Privacy Policy
Last updated: May 25, 2026
This Privacy Policy explains what data TLWR ("we", "us", "the Service") collects, where it is stored, and what rights you have over it. We apply the principle of data minimization: we collect only what is necessary to operate the Service.
1. Two Environments: Your Device vs. Our Servers
TLWR consists of two connected parts — the editor (a browser application that runs on your device) and the portal (the website, gallery, and personal account). They have fundamentally different data flows, and it is important to understand which data stays on your device and which data reaches our servers.
What stays on your device (editor)
- Project files — scenes, characters, presets, timelines, and all project assets are stored in folders you select on your own file system. We never upload the content of your private projects to our servers unless you explicitly initiate a Publish action.
- Editor settings and global preferences — interface configuration, editor layout, and workflow preferences are stored locally in a settings folder on your device.
- Third-party API keys — if you enter API keys for external AI services (such as OpenAI), they are saved locally in a settings file on your device. These keys are never transmitted to TLWR servers.
- Working session data — undo/redo history, unsaved state, and editor cache are stored in the browser's IndexedDB (a local database inside your browser). This data does not leave your device.
What is transmitted to our servers (portal & account)
- Account registration data (email, chosen username)
- Profile information you fill in voluntarily (display name, bio, public contacts)
- Content you explicitly publish to the public gallery
- Collections (bookmarks) and publication preferences you set in your account
- Anonymized analytics events (see §6)
2. Local Storage Technologies
The TLWR editor uses several browser storage mechanisms. Under the EU ePrivacy Directive, these are treated equivalently to cookies. All usage described below is strictly necessary for the Service to function and does not require additional consent.
| Technology | What is stored | Leaves your device? |
|---|---|---|
| localStorage | Editor preferences, language and theme selection, UI state flags | No |
| IndexedDB (Dexie) | Project working data, asset cache, undo history, temporary render state | No |
| File System Access API | Read/write access to project folders you explicitly select in the file picker. The browser requests your permission before any folder access is granted. | No — file content stays local unless you publish |
| Auth cookies (sb-access-token, sb-refresh-token) | Authentication session with Supabase (set only after account sign-in) | Sent to Supabase auth servers only, scoped to .tlwr.app |
| tlwr_locale cookie | Your language preference (ru / en) | No |
We do not use advertising cookies, social media pixels, fingerprinting scripts, or any form of cross-site tracking.
3. Account Data (Registered Users)
Creating an account is optional. If you register, we collect and store the following on our servers:
| Data | Purpose | Mandatory? |
|---|---|---|
| Email address | Authentication, account notifications, password recovery | Yes |
| Username | Public profile identifier | Yes |
| OAuth provider ID | Sign-in via Google / Discord / GitHub (if used) | Only if OAuth sign-in is chosen |
| Display name, avatar, bio | Public profile page | No — optional |
| Public contact links | Shown on your public profile if you add them | No — optional |
| Subscription tier and token balance | Service access, quota management | Yes (system-generated) |
| Publication metadata | Gallery listing: title, description, tags, content type, NSFW flag | Only for published content |
| Collections (bookmarks) | Your saved gallery items — visible only to you | No — optional |
| Project list snapshot | The editor periodically sends a list of your local project names and a hash of their paths to display in your dashboard. Project content is never included. | No — optional, can be disabled |
4. Published Content
When you publish content to the public gallery, the media files (images, audio, project archives) are uploaded to Cloudflare R2 (object storage) and the associated metadata is stored in our database. Published content is publicly accessible by default unless you set visibility to "Unlisted" or "Private".
You can delete your publications at any time from your dashboard. Deleted files are removed from public access immediately and permanently purged from storage within 30 days.
We do not use your content to train AI models. We do not sell, license, or share your content with third parties for commercial purposes.
5. How We Use Your Data
- To provide and operate the Service (authentication, gallery, account features)
- To enforce subscription quotas and platform limits
- To send transactional notifications: account activity, quota warnings, moderation decisions (not marketing unless you opt in)
- To detect and remove content that violates our Terms of Service (automated NSFW screening + human moderation)
- To comply with legal obligations
We do not sell your personal data. We do not use it for advertising.
6. Analytics
We use Umami (Umami Cloud, EU-hosted) for website analytics. Umami collects no personal data and sets no cookies or tracking identifiers. Only anonymized aggregate statistics are recorded (page views, referrer country, browser type). No individual user profiles are created.
You can opt out by enabling the Do Not Track (DNT) header in your browser settings — Umami respects this signal.
We do not use Google Analytics, Meta Pixel, or any other third-party behavioral tracking tool.
7. Third-Party Services
We use the following sub-processors. Each has a Data Processing Agreement (DPA) in place that requires them to handle data in accordance with GDPR.
| Service | Purpose | Data processed | Region |
|---|---|---|---|
| Supabase | Authentication, database (user profiles, publications, collections) | Email, profile data, publication metadata | EU (Frankfurt) |
| Cloudflare R2 | Media file storage (published images, audio, project archives) | Published media files | EU / US (configurable) |
| Cloudflare CDN / WAF | Content delivery, DDoS protection, TLS termination | IP addresses (short-term logs, not linked to accounts) | Global edge |
| Umami Cloud | Anonymous analytics | Anonymized page view data, no personal data | EU |
| Resend | Transactional email (account notifications, password recovery) | Email address, notification content | EU |
| Payment processor | Subscription billing | Payment details (not stored by us — handled directly by the processor) | Per processor's policy |
8. Data Retention
| Data | Retention |
|---|---|
| Account data (profile, email) | Until account deletion, then purged within 30 days |
| Published media files | Until deleted by the user or moderation removal, then purged within 30 days |
| Publication metadata | Until account deletion or manual deletion |
| Collections and bookmarks | Until account deletion |
| Moderation and audit logs | 2 years (required for legal compliance and appeals) |
| Cloudflare access logs (IP addresses) | Up to 30 days — not linked to user accounts |
| Billing records | 7 years (tax and accounting legal requirement) |
9. Your Rights (GDPR / CCPA)
If you are a resident of the European Union, EEA, United Kingdom, or California, you have the following rights regarding your personal data:
- Right to access — you can request a copy of all personal data we hold about you.
- Right to rectification — you can correct inaccurate information directly in your account settings, or by contacting us.
- Right to erasure ("right to be forgotten") — you can delete your account and all associated data from your account settings. We will process the deletion within 30 days.
- Right to data portability — you can request an export of your data in a machine-readable format (JSON).
- Right to restrict processing — you can ask us to stop processing your data while a dispute is resolved.
- Right to object — you can object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent (e.g., marketing emails), you can withdraw at any time.
To exercise any of these rights, email us at privacy@tlwr.app. We will respond within 30 days. We may ask you to verify your identity before processing the request.
You also have the right to lodge a complaint with your local data protection authority (for EU residents: your national DPA; for UK residents: the ICO).
10. Security
- All data in transit is encrypted via TLS 1.3.
- Authentication tokens are stored in HttpOnly Secure cookies (inaccessible to JavaScript).
- Media uploads use one-time presigned URLs — files are written directly to storage without passing through our application servers.
- Access to all data is governed by Row-Level Security (RLS) policies in the database — queries return only data the requesting user is authorized to see.
- Privileged actions (moderation, admin operations) are logged in an append-only audit log.
In the event of a data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Article 33.
11. Children's Privacy
The Service is not directed to children under 13 (or under 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@tlwr.app and we will delete it promptly.
12. Changes to This Policy
We may update this policy as the Service evolves. Material changes will be communicated via email (for registered users) and a notice on this page. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
13. Contact
For any privacy-related questions, data requests, or concerns, contact us at:
We aim to respond to all requests within 5 business days, and no later than 30 days as required by law.