Privacy Policy
Celiums.io Effective Date: June 1, 2025 Last Updated: June 1, 2025 Version: 2.0
Plain-English Summary (not a substitute for the full policy below) We collect your email address, IP address, API usage logs, and payment information (processed by Stripe). We do not use cookies. We do not sell your data. We do not use your prompts or queries to train AI models. You have strong rights over your data. Questions? Email privacy@celiums.io.
Table of Contents
- Who We Are and How to Contact Us
- Scope of This Policy
- Data We Collect — Specific Categories
- Legal Bases for Processing (GDPR Article 6)
- How We Use Your Data — Purpose Table
- Prompt and Query Data — AI Training Disclosure
- Automated Decision-Making and Profiling (GDPR Article 22)
- Data Retention Periods
- Sub-Processors and Third-Party Recipients
- International Data Transfers
- Your Rights Under GDPR (EU/EEA Residents)
- Your Rights Under UK GDPR (UK Residents)
- Your Rights Under CCPA/CPRA (California Residents)
- Children's Privacy (COPPA and GDPR Article 8)
- Security and Data Breach Notification
- Cookies, Tracking, and Do Not Track
- Layered Notice at Collection Points
- Changes to This Policy
- How to Exercise Your Rights
- Supervisory Authority Complaints
- Governing Law and Jurisdiction
1. Who We Are and How to Contact Us
Data Controller (GDPR/UK GDPR):
| Field | Detail |
|---|---|
| Company Name | Celiums.io |
| Legal Form / Jurisdiction | Corporation incorporated in Delaware, USA |
| Primary Contact | privacy@celiums.io |
| Postal Address | [Registered Agent Address, Delaware, USA] |
| EU Representative | [To be appointed under GDPR Article 27 — see note below] |
| UK Representative | [To be appointed under UK GDPR Article 27 — see note below] |
GDPR Article 27 Note: Celiums.io is a non-EU/EEA establishment that offers services to individuals in the EU/EEA and UK and monitors their behavior. We are therefore required to designate a representative in the EU/EEA and in the UK. Until formal appointment is published, all data subject requests and supervisory authority inquiries should be directed to privacy@celiums.io, which is monitored continuously. We are in the process of formally appointing representatives and will update this policy upon appointment.
There is no Data Protection Officer (DPO) currently appointed. All privacy inquiries are handled directly by our privacy team at privacy@celiums.io.
2. Scope of This Policy
This Privacy Policy applies to:
- All visitors to celiums.io and its subdomains;
- All registered users and API customers of the Celiums.io service;
- All individuals whose personal data we receive in connection with our services, including data received from third parties (GDPR Article 14).
This policy satisfies the transparency requirements of:
- GDPR Articles 13 and 14 (EU/EEA residents);
- UK GDPR Articles 13 and 14 (UK residents);
- CCPA/CPRA (California residents);
- COPPA (US residents under 13);
- Applicable US state privacy laws.
3. Data We Collect — Specific Categories
We collect only the personal data listed below. We do not collect special categories of personal data (GDPR Article 9) such as health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation.
3.1 Data You Provide Directly
| Data Element | Specific Description | Source |
|---|---|---|
| Email Address | Your registration and account email address (e.g., user@example.com) | Provided by you at registration |
| Payment Information | Billing name, billing address, last four digits of card, card brand, expiry date, and transaction identifiers. Full card numbers are never seen or stored by us. | Provided by you via Stripe's hosted payment interface |
3.2 Data Collected Automatically
| Data Element | Specific Description | Source |
|---|---|---|
| IP Address | IPv4 or IPv6 address of the device making API requests or accessing the website | Automatically collected by our servers and Cloudflare |
| API Usage Logs | Timestamp of each API call, API endpoint called, HTTP method, HTTP response code, response latency in milliseconds, API key identifier (hashed), and data volume in bytes. Prompt content and query content are logged separately — see Section 6. | Automatically generated by our API infrastructure |
| API Key Identifier | A hashed, non-reversible identifier derived from your API key, used to associate usage logs with your account without storing the raw key | Automatically generated at key creation |
3.3 Data We Do NOT Collect
We explicitly confirm we do not collect:
- Browser cookies of any kind (no session cookies, tracking cookies, or analytics cookies);
- Device fingerprints;
- Geolocation data beyond what is inherent in an IP address;
- Social media profile data;
- Special category data under GDPR Article 9;
- Data from children under 16 (EU) or under 13 (US) knowingly.
4. Legal Bases for Processing (GDPR Article 6)
For each category of personal data, we identify the specific legal basis under GDPR Article 6(1). Where we rely on legitimate interests under Article 6(1)(f), we document our balancing test below.
4.1 Legal Basis Table
| Data Category | Legal Basis | GDPR Article | Explanation |
|---|---|---|---|
| Email Address | Performance of a contract | Art. 6(1)(b) | Your email is necessary to create and maintain your account, authenticate your identity, send service notifications, and fulfill our contractual obligations to you. Without it, we cannot provide the service. |
| API Usage Logs | Performance of a contract | Art. 6(1)(b) | Usage logs are necessary to enforce your plan limits, calculate billing, provide usage dashboards, and ensure service delivery. Without them, we cannot perform the contract. |
| Payment Data (via Stripe) | Performance of a contract | Art. 6(1)(b) | Processing payment is a core element of the paid service contract. We also have a legal obligation to retain payment records for tax and accounting purposes (Art. 6(1)(c)). |
| IP Address | Legitimate interests | Art. 6(1)(f) | See balancing test in Section 4.2 below. |
| Prompt/Query Content | Performance of a contract | Art. 6(1)(b) | Prompt content is processed in real time to deliver the API response you requested. It is not retained beyond the request lifecycle except as described in Section 6. |
4.2 Legitimate Interests Balancing Test — IP Address
Purpose: We collect and temporarily retain IP addresses to:
- Protect the security and integrity of our API infrastructure (detect and block abuse, DDoS attacks, and unauthorized access);
- Enforce rate limiting and plan-based access controls;
- Comply with applicable law enforcement requests where legally required;
- Diagnose technical faults.
Our Interests: We have a legitimate interest in maintaining a secure, stable, and abuse-free service for all users. This is a genuine and pressing operational need.
Necessity Test: IP address collection is the minimum necessary for these purposes. We do not use IP addresses to build behavioral profiles, target advertising, or identify individuals beyond what is required for security purposes.
Balancing Against Data Subject Interests: IP addresses are pseudonymous data (they identify a device or network, not necessarily a named individual). We retain them for only 30 days (see Section 8), after which they are permanently deleted. We apply access controls limiting who can query IP logs. The impact on data subjects is low given the short retention period and limited use.
Conclusion: Our legitimate interests are not overridden by the interests or fundamental rights of data subjects, given the limited retention period, pseudonymous nature of the data, and the genuine security purpose served.
Right to Object: You have the right to object to this processing at any time. See Section 11.
5. How We Use Your Data — Purpose Table
| Purpose | Data Used | Legal Basis | Notes |
|---|---|---|---|
| Account creation and authentication | Email, API key identifier | Contract | Core service delivery |
| Service delivery (API responses) | Prompt/query content, API key identifier | Contract | Real-time processing only |
| Billing and invoicing | Email, usage logs, payment data | Contract + Legal obligation | Stripe processes card data |
| Usage monitoring and plan enforcement | Usage logs, IP address, API key identifier | Contract (logs), Legitimate interest (IP) | Automated — see Section 7 |
| Security, fraud prevention, abuse detection | IP address, usage logs | Legitimate interest | 30-day IP retention |
| Service communications (transactional) | Contract | Account alerts, billing notices | |
| Legal compliance and tax records | Payment data, email | Legal obligation | 7-year retention |
| Responding to legal requests | IP address, usage logs, email | Legal obligation | Only when legally compelled |
| Service improvement (aggregated, anonymized analytics) | Anonymized usage statistics | Legitimate interest | No individual is identifiable |
We do not use your data for:
- Behavioral advertising or retargeting;
- Sale to third parties;
- Sharing for cross-context behavioral advertising;
- Training AI or machine learning models (see Section 6).
6. Prompt and Query Data — AI Training Disclosure
This section is critically important. Please read it carefully.
6.1 What Happens to Your Prompts and Queries
When you submit a prompt or query through the Celiums.io API:
- Real-time processing: Your prompt is transmitted to the relevant AI model provider to generate a response. This transmission is governed by the model provider's terms and data processing agreements.
- No retention by Celiums.io: Celiums.io does not store the content of your prompts or queries in our databases beyond the duration of the API request/response cycle.
- No training use: Celiums.io does not use your prompts, queries, or API responses to train, fine-tune, or otherwise improve any AI or machine learning model. This is an absolute commitment.
- No profiling from prompts: We do not analyze prompt content to build profiles about you, infer your characteristics, or make decisions about you.
6.2 Metadata vs. Content
We distinguish between:
- Prompt content (what you ask): Not retained, not used for training, not analyzed.
- Request metadata (that you made a request, when, how large): Retained as API usage logs for 90 days for billing and service purposes (see Section 8).
6.3 Downstream Model Providers
If Celiums.io routes your request to a third-party AI model provider, that provider's own data processing terms apply to how they handle prompt data. We will maintain an up-to-date list of model providers and their data handling commitments at celiums.io/sub-processors or upon request to privacy@celiums.io.
7. Automated Decision-Making and Profiling (GDPR Article 22)
7.1 Automated Processing We Perform
We use automated systems for the following purposes:
| Automated Process | Description | Effect on You | Human Review Available? |
|---|---|---|---|
| Rate Limiting | Our systems automatically count API requests per time window and throttle or temporarily block requests that exceed your plan's rate limits. | Your API requests may be temporarily rejected (HTTP 429) if you exceed your rate limit. This is a temporary, reversible effect. | Yes — contact support@celiums.io |
| Plan Enforcement | Our systems automatically compare your usage against your subscribed plan and restrict access to features or volume not included in your plan. | Access to certain API endpoints or volumes may be restricted. | Yes — contact support@celiums.io |
| Abuse Detection | Our systems flag unusual usage patterns (e.g., abnormally high request volumes from a single IP) for security review. | Flagged accounts may be temporarily suspended pending human review. | Yes — human review is always conducted before permanent action |
7.2 What We Do NOT Do
- We do not engage in profiling for marketing purposes.
- We do not make automated decisions that produce legal effects or similarly significant effects on individuals based on personal characteristics (GDPR Article 22(1)).
- Rate limiting and plan enforcement are based solely on your contractual plan terms, not on any assessment of your personal characteristics.
7.3 Your Rights Regarding Automated Processing
If you believe an automated decision has been applied to your account incorrectly, you have the right to:
- Request human review of the decision;
- Express your point of view;
- Contest the decision.
Contact us at privacy@celiums.io or support@celiums.io to exercise these rights.
8. Data Retention Periods
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law. The following periods are specific and binding.
| Data Category | Retention Period | Basis for Period | What Happens After |
|---|---|---|---|
| Account Data (email, account settings) | Duration of account + 30 days after account deletion request | Contract performance; 30-day grace period for account recovery | Permanently and irreversibly deleted after 30-day grace period |
| API Usage Logs (metadata: timestamps, endpoints, response codes, volumes) | 90 days from the date of each log entry | Contract performance (billing, plan enforcement) | Automatically purged after 90 days |
| IP Address Logs | 30 days from collection | Legitimate interest (security, abuse prevention) | Automatically purged after 30 days |
| Payment Records (transaction IDs, billing amounts, billing address, last 4 digits) | 7 years from transaction date | Legal obligation (US tax law, IRS requirements, applicable financial regulations) | Securely archived then deleted after 7 years |
| Prompt/Query Content | Not retained beyond the request/response cycle | Not applicable | Never written to persistent storage by Celiums.io |
| Correspondence with us (support emails, privacy requests) | 3 years from last correspondence | Legitimate interest (legal defense, audit trail) | Deleted after 3 years |
8.1 Early Deletion
You may request deletion of your data before the end of the standard retention period. We will honor such requests except where retention is required by law (e.g., the 7-year payment record requirement). See Section 11 for how to exercise your right to erasure.
8.2 Anonymization
Where we retain data for analytics or service improvement purposes beyond the periods above, we first anonymize it such that no individual can be identified, directly or indirectly. Anonymized data is not personal data and is not subject to this policy.
9. Sub-Processors and Third-Party Recipients
We use the following sub-processors to deliver our service. Each has been assessed for GDPR compliance. We do not sell data to any third party.
9.1 Complete Sub-Processor List
| Sub-Processor | Purpose | Data Shared | Location | Transfer Mechanism | DPA/Compliance |
|---|---|---|---|---|---|
| DigitalOcean, LLC | Cloud infrastructure hosting; stores account data, usage logs, and application databases | Email, usage logs, IP address, API key identifiers | United States (primary); data centers in US regions | Standard Contractual Clauses (SCCs — 2021 EU Commission SCCs) + DigitalOcean DPA | DigitalOcean DPA available at digitalocean.com/legal/data-processing-agreement |
| Stripe, Inc. | Payment processing; handles all card transactions and billing | Billing name, billing address, email, transaction data | United States | EU-U.S. Data Privacy Framework (DPF) certified | Stripe DPF certification; Stripe DPA available at stripe.com/legal/dpa |
| Cloudflare, Inc. | Content Delivery Network (CDN), Web Application Firewall (WAF), DDoS protection | IP addresses, HTTP request metadata (in transit) | Global edge network (data processed in US and EU nodes) | EU-U.S. Data Privacy Framework (DPF) certified | Cloudflare DPF certification; Cloudflare DPA available at cloudflare.com/gdpr/introduction |
| Resend, Inc. | Transactional email delivery (account notifications, billing emails) | Email address, email content (transactional only) | United States | Standard Contractual Clauses (SCCs — 2021 EU Commission SCCs) | Resend DPA available at resend.com/legal/dpa |
9.2 Sub-Processor Changes
We will provide 30 days' advance notice of any new sub-processor or material change to an existing sub-processor's role by updating this policy and notifying registered users by email. You may object to a new sub-processor by contacting privacy@celiums.io. If we cannot accommodate your objection, you may terminate your account and receive a pro-rata refund for unused prepaid service.
9.3 No Sale of Data
We do not sell personal data to any third party. We do not share personal data with advertising networks, data brokers, or any party for commercial purposes unrelated to service delivery.
10. International Data Transfers
10.1 Overview
Celiums.io is incorporated in the United States. When you use our service from the EU/EEA or UK, your personal data is transferred to and processed in the United States. We take all legally required steps to ensure such transfers are lawful and that your data receives an equivalent level of protection.
10.2 Transfer Mechanisms for EU/EEA Residents
For transfers of personal data from the EU/EEA to the United States, we rely on the following mechanisms:
a) Standard Contractual Clauses (SCCs)
For sub-processors not covered by the Data Privacy Framework, we use the European Commission's Standard Contractual Clauses (SCCs) adopted on June 4, 2021 (Commission Implementing Decision (EU) 2021/914). These SCCs are incorporated into our Data Processing Agreements with DigitalOcean and Resend.
b) EU-U.S. Data Privacy Framework (DPF)
Stripe and Cloudflare are certified under the EU-U.S. Data Privacy Framework, which was adopted by the European Commission on July 10, 2023 (Adequacy Decision C(2023) 4745). This framework provides an adequate level of protection for personal data transferred to certified US organizations.
c) Schrems II Transfer Impact Assessments (TIA)
Following the Court of Justice of the European Union's judgment in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Case C-311/18, "Schrems II"), we have conducted Transfer Impact Assessments (TIAs) for each US-based sub-processor. Our TIAs assess:
- The legal framework of the destination country (US surveillance laws including FISA Section 702, EO 12333);
- The nature of the data transferred (pseudonymous, limited categories, no special category data);
- The technical and organizational safeguards in place (encryption in transit and at rest, access controls, data minimization);
- The practical likelihood of government access given the nature of our business and data.
Our TIA conclusions are that, given the pseudonymous and limited nature of the data transferred, the short retention periods, the encryption measures applied, and the contractual protections in the SCCs and DPF, the transfers present an acceptable risk level. TIA summaries are available upon request to privacy@celiums.io.
10.3 Transfer Mechanisms for UK Residents
For transfers of personal data from the United Kingdom to the United States, we rely on the International Data Transfer Agreement (IDTA), which was approved by the UK Information Commissioner's Office (ICO) and came into force on March 21, 2022, as the UK's post-Brexit equivalent of the EU SCCs.
We have incorporated the IDTA into our data processing agreements with sub-processors that receive UK personal data. The IDTA is used in conjunction with the UK Addendum to the EU SCCs where applicable.
10.4 Requesting Transfer Documentation
You may request a copy of the relevant SCCs, IDTA, or DPA documentation by emailing privacy@celiums.io. We will provide these within 30 days.
11. Your Rights Under GDPR (EU/EEA Residents)
If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation. These rights are not absolute and are subject to legal limitations, but we will always explain our reasoning if we cannot fulfill a request.
11.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about how it is processed (purposes, categories, recipients, retention periods, safeguards for transfers, and your rights).
How to exercise: Email privacy@celiums.io with subject line "GDPR Access Request." Response time: Within 30 days (extendable by 2 months for complex requests, with notice). Cost: Free of charge for the first request. We may charge a reasonable fee for manifestly unfounded or excessive repeat requests.
11.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete personal data completed without undue delay.
How to exercise: Email privacy@celiums.io or update your account settings directly.
11.3 Right to Erasure / "Right to Be Forgotten" (Article 17)
You have the right to request deletion of your personal data where:
- The data is no longer necessary for the purposes for which it was collected;
- You withdraw consent (where consent was the legal basis);
- You object to processing and there are no overriding legitimate grounds;
- The data has been unlawfully processed;
- Deletion is required by EU or Member State law.
Limitations: We cannot delete payment records required by tax law (7-year retention) or data we are legally compelled to retain.
How to exercise: Email privacy@celiums.io with subject line "GDPR Erasure Request."
11.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data (i.e., store it but not use it) where:
- You contest the accuracy of the data (restriction applies during verification);
- Processing is unlawful but you prefer restriction over erasure;
- We no longer need the data but you need it for legal claims;
- You have objected to processing pending verification of our legitimate grounds.
11.5 Right to Data Portability (Article 20)
Where processing is based on contract or consent and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and to transmit it to another controller.
Scope: This applies to data you provided to us (email address, account settings). It does not apply to derived data (e.g., usage logs generated by our systems).
11.6 Right to Object (Article 21)
You have the right to object at any time to processing based on legitimate interests (Article 6(1)(f)), including the processing of your IP address described in Section 4.2. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
You also have the right to object at any time to processing for direct marketing purposes (we do not conduct direct marketing, but this right exists).
11.7 Right to Withdraw Consent (Article 7(3))
Where we rely on consent as a legal basis (we currently do not rely on consent for any processing described in this policy), you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
11.8 Right Not to Be Subject to Solely Automated Decisions (Article 22)
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. See Section 7 for our automated processing disclosures and how to request human review.
11.9 Right to Lodge a Complaint with a Supervisory Authority (Article 77)
You have the right to lodge a complaint with a data protection supervisory authority. You may do this in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
Key supervisory authorities include:
| Country | Authority | Website |
|---|---|---|
| Ireland | Data Protection Commission (DPC) | dataprotection.ie |
| Germany | Federal Commissioner for Data Protection (BfDI) + State DPAs | bfdi.bund.de |
| France | Commission Nationale de l'Informatique et des Libertés (CNIL) | cnil.fr |
| Netherlands | Autoriteit Persoonsgegevens (AP) | autoriteitpersoonsgegevens.nl |
| Sweden | Integritetsskyddsmyndigheten (IMY) | imy.se |
| All EU/EEA | Full list at EDPB | edpb.europa.eu/about-edpb/about-edpb/members_en |
We encourage you to contact us first at privacy@celiums.io so we can attempt to resolve your concern directly, but you are under no obligation to do so before contacting a supervisory authority.
12. Your Rights Under UK GDPR (UK Residents)
If you are located in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation (as retained in UK law by the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018.
Your rights mirror those in Section 11 above. The key differences for UK residents are:
- Supervisory Authority: The Information Commissioner's Office (ICO) is the UK supervisory authority.
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Online complaint form: ico.org.uk/make-a-complaint
- Transfer Mechanism: Transfers of your data to the US are governed by the IDTA (see Section 10.3) rather than EU SCCs.
- Adequacy: The UK has not adopted the EU-U.S. DPF as an adequacy mechanism; we rely on the IDTA for UK-to-US transfers.
To exercise any of your UK GDPR rights, contact privacy@celiums.io.
13. Your Rights Under CCPA/CPRA (California Residents)
This section applies to residents of California and supplements the rest of this policy. It is provided pursuant to the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA).
13.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
| CCPA Category | Specific Data Elements | Collected? |
|---|---|---|
| Identifiers | Email address, IP address, API key identifier | Yes |
| Commercial Information | Transaction records, billing history, subscription plan | Yes |
| Internet or Other Electronic Network Activity | API usage logs (timestamps, endpoints, response codes) | Yes |
| Financial Information | Last 4 digits of payment card, billing address (via Stripe) | Yes (limited) |
| Geolocation Data | Approximate location derived from IP address | Incidental only |
| Inferences | No inferences drawn about preferences or characteristics | No |
| Sensitive Personal Information | None collected | No |
13.2 Purposes for Collection
We collect the above categories for the following business purposes:
- Providing and improving our API service;
- Processing payments and managing subscriptions;
- Security, fraud prevention, and abuse detection;
- Legal compliance and responding to legal process;
- Internal analytics (aggregated and anonymized only).
13.3 No Sale of Personal Information
We do not sell your personal information. We have not sold personal information in the preceding 12 months. We do not sell personal information of consumers under 16 years of age.
13.4 No Sharing for Cross-Context Behavioral Advertising
We do not share your personal information for cross-context behavioral advertising as defined by the CPRA. We have not shared personal information for this purpose in the preceding 12 months.
13.5 Disclosure of Personal Information to Third Parties
We disclose personal information to our sub-processors (listed in Section 9) for business purposes only. These disclosures are governed by written contracts that prohibit the sub-processor from using the data for any purpose other than performing services for us.
13.6 Your CCPA/CPRA Rights
a) Right to Know (Sections 1798.100, 1798.110, 1798.115) You have the right to request that we disclose: the categories and specific pieces of personal information we have collected about you; the categories of sources; the business or commercial purpose for collection; and the categories of third parties with whom we share it.
b) Right to Delete (Section 1798.105) You have the right to request deletion of personal information we have collected about you, subject to certain exceptions (e.g., completing a transaction, legal obligations).
c) Right to Correct (Section 1798.106) You have the right to request correction of inaccurate personal information.
d) Right to Opt-Out of Sale or Sharing (Section 1798.120) As we do not sell or share personal information, this right is not applicable, but we honor it by default.
e) Right to Limit Use of Sensitive Personal Information (Section 1798.121) We do not collect sensitive personal information as defined by the CPRA.
f) Right to Non-Discrimination (Section 1798.125) We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge different prices, or provide a different quality of service because you exercised your rights.
13.7 How to Submit a CCPA Request
Email privacy@celiums.io with subject line "CCPA Privacy Request." We will verify your identity before processing your request. We will respond within 45 days (extendable by an additional 45 days with notice).
You may designate an authorized agent to submit requests on your behalf. Authorized agents must provide written authorization signed by you.
14. Children's Privacy (COPPA and GDPR Article 8)
14.1 Age Restrictions
Celiums.io is not directed to children and is not intended for use by:
- Individuals under 16 years of age in the EU/EEA (pursuant to GDPR Article 8 and applicable Member State law);
- Individuals under 13 years of age in the United States (pursuant to the Children's Online Privacy Protection Act, COPPA, 15 U.S.C. §§ 6501–6506).
Where EU Member States have set a lower age of digital consent (minimum 13 under GDPR Article 8(1)), we apply the higher threshold