Privacy Policy

This Privacy Policy ("Policy") describes how Inkover ("Service"), accessible at inkover.ink, collects, processes, stores, and protects personal data of its users.

The data controller is Nikolai Ivanovich Dubina, a self-employed individual registered under the Russian Federation Professional Income Tax regime (Federal Law No. 422-FZ of 27 November 2018), TIN 502997275398, Saint Petersburg, Russian Federation ("Operator"). The Service is not directed to, and is not intended for use by, residents of the European Economic Area or the United Kingdom; access from those territories is technically restricted (see Region Availability). If you are nonetheless able to reach the Service from the EEA or UK, you may contact the Operator at [email protected].

We process personal data in compliance with the data-protection law applicable to each user's location:

• For residents of the European Economic Area and the United Kingdom — the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.
• For residents of the United States — state privacy laws that apply to us, including the California Consumer Privacy Act ("CCPA", as amended by the CPRA) where thresholds are met.
• For residents of the Russian Federation — Federal Law No. 152-FZ "On Personal Data", as amended through 156-FZ of 24 June 2025. For these users the Operator is registered in the Personal Data Operators Registry maintained by Roskomnadzor under Article 22 of 152-FZ.
• For residents of other jurisdictions — equivalent local data-protection law.

Where the law of a user's jurisdiction grants greater protection than another regime referenced in this Policy, the more protective standard applies.

1. Data We Collect

1.1. Data Provided by the User

• Username
• Email address
• Password (stored in hashed form)
• Name (if provided in profile)
• Language and interface preferences

1.2. Data Collected Automatically

• IP address
• Browser type and version, device type
• Service usage data (pages processed, tokens spent, settings used)
• Registration date and last login time
• Cookies (technical session only)
• Data on interaction with the publication feature: publication identifier, access level, access-level change events, events of granting and revoking access to specific email addresses (for the "Allowlist" access level), publication block/unblock events performed by administrators.
• Data on visits to public links (including for unauthenticated Visitors): publication identifier, access time, IP address, User-Agent, HTTP Referer (where available). This data is collected and retained for the purposes of security, investigation of violations, and compliance with applicable information-society-service obligations (including Article 10.1 of Russian Federal Law No. 149-FZ where applicable). The data is not tied to an identifiable individual unless the Visitor is authenticated within the Service.

1.3. User Content

Images uploaded for processing are temporarily stored on Service servers to perform translation operations. Original and processed images are stored in association with the User's account until deleted by the User or upon account deletion.

1.4. Moderation and Security Data

To ensure Service security and legal compliance, the Operator may collect and retain:

• Content processing logs (operation type, date, result, including AI model rejection events) — 12 months.
• Metadata of uploaded images and published materials — for the duration of the relevant publication plus 12 months after its removal.
• Public-link view logs (share_viewed) — 12 months.
• Records of third-party complaints (including data provided voluntarily by complainants: name/organisation, email, description of the infringement, IP address and User-Agent captured by the server at the time of submission) — 3 (three) years from case closure; legal basis — legitimate interest of the Operator in demonstrating good-faith complaint handling (Article 6(1)(f) GDPR; Article 6(1)(7) of 152-FZ for Russian users) and the possible need to defend in court or regulatory proceedings.
• Audit log of access-level changes and administrator actions — 3 (three) years.
• Records of Terms of Service violations and measures applied — 3 (three) years from the expiration of the measure.

Moderation data may be retained longer than the periods listed above where a request is received from authorised government authorities or a dispute or proceeding is commenced, until such matter is fully resolved.

2. Purposes of Data Processing

Personal data is processed for the following purposes:

• Creating and managing User accounts
• Providing Service functionality (image processing, translation)
• Processing payments and maintaining billing records
• Sending Service notifications (processing completion, system alerts)
• Improving Service quality and analyzing usage patterns
• Fulfilling obligations to the User
• Complying with legal requirements

3. Legal Basis for Processing

We rely on the following legal bases, mapped to Article 6 GDPR (and to the equivalent provisions of Russian 152-FZ for users covered by it):

• Consent (Article 6(1)(a) GDPR; Article 6(1)(1) and Article 9 of 152-FZ) — for separately collected consents, including the stand-alone Consent to Personal Data Processing presented at registration and the optional consents for publication (sharing) and exposure of raw source materials.
• Performance of a contract (Article 6(1)(b) GDPR; Article 6(1)(5) of 152-FZ) — for the operation of the account, the translation pipeline, billing and customer support.
• Legitimate interest (Article 6(1)(f) GDPR; Article 6(1)(7) of 152-FZ) — for Service security, fraud prevention, analysis of public-link Visitor traffic and the good-faith handling of rights-holder complaints. Visitors and complainants are not parties to the Terms of Service and do not provide consent; we process the minimum data necessary and honour objections under § 7 of this Policy.
• Legal obligation (Article 6(1)(c) GDPR; Article 6(1)(2) of 152-FZ) — for responses to law-enforcement and court requests and for applying measures required by applicable notice- and-takedown regimes (including DMCA 17 U.S.C. § 512 for users of the US platform, Article 14 of the EU e-Commerce Directive 2000/31/EC and, for Russian-law notices, Article 15.7 of Federal Law No. 149-FZ).

Consent to personal data processing is specific, informed, conscious, and unambiguous. The User provides consent freely, of their own will and in their own interest.

Consent is valid for the entire duration of Service use and 30 calendar days after account deletion. Processing includes: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), anonymization, blocking, deletion, and destruction of personal data. Full consent details are provided on the Consent to Personal Data Processing page.

4. Data Sharing with Third Parties

The Operator may share data with the following categories of recipients:

• Google (Gemini API) — images and text are transmitted for AI model processing (OCR, translation, image generation), subject to Google's privacy policy.
• Payment providers — minimal data required for payment processing. The Operator does not store credit card information.
• Hosting provider — for server infrastructure operation.
• Yandex (Yandex.Metrica) — analytics data (IP address, cookies, device data, website behavior). Data is transferred only with the User's explicit consent to analytics cookies.
• Google (Google Analytics) — analytics data. Data is transferred only with the User's explicit consent to analytics cookies.
• Rights holders and their authorised representatives — in response to substantiated complaints of copyright or related rights infringement, information necessary and sufficient to resolve the dispute is disclosed: the publication identifier, publication and removal times, the fact and date of the measure applied, and the anonymised User status (without disclosing email, name or IP unless required by law or judicial order).
• CDN and service-infrastructure providers (including network security, DDoS protection, static-content routing) — to the minimum extent of technical data (IP address, User-Agent, requested URL) necessary to perform their functions for handling requests to public links.
• Law enforcement and judicial authorities — upon a lawful request or by way of proactive disclosure when signs of a criminal offence are detected, to the extent required by the request or by the contents of the report.

The Operator does not sell, rent, or share personal data with third parties for marketing purposes. For CCPA purposes this means we do not "sell" or "share" your personal information as those terms are defined under California law.

The Operator may disclose personal data in response to lawful requests from competent government authorities (including law-enforcement agencies and courts of the Russian Federation). The Operator also reserves the right to proactively report User information and uploaded content to law-enforcement authorities upon discovering signs of serious criminal activity, in particular child sexual abuse material (CSAM) or other content whose distribution is prohibited by applicable law.

5. International Data Transfers

When you use the Service, data is processed in the Russian Federation and, through our sub-processors (in particular Google Gemini API and Google Cloud Platform), may be transferred to the European Union, the United States and other jurisdictions.

For transfers from the EEA or the UK to countries without an adequacy decision under Article 45 GDPR, we rely on the European Commission Standard Contractual Clauses adopted by Implementing Decision (EU) 2021/914 (and the UK International Data Transfer Addendum where applicable), combined with supplementary technical measures (TLS 1.2+ in transit, AES-256 at rest, encryption-key isolation).

For personal data of Russian Federation citizens, primary recording takes place on servers located within the Russian Federation in accordance with Article 18(5) of 152-FZ. Subsequent transmission to foreign sub-processors for processing is carried out under Article 12 of 152-FZ and is limited to image content and recognised text; it does not include account identifiers (name, email) or payment data.

6. Data Storage and Security

Personal data is stored on secured servers with encryption in transit (TLS/SSL). Passwords are stored in hashed form and cannot be recovered in their original form.

Personal data is retained for the duration of account use and deleted within 30 (thirty) calendar days after account deletion, except for data the Operator is required to retain under applicable law.

Retention periods for specific categories of data related to the publication feature, as well as data of Visitors and complainants, are set out in § 1.4 of this Policy and may differ from the general 30-day period following account deletion.

7. Your Rights

Depending on your jurisdiction, you have the following rights. Where the applicable regime provides a broader right than described here, that broader right applies.

7.1. EEA, UK and other GDPR-aligned jurisdictions

• Right of access (Article 15 GDPR).
• Right to rectification (Article 16 GDPR).
• Right to erasure / "right to be forgotten" (Article 17 GDPR).
• Right to restriction of processing (Article 18 GDPR).
• Right to data portability in a machine-readable format (Article 20 GDPR).
• Right to object to processing based on legitimate interest (Article 21 GDPR).
• Right not to be subject to automated decisions with legal or similarly significant effects (Article 22 GDPR). We do not take such decisions solely based on automated processing; translations produced by AI are always made available for human review before they become the User's final artefact.
• Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
• Right to lodge a complaint with a supervisory authority — for example, the Irish Data Protection Commission (DPC), the UK Information Commissioner's Office (ICO) or the authority of your country of habitual residence.

7.2. California residents (CCPA / CPRA)

• Right to know what personal information we collect and why.
• Right to delete personal information, subject to statutory exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of "sale" or "sharing" — we do not sell or share personal information in the CCPA sense, so no opt-out is needed.
• Right to non-discrimination for exercising CCPA rights.

7.3. Russian Federation users (152-FZ)

• Rights under Articles 14, 20 and 21 of 152-FZ, including access, clarification, blocking and destruction of data.
• Right to lodge a complaint with Roskomnadzor (the Federal Service for Supervision of Communications, IT and Mass Media).

7.4. How to exercise your rights

Send a request to [email protected]. We will respond within the shorter of: 30 calendar days (GDPR / CCPA default) or 10 business days for Russian-law information requests; 7 business days for correction, blocking or deletion of personal data under 152-FZ. We may extend the GDPR response window by two further months for complex or numerous requests, notifying you of the extension within the first 30 days.

8. Cookies

A detailed description of the cookies and local-storage technologies we use — including categories, providers, retention periods and opt-out controls — is set out in our separate Cookie Policy. Analytics cookies (Google Analytics, Yandex Metrica) are loaded only after explicit consent given through the cookie banner; essential cookies are loaded automatically because the Service cannot function without them.

9. Age Restrictions

The Service is not directed at children. We do not knowingly process personal data of individuals under 16 (or the higher age set by the law of your country, for example 13 under the US Children's Online Privacy Protection Act). If you become aware that a child has provided us with personal data, please contact us and we will delete it.

10. Changes to This Policy

The Operator may update this Policy. The current version is always available on this page; the date of the last update and the version changelog are shown at the top of the document. Material changes are additionally announced in-product and, where required by law, through renewed consent.

11. Contact Information

For data-protection questions, contact [email protected]. For general support, write to [email protected] or use the contact form. Postal correspondence may be addressed to the Operator at its registered address set out at the top of this Policy.