GDPR Compliance

Last updated: March 28, 2026

This page explains how OpenArt Studio (operated by LahoriGames Limited, Company No. 15105974, registered in England & Wales) complies with the General Data Protection Regulation (GDPR) and your rights as a data subject.

1. What is GDPR?

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA.

As a UK-registered business operating post-Brexit, we comply with the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018, as well as the EU GDPR for users located within the EU/EEA.

Our Data Controller is LahoriGames Limited, registered at Companies House, England & Wales (Company Number: 15105974). For all data protection enquiries, contact us at privacy@openartai.io.

2. Lawful Basis for Processing

Under GDPR Article 6, we process your personal data on the following lawful bases:

  • Contract (Art. 6(1)(b)): Processing necessary to provide you with our AI creative services — account creation, content generation, subscription management, and billing.
  • Legitimate Interests (Art. 6(1)(f)): Analytics, fraud prevention, security monitoring, and improving our platform. We conduct balancing tests to ensure our interests do not override your rights.
  • Consent (Art. 6(1)(a)): Marketing emails and personalised advertising cookies. You may withdraw consent at any time without affecting processing already carried out.
  • Legal Obligation (Art. 6(1)(c)): Retaining financial records for HMRC compliance, responding to lawful requests from courts and regulators.

3. Data We Collect & Why

Account & Authentication Data

Email address, display name, profile photo (optional), account creation date. Used to identify you, provide account access, and secure your account. Stored in Google Firebase Authentication.

User-Generated Content

AI prompts you submit, images/videos/stories you generate, characters you create in Character Studio. Stored in Google Firestore and Google Cloud Storage. Retained until you delete them or close your account.

Usage & Analytics Data

Pages visited, features used, generation counts, session duration. Collected via Google Analytics 4 (GA4). Used to improve our platform and understand feature popularity. IP addresses are anonymised.

Payment & Billing Data

Subscription tier, billing history, payment method type (card brand/last 4 digits). Full card details are processed and stored by Stripe (our PCI DSS-compliant payment processor). We never store raw card numbers.

Technical & Device Data

Browser type, operating system, device type, IP address (anonymised for analytics), time zone, referral source. Used for security monitoring, fraud detection, and service optimisation.

Cookie & Tracking Data

Cookies for session management, preferences, analytics (GA4), and advertising (Google AdSense). See our Cookie Policy for full details and opt-out options.

4. Your Rights Under GDPR

Under GDPR Articles 15–22, you have the following rights. To exercise any of them, email privacy@openartai.io. We respond within 30 days (extendable by 2 months for complex requests).

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including the purposes of processing, categories of data, and recipients.

Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten") where there is no legitimate reason for us to continue processing it.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, machine-readable format (JSON/CSV), and transfer it to another service provider.

Right to Restrict Processing (Art. 18)

Request that we restrict the processing of your personal data in certain circumstances — for example, while you contest the accuracy of data.

Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing purposes. We will stop unless we have compelling legitimate grounds.

Right Not to be Subject to Automated Decision-Making (Art. 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you. We do not make such automated decisions about our users.

5. International Data Transfers

Your data is processed in the United Kingdom, United States, and European Economic Area via the following services:

  • Google Firebase / GCP: Data stored on Google Cloud Platform. Google maintains SCCs (Standard Contractual Clauses) for GDPR compliance and is covered under the EU–US Data Privacy Framework.
  • Stripe: Payment processing in the US. Stripe is certified under the EU–US Data Privacy Framework and uses SCCs for international transfers.
  • Google Analytics 4: Analytics data processed by Google LLC (US). IP anonymisation is enabled. Google participates in the EU–US Data Privacy Framework.
  • Google AdSense: Advertising platform operated by Google LLC. Subject to Google's Privacy Policy and GDPR controls.

All international transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Article 46.

6. Data Retention & Security

We retain personal data only as long as necessary for the purposes stated:

  • Account data: Retained for the duration of your account. Deleted within 30 days of account closure request.
  • User-generated content: Retained until you delete it or close your account.
  • Billing records: Retained for 7 years for HMRC tax compliance (legal obligation).
  • Analytics data: Retained for 26 months (GA4 default), then automatically deleted.
  • Support communications: Retained for 3 years from last contact.

Security measures include AES-256 encryption at rest, TLS 1.3 in transit, Firebase Security Rules limiting data access, regular security reviews, and multi-factor authentication options. We maintain a breach notification procedure and will notify affected users and the ICO within 72 hours of discovering a personal data breach.

7. Children's Data

OpenArt Studio is not directed at children under 13 years of age (or 16 years in the EU/EEA where applicable). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@openartai.io and we will delete such data without delay.

8. Complaints & Supervisory Authority

If you are unhappy with how we handle your personal data, please contact us first at privacy@openartai.io. We aim to resolve all complaints within 30 days.

You also have the right to lodge a complaint with your national supervisory authority:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
  • EU/EEA: Your local Data Protection Authority (DPA). Full list at edpb.europa.eu

9. Contact the Data Controller

Data Controller: LahoriGames Limited

Company Number: 15105974 (England & Wales)

Data Protection Email: privacy@openartai.io

General Support: support@openartai.io

Legal: legal@openartai.io