Privacy Policy
This Privacy Policy describes how the CRMA Fine-Tuner & Continual Learning service (“Service”), operated by Kiran Nayudu (“we”, “us”, “our”), collects, uses, and protects your information.
By using the Service, you consent to the practices described in this policy.
1. Information We Collect
Account Information
- Username (chosen by you, pseudonymous)
- Password (stored as a bcrypt hash — we never store or see your plaintext password)
- Email address (optional — used only for password reset and job completion notifications)
Usage Data
- Training job metadata: model name, epochs, batch size, job status, timestamps, token estimates, cost
- Uploaded datasets: processed only for your training job (see Section 3)
- IP address: used for rate limiting only, not stored persistently
- Credit balance and billing events: credit additions, charges, and refunds
What We Do NOT Collect
- Credit card or payment information (handled entirely by Stripe — we never see your card details)
- Browser cookies or tracking pixels
- Third-party analytics or advertising data
2. How We Use Your Information
| Data | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Username / password hash | Account authentication | Contract performance |
| Password reset, job notifications | Consent (optional) | |
| Job metadata | Service delivery, billing | Contract performance |
| Uploaded datasets | Fine-tuning / continual learning | Contract performance |
| IP address | Rate limiting, abuse prevention | Legitimate interest |
| Billing events | Billing records, refunds | Contract performance / legal obligation |
We do not sell, rent, or share your personal information with third parties for marketing purposes.
3. Data Retention and Deletion
- Uploaded datasets: Deleted within 1 hour of job completion or failure.
- Model artifacts on GPU infrastructure: Deleted within 24 hours of job completion.
- Account data: Retained for the lifetime of your account.
- Billing events: Retained as long as your account exists (required for financial records).
4. Data Processing and Infrastructure
| Component | Provider | Location |
|---|---|---|
| API backend | Modal (modal.com) | United States |
| GPU training | Modal (A10G instances) | United States |
| Database | SQLite on Modal Volume | United States |
| Payments | Stripe | United States |
| Frontend | Streamlit Cloud / HuggingFace Spaces | United States |
Cross-border transfers: If you are located outside the United States, your data will be transferred to and processed in the United States.
5. Your Rights
For all users:
- Access: View your account information via
GET /me - Correction: Update your email via
POST /me/email - Deletion: Request account deletion (see Section 8)
Additional rights under GDPR (EU/EEA users):
- Right to erasure (Art. 17)
- Right to data portability (Art. 20)
- Right to restrict processing (Art. 18)
- Right to object (Art. 21)
- Right to lodge a complaint with your local data protection authority
Additional rights under CCPA (California residents):
- Right to know what personal information we collect
- Right to delete your personal information
- Right to non-discrimination for exercising your privacy rights
6. Security
- Passwords hashed with bcrypt
- API authentication uses signed JWT tokens with 8-hour expiry
- All API traffic encrypted via HTTPS/TLS
- Rate limiting protects against brute-force
- Uploaded data isolated per-user and auto-deleted
- Credit card data handled entirely by Stripe (PCI DSS compliant)
7. Children
The Service is not intended for use by individuals under the age of 18.
8. Contact
Kiran Nayudu
Contact: GitHub Issues
Response time: within 30 days.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or notice on the Service.