Privacy Policy
The plain-language version of what data InfraStudio collects, why we need it, and what we do with it.
Last updated April 17, 2026
We collect the minimum data needed to run your account, bill you, and improve the product. We don't sell your data. Your diagrams are yours. You can export or delete everything at any time from your account settings.
Who we are
InfraStudio ("we", "our", "us") provides a browser-based network infrastructure diagramming tool at useinfrastudio.com. This policy explains how we handle personal data when you visit the site, create an account, or use the app.
What we collect
Account data
- Name and email address — provided by you at signup, used to identify your account and send transactional emails (password resets, billing receipts).
- Password — stored only as a salted PBKDF2 hash. We never see your plaintext password and cannot recover it.
- Session tokens — a random 256-bit token stored in an
is_sessionHttpOnly cookie, used to keep you logged in. Expires after 30 days.
Diagrams and content
- The diagrams, folders, tags, and related content you create in the app. Stored in our database so you can access them across devices. We do not read, mine, or share your diagrams.
Billing data (paying customers only)
- Stripe customer ID and subscription details — plan, status, renewal date. We do not store your card number or CVV; Stripe handles that directly.
Usage and analytics
To understand how the product is used and to debug issues, we record:
- Device and browser info — browser, OS, screen size, language, connection type.
- Approximate location — country, region, city (derived from your IP by Cloudflare; we do not store your raw IP long-term).
- Referrer and UTM parameters — how you found the site.
- Product events — which features you use (e.g. "diagram exported", "node added"), session duration, errors.
This data helps us prioritize fixes and improvements. It is not sold to third parties and is not used for advertising.
Cookies
We use one essential cookie:
| Name | Purpose | Duration |
|---|---|---|
| is_session | Keeps you signed in | 30 days |
We do not set advertising cookies, tracking pixels, or third-party analytics cookies.
Who we share data with
We use a small number of sub-processors to run InfraStudio. Each is bound by their own privacy terms:
- Cloudflare — hosting, edge compute, DDoS protection. Requests pass through their network; they provide approximate geolocation.
- Supabase — PostgreSQL database for account and diagram storage.
- Stripe — payment processing for paid plans. Card data goes directly to Stripe and never touches our servers.
- Google Fonts — web typography, loaded from
fonts.googleapis.com.
We do not sell personal data, and we do not share it with advertisers or data brokers.
How long we keep data
- Account data and diagrams — kept for as long as your account is active. Deleted when you delete your account.
- Billing records — retained by Stripe per their retention policy and as required by tax law (typically 7 years).
- Usage and analytics — kept for product improvement. You can request deletion at any time.
- Session tokens — deleted on logout or after 30 days of inactivity.
Your rights
Wherever you live, you have the right to:
- Access — see what data we hold about you.
- Export — download your diagrams at any time from the app.
- Delete — delete your account and all associated data from Settings → Delete Account. This cancels active subscriptions and permanently removes your diagrams, folders, tags, sessions, and usage data.
- Correct — update your name or email from account settings.
- Object or restrict — ask us to stop using your data for certain purposes.
If you're in the EU/UK you also have the right to lodge a complaint with your local data protection authority.
Security
We use standard practices: HTTPS everywhere, PBKDF2 password hashing with per-user salts, HttpOnly session cookies, and encrypted storage at rest via Supabase. No system is perfect, but we take your data seriously.
Children
InfraStudio is not directed at children under 13, and we do not knowingly collect data from them. If you believe a child has provided us with personal data, contact us and we will delete it.
International transfers
Our infrastructure runs on Cloudflare and Supabase, which operate globally. Your data may be processed in countries outside your own. We rely on standard contractual clauses and our sub-processors' compliance frameworks (GDPR, CCPA) for lawful cross-border transfers.
Changes to this policy
If we make material changes, we'll update the "Last updated" date above and, where appropriate, notify you by email. Continued use of InfraStudio after changes means you accept the revised policy.
Contact
Questions, requests, or concerns? Email support@useinfrastudio.com and we'll get back to you within a few business days.