Privacy Policy

Last updated: March 19, 2026

Overview

Chinilla™ is an AI-powered system design tool operated by Alex Kwon, DBA Chinilla. This policy describes what data we collect, why, and how we handle it. The short version: we collect as little as possible, we never sell your data, and we never train AI models on your designs.

What We Collect

Designs. Your designs are stored in our cloud database (Supabase), protected by row-level security. AI features send canvas context to xAI's Grok API for processing when you actively use them.

Account information. If you sign in with Google or GitHub, we receive your name, email address, and profile picture from the OAuth provider. We store this to identify your account, enable cloud saving, and manage your subscription.

Billing information. If you subscribe to the Pro plan, payment is processed by Stripe. We store your Stripe customer ID, subscription status, and billing period dates. We do not store your credit card number or payment details. Those are handled entirely by Stripe.

Usage data. For Pro subscribers, we track daily AI credit usage (a count of AI requests per day) to enforce the 500 credits/month limit. We do not log the content of your AI requests.

Contact messages. If you use the contact form, your name, email, category, and message are sent to us via email so we can respond to you. Contact messages are not stored in our database.

No analytics or tracking pixels. We do not use Google Analytics, Facebook Pixel, or any third-party tracking. We do not fingerprint your browser.

AI and Your Data

When you use AI features (describe, generate, simulate, codegen, spec export), your canvas data and messages are sent to xAI's Grok API for processing. This happens only when you actively use an AI feature.

We do not train models on your data. Your designs, messages, and canvas content are not used to train or fine-tune any AI model.

xAI processes requests under their own privacy policy. We recommend reviewing xAI's privacy policy for details on how they handle API requests.

Cookies

Chinilla uses cookies strictly for authentication. When you sign in, Supabase sets authentication cookies to maintain your session. These are functional cookies required for the Service to work.

We do not use advertising cookies, tracking cookies, or any cookies for analytics purposes.

How We Use Your Information

  • Authenticate your account and maintain your session
  • Store and sync your cloud-saved projects across devices
  • Process AI requests when you use describe, generate, simulate, codegen, or spec features
  • Process subscription payments and manage your billing cycle
  • Track AI credit usage against your monthly limit
  • Respond to support requests submitted through our contact form
  • Send transactional emails related to your account (e.g., contact form confirmations)

Third-Party Services

We use the following third-party services:

  • xAI (Grok) for AI chat, validation, and generation features
  • Supabase for authentication and database storage (projects, subscriptions, usage tracking)
  • Stripe for payment processing (Pro subscriptions)
  • Resend for transactional email delivery (contact form)
  • Render for hosting and infrastructure
  • GitHub and Google as OAuth providers for sign-in

We do not share your data with anyone else. We do not sell data to advertisers, data brokers, or any other third party.

Data Storage and Security

Your projects are stored in our cloud database. Cloud-saved projects are stored in a Supabase PostgreSQL database with row-level security (RLS) enabled. Each user can only access their own data.

All traffic between your browser and our servers is encrypted in transit via TLS. Server-side API keys (for xAI, Stripe, Supabase, Resend) are stored as environment variables and never exposed to the client.

Data Retention

Cloud projects are retained as long as your account exists. Deleting a project removes it from our database. Deleting your account removes all projects and associated data.

AI usage records are retained for billing cycle tracking. They contain only a count per day, not the content of your requests.

AI chat messages are held in memory during your active session only. They are not persisted to disk on our servers.

Your Rights

  • Export: You can export individual designs as JSON from the canvas. Signed-in users can export all account data (projects, subscription info, usage history) from the dashboard.
  • Delete: You can delete individual projects from the dashboard. You can delete your entire account, which removes all cloud data and cancels any active subscription.
  • Control: Your designs are stored securely in the cloud with row-level security. You can export or delete your data at any time.
  • Access: You can view all data associated with your account from the dashboard at any time.

California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

  • Right to Know: You may request what personal information we collect, use, and disclose about you.
  • Right to Delete: You may request deletion of your personal information. You can do this directly from your dashboard by deleting your account.
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties. We never have and never will.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, email squeak@chinilla.com or use the self-service options in your dashboard.

European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights:

  • Legal Basis: We process your data based on (a) your consent when you create an account or use AI features, (b) contractual necessity to provide the Service, and (c) our legitimate interest in maintaining security and preventing abuse.
  • Right of Access: You may request a copy of all personal data we hold about you. You can export your data from the dashboard.
  • Right to Rectification: You may request correction of inaccurate personal data.
  • Right to Erasure: You may request deletion of your personal data. Deleting your account removes all associated data from our systems.
  • Right to Data Portability: You may export your data in a machine-readable format (JSON) from the dashboard.
  • Right to Object: You may object to processing based on legitimate interest.
  • Right to Withdraw Consent: You may withdraw consent at any time by deleting your account or contacting us.

Our data is processed in the United States via Supabase and Render. By using the Service, you acknowledge this transfer. To exercise your rights, email squeak@chinilla.com.

External Links

The Service may contain links to third-party websites and services (e.g., GitHub, X, xAI, Stripe, documentation sites). These links are provided for convenience and reference. We do not control, endorse, or assume responsibility for the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policy of any external site you visit.

Children

Chinilla is not directed at children under 13. We do not knowingly collect personal information from children under 13.

Changes

We may update this policy. Significant changes will be communicated through the app or via email. Continued use of Chinilla after changes constitutes acceptance.

Contact

Questions about this policy? Email squeak@chinilla.com or use our contact form.