Privacy Policy
Last Updated: January 13, 2025
Privacy First: SceneBooth AI respects your privacy. We do NOT store your images on our servers. Your uploaded images and generated images are stored only on your device. Images are processed temporarily in memory for generation purposes only and are immediately discarded after processing completes. We do NOT use your images to train AI models, and we do NOT sell or share your personal data or images with third parties for marketing purposes.
1. Introduction
Welcome to SceneBooth AI. This Privacy Policy explains how Okan Demirkaya ("we," "us," or "our") collects, uses, discloses, and protects your information when you use the SceneBooth AI mobile application (the "App"). By using the App, you agree to the collection and use of information in accordance with this policy.
This Privacy Policy is designed to comply with:
- Apple App Store Guidelines and Requirements (including Guideline 5.1.1 for Data Collection)
- General Data Protection Regulation (GDPR) for European users
- California Consumer Privacy Act (CCPA) for California users
- Other applicable data protection laws
2. Information We Collect
2.1 Information You Provide Directly
We collect information that you voluntarily provide to us when using the App:
- User Identifier: A unique, automatically generated User ID to identify your account and manage your subscription
- Subscription Information: Your subscription status, plan type (weekly, monthly, quarterly, yearly), and credit balance
- Images and Photos (Temporarily Processed): Photos and images you upload from your device's photo library or camera. See Section 4 for detailed information about how we handle face data and images.
Important Image Privacy Information:
- Uploaded images: Processed temporarily, then immediately deleted from our servers
- Generated images: Stored ONLY on your device, not on our servers
- We do NOT use your images to train or improve AI models
- We do NOT share your images with third parties for any purpose other than AI generation processing
- You can delete your generation history at any time from the App
2.2 Information Collected Automatically
When you use the App, we automatically collect certain information:
- Device Information: Device model, operating system version (iOS version), unique device identifiers (IDFA/IDFV for analytics purposes only, respecting your App Tracking Transparency choices)
- Usage Data: Features used, templates selected, generation requests, number of images generated, app crashes, and performance data to improve the App
- Log Data: IP address (for security purposes), access times, app version, and diagnostic error logs
2.3 Information from Third Parties
We receive limited information from third-party services to provide our services:
- RevenueCat (Subscription Management): Subscription status, purchase history, subscription expiration dates, active entitlements. RevenueCat acts as our payment processor and subscription management service.
- Apple App Store: Purchase confirmations, refund requests, and subscription renewal information through Apple's in-app purchase system
3. How We Use Your Information
We use the collected information for the following legitimate purposes:
| Purpose | Information Used | Legal Basis (GDPR) |
|---|---|---|
| Service Delivery | Process your image uploads and generate AI content | Contract Performance |
| Account Management | Manage credits, subscriptions, and user preferences | Contract Performance |
| Payment Processing | Process transactions via Apple and prevent fraud | Contract Performance |
| App Improvement | Analyze usage patterns to improve features and fix bugs | Legitimate Interest |
| Customer Support | Respond to your questions and technical issues | Contract Performance |
| Security | Detect and prevent fraud, abuse, and security incidents | Legitimate Interest |
| Legal Compliance | Comply with legal obligations and enforce our Terms | Legal Obligation |
4. Face Data and Image Processing (Apple Guideline 2.1 Disclosure)
⚠️ IMPORTANT: Face Data Collection and Use Disclosure
This section specifically addresses Apple App Store Guideline 2.1 requirements regarding face data collection and processing. SceneBooth AI uses face data exclusively for AI-powered image generation services.
4.1 What Face Data Does the App Collect?
SceneBooth AI collects and processes the following face-related data when you voluntarily upload photos:
- User-Uploaded Photos: Photos and images that you select from your device's photo library or capture with your camera that may contain human faces
- Facial Features: When you upload a photo containing a face, our AI processing systems temporarily analyze facial characteristics including:
  - Facial structure and geometry
  - Facial features (eyes, nose, mouth, etc.)
  - Face positioning and orientation
  - Skin tone and complexion
  - Hair style and color
  - Other visual attributes necessary for AI image generation
- Important Note: We do NOT collect biometric identifiers or create biometric templates. We do NOT use face data for identity verification, authentication, or facial recognition purposes. Face data is used solely for AI-powered creative image generation.
4.2 Complete Explanation of All Uses of Face Data
We use the face data you provide exclusively for the following purposes:
| Use Case | Detailed Explanation | Duration |
|---|---|---|
| AI Image Generation | Your uploaded photo (including any faces) is sent to third-party AI services (OpenAI DALL-E, Google AI models, or Replicate) to generate creative, AI-powered images based on your selected template or prompt. The AI analyzes facial features to create consistent, high-quality generated images. | 10-60 seconds (processing time only) |
| Temporary Processing | Face data is held temporarily in our server's memory (RAM) during the AI generation process to facilitate the request to third-party AI providers. | 10-60 seconds (immediately deleted after generation) |
| Service Delivery | Generated images (which may contain AI-modified versions of your face) are delivered back to your device and stored locally on your device only. | Stored on your device indefinitely until you delete them |
What We Do NOT Do With Face Data:
- ❌ We do NOT use face data for biometric identification or authentication
- ❌ We do NOT use face data to train or improve AI models
- ❌ We do NOT store face data permanently on our servers
- ❌ We do NOT create databases or collections of faces
- ❌ We do NOT share face data with advertisers or data brokers
- ❌ We do NOT use face data for surveillance or tracking purposes
- ❌ We do NOT sell face data to any third party
- ❌ We do NOT use face data for any purpose beyond AI image generation
4.3 Will Face Data Be Shared With Third Parties?
Yes, face data is temporarily shared with third-party AI service providers exclusively for image generation processing. We share your uploaded photos (which may contain face data) with the following trusted AI service providers:
| Service Provider | Purpose | Data Shared | Retention by Provider |
|---|---|---|---|
| OpenAI (DALL-E API) | AI image generation using DALL-E models | Uploaded photos (including faces) and text prompts | Per OpenAI API policy: Data sent via API is not used to train models and is retained for 30 days for abuse monitoring, then deleted. OpenAI Privacy Policy |
| Google AI (Imagen/Gemini) | AI image generation using Google's image generation models | Uploaded photos (including faces) and text prompts | Per Google Cloud API policy: Customer data is not used for training. Data may be temporarily cached for performance. Google Cloud Privacy Notice |
| Replicate | AI image generation using various open-source models hosted on Replicate platform | Uploaded photos (including faces) and text prompts | Per Replicate policy: Input data may be temporarily stored for processing but is not used for training. Replicate Privacy Policy |
Important Clarifications:
- These AI service providers act as data processors on our behalf and are contractually required to use your face data only for the specific purpose of generating your requested images.
- We have selected providers with strong privacy commitments and data protection practices.
- We do NOT share face data with marketing companies, advertisers, social media platforms, or data analytics firms.
- We do NOT share face data with any party for purposes unrelated to AI image generation.
- Transmission of face data to these providers is encrypted using industry-standard TLS 1.3 encryption.
4.4 Where is Face Data Stored?
Face data storage locations and duration:
| Storage Location | What is Stored | Duration | Geographic Location |
|---|---|---|---|
| Your Device (Local) | Original uploaded photos and generated images (stored in app's local storage) | Indefinitely, until you manually delete them from the app or uninstall the app | On your personal iOS device |
| Our Processing Servers (Temporary) | Uploaded photos (including faces) held in temporary memory (RAM) during processing | 10-60 seconds (immediately deleted after AI generation completes or fails) | Cloud servers (AWS or Google Cloud, typically US or EU regions) |
| Third-Party AI Services (Temporary) | Uploaded photos sent to OpenAI, Google AI, or Replicate for processing | Per provider policies: OpenAI (30 days max for abuse monitoring), Google/Replicate (temporary processing only, typically minutes to hours) | Provider-specific data centers (typically US-based, but may include EU or other regions depending on provider's infrastructure) |
| Our Permanent Storage | NONE - We do NOT permanently store face data or uploaded photos on our servers or databases | Not applicable (no permanent storage) | Not applicable |
4.5 How Long is Face Data Retained?
Detailed retention timeline for face data:
- During Upload & Processing (10-60 seconds):
  - Your photo is uploaded from your device to our processing server
  - Photo is held in temporary server memory (RAM) only
  - Photo is transmitted to third-party AI service for generation
  - AI service processes the photo and returns generated image
- After Processing (Immediate Deletion):
  - Original uploaded photo is immediately deleted from our server memory
  - No copies are saved to permanent storage (databases, file systems, backups)
  - Generated image is sent to your device and stored locally only
- On Your Device (User-Controlled):
  - Original photos remain in your device's photo library (you control deletion)
  - Generated images are stored in the app's local history (you can delete anytime via the app's delete function or by clearing app data)
- Third-Party AI Services:
  - OpenAI: Retains API inputs for up to 30 days for abuse and misuse monitoring, then permanently deleted
  - Google AI: Temporary processing cache only, typically deleted within hours
  - Replicate: Temporary processing only, not permanently stored
📌 Summary: Face Data Retention
Your uploaded photos (including face data) exist on our servers for an average of 10-60 seconds during AI generation processing, then are immediately and permanently deleted. We do NOT create permanent backups, archives, or databases of your face data. The only permanent copies exist on your own device, under your control.
4.6 Privacy Policy Disclosure of Face Data Collection
This entire Section 4 of our Privacy Policy specifically addresses the collection, use, disclosure, sharing, retention, and storage of face data. Users are informed about face data practices through:
- This Privacy Policy (Section 4): Comprehensive explanation of all face data practices (this section)
- In-App Permissions: iOS system prompts requesting photo library access before any photo can be uploaded
- App Description: App Store description clearly states the app generates AI images from user photos
- First-Time Use: Users are informed that uploading a photo will send it to AI services for processing
4.7 User Control and Rights Regarding Face Data
You have complete control over your face data:
- Voluntary Upload: You choose which photos to upload. The app never accesses your photo library without explicit permission.
- Delete Generated Images: You can delete individual or all generated images from the app's history at any time via the in-app delete function.
- Revoke Photo Access: You can revoke the app's access to your photo library anytime via iOS Settings > Privacy > Photos.
- Account Deletion: You can request full account deletion by contacting support@okandemirkaya.com, which will remove all associated data (note: uploaded photos are already deleted after processing).
- Data Access Request: You can request information about what data we have collected by contacting support@okandemirkaya.com (note: face data is not permanently stored).
5. How We Handle Your Images (General)
Zero Server Storage Policy: Your privacy is our top priority. Here's exactly what happens to your images:
5.1 Uploaded Images (Your Reference Photos)
- Upload: When you select a photo from your library or take a photo with your camera, it's uploaded to our processing servers via secure HTTPS connection
- Processing: The image is held in temporary server memory (RAM) only while being sent to the AI service and during AI generation (typically 10-60 seconds)
- Transmission to AI Service: Your photo is securely transmitted to one of our AI service providers (OpenAI, Google AI, or Replicate) for image generation
- Deletion: Immediately after the AI service returns the generated image (or if the request fails), your uploaded photo is permanently deleted from our server memory
- No Permanent Storage: We do NOT save your uploaded images to any database, file system, or backup storage
5.2 Generated Images (AI-Created Images)
- Generation: AI-generated images are created by third-party AI services (OpenAI, Google AI, or Replicate) based on your uploaded photo and selected template/prompt
- Delivery: Generated images are sent from the AI service to our server, then immediately forwarded to your device
- Device Storage: Generated images are stored ONLY on your device's local storage in the app's document directory
- No Server Copies: We do NOT store generated images on our servers after they are delivered to your device
- Your Control: You can view, share, or delete your generated images at any time from the app's gallery/history section
5.3 What We Do NOT Do With Your Images
- ❌ We do NOT store your images in databases or cloud storage
- ❌ We do NOT use your images to train or improve AI models (neither our own nor third-party models)
- ❌ We do NOT share your images with third parties except for the sole purpose of AI generation processing
- ❌ We do NOT sell your images to anyone
- ❌ We do NOT analyze your images for advertising or marketing purposes
- ❌ We do NOT create backups or archives of your images
- ❌ We do NOT allow employees to view your images (processing is fully automated)
6. Data Sharing and Disclosure
6.1 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal information, images, face data, or any user data to third parties for their direct marketing purposes.
6.2 Service Providers We Use
We share limited information with trusted third-party service providers who help us operate the App. These providers are contractually obligated to protect your data and use it only for the specified purposes:
- OpenAI (DALL-E API): AI image generation service (receives: uploaded photos/face data temporarily, text prompts). OpenAI does not use API data to train models. See OpenAI Privacy Policy.
- Google AI (Imagen/Gemini): AI image generation service (receives: uploaded photos/face data temporarily, text prompts). Google Cloud does not use customer data for training. See Google Cloud Privacy Notice.
- Replicate: AI model hosting and execution platform (receives: uploaded photos/face data temporarily, text prompts). Input data not used for training. See Replicate Privacy Policy.
- RevenueCat: Subscription and payment management (receives: User ID, subscription status, purchase history, device identifiers). See RevenueCat Privacy Policy.
- Apple App Store: Payment processing and subscription management (receives: Apple ID, purchase information as per Apple's policies). See Apple Privacy Policy.
- Cloud Infrastructure (AWS or Google Cloud): Server hosting for temporary image processing with strict data retention policies (receives: temporarily processed images in encrypted form in RAM, immediately deleted after use)
Important Notes on Third-Party Sharing:
- Face data and images are shared with AI service providers (OpenAI, Google AI, Replicate) only for the purpose of AI image generation
- These providers are prohibited from using your data for their own purposes (including model training, advertising, or resale)
- We have Data Processing Agreements with these providers to ensure GDPR and data protection compliance
- We do NOT share your images or face data with analytics services, advertising networks, social media platforms, or data brokers
6.3 Legal Requirements
We may disclose your information (excluding face data/images, which are not stored) if required to do so by law or in response to valid legal requests such as:
- Court orders or subpoenas
- Government or law enforcement requests
- Protection of our legal rights and safety
- Investigation of fraud or security issues
6.4 Business Transfers
If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice in the App before your information is transferred and becomes subject to a different privacy policy. Note: Face data and uploaded images are not stored and therefore would not be part of any business transfer.
7. Data Retention
We retain your information only as long as necessary to provide the App and fulfill the purposes outlined in this Privacy Policy:
- User Account Data: Retained while your account is active and for 30 days after account deletion (for recovery purposes)
- Uploaded Images & Face Data: Processed in temporary server memory (RAM) ONLY for 10-60 seconds during AI generation, then immediately and permanently deleted. NOT stored in any database or permanent storage.
- Generated Images: Stored ONLY on your device; we do NOT retain copies on our servers. You control deletion via the app.
- Third-Party AI Services Retention:
  - OpenAI: Retains API inputs (including your uploaded photos) for up to 30 days for abuse monitoring, then permanently deleted
  - Google AI: Temporary cache only, typically deleted within hours
  - Replicate: Temporary processing only, not permanently stored
- Subscription & Transaction Records: Retained for up to 7 years for tax, accounting, and legal compliance purposes
- Log Data & Diagnostics: Retained for 90 days for security and performance monitoring (does not include face data or images)
- Support Communications: Retained for 2 years to improve customer service
🔒 Privacy Guarantee: Your uploaded photos (including face data) exist on our servers for an average of 10-60 seconds only, then are permanently deleted. We do NOT create permanent storage, backups, or archives of your face data or uploaded images.
8. Data Security
We implement industry-standard security measures to protect your information, including face data:
- Encryption in Transit: All data transmitted between your device and our servers, and between our servers and AI service providers, uses TLS 1.3 encryption (HTTPS)
- Encryption at Rest: Sensitive data stored in databases (e.g., User IDs, subscription data) is encrypted using AES-256 encryption. Note: Uploaded images/face data are NOT stored at rest—they exist only in temporary memory.
- Secure Infrastructure: Servers hosted on reputable cloud providers (AWS/Google Cloud) with SOC 2 Type II compliance and industry-leading security practices
- Access Controls: Strict access controls limiting employee access to personal data on a need-to-know basis. Employees do NOT have access to view uploaded images or face data (processing is fully automated).
- Regular Security Audits: Regular security assessments, vulnerability testing, and security monitoring
- Secure API Design: API endpoints secured with authentication tokens, rate limiting, and request validation to prevent unauthorized access
- Temporary Data Handling: Uploaded images are held only in server RAM (volatile memory), not written to disk, ensuring automatic deletion if the server restarts or crashes
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
9. Your Privacy Rights
9.1 General Rights (All Users)
You have the following rights regarding your personal data:
- Access: Request a copy of your personal data (note: face data/images are not permanently stored, so we cannot provide copies of previously uploaded photos)
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated data (note: uploaded photos/face data are already automatically deleted after processing)
- Objection: Object to certain processing of your data
- Restriction: Request restriction of processing in certain circumstances
- Withdraw Consent: Revoke photo library access via iOS Settings at any time
9.2 European Users (GDPR Rights)
If you are in the European Economic Area (EEA), UK, or Switzerland, you have additional rights under GDPR:
- Right to Data Portability: Request your data in a structured, machine-readable format (limited to account data; face data is not stored)
- Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent, such as photo library access)
- Right to Lodge a Complaint: Lodge a complaint with your local data protection authority if you believe your rights have been violated
- Automated Decision-Making: We do not use automated decision-making or profiling that produces legal or similarly significant effects on you
Our Legal Basis for Processing Face Data (GDPR):
- Consent: By uploading a photo, you provide explicit consent for us to process your face data for AI image generation purposes. You can withdraw consent at any time by not uploading further photos or by deleting the app.
- Contract: Processing is necessary to provide the AI image generation service you requested (the core functionality of the app)
9.3 California Users (CCPA Rights)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request information about personal data (including face data) collected, used, shared, or sold in the past 12 months
- Right to Delete: Request deletion of personal information and face data (note: face data is automatically deleted after processing)
- Right to Opt-Out: Opt-out of the sale of personal information. Note: We do NOT sell personal information or face data.
- Right to Non-Discrimination: Right not to be discriminated against for exercising your CCPA rights
- Shine the Light: Request information about disclosure of personal data to third parties for marketing purposes. Note: We do NOT disclose data for third-party marketing.
CCPA Categories of Personal Information We Collect:
- Identifiers (User ID, device identifiers)
- Commercial Information (purchase history, subscription status)
- Internet Activity (app usage, features accessed)
- Biometric Information (face data from uploaded photos—collected temporarily for AI generation only, immediately deleted after processing)
- Geolocation Data (general location based on IP address for security only)
9.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at support@okandemirkaya.com with the subject line "Privacy Rights Request". Please include:
- Your User ID (found in the Profile/Settings screen of the App)
- The specific right you wish to exercise (e.g., "Delete My Account", "Access My Data")
- Any additional details to help us process your request
We will respond to your request within 30 days (or as required by applicable law). We may ask for additional information to verify your identity before processing your request.
9.5 Account Deletion
You can request account deletion by contacting us at support@okandemirkaya.com. Upon account deletion:
- Your account data (User ID, subscription info) will be permanently deleted within 30 days
- Your subscription will be cancelled (refunds subject to Apple's policies)
- Generated images stored on your device will remain until you delete the app or clear app data
- Note: Uploaded photos/face data are already automatically deleted after processing, so no additional action is needed
- Some data may be retained as required by law (e.g., transaction records for tax compliance, retained for up to 7 years)
10. Children's Privacy
SceneBooth AI is not intended for children under the age of 13. We do not knowingly collect personal information or face data from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@okandemirkaya.com, and we will delete such information from our systems.
For users between 13 and 18 years of age, we recommend parental guidance when using the App, especially regarding uploading photos containing faces.
11. International Data Transfers
Your information, including face data, may be transferred to and processed in countries other than your country of residence, including Turkey, the United States, and other countries where our AI service providers (OpenAI, Google, Replicate) operate their data centers. These countries may have different data protection laws than your jurisdiction.
By using the App, you consent to the transfer of your information (including face data) to these countries. We take appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy, including:
- Standard contractual clauses (SCCs) with service providers for GDPR compliance
- Data Processing Agreements (DPAs) with AI service providers ensuring they act only as data processors
- Ensuring service providers have adequate data protection measures (e.g., SOC 2, ISO 27001 certifications)
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Immediate deletion of face data after processing to minimize risk of cross-border data storage
12. Tracking and Analytics
12.1 App Tracking Transparency (iOS)
We respect Apple's App Tracking Transparency (ATT) framework. If we request permission to track you across apps and websites owned by other companies for advertising purposes, you will see Apple's ATT prompt. You can change your tracking preferences at any time in your device settings.
Current Status: We do NOT currently request tracking permission or use your data for cross-app advertising tracking. We do NOT use your face data or images for tracking purposes.
12.2 Analytics
We collect anonymized usage analytics to understand how users interact with the App and to improve performance. This includes:
- Feature usage statistics (which features are most popular, which templates are used most frequently)
- Crash reports and error logs (to fix bugs and improve stability)
- App performance metrics (load times, generation times, success/failure rates)
This data is anonymized and aggregated, and cannot be used to identify individual users. Analytics do NOT include your uploaded photos, generated images, or face data.
12.3 Do Not Track
Some browsers and devices include a "Do Not Track" (DNT) feature that signals your preference not to be tracked. Our mobile app does not currently respond to DNT signals because there is no common industry standard for DNT in mobile apps. However, we do not track you across third-party apps or websites.
13. Third-Party Links and Services
The App may contain links to third-party websites or services (e.g., social media sharing). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information to them.
When you share generated images to third-party platforms (e.g., Instagram, Facebook, Twitter), those platforms' privacy policies apply to any data they collect. We do not control how third parties use shared images.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We will notify you of any material changes by:
- Posting the new Privacy Policy in the App and at https://okandemirkaya.com/scenebooth/privacy.html
- Updating the "Last Updated" date at the top of this policy
- Sending you an in-app notification or email (for significant changes affecting face data processing)
Your continued use of the App after changes are posted constitutes your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.
15. Data Controller and Contact Information
For the purposes of data protection laws (including GDPR), the data controller is:
Okan Demirkaya
Email: support@okandemirkaya.com
If you are in the European Economic Area and have concerns about our data processing practices (including face data processing), you have the right to contact your local data protection authority.
Your Privacy Matters: We are committed to protecting your privacy and being transparent about our data practices. Your images and face data are processed temporarily for AI generation only and are never permanently stored on our servers. You have full control over your photos and generated images. If you have any concerns, please don't hesitate to reach out to support@okandemirkaya.com.
📋 Apple App Store Guideline 2.1 Compliance Summary
This Privacy Policy specifically addresses Apple's requirements for face data disclosure:
- ✅ What face data is collected: See Section 4.1
- ✅ Complete explanation of uses: See Section 4.2
- ✅ Third-party sharing disclosure: See Section 4.3
- ✅ Storage locations: See Section 4.4
- ✅ Retention periods: See Section 4.5
- ✅ Location in privacy policy: Section 4 (Face Data and Image Processing)
- ✅ User control and rights: See Section 4.7 and Section 9
Key Privacy Commitment: Face data is processed temporarily (10-60 seconds) for AI image generation only, then immediately deleted. We do NOT permanently store face data, use it for model training, or share it for marketing purposes.