Privacy Policy

1. Introduction

Overlay Text ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use overlaytext.com ("Service").

By using our Service, you consent to the data practices described in this policy. If you do not agree, please do not use our Service.

2. Information We Collect

2.1 Anonymous Users

If you use the Service without creating an account, we prioritize your privacy:

• Images stay on your device: All image processing (editing, AI segmentation, text overlay) happens entirely in your web browser using JavaScript and WebAssembly. Your images are never uploaded to our servers, never transmitted over the internet, and we never see or have access to them.
• Anonymous analytics only: We collect anonymous usage data via Microsoft Clarity, including page views, button clicks, device type, browser version, and general usage patterns. This data is aggregated and cannot be used to identify you personally.
• No personal information: We do not collect or store names, email addresses, IP addresses (beyond temporary server logs), or any personally identifiable information from anonymous users.
• Temporary data: Any data stored in your browser (like app state) uses local storage and never leaves your device.

2.2 Registered Users (Free & Pro)

If you create an account to access features like creation history and higher export quality, we collect:

• Account Information: Your email address (required for account creation and login), optional display name, profile picture (if you choose to add one), and authentication credentials managed securely by Clerk (our authentication provider).
• Saved Creations: Only images you explicitly choose to save are uploaded to Cloudflare R2 (secure cloud storage). This includes the final exported image with text, thumbnail for gallery display, and segmented image components (person/background) if you used AI features.
• AI Processing: When using the "AI Magic Text" feature, your image is temporarily processed by Google Gemini AI to generate text suggestions. The image is processed for this specific purpose and is not used to train their models.
• Creation Metadata: For each saved creation, we store technical data including creation timestamp, last modified date, canvas dimensions, text layer settings (font, size, color, position), export resolution used, and whether AI segmentation was applied.
• Usage Data: Account-level statistics like total creation count, account creation date, last login timestamp, and subscription tier.

2.3 Pro Subscription Data

If you subscribe to Pro ($5.99/month), additional payment-related data is collected:

• Payment Information: Credit card details, billing address, and payment method information are collected and processed exclusively by Polar (our PCI DSS-compliant payment processor). We never see or store your full credit card number.
• Billing Information: Your email address for receipts, subscription status (active/canceled), billing cycle dates, payment history, and transaction IDs are stored by Polar and shared with us for account management purposes.
• Subscription Metadata: We store your subscription tier (free/pro), subscription status (active/canceled/expired), subscription start date, current billing period end date, and whether cancellation is pending at period end.

2.4 Automatically Collected Technical Data

We automatically collect certain technical information when you use the Service:

• Device & Browser Information: Your IP address (for security and fraud prevention), browser type and version, operating system, device type (mobile/desktop), screen resolution, and language preferences.
• Usage Analytics: Pages visited, features used, time spent on each page, button clicks, navigation paths, and interaction patterns collected via Microsoft Clarity for product improvement.
• Cookies & Local Storage: Essential authentication cookies from Clerk (for keeping you logged in), analytics cookies from Microsoft Clarity (for usage tracking), and browser local storage for app state and preferences.
• Server Logs: Standard web server logs including timestamps, IP addresses, requested URLs, HTTP status codes, and error messages. These are retained temporarily for debugging, security monitoring, and preventing abuse.

3. How We Use Your Information

We use collected information to:

• Provide the Service: Enable editing, AI processing, cloud storage, account management
• Process Payments: Handle subscriptions, billing, refunds via Polar
• Improve the Service: Analyze usage patterns, fix bugs, enhance features
• Communication: Send account-related emails, subscription confirmations, support responses
• Security: Detect fraud, prevent abuse, protect against security threats
• Legal Compliance: Comply with laws, regulations, legal processes

4. Data Storage and Security

4.1 Where We Store Data

• Cloudflare R2: Saved images and thumbnails (encrypted at rest)
• Convex: User data, creation metadata, subscription info (US-based servers)
• Clerk: Authentication data, account information (SOC 2 certified)
• Polar: Payment information, billing history (PCI DSS compliant)

4.2 Security Measures

We implement industry-standard security measures:

• HTTPS encryption for all data transmission
• Encrypted storage for images and sensitive data
• Regular security audits and updates
• Access controls and authentication
• Secure third-party service providers

4.3 Data Retention

• Active Accounts: Data retained while account is active
• Deleted Accounts: Personal data deleted within 30 days, some metadata retained for legal/accounting purposes
• Cancelled Subscriptions: Saved creations retained unless you request deletion
• Analytics: Anonymized analytics data may be retained indefinitely

5. Third-Party Services

We use trusted third-party services. Each has their own privacy policy:

• Clerk (clerk.com): User authentication and account management. Securely stores login credentials and manages authentication. See Clerk Privacy Policy.
• Polar (polar.sh): Payment processing for Pro subscriptions. Handles payment card information securely in PCI DSS compliance. See Polar Privacy Policy.
• Cloudflare R2 (cloudflare.com): Cloud storage for saved images. Provides encrypted storage and content delivery. See Cloudflare Privacy Policy.
• Convex (convex.dev): Backend database storing account data and creation metadata. See Convex Privacy Policy.
• Microsoft Clarity (clarity.microsoft.com): Website analytics including session recordings and heatmaps to understand user behavior. See Microsoft Privacy Statement.
• Google AdSense (google.com/adsense): Advertising network displaying ads on our blog. Collects browsing data for ad personalization and targeting. Uses cookies to track visits across websites. See Google Privacy Policy and How Google Uses Cookies in Advertising.

6. Cookies and Tracking Technologies

6.1 Types of Cookies We Use

We and our third-party partners use cookies, web beacons, pixels, and similar tracking technologies to operate the Service and understand how you use it:

• Essential/Functional Cookies: Required for core Service functionality including authentication (Clerk), session management, security features, and maintaining your login state. These cookies are necessary for the Service to work and cannot be disabled without breaking functionality. Examples: authentication tokens, session IDs, security preferences.
• Analytics Cookies: Help us understand how visitors interact with the Service through Microsoft Clarity. Collect anonymized data about pages visited, time spent, clicks, scrolling behavior, and heatmaps. These cookies can be blocked via browser settings, though this limits our ability to improve the Service based on user behavior.
• Advertising Cookies (Blog Only): Used by Google AdSense and other advertising networks on our blog pages to serve personalized advertisements based on your interests and browsing history. These cookies track your visits across websites to build an advertising profile. You can opt out of personalized ads through Google Ad Settings or use the DAA Opt-Out Tool.
• Performance/Preference Cookies: Browser local storage used to remember your app preferences, settings, UI state, and recently used features to improve your experience. Stored entirely on your device and never transmitted to our servers.

6.2 Third-Party Advertising Cookies

On blog pages only, Google AdSense and other advertising partners use cookies to:

• Serve ads based on your prior visits to our blog and other websites
• Measure ad effectiveness and engagement (clicks, conversions, views)
• Build interest profiles for targeted advertising across the web
• Prevent showing you the same ad repeatedly (frequency capping)
• Determine your geographic location for localized ads

Important: Advertising cookies are NOT used in the editing tool (overlaytext.com/app). They only appear on blog pages.

6.3 Managing Cookies

You have several options to control cookies:

• Browser settings: Most browsers allow you to refuse all cookies, accept only certain cookies, or delete existing cookies. Visit your browser's help section for instructions (Chrome, Firefox, Safari, Edge each have different methods).
• Opt out of personalized ads: Visit Google Ad Settings to disable personalized advertising from Google. Use DAA WebChoices Tool for broader opt-out across multiple advertisers.
• Do Not Track (DNT): We honor Do Not Track browser signals for analytics cookies but cannot control third-party advertiser compliance with DNT.
• Ad blockers: Browser extensions like uBlock Origin, AdBlock Plus can block advertising cookies and ads entirely.

Note: Disabling essential cookies will prevent you from logging in and accessing account features. Disabling analytics cookies only affects our ability to analyze usage patterns.

7. Your Privacy Rights

Depending on your location, you may have these rights:

• Access: Request a copy of your personal data
• Correction: Update incorrect or incomplete data
• Deletion: Request deletion of your account and data
• Portability: Receive your data in a machine-readable format
• Object: Object to certain data processing activities
• Withdraw Consent: Withdraw consent for optional data collection

To exercise these rights, email us at support@overlaytext.com. We'll respond within 30 days.

7.1 California Residents (CCPA)

California residents have additional rights under CCPA:

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale of personal information (we don't sell data)
• Right to non-discrimination for exercising rights

7.2 European Residents (GDPR)

EU/EEA residents have rights under GDPR including data portability, right to erasure, and right to lodge complaints with supervisory authorities.

8. How We Share Information

We do NOT sell your personal information. We may share data with:

• Service Providers: Third-party vendors helping us operate (Clerk, Polar, Cloudflare, Convex)
• Legal Requirements: When required by law, court order, or government request
• Business Transfers: In case of merger, acquisition, or asset sale
• Protection: To protect our rights, safety, or property

9. Children's Privacy

Our Service is not intended for children under 13. We do not knowingly collect information from children under 13. If you believe we have collected data from a child, contact us immediately for deletion.

10. International Data Transfers

Your data may be transferred to and stored in the United States and other countries where our service providers operate. By using the Service, you consent to these transfers.

We ensure adequate safeguards are in place for international transfers, including standard contractual clauses and compliance with applicable data protection laws.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be communicated via email (for registered users) or prominent notice on the Service.

Your continued use after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions, data requests, or concerns, contact us: