Privacy Policy

This Privacy Policy explains how ProPicture App ("ProPicture", "we", "us") collects, uses, and protects information when you use our website, web application, and related services (the "Service"). The Service is operated by Murat Çimen, a sole proprietor based in Türkiye, acting as the data controller. You can reach us at [email protected].

We do not knowingly collect data from anyone under 18. The Service is intended for adults only.

We collect only what we need to run the Service.

• Account data. When you sign up with email and password, we store your email address and a securely hashed password. When you sign in with Google, we receive your email address, name, profile picture, and a Google account identifier. We do not receive your Google password.
• Uploaded photos. Photos you upload are stored so we can run AI edits and so you can access your generation history.
• Generated images. Images produced by our AI tools are stored in your account under /files until you delete them or close your account.
• Billing metadata. Subscriptions and credit purchases are processed by Polar.sh, our Merchant of Record. Polar receives your payment details directly. We receive only the metadata needed to grant you access: customer ID, plan, status, renewal date, and amount.
• Usage and device data. Server logs (IP address, user agent, timestamps), generation history, and basic device information needed to deliver and secure the Service.
• Analytics. Aggregate usage measured through Google Analytics (with your consent) and Cloudflare Web Analytics (cookieless and privacy-preserving).

• To provide and operate the Service, including AI generation.
• To authenticate you and keep your account secure.
• To process payments and manage subscriptions through Polar.sh.
• To debug, prevent abuse, fight fraud, and enforce our Terms of Service.
• To send transactional and account-related emails.
• To understand product usage in aggregate, so we can improve the Service.
• To comply with our legal obligations.

We do not use your photos to train AI models. Your photos are sent to our AI processors only to generate the output you requested. The processors we use (Google Gemini API and fal.ai API) state in their developer terms that paid API inputs are not used to train their general-purpose models. We do not opt your content into any training program.

If you are in the EEA, UK, or Switzerland, we rely on:

• Contract — to create your account, process your photos, deliver generations, and bill you.
• Legitimate interests — to keep the Service secure, prevent abuse, debug, and run cookieless analytics.
• Consent — for cookie-based analytics and any non-essential tracking. You can withdraw consent at any time.
• Legal obligation — for tax, accounting, and law-enforcement requests.

We share data with the following providers strictly to operate the Service. Each is bound by their own privacy terms and processes data on our behalf or as an independent controller where indicated.

We do not sell or rent your personal data, and we do not share it for cross-context behavioural advertising.

Some of our processors are based outside Türkiye, the EEA, and the UK (mainly the United States). When we transfer personal data internationally we rely on the providers' Standard Contractual Clauses or equivalent safeguards, and on the European Commission's adequacy decisions where they apply.

• Account data: until you delete your account.
• Uploaded photos and generations: until you delete them or close your account.
• Server logs: typically up to 90 days, longer if needed to investigate abuse or comply with the law.
• Billing records: as long as required by Turkish tax law (currently 10 years), held by us and by Polar.sh.

You can request deletion at any time by emailing [email protected]. We will action it within 30 days.

Subject to local law, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your data ("right to be forgotten").
• Restrict or object to certain processing.
• Receive your data in a portable, machine-readable format.
• Withdraw consent for cookie-based analytics at any time.
• Lodge a complaint with your local supervisory authority (in Türkiye, the Personal Data Protection Authority "KVKK").

California residents (CCPA / CPRA): you have the right to know, delete, correct, and limit the use of sensitive personal information, and to opt out of "sale" or "sharing." We do not sell or share your personal information as defined by the CCPA.

To exercise any right, email [email protected]. We may need to verify your identity before responding.

• Strictly necessary cookies keep you signed in and protect against cross-site request forgery. The Service does not work without them.
• Analytics cookies (Google Analytics) are loaded only with your consent. You can change your choice at any time from your browser or via the cookie banner.
• Cloudflare Web Analytics measures aggregate traffic without setting cookies and without tracking you across sites.

We use HTTPS for all traffic, hash passwords with industry-standard algorithms, restrict production access, and rely on reputable cloud providers for storage and compute. No system is perfectly secure; if we ever detect a breach affecting your data, we will notify you and the relevant authorities as required by law.

The Service is for users aged 18 and over. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it.

We may update this Privacy Policy as the Service evolves. If changes are material, we will notify you by email or through an in-app notice before they take effect. The "Effective date" at the top reflects the latest version.

Questions, requests, or complaints about your privacy: [email protected].