts and transaction details are retained. |
| Payment records | Retained by Stripe in accordance with their retention policies and applicable legal requirements. |
| Print-ready images (derived files for production) | Automatically deleted 30 days after the order is fulfilled. |
| Rate limiting data | Expires automatically within 24 hours. |
| Request logs | Retained by the hosting provider in accordance with their retention policies, typically 30 days. |
7. Your Rights
Under the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act, you have the following rights:
- Access (Art. 15) — You may request a copy of all personal data we hold about you.
- Rectification (Art. 16) — You may request that inaccurate data be corrected. Most data can be updated directly in your account settings.
- Erasure (Art. 17) — You may request that your account and associated data be deleted. Use the "Delete account" option in your account settings. Order records are retained for the period required by law (see table above), but are anonymized.
- Restriction (Art. 18) — You may request that we restrict processing of your data while a complaint or objection is being handled.
- Data portability (Art. 20) — You may request to receive personal data you have provided to us in a structured, commonly used, and machine-readable format.
- Object (Art. 21) — You may object to processing based on legitimate interest (Art. 6(1)(f)). We will then assess whether our legitimate grounds outweigh your interests.
- Withdraw consent — Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing that has already taken place.
How to exercise your rights: Send an email to [email protected]. We will respond within 30 days. To protect your data, we may ask to verify your identity before processing the request.
Complaints: You have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) if you believe we process your personal data in violation of applicable regulations. Contact information can be found at datatilsynet.no.
8. Cookies
Loreprint uses the following categories of cookies:
- Strictly necessary cookies — Maintain your logged-in state and store your cookie consent choice (loreprint-cookie-consent). These are required for the service to function and do not require consent.
- Analytics cookies — Set by PostHog to measure how the service is used (page views, feature interaction, anonymous device identifier). These are only set after you click Accept in the cookie banner, and data is stored in PostHog's EU cloud (Frankfurt).
You can withdraw your consent at any time by clicking Cookie settings in the footer and choosing Reject. Analytics cookies are deleted and no further analytics events are captured.
We do not use advertising or cross-site tracking cookies.
9. Children
Loreprint is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If we become aware that we have collected personal data from a child under 13, we will delete the data without undue delay.
If you are between 13 and 16 years of age, you need consent from a parent or guardian to use the service, in accordance with the Norwegian Personal Data Act § 5.
If you believe a child under 13 has created an account, contact us at [email protected].
10. Information Security
We have implemented appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, and deletion. These measures are reviewed and updated regularly.
We never store card details — all payment processing is handled by our PCI DSS-certified payment provider.
11. Changes to This Policy
We may update this privacy policy to reflect changes in our practices, new processors, or changes in legal requirements. When material changes are made, we will:
- Update the "Last updated" date at the top of this page.
- Notify registered users via email if the change affects the legal basis for processing or introduces new categories of personal data.
We encourage you to review this policy periodically.
12. Contact
For questions about this privacy policy or our data practices:
- Email: [email protected]
- Address: Loreprint AS, Klaus Hanssens vei 20B, 5053 Bergen, Norway
- Org. no.: 837 410 592