Privacy Policy – Lights & Colors

Last updated: 2025-08-18
Domain: lightsandcolors.art • Contact: kunsttherapieblog@gmail.com

---

1. Data Controller

The data controller is the owner of the service Lights & Colors, available at
https://www.lightsandcolors.art (hereinafter: “Service”).
For data protection matters, you can contact us at:
kunsttherapieblog@gmail.com.

2. Scope of Application

This policy describes data processing related to the use of the Service (web application/blog) and user accounts.

3. What Data We Collect

3.1. Registration and Local Login

• email address
• display name (if provided)
• password – stored only as a hash using Argon2 (we do not store plain-text passwords)

3.2. Login via Google (OAuth 2.0)

Scope of permissions: email and profile (name and avatar).

• we store: email address, name, avatar URL
• we do not receive or store your Google password
• we do not store long-term Google tokens (access/refresh) in our database

3.3. Technical Data and Logs

For security and maintenance purposes, we may process: IP address (from X-Forwarded-* headers), timestamps, request identifiers, basic error logs.

3.4. User Content

Any content added to the Service (e.g. posts, images, comments) is processed in order to provide the publishing and account management service.

4. Data Sources

• directly from you (registration/local login, profile editing, adding content)
• from Google – if you log in via Google OAuth within the scope of email and profile

5. Purposes and Legal Basis of Processing

• Authentication and account management – to enable login and use of the Service (Art. 6(1)(b) GDPR)
• Security and maintenance (rate limiting, logs, moderation) – our legitimate interest (Art. 6(1)(f) GDPR)

We do not conduct behavioral marketing or profiling.

6. Abuse Detection and Moderation Support (OpenAI)

To prevent abuse (e.g. spam, hateful content, incitement to violence) and to maintain service quality, we use OpenAI API as a data processor.

We only transfer the minimum necessary data, mainly user-submitted content for moderation and technical metadata required for classification.

• Decisions are not fully automated – every case flagged by the system is verified by a human
• A moderator may also manually mark content as violating the rules
• We do not provide data for model training – data is used exclusively for classification/moderation purposes

Details on OpenAI’s side: openai.com/policies

7. Data Recipients and Processors

• Supabase – database (PostgreSQL), AWS region eu-north-1 (Stockholm, EEA)
• Vercel / Railway – application hosting
• Upstash (Redis) – task queues (BullMQ); TLS-encrypted connections
• OpenAI – automated content classification
• Google – identity provider (OAuth, independent data controller)

We do not sell data.

8. Data Transfers Outside the EEA

Data is stored in the EEA (Supabase eu-north-1).
If exceptionally transferred outside the EEA, appropriate safeguards are applied (e.g. Standard Contractual Clauses).

9. Data Retention

• account (email, name, avatar) – until account deletion
• technical logs – typically 30 days
• queues (Upstash) – temporarily

10. Security Measures (Summary)

• HTTP headers (helmet): CSP, HSTS, X-Frame-Options, nosniff
• restrictive CORS
• data validation (ValidationPipe)
• authentication via JWT (Authorization header, no cookies)
• local passwords stored as Argon2 hash
• Google OAuth login limited to (email, profile)
• rate limiting, TLS, proxy-aware IP (X-Forwarded-*)

11. Your Rights

You have the right to: access, rectification, erasure (“right to be forgotten”), restriction, data portability, and objection.

We may refuse full erasure in case of abuse (Art. 17(3) GDPR) – in such cases we retain a minimal dataset (email, IP, logs).

Requests: kunsttherapieblog@gmail.com.

12. Cookies

We use JWT tokens in the Authorization header (not in cookies).
The Service may only use necessary cookies (e.g. UI preferences).
No marketing cookies.

13. Cooperation with Authorities

In case of suspected criminal activity (e.g. threats, hate speech, child exploitation, fraud), we may provide competent authorities with all available data, including IP addresses and logs – to the extent required by law.

14. Information for Google Login

You can revoke our app’s access at any time in your Google account settings (“Security” → “Third-party access”).
Revoking access will prevent Google login until you grant consent again.

15. Changes to This Policy

This policy may be updated. The current version is always available at this address.

---

© Lights & Colors — Privacy Policy