Privacy Policy

How We Handle Your Data

This policy explains what personal data Alcheon collects, why, and how you can control it. This policy is written in compliance with the UK GDPR and the Data Protection Act 2018.

Last updated: 8 March 2026

1. What we collect

Data When Legal basis
IP address Every API request and form submission (for rate limiting, held in memory only) Legitimate interests (abuse prevention)
Name, email, reason When you submit a content removal request via /takedown Legal obligation / legitimate interests
API usage logs Tool calls made via your API key (tool name, timestamp, duration) Contract performance / legitimate interests

API keys are generated anonymously — we do not collect your name or email address when you request a key. Keys are not linked to any personal identity.

We do not collect payment card details directly — payments are handled by Stripe, who are the data controller for that information.

2. Why we collect it

  • IP address — to enforce rate limits and prevent abuse. IP addresses are stored in process memory only and are not persisted to the database. They are lost when the server restarts.
  • Takedown request data — to process and respond to content removal requests, and to maintain a record of actions taken.
  • Usage logs — to enforce credit limits, diagnose errors, and improve the service.

3. Scraped website data

Alcheon's core function is to extract design system data from publicly accessible websites. This includes:

  • Colour palettes (hex values from CSS)
  • Typography metrics (font names, sizes, weights)
  • Spacing, border radius, and shadow values
  • Layout patterns and component structure descriptions
  • AI-generated design analysis and vibe descriptions

This data is not personal data — it is derived from the publicly visible design language of a website, not from any individual's personal information.

Alcheon respects robots.txt directives on all sites it crawls. If you are a site owner and wish to have your site's data removed, please use our Content Removal page.

4. Data retention

DataRetention period
API key (anonymous — no email linked)Until you request deletion, or 2 years of inactivity
IP addresses (rate limiting)In-memory only — cleared on server restart, rolling 1-hour window
Takedown request recordsIndefinitely, as a legal record of actions taken
Scraped design dataUntil a valid removal request is approved, or at our discretion
API usage logs90 days

5. Sharing & processors

We do not sell your personal data. We use the following third-party processors:

We may disclose personal data if required by law or to protect against fraud or abuse.

6. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data where there is no compelling reason to retain it.
  • Restriction — ask us to limit how we use your data while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests.

To exercise any of these rights, use the Content Removal form or the contact details in section 8. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

7. Cookies

The Alcheon website does not use tracking cookies or analytics cookies. No third-party advertising or behavioural tracking is present.

Stripe may set cookies on payment pages. Refer to Stripe's cookie policy for details.

8. Contact

For privacy-related queries or to exercise your data rights, use our Content Removal & Contact form. We will respond within 30 days.

Data Controller: Alcheon

Jurisdiction: United Kingdom

Changes to this policy will be posted on this page with an updated date.