Privacy Policy

1. Who We Are & Scope

Photomatic is an AI photo and video editing, enhancement and design service available on the web and as a mobile app. For data we collect to run our own Services, we act as the “data controller”.

Where we process content strictly on behalf of a business customer under a contract, we act as a “data processor” and handle that data according to the customer’s instructions.

This Policy covers all platforms — web, iOS and Android — and all features, including AI generation, editing tools, effects and account services.

2. Information You Provide to Us

• Account information: your name, email address and profile photo — provided directly or through a third-party sign-in (such as Google or Apple) handled via Firebase Authentication.
• Content you upload: photos, images, videos and text prompts that you submit to be edited, enhanced, restored or used to generate new media. These may contain faces and other personal information.
• Purchase information: the plan or credit pack you buy, billing country and transaction details processed by our payment providers (we do not store full card numbers).
• Communications: messages, support tickets, survey responses and feedback you send us.

3. Information We Collect Automatically

• Usage and event data: features used, buttons tapped, screens viewed, generations created, session duration and in-app actions — collected through analytics tools (Mixpanel and PostHog).
• Device and technical data: device model, operating system and version, app version, language, time zone, network information, crash logs and unique device or installation identifiers.
• Approximate location: a coarse location (such as country or city) derived from your IP address — we do not collect precise GPS location.
• Subscription and purchase events: subscription status, entitlements, renewals and cancellations, managed through RevenueCat together with the relevant payment provider or app store.
• Cookies and similar technologies on our website (see our Cookie Policy).

4. Photos & Face Data — What We Do With Them

Many Photomatic features work on photos that contain people’s faces. We want to be completely clear about how this works:

• Purpose-limited: your photos and any faces in them are processed for the sole purpose of producing the edit, effect, enhancement or generated result you request.
• Sent to AI models: to create your result, the image (which may include faces) is securely transmitted to AI model providers — both our own and trusted third-party models — that perform the generation or editing.
• Temporary storage: uploaded images and generated outputs are temporarily stored on our servers and cloud storage while we process your request and keep your recent history available to you. They are automatically deleted after a limited retention period, or sooner if you delete them or your account.
• No facial recognition or identification: we do not use facial recognition to identify or verify who you are, we do not match your face against any database, and we do not build face-recognition profiles.
• No model training on your data: we do not use your photos, faces or generated outputs to train, fine-tune or improve any AI model without your explicit, separate opt-in consent.
• No sale: we never sell your photos, faces or any personal information.

5. Sensitive / Biometric Data & Consent

Some laws (such as the GDPR, Illinois BIPA and others) may treat facial geometry derived from a photo as sensitive or biometric data. Where such laws apply, we rely on your explicit consent — given when you choose to upload an image and use a face-related feature — as our legal basis for processing.

You can withdraw that consent at any time by stopping use of those features, deleting the content, or deleting your account. Withdrawing consent does not affect processing already carried out.

6. How We Use Your Information

• To provide, operate, maintain and improve the Services and their AI features.
• To process your uploads and deliver the edits, effects, enhancements and generated media you request.
• To create and manage your account and authenticate your sign-in.
• To process payments, subscriptions, credits, renewals and refunds.
• To measure and analyze usage so we can improve performance, reliability and the user experience.
• To personalize the product experience and remember your preferences.
• To provide customer support and respond to your requests.
• To detect, investigate and prevent fraud, abuse, security incidents and technical issues.
• To send service and transactional messages, and (where permitted) product updates you can opt out of.
• To comply with legal obligations and enforce our Terms.

7. Legal Bases for Processing (GDPR)

• Performance of a contract — to deliver the Services and features you sign up for.
• Consent — for processing photos and face data where required, for non-essential analytics, and for optional marketing; you may withdraw consent at any time.
• Legitimate interests — to secure, analyze, troubleshoot and improve the Services, provided your rights do not override those interests.
• Legal obligation — to meet tax, accounting, consumer-protection and other legal requirements.

8. Service Providers & Subprocessors

We share data with trusted third parties that process it on our behalf under contracts requiring appropriate confidentiality and security safeguards. Our key providers include:

• Firebase (Google) — authentication, app infrastructure and hosting.
• Mixpanel — product analytics and event tracking.
• PostHog — product analytics and feature-usage insights.
• RevenueCat — subscription and in-app purchase management.
• Razorpay — payment processing (primarily for customers in India).
• Paddle — payment processing and merchant-of-record services (for international customers).
• Cloud hosting and storage providers used to run the Services and temporarily store content.
• AI model providers (our own and trusted third parties) that process your prompts and images to generate results.

9. Payments

Payments on the web are processed by Razorpay and/or Paddle depending on your region; in-app purchases are processed by the Apple App Store or Google Play. Where Paddle acts as merchant of record, it handles billing, tax and receipts.

These providers receive the information needed to complete your transaction (such as billing details and amount). We do not receive or store your full card or banking credentials.

10. When We Share for Other Reasons

• We do not sell your personal information.
• Legal and safety: to comply with the law, a legal process or a valid government request, or to protect the rights, safety and property of users, the public or Photomatic.
• Business transfers: in connection with a merger, acquisition, financing or sale of assets, with notice as required by law.
• Aggregated/de-identified data: information that cannot reasonably be used to identify you.

11. International Data Transfers

We and our providers may process and store data in countries other than yours, including the United States, the European Union and India. Where required, we use appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or reliance on recognized transfer frameworks.

12. Data Retention

We keep account information while your account is active. Uploaded images and generated outputs are kept only for a limited period to provide your history and then deleted. Analytics, billing and transaction records may be retained longer where needed for legitimate business, accounting and legal purposes. You can request deletion of your data at any time.

13. Your Privacy Rights

Depending on where you live, you may have some or all of the following rights:

• Access — request a copy of the personal data we hold about you.
• Correction — ask us to fix inaccurate or incomplete data.
• Deletion — ask us to delete your personal data, including uploaded photos.
• Portability — receive your data in a portable format.
• Withdraw consent — including for photo/face processing, at any time.
• Object / restrict — object to or restrict certain processing.
• Opt out of “sale” or “sharing” and limit the use of sensitive personal information (CCPA/CPRA).
• Complain — lodge a complaint with your local data protection authority.

14. How to Exercise Your Rights

You can manage much of your data in-app (for example, editing your profile or deleting content and your account). To make a formal request, email [email protected]. We will verify your identity and respond within the timeframe required by applicable law.

15. Children’s Privacy

The Services are not directed to children under 13 (or the minimum age required in your country). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

16. Data Security

We use encryption in transit, access controls, monitoring and other technical and organizational measures to protect your data. While no method of transmission or storage is completely secure, we work continuously to safeguard your information and limit retention of sensitive content.

17. Changes to This Policy

We may update this Policy from time to time. Material changes will be posted on this page with a new “Last updated” date and, where appropriate, communicated in-app or by email. Your continued use of the Services after changes take effect means you accept the updated Policy.

18. Contact Us

For privacy questions or to exercise your rights, contact us at [email protected]. For billing and refund matters, contact [email protected].