Privacy Policy
This Privacy Policy explains how Chainvision Games FZCO ("we", "us", "Katama") collects, uses, and protects your personal data when you use katama.ai and related services. Although our company is located in Dubai, we comply with the EU General Data Protection Regulation (GDPR) because we offer services to EU residents.
1. Data Controller
Chainvision Games FZCO
Dubai Silicon Oasis, Dubai Digital Park, Building A1
P.O. Box 342 001, Dubai, UAE
Privacy contact: privacy@katama.ai
EU Representative (Art. 27 GDPR): To be designated. In the interim, please direct all GDPR requests to privacy@katama.ai.
2. Data We Collect
2.1 Account Data (when you sign up)
- Email address
- Display name (if provided)
- Authentication provider (Google, email, etc.) handled by Clerk
- IP address (for security & rate limiting)
- Account creation date
2.2 Usage Data (when you use Katama)
- Prompts you submit to AI models
- Generated outputs (images, videos, text, audio)
- Credit consumption history
- Studio / model preferences
- Project metadata (titles, settings)
2.3 Payment Data (when you subscribe or buy credits)
- Card payments processed by Stripe. Stripe stores card details on its PCI-compliant infrastructure; we receive only a transaction reference.
- Crypto payments (BTC, ETH, SOL, etc.) processed by NOWPayments. We receive a transaction reference and payment status.
- $KATA token payments verified on-chain (BSC, ETH, Base). We read the public transaction; no private keys are ever in our possession.
2.4 Wallet Data (optional, when you connect a wallet)
- Public wallet address (e.g. 0xABC...)
- $KATA balance across supported chains (read on-chain)
- NFT holdings (read on-chain)
- Cryptographic signature you provided to prove wallet ownership
Connecting a wallet is entirely optional. We do not have access to your private keys at any time. By its nature, the address you link to your Katama account is publicly visible on the relevant blockchains.
2.5 Technical Data (automatically)
- Browser type, OS, device class
- Page URLs and referrer
- Approximate timestamps
- Error logs (for debugging)
3. Why We Collect Data & Legal Basis
| Purpose | Legal basis |
|---|---|
| Provide the service (account, generations) | Art. 6(1)(b) GDPR — performance of contract |
| Process payments | Art. 6(1)(b) — performance of contract |
| Security, fraud prevention, rate limiting | Art. 6(1)(f) — legitimate interest |
| Comply with legal obligations (tax, audit) | Art. 6(1)(c) — legal obligation |
| Marketing (only if you opt in) | Art. 6(1)(a) — consent |
| On-chain activity logs | Art. 6(1)(f) — legitimate interest (transparency) |
4. Third-Party Processors
We share specific data with the following processors to provide our service. All have signed Data Processing Agreements (DPAs) and process data only on our instructions.
4.1 Authentication
- Clerk (USA) — Stores account credentials, sessions. Transfers protected by Standard Contractual Clauses (SCCs).
4.2 Payment Providers
- Stripe (USA/Ireland) — Card payments. Their EU entity provides GDPR-compliant data handling.
- NOWPayments (Netherlands) — Crypto payments.
4.3 AI Providers (the heart of our service)
When you generate something on Katama, your prompt is sent to the underlying AI provider. We do not send your email, account ID, or other identifying details — only the prompt and necessary technical parameters. The output is returned to us and then to you.
- FAL.ai (USA) — Image and video generation (FLUX, Kling, Seedance, Veo, WAN, OmniHuman). Their privacy policy: fal.ai/privacy
- OpenAI (USA) — GPT chat models, GPT-Image. We use the OpenAI API, which by default does not train on user data. Policy: openai.com/policies/privacy-policy
- Anthropic (USA) — Claude models. API usage does not train models. Policy: anthropic.com/legal/privacy
- ElevenLabs (USA) — Text-to-Speech, voice cloning. Policy: elevenlabs.io/privacy-policy
- Google AI (USA) — Veo video generation. Policy: policies.google.com/privacy
All US transfers are protected by Standard Contractual Clauses (SCCs) per Art. 46 GDPR.
4.4 Infrastructure
- Hetzner Online GmbH (Germany) — Database and backend servers. EU data residency.
- Vercel Inc. (USA) — Frontend hosting and CDN. Transfers protected by SCCs.
- Cloudflare R2 (USA) — Asset storage. Transfers protected by SCCs.
5. Blockchain & On-Chain Data
For transparency, Katama logs aggregated daily activity to the Base blockchain (a public Ethereum Layer 2). What we log:
- A cryptographic hash of your internal user ID (keccak256). The original ID cannot be recovered from the hash.
- Date (YYYYMMDD)
- Aggregated counts: total generations, credits used, by category
Important about blockchain data: Once written to a public blockchain, it cannot be deleted by anyone (us included). This is a fundamental property of the technology. Because we log only a pseudonymous hash and aggregate counts, no identifying information appears on chain.
When you exercise your right to erasure, we delete the mapping between your account and the hash from our database, so the on-chain hash becomes irreversibly anonymous (no one can ever link it back to you again).
6. Data Retention
| Data type | Retention period |
|---|---|
| Active account data | While your account is active |
| Generations & prompts | Until you delete them, or 30 days after account deletion |
| Payment records | 10 years (tax/accounting obligation) |
| Server logs | 14 days (security & debugging) |
| Backups | 30 days rolling |
7. Your Rights (GDPR Chapter III)
- Right of access (Art. 15) — Get a copy of your data
- Right to rectification (Art. 16) — Correct inaccurate data
- Right to erasure (Art. 17) — Delete your account and data
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20) — Export your data in machine-readable form
- Right to object (Art. 21)
- Right to withdraw consent (Art. 7(3)) — for marketing or other consent-based processing
- Right to lodge a complaint with a supervisory authority (Art. 77)
To exercise any of these rights, email privacy@katama.ai. We respond within 30 days.
8. Cookies & Tracking
We use the minimum cookies necessary to operate the service. See our cookie policy below. You can adjust your preferences at any time via the "Cookie Settings" link in the footer.
Cookie Categories
- Essential (cannot be disabled) — Authentication, session, security, load balancing.
- Functional — Theme preference, language, last-used model.
- Analytics — Aggregated, privacy-preserving usage stats (no user identification).
We do not use marketing cookies or third-party trackers.
9. Children
Katama is not directed to children under 13 (under 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact privacy@katama.ai and we will delete it.
10. Security
We protect your data with industry-standard measures:
- TLS encryption for all data in transit
- Encrypted database connections
- Rate limiting and signature verification on sensitive endpoints
- Regular security audits (most recent: 2026-06-11)
- Private keys for blockchain operations stored offline / with strict access control
11. International Transfers
Some of our processors are located outside the EEA (mostly USA). For these transfers, we rely on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. You can request a copy of the SCCs by emailing privacy@katama.ai.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "last updated" date at the top reflects the most recent change. Material changes will be communicated by email or via a prominent notice on the platform.
13. Contact
Privacy questions: privacy@katama.ai
Other inquiries: business@katanainu.com