Privacy Policy

• Photos you upload. Face photos you provide as input for AI generation. We process these only for the purpose of generating your TinyUs portrait and delete the originals from our servers within 24 hours of generation.
• Generation outputs. The AI-generated portraits we return to you. We retain a temporary record (typically less than 30 days) for service quality, fraud prevention, and dispute resolution.
• Account & subscription information. If you subscribe, we record subscription status via Apple App Store and RevenueCat receipts. We do not store credit-card numbers; Apple handles all payments.
• Device & usage data. App version, OS version, anonymous usage events (screens viewed, generations completed), and crash reports. Aggregated and not used to identify individuals.
• What we do NOT collect. Government ID, home address, financial card details, contacts, voice recordings, location data, or any persisted biometric template derived from your photos beyond the transient processing required to produce your portrait.

• To generate AI portraits from the photos you submit.
• To deliver and improve the Service, including fraud prevention.
• To honor subscription and consumable purchase entitlements.
• To comply with legal obligations and respond to lawful requests.
• We do not use your photos or personal information to train third-party AI models or sell them to data brokers.

You consent to our collection and processing of your photos when you upload them and tap Generate. On first launch you also provide explicit in-app consent to share your photos with fal.ai via a dedicated onboarding checkbox that names fal.ai as our third-party AI processing partner and discloses the 24-hour auto-deletion retention policy, before any photo is uploaded. You can withdraw consent at any time by stopping use of the Service and requesting deletion of any retained outputs by emailing support@aurabionics.com.

Photos are processed by our third-party AI provider fal.ai running the PhotoMaker model. fal.ai processes images solely for inference and, under its paid API tier, does not retain your photos for training or any other purpose. See fal.ai/legal/privacy-policy for their practices.

Before reaching fal.ai, every uploaded photo is screened by OpenAI's Moderation API (free tier) and a face-presence classification step to enforce our Acceptable Use rules (adults only, no nudity, no violence, face required). Moderation responses are not stored.

Our servers temporarily hold the photos in memory during processing and on disk for at most 24 hours, then delete them. Generated output portraits are stored only as long as needed to deliver them to your device.

The Service requests Photos library access on iOS only when you tap a slot to choose a face. We do not access your camera roll in the background and do not request location, contacts, microphone, or any other sensitive permission.

We do not use your photos to train our own AI models. Our third-party processors follow the same rule:

• fal.ai paid API tier does not train on customer data by default.
• OpenAI Moderation and Vision APIs (paid tier) do not use submitted images for model training.

Your photos and outputs are never added to public training datasets.

Every upload is screened for prohibited content (nudity, sexual content, violence, hate, illegal material) and for face presence (objects, screenshots, drawings, group photos are rejected). Rejected uploads do not reach fal.ai and are deleted immediately.

You may only upload photos of yourself or photos of other adults for which you have explicit consent. You may not upload photos of anyone under 18 under any circumstances. Violations may result in immediate account termination.

• Uploaded face photos: auto-deleted within 24 hours.
• Generated portrait outputs: typically less than 30 days.
• Account/subscription status: kept for the duration of your account; deleted within 30 days of a verified account deletion request.
• Anonymized / aggregated analytics: may be retained indefinitely for service improvement.

Upon verified request, we delete your personal data within 30 days. You can request deletion by emailing support@aurabionics.com.

TinyUs is designed for users aged 18 and over. Our onboarding flow requires you to confirm you are 18 or older before any generation is possible. We do not knowingly collect personal information from anyone under 18. If we become aware that a minor has provided personal information, we will delete it promptly and suspend the account.

TinyUs portraits are artistic interpretations produced by a generative AI model. They are not, and are not intended to be, predictions of the actual appearance of any real or future child. They have no medical, genetic, or biological forecasting value. Do not rely on TinyUs outputs for any decision-making, medical, or legal purpose.

We comply with applicable data protection laws including the EU/UK GDPR, California CCPA/CPRA, and Illinois BIPA (where biometric-related provisions apply). We respond to lawful requests from law enforcement under the relevant legal process.

Universal rights (all users):

• Access: request a copy of your personal data.
• Correction: request correction of inaccurate data.
• Deletion: request deletion of your account and any associated data we retain.
• Withdrawal of consent: revoke consent for data processing at any time.

EU/UK/EEA (GDPR) additional rights:

• Data portability: receive your data in a machine-readable format.
• Restriction of processing: limit how we process your data.
• Objection: object to certain processing activities.
• Lodge a complaint with your local data protection authority.

California (CCPA / CPRA) additional rights:

• Right to know what personal information we collect and how it is used.
• Right to opt out of the sale or sharing of personal information. We do not sell data.
• Right to non-discrimination for exercising any of your rights.

To exercise any right, email support@aurabionics.com. Include "GDPR Request" or "CCPA Request" in the subject if applicable. We respond within 30 days (or sooner where required by law). We may need to verify your identity first.

We use industry-standard encryption (HTTPS in transit, encrypted storage at rest) and limit employee access to user data. No system is perfectly secure. In the event of a breach affecting your data, we will notify affected users within 72 hours where required by law.

Our servers and third-party providers may be located outside your country (primarily in the United States and the European Union). Where required by law, we use Standard Contractual Clauses (SCCs) or equivalent mechanisms for cross-border transfers.

We may update this Privacy Policy from time to time. When we do, we will update the date above and, for material changes, notify you in-app or by email. Continued use after the effective date means you accept the updated policy.

Privacy questions and data requests: support@aurabionics.com.