Privacy Policy

Effective Date: February 20, 2026  |  Last Updated: March 10, 2026

1. Introduction

This Privacy Policy explains how StudioShots ("we," "us," or "our") collects, uses, stores, and protects information when you use our mobile application. StudioShots is an AI-powered photo studio app designed for parents and legal guardians to create fun, themed photos of their children.

We take the privacy of children extremely seriously. This app is designed to comply with the Children's Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

Please read this Privacy Policy carefully before using the app. By creating an account or using StudioShots, you agree to the practices described in this policy.

2. Who This App Is For

StudioShots is a parent-facing application. It is intended for use by parents and legal guardians who are at least 18 years of age. The app is not designed or intended to be operated directly by children. All account creation, photo uploads, and interactions with the app are expected to be performed by a parent or legal guardian.

3. Information We Collect

3.1 Information You Provide Directly

Data Type	Purpose	Required?
Email address	Account creation and authentication	Yes
Password	Account security (stored as a hash, never in plaintext)	Yes
Child's photo(s)	Uploaded by the parent for AI photo generation	Yes (to use generation features)
Child's name	Optional label stored in session metadata for your convenience	No

3.2 Information Generated Through the Service

Data Type	Purpose
AI-generated photos	The themed photos produced by the AI based on your uploads
Session metadata	Information about your generation sessions (theme selected, timestamps, status)

3.3 Information Collected Automatically

Data Type	Purpose	Contains PII?
Anonymous analytics events	Understanding how the app is used in aggregate	No
Crash and error data	Identifying and fixing bugs and app stability issues	No
Purchase transaction records	Processing and verifying in-app purchases	Limited (transaction IDs; no payment card data)

3.4 Information We Do NOT Collect

• We do not collect precise or coarse geolocation data.
• We do not collect device identifiers, advertising IDs, or hardware IDs for tracking purposes.
• We do not use cookies, browser fingerprinting, or cross-app tracking.
• We do not collect contact lists, phone numbers, or social media handles.
• We do not collect any behavioral data for advertising purposes.
• We do not use facial recognition, face detection, or biometric identification technology.

4. How We Use Your Information

We use the information we collect solely for the following purposes:

• To provide the service: Creating your account, authenticating your identity, generating AI photos based on your uploads, and storing your photos and sessions.
• To process payments: Verifying in-app purchases and managing your subscription or credit balance.
• To improve the app: Using fully anonymous, aggregated analytics to understand usage patterns and improve features.
• To maintain app stability: Using crash and error reports (containing no personal information) to identify and resolve technical issues.
• To communicate with you: Responding to support requests or sending essential service-related notices.

We do not use your information, including your child's photos, for advertising, marketing to third parties, user profiling, or any purpose not described above.

5. AI Photo Generation and Your Child's Photos

1. Upload: When you upload your child's photo(s), they are stored in encrypted cloud storage hosted by Firebase/Google Cloud Platform (see Section 7).
2. Processing: When you initiate a photo generation, your child's photo is processed by Google's Gemini AI via the Google Cloud Platform for the sole purpose of generating the themed AI photo.
3. Immediate deletion from processing servers: Your child's original photo is not retained by Google's AI processing service after the generation is complete. The photo is sent, processed, and the result returned — Google does not store your photos beyond the processing request.
4. No AI training: Your child's photos are never used to train, fine-tune, or improve any AI models — not by us, and not by our AI processing provider for this use case.
5. Storage: Both the original uploaded photos and the AI-generated results are stored in your account within Firebase Cloud Storage (Google Cloud Platform). They remain there until you delete them or delete your account.
6. AI disclosure: All AI-generated photos are clearly labeled with AI disclosure badges to distinguish them from original photographs.

6. Face Data

This section specifically addresses how StudioShots handles photos that contain faces, including children's faces. We provide this disclosure to be fully transparent about our practices.

6.1 What We Mean by "Face Data"

"Face data" refers to the photographic image data contained in the photos you upload that may depict a person's face. StudioShots does not perform facial recognition, face detection, facial mapping, or biometric identification of any kind. We do not extract, analyze, or store facial geometry, faceprints, or any biometric identifiers from your photos. The photos are processed as whole images by the AI generation service.

6.2 Why We Process Photos Containing Faces

The sole purpose of processing photos that contain faces is to generate creative, themed photos of your child. You upload a photo of your child, select a fun theme (such as "Superhero," "Princess," "Astronaut," etc.), and our AI generation service creates a new stylized image based on the uploaded photo and the selected theme. Processing photos containing faces is essential to the core functionality of the app.

6.3 How Face Data Is Processed

When you initiate a photo generation:

1. Your child's photo is uploaded from your device to Firebase Cloud Storage (Google Cloud Platform), where it is stored under your authenticated user account with encryption at rest.
2. The photo is sent to Google's Gemini AI API (specifically the Gemini 2.5 Flash Image model) via a secure, encrypted connection. The entire photo — not extracted face data — is transmitted as part of the generation request.
3. Google's Gemini AI processes the photo to understand the visual content and generates new creative, themed images based on your selected theme.
4. The AI processing takes approximately 5 to 10 seconds. During this brief window, the photo data exists in Google's API processing pipeline.
5. After processing is complete, the photo data is not retained by Google's Gemini API service. Google does not store the image data from API requests beyond the duration needed to process the request and return the result.
6. The generated images are returned to our server and stored in Firebase Cloud Storage under your account.

6.4 How Long Face Data Is Retained

Location	Retention Period
Google Gemini AI processing pipeline	Only during active processing (~5-10 seconds). Not retained after the generation request is complete.
Firebase Cloud Storage (original photo)	Retained in your account until you delete it or delete your account.
Firebase Cloud Storage (generated photos)	Retained in your account until you delete them or delete your account.
Our servers or app	We do not maintain any separate copy of face data. Photos exist only in Firebase Cloud Storage under your account.

We do not retain face data, facial features, or any biometric information in any database, cache, or storage system beyond what is described above. The only persistent copies of photos are those stored in your Firebase Cloud Storage account, which you control and can delete at any time.

6.5 Third Parties That Receive Photos Containing Faces

The following third parties receive or have access to photos containing faces:

Google Gemini AI (Google LLC)

• Purpose: To generate creative, themed photos based on the uploaded image.
• What is shared: The complete uploaded photo (as a whole image, not extracted face data) is sent to Google's Gemini API for processing.
• Why it is shared: Photo generation is the core service of StudioShots. Google's Gemini AI model is the technology that creates the themed images. Sharing the photo with the Gemini API is required to provide this service.
• Does Google store the face data? No. Per Google's Gemini API Terms of Service, image data submitted through the API is processed to fulfill the request and is not retained after processing is complete. Google does not store your photos beyond the brief processing window.
• Does Google use photos for AI training? No. Per Google's API data usage policies for paid API services, data submitted through the Gemini API is not used to train or improve Google's AI models.
• Google's privacy practices: Google processes API data in accordance with the Google Cloud Privacy Notice and the Google API Terms of Service. Google maintains SOC 2, ISO 27001, and other industry-standard security certifications. Data is transmitted via TLS-encrypted connections and processed in secure data centers.
• Privacy policy: https://cloud.google.com/terms/cloud-privacy-notice

Firebase / Google Cloud Platform (Google LLC)

• Purpose: Encrypted cloud storage for uploaded and generated photos.
• What is shared: Original uploaded photos and AI-generated photos are stored in Firebase Cloud Storage.
• Does Firebase retain face data independently? No. Firebase Cloud Storage acts as a file storage service. Photos are stored as encrypted files under your account and are not analyzed, scanned for faces, or processed by Firebase beyond storage and delivery.
• Privacy policy: https://firebase.google.com/support/privacy

No other third party receives, accesses, or processes your photos or any face data.

6.6 What We Do NOT Do With Face Data

• We do not perform facial recognition or face detection.
• We do not extract facial geometry, faceprints, or biometric identifiers.
• We do not build facial profiles or templates.
• We do not use face data for identification, authentication, or verification purposes.
• We do not sell, rent, or share face data with advertisers, data brokers, or any third party other than Google (as described above) for the sole purpose of providing the photo generation service.
• We do not use face data for behavioral tracking, profiling, or targeted advertising.
• We do not retain face data beyond the purposes described in this section.

7. Third-Party Services

We use the following third-party services to operate StudioShots. Each service has access only to the minimum data necessary to perform its function:

7.1 Firebase by Google (Authentication, Database, File Storage)

• Purpose: Manages user accounts (Firebase Authentication), stores session data (Cloud Firestore), and provides encrypted file storage for photos (Firebase Cloud Storage).
• Data accessed: Email, hashed password, session metadata, uploaded photos, generated photos.
• Server location: United States.
• Privacy policy: https://firebase.google.com/support/privacy

7.2 Google Gemini AI (AI Photo Generation)

• Purpose: Processes uploaded photos to generate themed AI photos via Google's Gemini API on Google Cloud Platform.
• Data accessed: Child's uploaded photo(s) during generation only.
• Data retention: Photos are not retained by Google's AI service beyond the processing request. Photos are not used for model training. See Section 6 for full details on face data handling.
• Privacy policy: https://cloud.google.com/terms/cloud-privacy-notice

7.3 Sentry (Error Tracking)

• Purpose: Captures crash reports and error logs to help us fix bugs.
• Data accessed: Error stack traces, app version, OS version, and general device type. No personally identifiable information (PII) is collected. No photos or face data are sent to Sentry.
• Privacy policy: https://sentry.io/privacy/

7.4 Aptabase (Analytics)

• Purpose: Collects anonymous usage analytics to help us understand how the app is used.
• Data accessed: Anonymous event data only. No PII, no device identifiers, no IP addresses are collected. No photos or face data are sent to Aptabase. Aptabase is designed to be GDPR-compliant and CCPA-compliant by architecture.
• Privacy policy: https://aptabase.com/legal/privacy

7.5 RevenueCat (Payment Processing)

• Purpose: Manages in-app purchases, subscriptions, and credit balances.
• Data accessed: Anonymous app user ID, purchase transaction data, subscription status. RevenueCat does not have access to your payment card information (that is handled by Apple). No photos or face data are sent to RevenueCat.
• Privacy policy: https://www.revenuecat.com/privacy

7.6 Apple (App Store and Sign In with Apple)

• Purpose: Distributes the app, processes payments, and provides optional Sign In with Apple authentication.
• Data accessed: Apple manages all payment card information directly. If you use Sign In with Apple, Apple provides us with an email address (which may be a private relay address) and a unique user identifier. No photos or face data are shared with Apple through our app.
• Privacy policy: https://www.apple.com/privacy/

8. Children's Privacy (COPPA Compliance)

8.1 Parental Consent

• StudioShots is designed for use by parents and legal guardians only.
• Before any child's photo can be uploaded for the first time, the app displays a parental consent modal that clearly explains what data will be collected, how it will be used, and how it will be processed — including that photos are processed by Google's Gemini AI. The parent must affirmatively consent before proceeding.

8.2 Minimal Data Collection

• We collect only the data strictly necessary to provide the photo generation service.
• A child's name is optional and is stored only as a convenience label in session metadata.
• We do not collect any data directly from children.

8.3 No Behavioral Advertising

• We do not display advertisements of any kind in the app.
• We do not share any data with advertising networks.
• We do not engage in behavioral advertising or interest-based profiling.

8.4 No Social Features

The app contains no social features, no chat, no public profiles, no user-to-user communication, no sharing to social media, and no public galleries.

8.5 Parental Rights Under COPPA

As a parent or legal guardian, you have the right to:

• Review the personal information we have collected related to your child.
• Request deletion of your child's personal information and photos.
• Refuse further collection of your child's information by deleting your account.
• Exercise these rights at any time by using the "Delete My Data" feature in the app or by contacting us at constructivecreativityllc@gmail.com.

We will respond to verified parental requests within 30 days.

8.6 Data Security for Children's Information

• All photos (uploaded and generated) are encrypted at rest in Firebase Cloud Storage (Google Cloud Platform).
• Data is transmitted using TLS/SSL encryption in transit.
• Access to stored photos is restricted to the authenticated parent account that uploaded them.

9. Data Retention and Deletion

9.1 How Long We Keep Your Data

• Original uploaded photos: Retained in your account until you delete them or until your account is deleted. You may delete them at any time using the "Delete My Data" feature in the app's settings.
• AI-generated photos: Retained in your account until you delete them individually or until your account is deleted.
• Face data in AI processing pipeline: Retained only during active processing (~5-10 seconds). Not retained by Google after processing is complete. See Section 6.4 for details.
• Account data (email, hashed password): Retained for as long as your account is active. Upon account deletion request, all account data is permanently deleted within 30 days.
• Session metadata: Retained for as long as your account is active or until you delete the associated sessions.
• Anonymous analytics data (Aptabase): Retained in aggregate form indefinitely. This data is fully anonymized and contains no personally identifiable information (PII), no device identifiers, and no IP addresses.
• Crash/error data (Sentry): Retained for 90 days per Sentry's standard retention period. This data contains no PII — only error stack traces, app version, OS version, and general device type.
• Purchase records: Retained as required for transaction verification and legal/tax compliance.

9.2 Deleting Your Data

You can delete your data at any time using the "Delete My Data" button within the app's settings. This action will immediately:

• Permanently delete all uploaded photos from storage.
• Permanently delete all AI-generated photos from storage.
• Permanently delete all session data and metadata.
• Permanently delete your user profile and account information.

This action is irreversible.

You may also request data deletion by emailing constructivecreativityllc@gmail.com.

9.3 Account Inactivity

We reserve the right to delete accounts and associated data that have been inactive for an extended period (12 months or more), after providing notice to the email address on file.

10. Data Security

We implement the following security measures to protect your data:

• Encryption at rest: All photos stored in Firebase Cloud Storage are encrypted at rest using Google Cloud Platform's default encryption.
• Encryption in transit: All data transmitted between the app and our servers uses TLS/SSL encryption. This includes photos sent to Google's Gemini AI for processing.
• Password security: Passwords are hashed using industry-standard algorithms and are never stored in plaintext.
• Access controls: Firebase Security Rules ensure that users can only access their own data.
• Minimal access principle: Each third-party service receives only the minimum data necessary to perform its function.
• No persistent face data storage: Face data exists in the AI processing pipeline only during the brief generation window and is not retained afterward.

While we take reasonable and appropriate measures to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

11. Data Transfers

Your data is processed and stored on servers located in the United States. If you are accessing the app from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States.

By using StudioShots, you consent to the transfer of your information to the United States and the processing of your data as described in this Privacy Policy.

12. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right to access: You may request a copy of the personal data we hold about you.
• Right to correction: You may request that we correct inaccurate information.
• Right to deletion: You may request deletion of your personal data (or use the in-app "Delete My Data" feature).
• Right to data portability: You may request your data in a portable format.
• Right to object: You may object to certain processing of your data.
• Right to withdraw consent: You may withdraw consent at any time by deleting your account.

California residents (CCPA/CPRA): We do not sell personal information. We do not share personal information for cross-context behavioral advertising. You may exercise your rights under the CCPA by contacting us at constructivecreativityllc@gmail.com.

EU/EEA residents (GDPR): Our legal basis for processing personal data is your consent (provided during account creation and via the parental consent modal) and the performance of a contract (providing the service you requested).

To exercise any of these rights, contact us at constructivecreativityllc@gmail.com. We will respond within 30 days.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

• Posting the updated policy within the app.
• Updating the "Last Updated" date at the top of this policy.
• For material changes affecting children's data, providing notice via the email address associated with your account.

Your continued use of the app after changes are posted constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Developer: Constructive Creativity LLC
Email: constructivecreativityllc@gmail.com
Website: kidshots.app