PRIVACY

Your work is your work.

Last updated · April 26, 2026

Our promise to artists

  • Your work is never used to train AI - ours or anyone else's. Not your textures, not your strokes, not your masks, not your comments, not your reference uploads.
  • We block AI scrapers and crawlers from your projects at the edge, and tag every page with noai and noimageai so well‑behaved bots stay out.
  • We don't sell your data. No ad networks, no data brokers, no analytics that follow you around the web.
  • We collect the minimum we need to run Texel, sign you in, sync your sessions, and send the emails you asked for.

01Who we are

Texel is a collaborative texturing tool for the web. This Privacy Notice covers texel.art, the marketing site you're on now, and the Texel application (the painting tool, real‑time collaboration, asset storage, and exports). When we say "we" or "Texel", we mean the company building Texel.

If you have a question about anything in this notice, write to us at privacy@texel.art and we will get back to you.

02What we collect

We split this by where the data comes from so you can see exactly what each part of Texel touches.

From the marketing site & waitlist

When you join Early Access, we collect:

  • Your email address.
  • The role you picked (Artist, TD/Rigging, Art Director).
  • Your studio or team name (only if you fill it in).
  • UTM tags from the link you clicked (so we can see which posts and partners brought you in). These end up as a note on your contact record.

Waitlist contacts are stored with our email provider, Loops, until we send you your invite or you ask us to delete you. We don't run any third‑party analytics, ad pixels, or session‑replay scripts on this site.

From your Texel account

Sign‑in is handled by our identity provider, WorkOS. When you sign in we receive:

  • Your name and email.
  • The organisation/team you signed in to.
  • Whether your email is verified.

We don't see or store your password. If your studio uses single sign‑on (SAML/SCIM) or a passkey, those flows are handled by your identity provider - Texel just gets the result.

From your projects

When you upload, paint, or collaborate, we store the data needed to keep your project alive and in sync with your team:

  • 3D models and texture assets you upload - FBX meshes and image textures (.png, .jpg, .jpeg, .webp, .exr). Files are uploaded directly from your browser to our object store using short‑lived presigned URLs.
  • Project state - nodes, masks, brushes, paint strokes, node graphs, branches, comments, view bookmarks, and history. Real‑time collaboration uses CRDTs (Yjs) inside a per‑project Durable Object, so every edit you and your collaborators make ends up in your project's state.
  • Per‑project access - who is invited, who has read or write access, scoped permissions you've set on nodes, channels, or UDIMs.

Anything inside your project belongs to you. We act as custodian - your team's work, in your team's project, under your team's permissions.

From your browser & device

Like any service on the web, our servers and edge log basic information so we can run the thing and keep it secure: IP address, request paths and timestamps, user‑agent string, error traces. These are short‑lived operational logs - not a profile of you.

Texel runs in your browser; we use localStorage and sessionStorage for things like remembering your waitlist signup, theme choice, and session state. See the Cookies & local storage section for the specifics.

03AI, training & crawlers

This is the section artists care about most, so we are putting it up front and saying it plainly.

No training. No scraping. No exceptions.

  • We do not train AI models on your work. Not on your textures, masks, brush libraries, strokes, nodes, comments, prompts, chats, or reference uploads. Not for our models, not for any partner's models, not for any "general improvement" excuse.
  • We do not license, sell, or hand off your project content to AI dataset providers, image search indexes, or model trainers. Ever.
  • We block AI scrapers and crawlers. Both this site and the app are tagged X-Robots-Tag: noai, noimageai, noarchive and our robots.txt explicitly disallows known AI bots (GPTBot, ChatGPT‑User, Google‑Extended, Applebot‑Extended, Anthropic / ClaudeBot, CCBot, PerplexityBot, Bytespider, Meta‑ExternalAgent, Cohere, Diffbot, ImagesiftBot, and friends). When they ignore those, we block them at the network edge.
  • Our project URLs / assets are not crawlable. Project assets are served from short-lived presigned URLs scoped to your team - there's no public catalog of texture sets, no shareable scrape target, no indexable gallery.

What about the AI nodes inside Texel?

Texel ships AI nodes (upscale, mask‑aware fill, normal extraction, edge wear, etc.) as transparent operators in the same node graph as the rest of your tools. Here is exactly what happens with your data when you use them:

  • Lighter nodes run on your GPU in the browser. Inputs never leave your machine.
  • Heavier nodes run in a region you pick. Inputs are processed inside our infrastructure, in the region you selected, and are not retained beyond what's needed to return the result and keep your project's history reversible.
  • Your inputs and outputs are not used to train any model. Not the AI provider's model. Not ours. The models we ship are trained on data we have explicit licenses for.
  • Nothing leaves the project unless you flip the switch. External providers, on‑prem nodes, or community workflows are all opt‑in and labelled.
  • Every AI‑touched pixel keeps a trace. Each AI node keeps its source mask, parameters, and seed preserved on the graph, and you can export a manifest with the texture set when production needs to know exactly what was made by whom.

04How we use what we collect

We use your data only for the things you would expect:

  • To run Texel. Sign you in, load your project, sync paint strokes between collaborators, store your textures, render exports.
  • To keep it secure. Detect abuse, block scrapers, enforce per‑project permissions, investigate incidents.
  • To talk to you. Send your Early Access invite, account email like password resets and security alerts, and product updates if you opted into them.
  • To improve Texel. Aggregated, de‑identified usage signals (e.g. "how many people use UDIM workflows", "how often does the branch view get opened") - never your project content, and never resold.
  • To meet legal obligations. Tax, fraud prevention, responding to lawful requests.

We do not use your data for ad targeting, profile building, behavioural retargeting, or any kind of model training.

05Who we share it with

We use a small number of trusted vendors ("subprocessors") to run the service. Each one only sees the data it needs to do its job.

Cloudflare
Hosting, CDN, edge functions, real-time collaboration (Durable Objects), and asset storage (R2). All Texel traffic and project data runs on Cloudflare infrastructure.
WorkOS
Identity, sign-in, single sign-on, and organisation/team membership.
Loops
Transactional and Early Access email. Stores your email, role, optional studio name, and UTM source as a contact note.
Stripe
Billing and payments (only when paid plans launch). Stripe handles your card details directly - we never see them.

We do not sell your data. We do not share it with advertisers or data brokers. If we ever need to add a new subprocessor that touches your project content, we will update this page before they go live.

We may share data when we are legally required to (e.g. a valid court order). When we can, we will tell you first.

06Where your data lives

Texel runs on Cloudflare's global network. Project state lives in a Durable Object pinned to a region close to your team; assets live in R2, replicated across Cloudflare's data centres. Heavier AI compute runs in the region you pick. We don't move project content out of those regions.

If your team needs strict data residency (EU‑only, US‑only, on‑prem), talk to us - we have hooks for it on enterprise plans.

07How long we keep it

  • Project content - for as long as the project exists. When you delete a project, we remove its assets and durable state from active storage; backups roll off within 30 days.
  • Account info - while your account is active. After you delete your account, identifiers are wiped and only the minimum required for legal/tax purposes is retained.
  • Waitlist entries - until your invite goes out, or until you ask us to delete you.
  • Operational logs - short‑lived (typically 30 days), longer only when needed for security investigations.

08Your rights

Wherever you are, you can ask us to:

  • See what we hold about you.
  • Export your data in a portable format.
  • Correct anything that's wrong.
  • Delete your account and your projects.
  • Stop sending you marketing email (the unsubscribe link works, too).

Email privacy@texel.art and we'll handle it. If you're in the EU/UK, you also have the right to lodge a complaint with your local data protection authority.

09Cookies & local storage

We don't run advertising cookies. The cookies and browser storage Texel uses are the boring kind:

  • Sign‑in session - a secure, httpOnly session cookie set by WorkOS so you stay signed in.
  • Theme preference - stored locally so the app remembers light/dark.
  • Waitlist confirmation - once you sign up for Early Access, your email is remembered locally so the form doesn't ask you again. You can clear it from the success card.
  • UTM source - kept in sessionStorage for the duration of your visit, then sent with your waitlist signup so we know how you found us.

10Security

Texel is built with the basics done right: TLS everywhere, scoped presigned uploads, per‑project access checks on every WebSocket and API call, server‑side secrets stored in Cloudflare's secret store, and audit‑ready operation history at the project level. If you find a security issue, please email security@texel.art - we will respond fast and we won't sue researchers acting in good faith.

11Minimum age

Texel is built for working artists. You need to be at least 13 years old to use the Service - or 16 if you're in the EU or UK, where local digital‑consent law sets a higher floor. We don't knowingly collect data from anyone below that age. If you believe an underage account has been created, email privacy@texel.art and we'll remove it.

12Changes to this notice

If we materially change anything in this notice - especially anything in the AI section - we'll update the date at the top, post a clear note in the app, and email everyone with an account. We won't quietly walk back the promises on this page.

13Contact

For privacy questions, data requests, or anything in this notice: privacy@texel.art.

For security reports: security@texel.art.

For everything else: hello@texel.art.