Privacy Policy

Last Updated: May 20, 2025

This Privacy Policy ("Privacy Policy") describes the privacy practices of PicFlow in connection with the PicFlow mobile applications (each, an "App," and collectively, the "Apps"). Welcome to PicFlow;s Privacy Policy! If you decide not to read the entire Privacy Policy, we want you to remember a few key points about PicFlow's privacy practices:

The Apps are photo or video editors that allow users to perform highly realistic facial transformation edits on portraits.
We do not use the photos or videos you provide when using the Apps for any reason other than to provide you with the editing features of the Apps.
We use third-party cloud service providers, specifically Google Cloud Platform and Amazon Web Services, to process and edit photos and videos.
Only the photos or videos you specifically select for editing are sent to the cloud.
During the editing process, photos or videos are temporarily cached on cloud servers and encrypted using a key stored locally on your mobile device.
To improve performance, reduce bandwidth, and allow you to optimally make further modifications to recently selected photos or videos, photos or videos may be retained in the cloud for up to 24 to 48 hours.

Here are more details about our privacy practices.

1. Information We Collect

1.1. When You Select Photos/Videos for Editing Using the App

When you use the App and select photos or videos for editing, we cache them for processing to provide you with the editing services you request: photos or videos you select either via your camera, photo library (if you have granted the App permission to access your camera or photo library), or through the in-App internet search feature. We only process the specific photos and videos you choose to modify with the App; we do not collect your entire photo or video library, even if you grant us access. We protect each photo or video you select with an encryption key stored locally on your device, which means the only device that can view that photo or video is the device that submitted it through the App, i.e., the user;s device. Please note that while we do not require or request any metadata attached to the photos or videos you select for editing, metadata (such as geotags) may be associated with your photos or videos by default. We take steps to remove any metadata that may be associated with the photos or videos you provide when using the App. Photos or videos may be cached in the cloud for a limited period, up to 24 to 48 hours after your last edit, so you can return to make further modifications if you wish.

1.2. When You Use the App and Website

When you use the App and our website, we may collect the following information:

App Usage and Online Activity Data: For example, 1) how you use the App and interact with it, including features you use, preferred language, the date and time you first installed the App, and the date and time you launch the App; 2) the referral source of the website.
App-Related Purchase History: If you choose to purchase an App subscription, we do not receive billing addresses, credit card information, etc. (as we do not directly distribute subscriptions), but only confirmation from the respective app store that you are a paid subscriber to the App, so we can provide professional services.
Device Data: Such as your computer and mobile device operating system type and version number, manufacturer and model, push token, browser type, screen resolution, IP address (and the associated city/country you are in), and the website you visited before Browse to our website. Generally, all data is associated only with an App Instance ID (assigned to the instance of the App installed on your mobile device). Online identifiers like IP addresses and App Instance IDs are generally considered personal data, but we cannot identify you by name or address from such identifiers.

This information may be collected through our website and App using Cookies and similar technologies. We may collect it directly or through the use of third-party Software Development Kits ("SDKs"). SDKs may enable third parties to collect information directly from the App.

1.3. When You Contact Us via Email

When you contact us via email, we may also collect:

Contact information, such as your name and email address, and information related to your communications.

2. Information Collection and Use

Generally, we do not collect personally identifiable information unless you voluntarily provide it, such as when you provide us with feedback or in a user registration process. To provide you with a better experience, when you use our Service, we may require you to provide certain information, including but not limited to:

Device identifiers
Product interaction data
Performance data
Advertising data
Crash data
Other diagnostic data

2.1 What face data does the App collect?

Face information from the images you upload, including, for example, information about the estimated position and shape of facial features ("Face Data"). Depending on the applicable laws in your jurisdiction, Face Data may be considered biometric data. We only use Face Data to enhance your photos and create the AI images you request, unless you specifically consent to other processing of this data. In no event does PicFlow process Face Data to identify or authenticate any person in the images you upload.

2.2 Reasons for Storing Face Data

User Convenience and Experience: The primary reason for storing user-uploaded photos is to enhance the user experience by providing convenience. By caching these images, users can quickly access their previously uploaded photos without needing to re-upload them each time they want to use them for editing or creative purposes. This feature significantly improves the efficiency of the user;s creative process and reduces the time spent on repetitive tasks.
Efficiency in Photo Editing and Creation: Our application is designed to assist users in photo editing and creation. By storing photos, we enable users to have a seamless workflow. They can easily select images from their gallery to apply various editing tools, filters, or incorporate them into new creations. This feature is crucial for maintaining a smooth and efficient user journey within the app.
Performance Optimization: Storing photos allows us to optimize the app;s performance. Loading images from a local cache is much faster than fetching them from the cloud or requiring users to re-upload them. This optimization ensures that the app runs smoothly and provides a responsive user interface, which is essential for a positive user experience.

2.3 How long will Face Data be retained?

We apply different retention periods depending on the data category and the purpose of its use. For AI Generation:

Images you upload will be retained for a maximum of ninety (90) days (if you subscribe to PicFlow) or for a maximum of thirty (30) days (if you do not subscribe to PicFlow) from your most recent use of PicFlow features to generate AI images.
Face Data used to generate AI images will be retained to ensure the functioning of PicFlow's generative AI features for a maximum of ninety (90) days (if you subscribe to PicFlow) or for a maximum of thirty (30) days (if you do not subscribe to PicFlow) from your most recent use of PicFlow features to generate AI images. In any case, it will be deleted within two (2) years after generation.
AI images generated by PicFlow will be retained for a maximum of thirty (30) days.
After the retention periods described above, the data will be deleted from our servers and our service providers' servers, unless you specifically consent to other processing of this data.

We retain other categories of personal data as described above for no longer than three (3) years after your most recent interaction with the App, or from the expiration of your subscription. If you access the App after your subscription expires, the retention period starts from this most recent interaction. After this period, the data will be deleted or anonymized, unless any legal obligation requires longer data retention.

We value our users; privacy and data security. Herein, we explicitly state that our application does not share any Face Data with any third parties. We strictly adhere to data protection regulations and are committed to safeguarding users; personal information from disclosure or misuse.

2.5 Data Storage Location:

User Face Data will be securely stored on our servers. We employ industry-standard encryption technologies and security measures to protect the stored data from unauthorized access and data breaches. Our data storage facilities are located in [Specify Country or Region] and comply with local data protection laws and regulations.

2.6 User Control:

We respect users; control over their data. Users can review, update, or delete their Face Data at any time. If users have any questions about data storage and processing, or wish to exercise their rights, they can do so through the application settings or by contacting our customer service department.

3.1. Photo and Video Information

We do not disclose users; photos or videos to third parties (other than temporarily caching encrypted versions with cloud service providers Google Cloud Platform and Amazon Web Services to provide the App's photo and video editing features). Because we do not store the encryption keys, we cannot disclose the photos and videos cached for processing.

3.2. Non-Photo and Non-Video Information

We do not sell personal information. We may share your non-photo and non-video information in the following circumstances:

Affiliates: We may share information collected from you with our subsidiaries and affiliates for purposes consistent with this Privacy Policy.
Service Providers: We may share your information with service providers who perform services on our behalf or assist us in operating the App (such as customer support, hosting, analytics, email delivery, marketing, and database management services). These third parties may use your information only as directed or authorized by us and in a manner consistent with this Privacy Policy, and are prohibited from using your information for any other purpose.
Third-Party Platforms and Social Media Networks: You may choose to post edited photos or videos to your social media accounts. We do not control the third-party platform's use of your information, which is governed by that third party's privacy policy and terms and conditions.
Professional Advisors: We may disclose your information to professional advisors, such as lawyers and auditors, where necessary in the course of the professional services that they render to us.
Business Transfers: We may also transfer or assign your personal data in the course of a corporate divestiture, consolidation, merger, acquisition, reorganization, or other disposition of assets, or in the event of bankruptcy or dissolution.
Compliance and Protection: We may be required to disclose your information to comply with applicable laws, lawful requests, and legal processes, such as to respond to subpoenas or requests from government authorities, or for the compliance, fraud prevention, and safety reasons described above. Because your photos or videos are cached in an encrypted format with the key stored on the user's device, we cannot access and therefore cannot disclose such content.

4. Your Choices

Opt-out of Push Notifications: You can opt-out of push notifications we may send you by changing the settings on your mobile device.
Device Permissions: You can revoke any permissions you have previously granted to us, such as access to your camera, photo library, or microphone, through the settings on your mobile device.
Cloud Processing: You can request that we delete your information, including photos and videos temporarily cached on Google Cloud Platform or Amazon Web Services, before the 24 to 48-hour period prior to automatic deletion after editing, by tapping the "Request Deletion of Cloud Data" button in the "Support" section of the App settings.
Personal Information Requests: We also offer you choices that affect how we handle the personal information we control. Depending on your jurisdiction, you may request the following in relation to your personal information:
- Information about how we have collected and used your personal information. We have made this information available to you in this Privacy Policy without you having to request it.
- Access to a copy of the personal information that we have collected about you. Where applicable, we will provide the information in a portable, machine-readable, readily usable format.
- Correction of personal information that is inaccurate or out of date.
- Deletion of personal information that we no longer need to provide the services or for other lawful purposes.
- Additional rights, such as to object to and request that we restrict our use of your personal information. To make a request, please email us at shannon.liu@the-tomato.com. We may ask you for specific information to help us confirm your identity. California residents can empower an "authorized agent" to submit requests on their behalf. We will require authorized agents to confirm their identity and authority in accordance with applicable laws. You are entitled to exercise the rights described above free from discrimination. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us or submit a complaint to the data protection regulator in your jurisdiction. If you are in Europe, you can find your data protection regulator here. If you are in the UK, the Information Commissioner's Office is the competent authority.
Choosing Not to Share Your Information: If we need your information to provide our services to you, or if we are required by law to collect your information, and you do not provide it when requested (or later ask to delete it), we may not be able to provide our services to you.
Limitations on Your Choices: In some instances, your choices may be limited, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and assert our legal rights. If you are not satisfied with how we address your request, you may submit a complaint by contacting us as described in the "How to Contact Us" section below. Please note that we may require additional information from you to verify your identity and process your request.

5. Other Websites, Mobile Applications, and Services

The App may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages, mobile applications, or online services that are not associated with us. We do not control third-party websites, mobile applications, or online services, and we are not responsible for their actions. Other websites, mobile applications, and online services follow different rules regarding the collection, use, and sharing of your personal information. We encourage you to read the privacy policies of the other websites, mobile applications, and online services you use.

6. Security Practices

We employ commercially reasonable security practices to help protect the security of information collected through our services. However, like any app, we cannot guarantee the absolute security of any information you provide, as malicious actors may attempt to access, disclose, alter, or destroy your information. Please do your part as well. You are always responsible for maintaining the secrecy of your own information and for controlling access to communications between you and us. We are not responsible for the functionality, privacy, or security measures of any other organization.

7. Retention Period

We configure Google Cloud Platform and Amazon Web Services to delete photos, videos, and associated information within 24 to 48 hours after the last edit of the photo or video using the App. This allows you to revisit the photo or video during this period to make further modifications. For non-photo and non-video information we collect, we retain such information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a different retention period is permitted or required by applicable law. You can also request that we delete your information using the "Request Deletion of Cloud Data" option in the "Support" section of the App settings.

8. Cross-Border Data Transfers

If we transfer your personal information across borders, the countries to which it is transferred may not provide the same level of data protection as the laws in your region. When we engage in international information transfers, we:

Ensure that the data transfer complies with applicable law;
Ensure that relevant safeguards are in place to provide an adequate level of protection for your personal information. We use a variety of protection measures for each data transfer, as appropriate. For example, we use:
Standard Contractual Clauses (or alternative legal tools such as the UK government-approved International Data Transfer Agreement or Addendum) to require third parties to protect your data and provide you with EU and UK-level rights and protections;
Technical safeguards, such as automatic deletion, encryption, and pseudonymization;
Policies and processes to challenge disproportionate or unlawful government authority requests. Please note that our technical support teams may also access your information, such as App usage information, from locations outside your state, province, or country.

9. Children

We have a minimum "Age Limit." Our App and Website are not directed to children under 12, or individuals for whom:

Processing their personal data is unlawful due to their age;
Parental consent is required to process their personal data. We do not knowingly collect data from individuals below the Age Limit. Do not upload photos or videos of children below the Age Limit unless you are their parent or guardian. If you are below the Age Limit, please do not use our App or Website. If you are a parent or guardian of someone below the Age Limit, please do not allow such individuals to use our App or Website. If you believe we have received personal data from a child below the Age Limit, please contact us at shannon.liu@the-tomato.com.

10. Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will update the date of the Privacy Policy and post it on the App and Website to notify you. We may, and if required by law, will, provide notification of changes in another way that we believe is reasonably likely to reach you, such as via the App. Any modifications to this Privacy Policy will be effective upon our posting of the new terms and/or upon implementation of the new changes on the App and Website (or as otherwise indicated at the time of posting). In all cases, your continued use of our services after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.

11. How to Contact Us

If you have any questions or suggestions about my Privacy Policy, do not hesitate to contact me at shannon.liu@the-tomato.com.