Privacy Policy
LAST UPDATED · MAY 2026 · ALIGNED WITH POPIA
Decal Lab ("we", "us") is a South African business that respects your privacy and the Protection of Personal Information Act (POPIA). This policy explains, in plain language, what personal information we collect, why we collect it, and the choices you have about it.
1. What information we collect
- Account information — your email address and a securely hashed password when you create an account.
- Billing information — handled by our payment processors (Peach Payments / PayFast). We only see the transaction ID, plan, amount, and outcome. We never see your card details.
- Uploaded files — the images and SVGs you upload are processed in memory for conversion purposes only. They are discarded immediately after the response, unless you choose to save them to your account.
- Usage telemetry — basic, non-identifying logs (conversion mode, output size, success / failure) so we can keep the engine healthy. We do not log the contents of your files.
- Anti-abuse tokens — to prevent free-trial abuse we store an irreversible SHA-256 hash of your IP and browser fingerprint. We do not store the raw IP address.
2. Why we collect it (lawful basis)
We collect this information on the lawful bases set out in POPIA: to provide the service you signed up for (contract performance), to charge for paid plans (legitimate interest), to keep the service secure (legitimate interest), and to comply with any legal obligations.
3. How files are processed
Your image is sent to our server, traced and optimised into an SVG, and the result is returned to your browser. The original upload is then discarded. We do not claim any ownership of your artwork — it remains yours. You remain responsible for ensuring you have the rights to upload, convert, and use the source artwork.
4. Billing & payment handling
Subscriptions and credit packs are processed by Peach Payments and PayFast (POPIA-compliant gateways). We receive only the transaction outcome and a tokenised reference. Card numbers and CVV codes never reach our servers.
5. Cookies
We use two strictly necessary cookies:
- access_token — keeps you signed in.
- decal_anon — preserves your free-trial credits between visits.
We do not use third-party advertising cookies, social media beacons, or behavioural tracking pixels.
6. Account security
Passwords are hashed with bcrypt. Sessions are signed with rotating secrets. We rate-limit login attempts and lock accounts after repeated failures. Authentication events are kept for 90 days for forensic review.
7. Your rights under POPIA
You have the right to access the personal information we hold about you, to correct it, to object to processing, and to request deletion of your account and all associated data. To exercise any of these rights, email privacy@decal-lab.com from your account email address. We will respond within 30 days.
8. Data retention
Account data is retained for as long as your account is active. Saved conversions remain until you delete them or close your account. Billing records are retained for 5 years to satisfy South African tax obligations. Anti-abuse hashes are rotated every 12 months.
9. Third-party services
We rely on a small number of trusted third parties: Peach Payments and PayFast for billing, our hosting provider for compute and storage, and our transactional email provider. None of them have permission to use your data for their own purposes.
10. We do not sell your data
We never sell, rent, or trade personal information. We never use uploaded artwork for marketing or training without explicit, opt-in consent.
11. Contact
For any privacy question, complaint, or data-subject request, email privacy@decal-lab.com. You may also lodge a complaint with the South African Information Regulator if you believe your rights under POPIA have been breached.
