Privacy Policy

Last updated: May 24, 2026

MergArt ("App", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.

1. Data We Collect

a) Account Information

• Email address — provided during registration or via social login (Apple/Google).
• Display name — optionally provided by you.
• Authentication identifiers — Apple ID token or Google ID token used for sign-in.
• Anonymous device identifier — a randomly-generated UUID created on first launch, used to establish an anonymous session that can purchase subscriptions or credit packs before sign-in.
• Notification preference — whether you have opted in to receive in-app or push notifications, when this feature is enabled.

b) Photos & Generated Images

• Uploaded photos — sent to our servers and to our AI processing partner (see Section 3) solely to produce the AI output you request. The original upload is stored alongside the corresponding generation record and is retained until you delete that generation, delete your account, or the associated server file is purged through routine storage cleanup.
• Generated images — stored in your generation history and linked to your account until you choose to delete them or delete your account.

c) Usage Data

• Generation history (preset used, timestamp, status, wallet tier consumed, error code if a generation fails).
• Subscription & purchase state, including the RevenueCat App User ID and the original Apple transaction identifier associated with your active subscription. These are used to attribute purchases to the correct account, to enforce per-cycle quotas, and to detect abusive sign-up patterns (for example, opening multiple accounts on the same Apple ID to farm free credits — see Section 2).
• Basic device information (OS version, app version, IP address as received by our servers) for debugging, abuse prevention, and aggregated analytics.
• App Attest data: on iOS, we use Apple's App Attest framework to verify that requests come from a genuine, unmodified copy of the MergArt app. We store the resulting key identifier and public key for your device so subsequent requests can be verified without re-attestation.

d) Data We Do NOT Collect

• We do not access your photo library beyond the specific photos you select.
• We do not collect location data.
• We do not sell your data to advertisers or data brokers.

e) Anti-abuse fingerprint

At sign-up, we read your RevenueCat App User identifier and recent receipt history from RevenueCat in order to detect users who attempt to obtain free credits multiple times by creating additional accounts. If we detect a match against an existing account that has already consumed free credits, the new account will be flagged as ineligible for the free trial. We do not use this data for any other purpose and do not share it with advertisers.

2. How We Use Your Data

• Photo processing: To generate AI-transformed images based on your selected presets.
• Account management: To authenticate you, manage your subscription, and provide customer support.
• Service improvement: To monitor performance, fix bugs, and improve the generation quality (using aggregated, anonymized data only).
• Communication: To send essential service notifications (e.g., subscription changes, policy updates). We do not send promotional emails without your consent.

3. Third-Party Services

We use the following third-party services to operate MergArt:

• fal.ai — AI image processing. Your uploaded photos are sent to fal.ai servers for generation. fal.ai processes images on-demand and does not retain them after processing. See fal.ai Privacy Policy.
• RevenueCat — Subscription management. RevenueCat processes your purchase receipts to validate subscriptions. See RevenueCat Privacy Policy.
• Apple Sign-In / Google Sign-In — Authentication providers. We receive only the identifiers and email you authorize during sign-in.
• Apple App Attest / DeviceCheck — Used to verify that API requests originate from a genuine copy of the MergArt iOS app. Apple processes attestation challenges and signatures; we receive only the resulting verification status and device-bound public key.
• Google Cloud Platform — Cloud infrastructure. Your data is stored on Google Cloud servers located in Europe (europe-west1).
• Amazon SES — Transactional email delivery (eu-north-1 region).

4. Data Storage & Retention

• Uploaded photos: Retained alongside the corresponding generation record until you delete the generation, delete your account, or until removed through routine storage cleanup.
• Generated images: Retained until you delete them or delete your account.
• Account data: Retained for the lifetime of your account.
• After account deletion: Your account, profile, and generation history records are deleted from our database when you complete the in-app deletion flow. Image files stored on object storage are removed through routine cleanup and may persist for a short period after database deletion before they are fully purged. Backup snapshots that contain personal data are rotated and discarded on our standard backup retention schedule.
• Anonymous device sessions: Tied to a device-local identifier; if the device is reset or the app is reinstalled, the anonymous account becomes unrecoverable and any data associated with it remains in our system but is no longer linked to a usable session.

5. Data Security

We implement industry-standard security measures including:

• All data transmitted over HTTPS/TLS encryption.
• Authentication tokens stored securely on-device (Keychain).
• Server infrastructure secured with Google Cloud IAM and network policies.
• Admin API access protected with dedicated API keys and rate limiting.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

All Users

• Access: Request a copy of the data we hold about you.
• Deletion: Delete your account and all associated data directly from the App (Settings > Delete Account).
• Correction: Update your profile information at any time.

GDPR (European Economic Area)

• Legal basis: We process your data based on contractual necessity (to provide the Service) and legitimate interest (to improve the Service).
• Data portability: Request your data in a machine-readable format.
• Right to object: Object to processing based on legitimate interest.
• Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

CCPA (California)

• Right to know: Request details about the categories and specific pieces of personal information we collect.
• Right to delete: Request deletion of your personal information.
• No sale of data: We do not sell your personal information to third parties.
• Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

7. Children's Privacy

MergArt is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will promptly delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App or via email. The "Last updated" date at the top indicates the latest revision.

9. Contact Us

If you have questions, concerns, or requests regarding your privacy, contact us at:

Email: privacy@mergart.app