PRIVACY POLICY

Welcome to Avatoy's Privacy Policy

Paper Code Adrianna Błaszczyńska ("Company", "us", "we", or "our") owns and operates https://www.avatoy.ai and the Avatoy mobile application (hereinafter referred to as "Service").

The Company's Privacy Policy governs your visit to https://www.avatoy.ai and Avatoy mobile application, and explains how we collect, manage, use, safeguard and disclose Personal Information that results from your use of our Service, which is subject to the privacy principles set out in the general law intended to protect your privacy, as amended from time to time, and where relevant by the European Union General Data Protection Regulations (EU) 2016/679 (the GDPR), California Privacy Protection Act (the CalOPPA) and California Consumer Privacy Act (the CCPA).

We use your data to provide and improve Service. By using Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms of Use.

Our Terms of Use ("Terms") govern all use of our Service and together with the Privacy Policy constitutes your agreement with us ("Agreement").

Data Minimization: We follow the principle of data minimization, collecting and processing personal data that is necessary to operate and improve the Service.

Crash Reporting: Crash reports are automatically collected to help us improve the Service. For more details, see the "Crash Reports" section below.

TYPES OF DATA COLLECTED

USE OF DATA

We use your data to provide and maintain the Service, process payments, provide customer support, improve the Service, and comply with legal obligations. We do not use your photos for any purpose other than generating images.

Generated Images Ownership

We do not claim ownership of the images generated from your photos. As between you and us, you are responsible for how you use generated images. You may use generated images for your own personal, non-commercial purposes. We do not provide any warranties or guarantees for commercial use of generated images. You are solely responsible for evaluating whether your commercial use complies with all applicable laws and third-party rights. If you choose to use generated images commercially, you do so entirely at your own risk. Because generative AI models may produce similar outputs for different users and may reflect patterns from training data, we cannot guarantee that generated images are unique or free from third-party rights.

RETENTION OF DATA

Original Photos: Original photos are deleted from our own storage after processing. We retain only non-identifiable metadata (e.g., timestamps, style selections, credit costs).

Generated Images: Generated images are temporarily stored on our servers during generation and delivery. Once downloaded to your device, the server copy is deleted. Downloaded images are stored locally on your device only.

Account Data: We retain your account information and generation metadata for as long as your account is active. For purposes of this policy, an account is considered "active" if you have logged into or used the Service within the preceding 12 months. You may request deletion by contacting us at support@avatoy.ai. Some data, such as transaction records, may be retained as required by law.

Transaction Data: Purchase and subscription records are retained as required by law.

Diagnostic Data: Crash reports and log files are retained for service improvement. You may request deletion of your personal data. Due to the technical nature of crash reports (which are not linked to account identifiers), we may not always be able to identify and delete individual crash reports already stored by Crashlytics. We may need to retain some diagnostic data for security or legal compliance purposes.

DATA DELETION

You have the right to request deletion of your personal data. However, some data cannot be deleted due to legal, accounting, or security requirements. To request deletion:

1. Account Deletion: Contact us at support@avatoy.ai with your user ID (found in Settings) to request complete account deletion. Upon account deletion:
   • Your user account and UID will be removed
   • Generation metadata will be deleted
   • Transaction records may be retained as required by law (anonymized)
   • Locally stored images on your device will remain until you delete them manually
2. Individual Data Deletion: You may request deletion of specific data types. We will process your request promptly, subject to legal retention requirements.
3. Automatic Deletion: Generated images in cloud storage are automatically deleted after download or after a limited period if not downloaded.

Account Access: The Service uses anonymous, device-based authentication. Restoring your account depends on available device data and backups. For details about account persistence, see our Terms of Use.

Some data may need to be retained for legal, accounting, or security purposes even after account deletion.

TRANSFER OF DATA

Your information, including Personal Data, may be transferred to – and maintained on – computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

If you are located outside United States and choose to provide information to us, please note that we transfer the data, including Personal Data, to United States and process it there. Your data may be processed in the United States. This transfer is necessary for the performance of our contract with you and for our legitimate interests in providing the Service.

Data Transfer Safeguards: We transfer personal data to the United States using appropriate safeguards. Our service providers, including Google Cloud and Firebase, participate in the EU-U.S. Data Privacy Framework (DPF) and UK Extension to the EU-U.S. DPF, where applicable. For other service providers, we use appropriate safeguards such as standard contractual clauses or equivalent mechanisms. For more information about the Data Privacy Framework, please visit https://www.dataprivacyframework.gov/.

The Company will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

DISCLOSURE OF DATA

We may disclose personal information that we collect, or you provide:

Disclosure for Law Enforcement.

Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities.

Business Transaction.

If we are involved in a merger, acquisition or asset sale, your Personal Data may be transferred.

Other cases. We may disclose your information also:

• to contractors, service providers, and other third parties we use to support our business;
• to fulfill the purpose for which you provide it;
• for any other purpose disclosed by us when you provide the information;
• with your consent in any other cases;
• if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of the Company, our customers, or others.

SECURITY OF DATA

We implement industry-standard technical and organizational security measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
• Encryption at rest: Data stored on our servers is encrypted using Google Cloud's default encryption at rest
• Access controls: Access to personal data is restricted to authorized personnel only
• App attestation: We use Firebase App Check to verify that requests come from legitimate app instances, helping protect against abuse and fraud
• Regular security assessments: We conduct regular security assessments and updates

YOUR RIGHTS

General Data Protection Rights

You have the following rights in relation to your Data:

• Right to access - the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is "manifestly unfounded or excessive." Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the reasons why.
• Right to correct - the right to have your Data rectified if it is inaccurate or incomplete.
• Right to erase - the right to request that we delete or remove your Data from our systems.
• Right to restrict our use of your Data - the right to "block" us from using your Data or limit the way in which we can use it.
• Right to data portability - the right to request that we move, copy or transfer your Data.
• Right to object - the right to object to our processing of your Personal Data including where we use it for our legitimate interests.
• Right to withdraw consent - the right to withdraw your consent at any time where we rely on your consent to process your personal information. Note: Because we do not currently rely on consent as a legal basis for processing, withdrawal of consent does not affect our ongoing processing under other legal bases (contract, legitimate interests, legal obligation).

To make enquiries or exercise any of your rights set out above, please contact us via this e-mail address: support@avatoy.ai. Please note that we may ask you to verify your identity before responding to such requests. Due to anonymous authentication, you must provide your user ID (found in Settings) to make a request. Some data is necessary to provide the Service.

If you are not satisfied with the way a complaint you make in relation to your Data is handled by us, you may be able to refer your complaint to the relevant data protection authority. If you are a resident of the European Economic Area (EEA), you have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the EEA.

Legal Basis for Processing (EEA Users)

Under the GDPR, we process your personal data based on the following legal bases:

Data Processors:

Google Cloud and Google Firebase act as data processors under our data processing agreement with Google.

Our other third-party AI processing provider(s) act as data processors under separate data processing agreements we have in place with them.

• Contract: Processing necessary for the performance of a contract with you, including:
  • Service operation and image generation functionality
  • Billing and payment processing
  • Account management and subscription services
• Legitimate Interests: Processing necessary for our legitimate interests, including:
  • Analytics and usage data collection to improve our Service
  • Security and fraud prevention
  • Technical support and customer service
  • Service maintenance and optimization
• Legal Obligation: Processing necessary to comply with legal obligations, including:
  • Tax and accounting record retention
  • Compliance with applicable laws and regulations
• Consent: We do not currently rely on consent as a legal basis for processing your personal data. If we introduce optional features or services in the future that require consent, we will obtain your explicit consent at that time and you will have the right to withdraw it at any time.

For more information about GDPR, see: https://eur-lex.europa.eu/eli/reg/2016/679/oj

Your Data Protection Rights under the California Privacy Protection Act (CalOPPA)

According to CalOPPA we agree to the following:

• Users can visit our site anonymously
• Our Privacy Policy link includes the word "Privacy" and can easily be found on our website
• Users will be notified of any privacy policy changes on our Privacy Policy Page
• Users can request access to, deletion of, or information about their data by emailing us at support@avatoy.ai with their user ID (found in Settings)

Your Data Protection Rights under the California Consumer Privacy Act (CCPA)

If you are a California resident, you are entitled to learn what data we collect about you, ask to delete your data, and not to sell (share) it. To exercise your data protection rights, you can make certain requests and ask us:

What personal information we have about you. If you make this request, we will return to you:

• The categories of personal information we have collected about you (user identifier, usage data, device information, transaction data, generation metadata).
• The categories of sources from which we collect your personal information (directly from you through app usage, device information, and third-party services like Firebase and Apple).
• The business or commercial purpose for collecting your personal information (providing and improving the Service, processing transactions, customer support).
• The categories of third parties with whom we share personal information (third-party AI processing providers, analytics services, payment processors, and app distribution platforms as described in this Privacy Policy).
• The specific pieces of personal information we have collected about you. We collect device identifiers and, for website visits, IP addresses, which are treated as personal information under CCPA. Because accounts are anonymous, we cannot identify your account without you providing your user ID (found in Settings). Once you provide your user ID, we can provide the generation history metadata and transaction records associated with that account. Device identifiers and IP addresses in our logs are not linked to your user ID in a way that allows us to retrieve them uniquely per user.
• A list of categories of personal information that we have sold. We do not sell your personal information to any third parties.
• A list of categories of personal information that we have disclosed for a business purpose (as described in the "USE OF DATA" and "DISCLOSURE OF DATA" sections above).

You are entitled to ask us to provide you with this information up to two times in a rolling twelve-month period. Due to anonymous authentication, you must provide your user ID (found in Settings) to make a request.

To delete your personal information. If you make this request, we will delete the personal information we hold about you from our records and direct any service providers to do the same, subject to legal retention requirements. Some data, such as transaction records, cannot be deleted due to legal or accounting requirements. If you choose to delete your personal information, you may not be able to use certain functions that require your personal information to operate. To request deletion, please contact us at support@avatoy.ai with your user ID (found in Settings).

To stop selling your personal information. We do not sell or rent your personal information to any third parties for any purpose. You can request disclosure or deletion of your personal information, subject to legal retention requirements.

If you ask us to delete your data, it may impact your experience with the Service. We will not discriminate against you for exercising your rights.

To exercise your California data protection rights described above, please send your request(s) by one of the following means:

By email: support@avatoy.ai (please include your user ID from Settings)

Your data protection rights, described above, are covered by the CCPA, short for the California Consumer Privacy Act. To find out more, visit the official California Legislative Information website. The CCPA took effect on 01/01/2020.

SERVICE PROVIDERS

We may employ third party companies and individuals to facilitate our Service ("Service Providers"), provide Service on our behalf, perform Service-related services or assist us in analyzing how our Service is used.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Third-Party Subprocessors

The following third-party service providers act as data processors or subprocessors on our behalf:

• Google Cloud Platform (Google LLC): Cloud infrastructure and hosting services, including server storage and computing resources
• Google Firebase (Google LLC): Authentication services (Firebase Anonymous Auth), analytics (Firebase Analytics), crash reporting (Firebase Crashlytics), app attestation (Firebase App Check), cloud functions, Firestore database, and Remote Config
• Third-Party AI Processing Providers: AI image generation and model inference services used to process your photos and generate images. The specific providers we use may change over time. All such providers act as data processors under contract with us.
• Apple Inc. (via App Store and StoreKit): Payment processing for subscriptions and in-app purchases, app distribution platform
• Vercel Inc.: Hosting for the marketing website (https://www.avatoy.ai) and privacy-friendly, cookie-less web analytics

All subprocessors are bound by data processing agreements and applicable privacy standards. Google Cloud and Firebase participate in the EU-U.S. Data Privacy Framework (DPF) and UK Extension to the EU-U.S. DPF, where applicable. For other service providers, we use appropriate safeguards such as standard contractual clauses or equivalent mechanisms.

ANALYTICS

We may use third-party Service Providers to monitor and analyze the use of our Service.

Firebase (Mobile App)

Firebase is an analytics service provided by Google Inc., used only in the iOS application.

We use Firebase Analytics to understand how users interact with our Service and to improve user experience. Analytics events are associated with your anonymous user identifier (UID) to track feature usage, subscription events, generation performance, and user engagement. This data is processed under our legitimate business interest to operate and improve the Service.

For more information on what type of information Firebase collects, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en

Vercel Web Analytics (Website)

For the https://www.avatoy.ai website, we use Vercel Web Analytics, a privacy-focused, cookie-less analytics service provided by Vercel Inc.

Vercel Analytics collects aggregated, pseudonymous usage information such as:

• pages visited and paths
• referrer URL
• timestamps
• browser and device type
• approximate location (country/region) based on IP address

Vercel Analytics does not use cookies or similar tracking technologies, and we do not use it for advertising, cross-site tracking, or profiling of individual users. The data is used solely to understand overall website traffic and performance and to improve our website.

For more information about Vercel's privacy practices, please refer to Vercel's privacy documentation and policies available on their website.

PAYMENTS

We may provide paid products and/or services within Service. In that case, we use third-party services for payment processing (e.g. payment processors).

We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

The payment processors we work with are:

Apple Store In-App Payments:

Their Privacy Policy can be viewed at: https://www.apple.com/legal/privacy/en-ww/ / https://support.apple.com/en-us/HT203027

LINKS TO OTHER SITES

Our Service may contain links to other sites that are not operated by us.

If you click a third party link, you will be directed to that third party's site.

We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

CHILDREN'S PRIVACY

Our Service is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will delete it from our systems as soon as reasonably possible, subject to any legal obligations to retain certain information.

Photos Containing Minors

You must not upload photos containing images of minors (any person under 18 years of age), including yourself if you are under 18. The Service is intended only for photos of adults.

We do not use automated minor-detection systems. If we become aware that a photo containing a minor has been uploaded, we will delete the photo and associated data where technically possible and may suspend or terminate the associated account. You may contact us at support@avatoy.ai if you believe we have taken action in error.

CHANGES TO THIS PRIVACY POLICY

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the effective date. Changes are effective when posted.

CONTACT US

If you have any questions about this Privacy Policy, please contact us:

By email: support@avatoy.ai

Last Updated: December 6, 2025