Skip to content
Milk&Ink

Privacy Policy

Version 2026-05-01. How we collect, use, and protect your data.

Effective May 1, 2026

Milk&Ink Studio (“we,” “us”) takes your privacy seriously. This Privacy Policy explains what we collect, why we collect it, how we use it (including for training our AI systems), and your rights over that data. This policy covers the web application at milkink.studio and our related services.

If you create an account on Milk&Ink Studio, you must agree to this Privacy Policy and our Terms of Service.Agreeing grants us, among other things, permission to use Your Content to train and improve our models — unless your workspace is on the Enterprise plan, which carves training out by contract. This is the single most important thing in this document. Please read section 2 carefully.

1. What we collect

Account data

  • Email address, name, and password hash (via Supabase Auth)
  • Profile avatar (if you provide one)
  • Workspace membership and role
  • The version of this policy you accepted, and when you accepted it

Usage data

  • Pages visited, features used, and interaction timestamps
  • IP address and browser user-agent (for rate limiting and security)
  • Server logs (request paths, response codes, errors)

Content you upload (“Your Content”)

  • Canon definitions: characters, locations, props, style rules, palettes
  • Reference images and asset files
  • Scripts, shot descriptions, prompts, and generated outputs
  • Review comments and approval decisions

Billing data

When you subscribe to a paid plan, payment information is collected and processed by Stripe. We store only a customer ID and subscription ID — never your full card number or CVV.

2. How we use your data — including for AI training

Operational use. We use your data to:

  • Provide the Service: run generations, sync collaborators, show your shots and reviews.
  • Improve the Service: aggregate, anonymized analytics to understand usage patterns.
  • Security: detect fraud, abuse, and unauthorized access.
  • Communication: transactional email (account confirmation, billing, notifications).
  • Legal: comply with applicable laws and respond to lawful requests.

Training and model improvement. By creating an account, you grant us a license to use Your Content — including reference images, canon definitions, scripts, prompts, generated outputs, approval decisions, and continuity scores — to train, fine-tune, evaluate, and otherwise improve the AI systems we operate or contract with. This includes:

  • Building proprietary models specialized for episodic / canon-locked production;
  • Fine-tuning third-party foundation models we license, where the provider permits;
  • Constructing labeled training datasets (your approved-vs-rejected take signals are exceptionally valuable here);
  • Benchmarking and evaluating model quality.

The Enterprise plan is exempt from training use. Workspaces on the Enterprise plan are contractually carved out: their content is never added to a training corpus, never used to fine-tune a model, and never shared with a provider for training purposes. Other plans (Free, Pro, Production, Studio) are included.

We do not sell your data to third parties. We do not provide your data to third-party advertisers. The training license is exclusively for our own model and product improvement.

You can request deletion of your data at any time under section 5. Deletion removes Your Content from our systems within 30 days. However, where Your Content has already been incorporated into a trained model, the resulting model parameters cannot practically be reversed— this is true of every AI training pipeline today, ours included. Future training runs will exclude deleted content.

3. Third-party processors

We rely on a small set of vendors to run the Service. Each is contractually obligated to handle your data securely and only for purposes we specify.

  • Supabase — authentication, database, and file storage
  • Railway — web application hosting
  • Stripe — payment processing
  • Upstash — rate limiting and event bus (metadata only)
  • Sentry — error tracking (may include stack traces with your user ID)
  • AI providers— when you submit a generation, your prompt and reference images are sent to the provider you select (fal.ai, Runway, Google Veo, etc.). Each provider has its own privacy terms and may retain submitted content according to those terms; we route around providers known to retain content for their own training where commercially feasible.

4. Data retention

  • Account data: retained while your account is active.
  • Canon & shot content: retained until you delete it or close your account.
  • Server logs: 30 days.
  • Billing records: retained for 7 years for tax compliance.
  • Training corpus snapshots: retained for the lifetime of the models trained on them. As noted in section 2, content removed from your account is removed from future training runs but may persist as model weights in already-trained checkpoints.

When you delete your account, we delete your content within 30 days, except where we are legally required to retain it.

5. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access a copy of the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data (“right to be forgotten”)
  • Export your data in a portable format
  • Object to or restrict specific uses (including training use — though objecting to training use means you must use the Enterprise plan or stop using the Service)

To exercise any of these rights, email privacy@milkink.studio. We respond within 30 days.

6. Security

We use industry-standard measures to protect your data: TLS in transit, encryption at rest, row-level security on the database, signed upload URLs for storage, and least-privilege access for our team. No system is perfectly secure — if you believe your account has been compromised, contact us at security@milkink.studio.

7. International transfers

Our primary hosting region is the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses where required.

8. Children

The Service is not intended for users under 16. We do not knowingly collect data from children. If we learn we have, we will delete it.

9. Cookies

We use strictly necessary cookies for authentication and session management. We do not use advertising cookies or cross-site tracking.

10. Changes to this policy

We will notify you of material changes by email or in-app notice at least 30 days in advance. Material changes — including changes to how we use Your Content for training — require you to re-accept the policy at next login.

11. Contact

Questions or requests: privacy@milkink.studio.