Privacy Policy · Charenix Studio

Effective date: 2026-05-27 · Governing law: Republic of China (Taiwan) · GDPR-compliant for EU residents

1. Who we are

Charenix Studio is operated by Ho Yiing Chen (陳禾穎), an independent AI researcher based in Taipei, Taiwan. ORCID 0009-0006-6816-9891. Correspondence: norika@charenix.com. This privacy policy applies to all services listed at charenix.com/studio/services.

2. What we collect

2.1 Account data

Email address (for account, billing, transactional communication)
Name (optional, for personalization)
Company / organization name (optional)
Stripe customer ID (we never see your card number; Stripe handles all payment data per PCI-DSS)

2.2 Service usage data

API request timestamps and token counts (for rate limiting and billing)
Selected model ID and recipe parameters (which merge you used)
Aggregate latency metrics (for our performance monitoring)

2.3 Your proprietary data (RAG / fine-tune corpus)

This is the data you deliberately upload to specialize your model. We store it encrypted at rest on hardware we physically control. We do not back this up off-premise without your written consent.

2.4 What we do NOT collect

Your prompt content. Inference requests are processed in-memory and not logged. The intermediate activations between RPC nodes are ephemeral.
Your generation content. Model outputs are returned to you and not retained server-side.
Browser fingerprinting. No third-party analytics scripts. No Google Analytics, no Facebook Pixel.
Cross-site tracking cookies.

3. Where your data lives

Tier	Inference runs on	RAG storage
Free	Federated pool (community + ours)	None
Basic	Federated pool, prompt-isolated	Encrypted shared volume on our hardware
Pro / Org	Dedicated tenant node we own	Per-tenant volume, isolated
Enterprise	On-prem (your hardware) or dedicated bare-metal (ours)	Your control or per-customer encrypted volume

Federation pool nodes contributed by external volunteers receive only intermediate activations (layer outputs), never raw prompts or completions. The architecture is described in detail at our contributor documentation.

4. Legal basis for processing (GDPR Article 6)

Contract performance for delivering paid services
Consent for marketing emails (opt-in, withdrawable at any time)
Legitimate interest for security monitoring and fraud prevention

For sensitive data categories under Taiwan 個人資料保護法第 6 條 (medical, financial, criminal records), we require explicit written consent and additional contractual terms before processing.

5. Data retention

Account data: retained while your subscription is active. 60 days after final cancellation, all account data is permanently deleted unless legal hold applies.
Your RAG / fine-tune corpus: deleted within 24 hours of you clicking "Delete corpus" in your portal, or 60 days after subscription cancellation, whichever is first.
Billing records: retained 5 years for Taiwanese tax compliance (statutory requirement).
Aggregate, anonymized metrics: retained indefinitely (cannot identify individuals).

6. Your rights

Under GDPR (EU) and 個人資料保護法 (Taiwan), you have the right to:

Access — request a copy of all data we hold about you
Rectification — correct inaccurate data
Erasure ("right to be forgotten") — request deletion before our standard retention period
Portability — receive your data in a machine-readable format
Object — refuse processing for marketing
Withdraw consent at any time

Email norika@charenix.com with subject "Data Request". We respond within 30 days.

7. International data transfers

All servers are physically located in Taiwan. We do not transfer your data outside Taiwan. If we ever do (which would only be with explicit consent), we will use Standard Contractual Clauses (SCC) approved by the EU Commission.

8. Subprocessors

We use the following third-party services. Each is bound by a Data Processing Agreement.

Subprocessor	Purpose	Data shared
Stripe	Payment processing	Card details (not visible to us), email
Resend	Transactional email	Email address, message content
Tailscale	VPN between inference nodes	Encrypted traffic only, no payload visibility
Cloudflare	DNS, DDoS protection	IP address, request URL (not body)

9. Cookies

We use only essential cookies for session management. No advertising cookies, no analytics cookies. If you log in, we set one HttpOnly cookie containing your session token; it expires when you log out or after 30 days of inactivity.

10. Security incidents

In the unlikely event of a data breach affecting your data, we will notify you within 72 hours via email, per GDPR Article 33. The notification will describe the nature of the breach, the data involved, and the remediation steps taken.

11. Children

Our services are not intended for individuals under 16. We do not knowingly collect data from minors. If you believe a minor has registered, email norika@charenix.com and we will delete the account.

12. Changes to this policy

Material changes will be announced 30 days in advance via email to all registered users. Non-material edits (typos, clarifications) are made directly with the "Last updated" date bumped at the top of this page.

13. Contact

For privacy questions or to exercise your rights: norika@charenix.com with subject "Privacy".