Privacy Policy

Last updated: February 12, 2025

At Imago ("we", "our", or "App"), we place great importance on protecting your personal data. This Privacy Policy explains how your personal data is processed in accordance with the Personal Data Protection Law No. 6698 (KVKK), the European Union General Data Protection Regulation (GDPR), and other relevant legislation.

1. Data Controller

The data controller responsible for processing your personal data:

Company/Person: Alihan Kayhan
Email: support@octo8.app

2. Personal Data Collected

2.1 Data We Collect Directly From You

Data Type	Example	Purpose
Identity Information	Email, Username	Account creation and authentication
Password	Stored as hash	Account security
Usage Data	Editing history, templates used, feature usage, number of generated photos	Personalized experience and app improvement
Photos and Face Data	User-uploaded photos containing faces	AI-powered photo enhancement and transformation

2.2 Face Data Collection and Use

Imago collects and processes photos that may contain face data as part of its core AI photo enhancement functionality. This section provides detailed information about how face data is handled.

What face data we collect: When you upload a photo for AI enhancement, we collect the photo you provide, which may contain your face or the faces of others. We perform automated face validation using Google Cloud Vision API to verify that the uploaded photo contains a clearly visible face and meets quality standards. This validation is used solely to ensure suitable photos are processed and to prevent inappropriate content from being uploaded. We do not perform facial recognition, biometric identification, or create facial feature templates (faceprints).

How we use face data:

AI Photo Generation and Enhancement: Your uploaded photos are sent to our AI processing provider (Fal.ai) to generate AI-enhanced or AI-transformed versions of the photo using generative AI technology.
Face Validation: Before AI processing, your photo is analyzed by Google Cloud Vision API to confirm that a clear face is present in the uploaded photo. This validation ensures quality results and prevents inappropriate content from being uploaded. Google Cloud Vision does not store your photos after validation is complete.
Before/After Comparison: Your original uploaded photo is temporarily stored on Supabase for 30 days so you can view side-by-side before-and-after comparisons of the AI enhancement. After 30 days, the original photo is automatically and permanently deleted.

Face data is NOT used for:

Facial recognition or biometric identification
Creating facial feature maps or faceprints
Tracking or identifying individuals across sessions
Advertising, profiling, or marketing purposes
Training AI or machine learning models
Sharing with third parties for their own purposes

Storage and retention of face data: Your original uploaded photos are stored securely on our database provider (Supabase) for a maximum of 30 days to enable before-and-after comparison. After 30 days, the original photos are automatically and permanently deleted. AI-generated result images are retained in your account for as long as your account remains active. Upon account deletion, all photos (both originals and AI-generated results) are permanently deleted within 30 days.

Third-party processing of face data: Your photos are processed by two AI service providers:

Google Cloud Vision API — Used for face validation only. Your photo is sent to Google Cloud Vision to detect whether a clear face is present. Google Cloud Vision does not retain your photos after the validation check is complete and does not use your photos for model training. For more information, see Google Cloud Privacy Notice.
Fal.ai — Used for AI photo generation and enhancement. Your photo is sent to Fal.ai to generate the AI-enhanced result. Fal.ai processes photos only as instructed and does not retain your photos after processing is complete. Fal.ai does not use your photos for training AI models or for any purpose other than generating your requested result. For more information, see Fal.ai Privacy Policy.

Your original uploaded photos are stored on Supabase for 30 days to provide before-and-after comparison functionality. Face data is not shared with any other third parties beyond these service providers.

Consent for face data processing: By creating an account, you agree to our Terms of Service and this Privacy Policy, which clearly describe how your photo and face data will be collected, processed by AI, and temporarily stored. Additionally, each time you upload a photo, you voluntarily provide your face data for AI processing. The app also requests your device's photo library permission through the operating system before any photo can be accessed. You may withdraw your consent at any time by contacting us at support@octo8.app or by deleting your account, which will result in the permanent deletion of all your photos within 30 days.

Security of face data: All photo data is encrypted in transit using SSL/TLS and encrypted at rest using AES-256 encryption. Access to stored photos is restricted through authentication and authorization controls.

2.3 Automatically Collected Data

Data Type	Collecting Service	Purpose
Device Information	Firebase Analytics	Technical support and optimization
App Usage Statistics	Firebase Analytics	App improvement
Push Token	Firebase Cloud Messaging	Notification delivery

3. Third-Party Service Providers

Our third-party service providers that process your personal data:

3.1 Google Cloud Vision API (Face Validation)

Purpose: Automated face validation to confirm a clear face is present in uploaded photos before AI processing
Data Processed: User-uploaded photos containing faces
Retention: Photos are not retained by Google after validation is complete
Location: US servers
Privacy Policy: Google Cloud Privacy Notice

3.2 Fal.ai (AI Photo Generation and Enhancement)

Purpose: AI-powered photo generation, enhancement, and transformation using generative AI
Data Processed: User-uploaded photos containing faces
Retention: Photos are processed in real time and are not retained by Fal.ai after processing is complete
Location: US servers
Privacy Policy: fal.ai/privacy

3.3 Supabase (Database and Photo Storage)

Purpose: Storage of user accounts, progress data, app content, and temporary storage of original uploaded photos (30 days) for before-and-after comparison
Location: US/EU servers
Privacy Policy: supabase.com/privacy

3.4 Firebase Analytics (Google)

Purpose: App usage analysis, performance monitoring
Collected Data: Device model, operating system, app version, usage duration, screen views
Location: US servers
Privacy Policy: firebase.google.com/support/privacy

3.5 Firebase Cloud Messaging (Google)

Purpose: Push notification delivery
Collected Data: Device push token
Privacy Policy: firebase.google.com/support/privacy

4. Purposes and Legal Bases for Data Processing

Processing Purpose	Legal Basis (KVKK/GDPR)
Account creation and management	Contract performance
Progress tracking and synchronization	Contract performance
Push notification delivery	Explicit consent
App analysis and improvement	Legitimate interest
Photo and face data processing for AI enhancement	Explicit consent

5. Data Retention Periods

Account data: Retained as long as your account is active
Original uploaded photos (face data): Automatically deleted after 30 days
AI-generated result photos (which may also contain face data): Retained as long as your account is active
Photos during face validation (Google Cloud Vision): Not retained after validation is complete
Photos during AI generation (Fal.ai): Not retained after processing is complete
After account deletion: All data including photos permanently deleted within 30 days
Analytics data: 14 months (Firebase default)
Backups: Maximum 90 days from deletion request. Backups may contain face data; however, backups are encrypted, access-restricted, and permanently purged within this 90-day period

6. User Rights (KVKK Article 11 / GDPR Articles 15-22)

You have the following rights regarding your personal data:

Right of access: Learn which of your data is being processed
Right to rectification: Request correction of incorrect or incomplete data
Right to erasure ("Right to be forgotten"): Request deletion of your data, including immediate deletion of your uploaded photos and face data without waiting for the 30-day automatic deletion period
Right to restrict processing: Request stopping of processing in certain situations
Data portability: Receive your data in a structured format
Right to object: Object to processing based on legitimate interest
Withdraw consent: Withdraw your consent at any time

To exercise these rights, please contact support@octo8.app. Your request will be answered within 30 days.

7. Children's Privacy

Our app is intended for a general audience and does not specifically target children under 13. If children under 13 use the app, parental or guardian consent is required.

If we discover that a child under 13 has provided personal data without parental consent, we will immediately delete this data. If you detect such a situation, please contact us.

8. International Data Transfers

Your data may be transferred to servers outside Turkey (especially the US and EU) through our service providers. These transfers are made:

Using Standard Contractual Clauses (SCC) approved under GDPR
Taking necessary security measures under KVKK

9. Data Security

We implement the following measures to protect your data:

SSL/TLS encryption (in transit)
AES-256 encryption (at rest)
Password hashing with bcrypt
Regular security updates
Access control and authorization

10. Privacy Policy Changes

We reserve the right to update this policy. When significant changes are made:

In-app notification will be sent
Email notification will be provided
"Last updated" date will be updated

11. Contact and Complaints

For questions or complaints regarding privacy:

Email: support@octo8.app

Your right to file a complaint with the Personal Data Protection Authority (kvkk.gov.tr) under KVKK or with your local data protection authority under GDPR is reserved.