Pawfie - Privacy Policy
Last Updated: February 1, 2026
Effective Date: February 1, 2026
At a Glance
- We collect only what is needed to operate Pawfie: account basics, uploaded/base images, generated images, and essential diagnostics.
- Face data is not stored indefinitely. Images are automatically deleted after 12 months of account inactivity.
- You control your content and can delete uploads and generated images at any time from within the app.
- Payment is processed by Apple; we do not store your card details.
- We do not sell personal data or run third-party advertising.
- You can request access, correction, export, or deletion by emailing support@pawfie.app.
1. Introduction
Pawfie (“we,” “us,” “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services.
Who We Are (Data Controller)
Pawfie, Inc. is the controller for your personal data unless stated otherwise. You can contact us at support@pawfie.app for privacy questions or rights requests.
Children and Eligibility
- The Service is intended for users 16 years and older.
- If you are 16 or 17, you must have consent from a parent or legal guardian.
- We do not direct the Service to children under 16 and do not knowingly collect their data. If we learn we have collected data from someone under 16, we will delete it. You can request deletion via support@pawfie.app.
2. Information We Collect
2.1 Information You Provide
| Data Type | Purpose | Retention |
|---|---|---|
| Account Information | Email, name (from Apple Sign-In) | Until account deletion |
| Base Images | Photos you upload for processing | Until you delete them |
| Generated Images | AI-created content | Until you delete them |
| Payment Information | Handled by Apple (we don’t store payment details) | N/A |
2.2 Information Collected Automatically
| Data Type | Purpose | Retention |
|---|---|---|
| Device Information | App functionality, debugging | 90 days |
| Error Logs | Bug fixing, support | 30 days |
| IP Address | Security, abuse prevention | 30 days |
2.3 Information from Third Parties
- Apple Sign-In: Authentication data (email, user ID)
- App Store: Subscription status, purchase verification
2.4 Face Data Collection and Use
We take the collection and use of face data seriously. This section explains exactly how we handle facial images.
Face Data Summary
| Question | Answer |
|---|---|
| Is face data retained? | Yes, but not indefinitely. Face data is stored until you delete it or for a maximum of 12 months after your last account activity, whichever comes first. |
| Why do we store face data? | To allow you to generate new AI images from your uploaded photos without re-uploading, and to let you access your previously generated images. |
| How long is face data stored? | Maximum 12 months of account inactivity. Active users retain their images until they choose to delete them. |
| Why this specific retention period? | 12 months provides reasonable time for users to return to the app while ensuring data from abandoned accounts is automatically cleaned up. |
| Which third parties receive face data? | Google Gemini AI (for image generation) and Cloudflare (for secure storage). |
| Why do we share with third parties? | Google Gemini AI generates the styled images—this is the core service. Cloudflare provides secure, encrypted storage infrastructure. |
| Do third parties store face data? | Yes. Google retains images up to 55 days for abuse monitoring only—not for AI training or facial recognition. Cloudflare stores images on our behalf following our 12-month retention policy—not for training or recognition. See details below. |
What Face Data We Collect
- User-Uploaded Photos (Selfies): You voluntarily upload photos containing your face to generate AI-styled images. These are referred to as “Base Images” throughout this policy.
- On-Device Face Detection: We use Apple’s Vision framework (VNDetectFaceLandmarksRequest and VNRecognizeAnimalsRequest) to analyze photo quality metrics locally on your device before upload.
What We Do NOT Collect
- No Facial Recognition: We do not perform facial recognition or identification
- No Biometric Data: We do not extract, store, or transmit facial biometric templates, face encodings, or facial embeddings for identification purposes
- No Face Matching: We do not compare faces against databases or perform person identification
- No Biometric Analysis: We do not perform age estimation, emotion detection, gender inference, or other biometric profiling
How We Use Face Data
-
Quality Analysis (On-Device Only): Before upload, the app analyzes photos locally to provide feedback about face presence, centering, head angle, and size. This analysis happens entirely on your device using Apple’s Vision framework and is not stored or transmitted to our servers.
-
AI Image Generation: Your uploaded face photos are transmitted to Google Gemini AI for the sole purpose of generating stylized images based on your selected scene and style preferences. This is the core functionality of our Service.
-
Storage: Base images and generated images are stored on Cloudflare’s encrypted infrastructure until you delete them.
Why We Store Face Data
We store your face photos (Base Images) for the following reasons:
- To enable image generation: Your uploaded photos are required to generate AI-styled images based on your selected scenes and styles.
- To allow re-generation: Stored photos let you create new styled images without re-uploading the same photo.
- To provide access to your content: You can view, download, and manage your uploaded and generated images at any time.
We do not store face data indefinitely. You control when your data is deleted—images are retained only until you delete them, after which they are permanently removed within 90 days.
Third-Party Sharing of Face Data
Face images are shared only with:
| Provider | Purpose | Safeguards |
|---|---|---|
| Google Gemini AI | AI-powered image generation | Contractual restrictions prevent use for AI training; processed per Google’s Privacy Policy |
| Cloudflare | Secure storage and content delivery | Enterprise-grade encryption (TLS 1.3 in transit, encryption at rest); data processing agreement in place |
Third-Party Face Data Retention Practices
Google Gemini AI:
- Does Google store face data? Yes, temporarily.
- How long? Up to 55 days, with in-memory caching up to 24 hours.
- Why this length? Google retains images for this period solely for abuse monitoring, safety review, and policy enforcement. The 55-day window allows Google to investigate flagged content and comply with legal requirements. The 24-hour cache improves processing speed for repeated requests.
- Google does not use face images from paid API services to train, fine-tune, or improve AI models.
- Google does not use human reviewers to annotate or process images submitted via paid API services.
- For more information, see Google’s Gemini API Terms of Service.
Cloudflare:
- Does Cloudflare store face data? Yes, as our infrastructure provider.
- How long? Until you delete the image, or 12 months after account inactivity (matching our retention policy), plus 90 days for permanent deletion.
- Why this length? Cloudflare stores images on our behalf to deliver the service. They follow our retention instructions and do not independently decide how long to keep data.
- Cloudflare does not independently retain, access, or use face data beyond our instructions.
- Cloudflare does not use your face images to train AI models or for any purpose other than secure storage and delivery.
- For more information, see Cloudflare’s Privacy Policy.
We do NOT:
- Sell face images to third parties
- Share face images with data brokers or advertisers
- Use face images for marketing or profiling
- Provide face images to law enforcement except under valid legal process
Storage Location
Face images are stored on:
- Cloudflare infrastructure: United States, European Union, and global edge locations
- In-transit: Encrypted via TLS 1.3
- At-rest: Encrypted using enterprise-grade encryption
- Device cache: Temporary local cache (up to 500MB) for performance; automatically managed by the app
Retention Period
| Data Type | Retention Period | Deletion Process |
|---|---|---|
| Base Images (Face Photos) | Until you delete them, or 12 months after last account activity, whichever comes first | Immediate soft delete, permanent hard delete after 90 days |
| Generated Images | Until you delete them, or 12 months after last account activity, whichever comes first | Immediate soft delete, permanent hard delete after 90 days |
| On-Device Analysis Data | Not retained; discarded immediately after quality feedback | N/A |
| Deleted Content Archive | 90 days (secure archive) | Permanent deletion after archive period |
Face data is not stored indefinitely. All face images (Base Images) and Generated Images are automatically deleted after 12 months of account inactivity. This retention period exists because:
- Users need their uploaded photos available to generate new styled images without re-uploading
- Users expect to access their previously generated images when returning to the app
- 12 months provides reasonable access while ensuring abandoned account data is cleaned up
You can delete any image at any time from within the app. When you delete your account, all associated images are marked for deletion immediately and permanently removed after 90 days.
Your Rights Regarding Face Data
Under GDPR, CCPA, and LGPD, you have specific rights regarding your face data:
- Access: Request copies of all face images we store
- Deletion: Delete individual images or your entire account at any time
- Portability: Export your generated images in standard formats
- Objection: Object to processing (though this may prevent use of the Service)
- Non-discrimination: Exercise these rights without penalty
To exercise these rights, email support@pawfie.app from your registered email address.
AI Training Restrictions
We contractually require all AI providers, including Google, NOT to:
- Use your face images to train, fine-tune, or improve AI models
- Retain your images beyond what’s necessary for generation
- Use your images for any purpose other than generating your requested output
If you have questions about how Google processes face data, see Google’s Privacy Policy at https://policies.google.com/privacy.
Legal Compliance
Our face data practices comply with:
- GDPR (EU): Explicit consent, legitimate interest for service delivery, data minimization
- CCPA/CPRA (California): No sale of sensitive personal information; limited use for service delivery
- LGPD (Brazil): Lawful processing, transparency, user rights
- BIPA (Illinois): No biometric identifiers or biometric information collected as defined by BIPA
3. How We Use Your Information
3.1 Primary Uses
- Service Delivery: Process your images and generate content
- Account Management: Maintain your account and subscription
- Communication: Send important service updates
- Security: Prevent fraud and abuse
- Improvement: Analyze usage to improve the Service
3.2 AI Processing
Your Base Images are processed by:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Gemini AI | Image generation | Base image |
| Cloudflare | Infrastructure | All data (encrypted) |
Important: Your images may be processed by Google’s AI services subject to their terms. We do not use your images to train AI models, and we contractually restrict providers from using your images for training or fine-tuning.
3.3 We Do NOT
- Sell your personal data
- Share your images publicly without consent
- Use your data for targeted advertising
- Train AI models on your personal images
- Share data with data brokers
3.4 Legal Bases (GDPR/LGPD)
- Contract: To provide the Service you request (processing images, account, payments).
- Legitimate interests: Security, fraud prevention, service improvement (balanced against your rights).
- Consent: Optional analytics cookies on the website (where shown) and any marketing emails (not currently sent).
- Legal obligation: Responding to lawful requests and compliance with financial, tax, and consumer protection laws.
4. Data Sharing
4.1 Service Providers
We share data with trusted service providers:
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Hosting, CDN, Security | All service data (encrypted) |
| Google Gemini AI | AI processing | Base images you provide |
| Apple | Payments, authentication | Account, subscription |
We update this Privacy Policy when we materially add new categories of service providers that receive personal data.
4.2 Legal Requirements
We may disclose data when required by:
- Valid legal process (subpoena, court order)
- Law enforcement with proper authority
- Protection of our legal rights
- Emergency situations involving safety
4.3 Business Transfers
In case of merger, acquisition, or sale, your data may be transferred to the new entity with equivalent privacy protections.
5. Data Security
5.1 Technical Measures
- Encryption: All data encrypted in transit (TLS 1.3) and at rest
- Access Control: Role-based access, principle of least privilege
- Infrastructure: Enterprise-grade Cloudflare security
- Authentication: Secure token-based authentication
5.2 Organizational Measures
- Regular security reviews
- Employee access logging
- Incident response procedures
- Vendor security assessments
5.3 Your Responsibilities
- Keep your Apple ID secure
- Don’t share your account
- Log out on shared devices
- Report suspicious activity
6. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account data | Until deletion requested, or 12 months of inactivity | Immediate soft delete, 90-day hard delete |
| Generated images | Until you delete, or 12 months of inactivity | Immediate soft delete, 90-day hard delete |
| Base images (face photos) | Until you delete, or 12 months of inactivity | Immediate soft delete, 90-day hard delete |
| Usage logs | 90 days | Automatic purge |
| Anonymized analytics | Indefinite | N/A (not personally identifiable) |
6.1 Deleted Content
When you delete content:
- Immediately removed from your account
- Moved to secure archive (90 days)
- Permanently deleted after archive period
We retain deleted content temporarily for:
- Legal compliance requirements
- Abuse investigation if flagged
- Technical backup recovery
7. Your Rights
7.1 All Users
You have the right to:
- Access: Request a copy of your data
- Correction: Update inaccurate information
- Deletion: Delete your account and data
- Portability: Export your generated images
- Objection: Object to certain processing
7.2 California Residents (CCPA)
Additional rights under CCPA:
- Right to know what data is collected
- Right to know if data is sold (we don’t sell data)
- Right to non-discrimination for exercising rights
We do not “sell” or “share” personal information (including for cross-context behavioral advertising) as defined by the CCPA/CPRA, and we do not use or disclose sensitive personal information (e.g., face images) for purposes other than providing the Service, security, short-term analytics, and other limited uses permitted by law. If these practices change, we will provide required notices and opt-out mechanisms.
7.3 European Residents (GDPR)
Additional rights under GDPR:
- Right to restrict processing
- Right to withdraw consent
- Right to lodge complaint with supervisory authority
7.4 Brazil (LGPD)
Additional rights under LGPD:
- Confirmation of processing and access to data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or excessive data
- Portability to another provider where applicable
- Deletion of data processed with consent
- Information about public and private entities with which we share data
- Revocation of consent and review of automated decisions where legally required
7.5 Exercising Your Rights
- Email support@pawfie.app from the address linked to your account.
- Specify which rights you want to exercise (access, correction, deletion, portability, or objection).
- We will verify your identity via your account email and, if needed, a follow-up confirmation.
- We will respond within 30 days (GDPR) or 45 days (CCPA), and tell you if more time is required.
If we deny your request, you may appeal by replying to our response. If you are unsatisfied after appeal, you may contact your local data protection authority.
8. International Transfers
Your data may be processed in:
- United States (Cloudflare, Google)
- European Union (Cloudflare)
- Other regions (Cloudflare edge locations)
We ensure adequate protection through:
- Standard Contractual Clauses
- Data Privacy Framework or other applicable adequacy decisions (where available)
- Vendor privacy certifications
For transfers from the EEA, UK, and Brazil, we rely on Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework or equivalent safeguards. You can request a copy of applicable transfer safeguards (with confidential terms redacted) by emailing support@pawfie.app.
9. AI-Specific Privacy
9.1 AI Processing Transparency
When you use our Service:
- Your Base Image is sent to Google Gemini AI
- AI generates a new synthetic image
- Original and generated images are stored in our systems
- Google may process data per their Privacy Policy
9.2 AI Training
- We do not use your images to train our own AI models.
- We contractually require Google and other AI providers not to use your images for training or fine-tuning.
- You can request deletion of all your data at any time.
9.3 AI Output Ownership
- Generated images are derivative works
- You have a license to use them per our Terms
- Copyright status varies by jurisdiction
10. Cookies and Tracking
10.1 Mobile App
Our mobile app uses:
- Local storage: App preferences, authentication tokens
- Analytics: Anonymized usage metrics
- No third-party advertising trackers
10.2 Website (if applicable)
Our website may use:
- Essential cookies (functionality)
- Analytics cookies (with consent)
- No advertising or tracking cookies
11. Changes to This Policy
We may update this Privacy Policy periodically. Changes will be communicated via:
- In-app notification
- Email to registered users
- Updated “Last Modified” date
Continued use after changes constitutes acceptance.
12. Contact Us
Privacy Inquiries
Email: support@pawfie.app
Data Protection Officer
Email: support@pawfie.app
General Support
Email: support@pawfie.app
Mailing Address
Pawfie, Inc. (mailing address available upon request via support@pawfie.app)
13. Additional Disclosures
13.1 Do Not Track
We do not respond to “Do Not Track” browser signals as there is no industry standard for compliance.
13.2 Third-Party Links
Our Service may contain links to third-party services. We are not responsible for their privacy practices.
13.3 Data Breach Notification
In case of a data breach affecting your personal data, we will:
- Notify affected users within 72 hours (GDPR requirement)
- Notify relevant authorities as required by law
- Provide information about protective measures
Where other laws apply (e.g., U.S. state laws, Brazil’s LGPD), we will follow those notification timelines and requirements.
This Privacy Policy is designed to comply with GDPR, CCPA, and Apple’s App Store guidelines. For questions about specific regional requirements, contact our Data Protection Officer.