Privacy Policy

1. Scope and Age Restriction

1.1 Scope

This Privacy Policy applies to the “Mira KI Bild & Text Generator” mobile app (hereinafter “App”, bundle ID com.picasy.app), available via the Apple App Store and Google Play Store. It informs you about which personal data we process in the App, for what purposes, on what legal basis, and what rights you have.

1.2 Age Restriction and Consent for Minors

• Intended Age Restriction: The App is primarily designed for use by persons aged 12 and over. Persons under 12 years of age are prohibited from using it.
• Legal Requirements (GDPR Art. 8): For data processing that relies on consent (in particular analytics, crash reporting and personalized advertising), European law (typically between 13 and 16 years, depending on the country) may require additional parental/guardian consent.
• Consequence: If you are under 16 and a feature of the App requires your consent, please ensure that your parents or guardians also consent to the data processing.
• Deletion of Minor Data: If we become aware that persons under 12 (or under 16 without the required parental consent) are using our services, we will promptly delete their personal data or obtain the required consent.

2. Principles of Our Data Processing

We process personal data only on the basis of a valid legal ground pursuant to Article 6 GDPR and apply the principle of data minimization. Personal data is any information relating to an identified or identifiable natural person (e.g., email address, user ID, IP address). Within the App, users are identified by a pseudonymous user ID (UID); we do not require your real name.

3. Categories of Data Processed

3.1 Account Data (required)

• Email address – to create and manage your account, for password resets and support.
• Password – stored only as a hash by Firebase Authentication; we never see it in plaintext.
• Username – the display name you choose.
• User ID (UID) and, for social login, the provider ID (Google or Apple).

3.2 In-App Usage and Content Data

• Points and credits balance, premium/subscription status and history.
• Generated images – your prompts, the selected model, and the generated image files, stored in Firebase Cloud Storage.
• Uploaded source images – photos you take with the camera or pick from your photo library to use as a template for image generation, editing, inpainting or headshot/portrait features. These may depict faces or other people; see Section 6 on transfer to AI providers.
• Generated text / chat – prompts and chat history, and any custom chat roles you create.
• Image-to-video generations – the source image, prompt and the associated video-credit balance.
• Live feed activity – if you publish an image to the public live feed, your likes and any reports you submit or receive.
• Gamification data – streak, level, achievements and usage statistics.

3.3 Payment Information

In-app purchases (point packs, video credits, premium subscription) are handled by the Apple App Store or Google Play Store. We only receive token-based purchase confirmations and receipt data (purchase token, product IDs) – never your full credit card or bank details, which are held solely by Apple or Google.

3.4 Server and Security Logs (technically required)

• IP address on API calls (Firebase Functions / Google Cloud Logging).
• User ID, endpoint and timestamp for debugging and security auditing.
• Admin actions, recorded in an internal audit trail.

3.5 Device Information and Permissions

• Operating system, device model, app version.
• Advertising ID (Apple IDFA / Google Advertising ID) – only if you have enabled personalized advertising.
• IP address (possibly truncated) to provide functionality and prevent misuse.
• Camera and photo library – accessed only when you take or select a photo to use in the App, and to save generated results to your gallery.
• Microphone and speech recognition – accessed only when you use voice input; your speech is converted into a text prompt. On iOS this uses Apple’s speech recognition, which may transmit the audio to Apple for transcription; on Android, Google’s speech service may be used.

3.6 Optional Data (only with your consent)

• Analytics – anonymized usage events, screen views, device model (Firebase Analytics).
• Crash reports – stack traces on crashes, which may contain personal data if your input appears in the crash (Firebase Crashlytics).
• Personalized ads – advertising ID and device profile (Google AdMob); on iOS only after you grant App Tracking Transparency (ATT) permission.

All optional processing is off by default and is only activated by your active choice — see Section 7 (Consent Management).

3.7 Communication Data

• Support inquiries via email to support@kiassist.org or in-app support tickets.
• Push notifications – if you enable them in your operating system (for service or offer messages). You can disable them at any time in your device settings.

3.8 Special Categories of Personal Data

We do not intentionally collect special categories of personal data (Art. 9 GDPR). If such data appear in your free-text prompts or chat inputs, they may be transmitted to our and our providers’ servers. We strongly advise against entering especially sensitive data, and against using personal data of other people (e.g., names or descriptions of a real person) in prompts without their consent.

4. Purposes and Legal Bases

• Provision of App functions – account, AI image/text generation, image-to-video, live feed display, hosting and database. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
• Paid services and points accounting – in-app purchases, subscriptions, point and credit balances. Legal basis: performance of contract (Art. 6(1)(b) GDPR); for accounting records additionally Art. 6(1)(c) GDPR in conjunction with § 257 HGB.
• IT security and abuse prevention – server logs, content moderation, fraud prevention, enforcement of rights. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
• Analytics and crash reporting – product improvement and stability. Legal basis: consent (Art. 6(1)(a) GDPR; § 25 TTDSG).
• Advertising / monetization – reward-based ads via Google AdMob. Legal basis: consent (Art. 6(1)(a) GDPR) for personalized ads; legitimate interest (Art. 6(1)(f) GDPR) for non-personalized, contextual ads.

5. Consent Management and Tracking

Analytics, crash reporting and personalized advertising are disabled by default. On first launch you are shown a consent sheet where you can decide individually. You can change every choice at any time under Settings → Privacy & Tracking, with effect for the future (Art. 7(3) GDPR).

On iOS, access to the advertising identifier additionally requires your explicit permission via Apple’s App Tracking Transparency (ATT) prompt. If you decline ATT or do not consent, you only see non-personalized ads.

6. Third Parties and International Transfers

We use the processors listed below. Where data is transferred to the USA, the legal basis is the EU-US Data Privacy Framework (EU Commission adequacy decision of 10 July 2023, Art. 45 GDPR) for certified providers, and otherwise the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR); a residual risk of access by US authorities cannot be fully excluded (“Schrems II”). A transfer to China occurs only if you use the optional image-to-video feature with a model served by Kling — see Section 6.1.

• Google / Firebase (USA) – Authentication, Firestore database, Cloud Storage, Cloud Functions, App Check, Remote Config; account data, images, statistics.
• Firebase Analytics (USA) – anonymized usage statistics (consent only).
• Firebase Crashlytics (USA) – crash reports (consent only).
• Google AdMob (USA) – reward ads; advertising ID and device profile (consent only).
• OpenAI (USA) – generation of text/chat and images (e.g., GPT, DALL·E); receives your prompts and chat input.
• ModelsLab (USA) – image generation, editing, inpainting and headshot/portrait features; receives your prompts and any uploaded source images.
• Runway (USA) – image-to-video generation; receives your prompt and source image.
• Kling / Kuaishou (China) – image-to-video generation; receives your prompt and source image (see Section 6.1).
• Apple (USA) – iOS App Store, in-app purchases, App Tracking Transparency, and (on iOS) speech recognition; receipts, device ID, and voice audio for transcription.

Important: Prompts and any source images you submit are sent to the relevant AI provider to fulfill your request. Once data has been sent to an external AI provider, our ability to ensure its deletion is limited by that provider’s own terms.

6.1 Transfer to China (optional video feature)

If you use the image-to-video feature with a model served by Kling (operated by Kuaishou, China), the prompt and the source image you provide are transferred to and processed on servers in China. China is not covered by an EU adequacy decision. The transfer is based on Standard Contractual Clauses (Art. 46 GDPR) and/or, where applicable, on the necessity to perform the service you specifically requested together with your explicit consent (Art. 49(1)(a)/(b) GDPR). The level of data protection in China may not be equivalent to that in the EU, and access by Chinese authorities cannot be excluded. If you do not want this transfer, do not upload images that show identifiable persons to the video feature, or refrain from using video models served from China.

7. The Public Live Feed

The App includes an optional public live feed. If you choose to publish a generated image to the feed, the image and its associated metadata become visible to other users, who may like or report it. You can remove your own images from the feed at any time (see Section 9). We operate server-side content moderation and may remove content that violates our terms or applicable law.

8. Retention Periods

• Account data: until you delete your account.
• Generated images: images published to the live feed are deleted after 12 hours unless they have been liked; otherwise images are kept until you delete them or your account.
• Purchases / points transactions: active data until account deletion; accounting records are retained for 10 years (§ 257 HGB).
• Cloud Functions logs: 30 days.
• Admin search logs: 90 days (automatically deleted).
• Crash reports: 90 days (Firebase default).
• Analytics events: 14 months (Firebase default).
• Advertising ID data: 13 months (Google default).

9. Your Rights

Under the GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), to object (Art. 21), and to withdraw consent (Art. 7(3)). You can exercise most of these directly in the App:

• Access & portability: Settings → “Export My Data” generates a machine-readable JSON file containing your account data, statistics, custom roles, support tickets and images with metadata (one export per 24 hours; download link valid 24 hours).
• Rectification: username, profile and custom roles can be edited directly; other fields on request.
• Erasure: delete individual images via the trash icon in the live-feed fullscreen view, or your entire account under Settings. Account deletion uses a 7-day safety window during which you can revoke it; afterwards your user document, images (Firestore + Storage), username reservation and authentication account are permanently removed. System backups are purged within at most 30 days.
• Restriction / objection / withdrawal: consent choices under Settings → Privacy & Tracking; other requests by email.

You can also contact support@kiassist.org to exercise your rights; we may request proof of identity. Note that for data already transmitted to external providers (e.g., OpenAI), complete erasure from their systems may be outside our control; we will forward your request where feasible.

9.1 Right to Lodge a Complaint

You may lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), usually the authority at your place of residence. For our establishment in Baden-Württemberg, Germany:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart
https://www.baden-wuerttemberg.datenschutz.de

10. Security

• All app-to-server connections are encrypted via HTTPS/TLS 1.2+.
• Firestore security rules prevent cross-user access; user IDs are pseudonymous UUIDs.
• Points and purchases are verified server-side only; critical operations use distributed locks.
• Firebase App Check verifies that requests originate from the genuine app.
• Sensitive secrets (Apple receipts, Google Play API keys) are stored in Google Cloud Secret Manager, never in client code.

In the event of a data breach, we will notify you and the competent supervisory authority without undue delay where legally required (Art. 33, 34 GDPR).

11. Changes to This Privacy Policy

We may update this Privacy Policy when we introduce new features or when the legal situation changes. Material changes are announced in-app via the in-app announcement system. The current version is always available in the App.

12. Applicability

• This version is intended for use within the EU/EEA. If you use the App elsewhere, additional rules (e.g., CCPA/CPRA in California) may apply.
• In some EU countries the age threshold for consent to online services may be 13, 14 or 15 instead of 16.

Data Controller (Imprint)

Name: Eckhardt Filatov
Address: Dresdener Ring 43, 71522 Backnang, Germany
Email: support@kiassist.org

(Hereinafter “we,” “us,” or the “Controller.”)

We are subject to the GDPR and supplementary national data protection laws. As we do not exceed the statutory thresholds, no external Data Protection Officer has been appointed; we ourselves are responsible for compliance.

Last updated: 1 June 2026