Privacy Policy

Last updated: March 23, 2026

MergArt ("App", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.

1. Data We Collect

a) Account Information

• Email address — provided during registration or via social login (Apple/Google).
• Display name — optionally provided by you.
• Authentication identifiers — Apple ID token or Google ID token used for sign-in.

b) Photos & Generated Images

• Uploaded photos — sent to our servers solely for AI processing. Uploaded photos are stored temporarily during generation and may be retained for up to 24 hours for processing reliability, after which they are automatically deleted.
• Generated images — stored in your generation history and linked to your account until you choose to delete them or delete your account.

c) Usage Data

• Generation history (preset used, timestamp, status).
• Subscription status and entitlement checks.
• Basic device information (OS version, app version) for debugging.

d) Data We Do NOT Collect

• We do not access your photo library beyond the specific photos you select.
• We do not collect location data.
• We do not sell your data to advertisers or data brokers.

2. How We Use Your Data

• Photo processing: To generate AI-transformed images based on your selected presets.
• Account management: To authenticate you, manage your subscription, and provide customer support.
• Service improvement: To monitor performance, fix bugs, and improve the generation quality (using aggregated, anonymized data only).
• Communication: To send essential service notifications (e.g., subscription changes, policy updates). We do not send promotional emails without your consent.

3. Third-Party Services

We use the following third-party services to operate MergArt:

• fal.ai — AI image processing. Your uploaded photos are sent to fal.ai servers for generation. fal.ai processes images on-demand and does not retain them after processing. See fal.ai Privacy Policy.
• RevenueCat — Subscription management. RevenueCat processes your purchase receipts to validate subscriptions. See RevenueCat Privacy Policy.
• Apple Sign-In / Google Sign-In — Authentication providers. We receive only the identifiers and email you authorize during sign-in.
• Google Cloud Platform — Cloud infrastructure. Your data is stored on Google Cloud servers located in Europe (europe-west1).
• Amazon SES — Transactional email delivery (eu-north-1 region).

4. Data Storage & Retention

• Uploaded photos: Automatically deleted within 24 hours of processing.
• Generated images: Retained until you delete them or delete your account.
• Account data: Retained for the lifetime of your account.
• After account deletion: All personal data, generation history, and associated images are permanently deleted within 30 days.

5. Data Security

We implement industry-standard security measures including:

• All data transmitted over HTTPS/TLS encryption.
• Authentication tokens stored securely on-device (Keychain).
• Server infrastructure secured with Google Cloud IAM and network policies.
• Admin API access protected with dedicated API keys and rate limiting.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

All Users

• Access: Request a copy of the data we hold about you.
• Deletion: Delete your account and all associated data directly from the App (Settings > Delete Account).
• Correction: Update your profile information at any time.

GDPR (European Economic Area)

• Legal basis: We process your data based on contractual necessity (to provide the Service) and legitimate interest (to improve the Service).
• Data portability: Request your data in a machine-readable format.
• Right to object: Object to processing based on legitimate interest.
• Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

CCPA (California)

• Right to know: Request details about the categories and specific pieces of personal information we collect.
• Right to delete: Request deletion of your personal information.
• No sale of data: We do not sell your personal information to third parties.
• Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

7. Children's Privacy

MergArt is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will promptly delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App or via email. The "Last updated" date at the top indicates the latest revision.

9. Contact Us

If you have questions, concerns, or requests regarding your privacy, contact us at:

Email: privacy@mergart.app