Privacy Policy

Last updated: May 8, 2026

Shot by AI (the “App”) is operated by Jeferson Araujo Studio (“we,” “us,” or “our”). This policy explains, in plain language, what data the App collects, how and why we use it, every third party that receives any of it, and the rights you have over it. We do not sell your data and we do not use your photos to train any model.

1. Face data

Shot by AI does not collect, store, sell, or share face data, facial recognition data, facial geometry data, or any biometric identifier of any kind. We do not run facial recognition, face matching, face identification, or face-tracking on user photos. We do not build or maintain a database of faces, face embeddings, face templates, or face vectors. The App does not use Apple's ARKit face tracking, Vision face landmarks, or any equivalent biometric framework.

On-device, the App runs Apple's Sensitive Content Analysis framework (a privacy-preserving safety check that runs locally and never leaves the device) to flag sexually explicit photos before transmission. That check is performed entirely on the user's iPhone using Apple's built-in API; no face recognition, face geometry, or biometric extraction is performed.

2. Data we collect

An anonymous device identifier (UUID + device model) generated locally on first launch. Used to enforce free-tier quotas, attach subscription state to the right device, and prevent abuse. Not linked to your name, email, or Apple ID.
The photograph you explicitly choose to process. Sent over HTTPS/TLS 1.2+ to our backend and forwarded to Google's Gemini AI for the duration of one generation. Original input is deleted from our servers immediately after the result is returned; orphan inputs older than 24 hours are purged by a daily cleanup job. See Section 5 for the full list of recipients.
Anonymous usage data. Number of generations, which filters were tapped, which screens were opened, in-app purchase events, and crash diagnostics. Used to improve the service and measure feature performance. Routed via PostHog (see Section 5).
Subscription & purchase metadata. Plan code, trial state, renewal date, transaction id. Routed via RevenueCat and Apple StoreKit (see Section 5). We never see or store credit card numbers — payment is handled entirely by Apple.
Push notification token (when you grant push permission). An opaque Apple-issued string that lets us send you notifications when a generation finishes. Routed via Expo's push service.
Optional, only if you provide them: device locale, device timezone, and a referral code if you arrived via a friend's invite link. Used to localize push copy and credit referral bonuses.

3. How and why we use data

To run the App. Process the photo you submitted into the styled output you asked for, using the AI provider listed in Section 5.
To enforce quotas and entitlements. Make sure free-tier limits are respected and that paid users see the features they paid for.
To improve the App. Aggregate, anonymous usage data tells us which filters resonate and which screens lose attention.
To send you transactional notifications (when push permission is granted): “your photo is ready,” new-filter drops, referral credit confirmations.
To prevent abuse. Rate-limit generation, detect credential stuffing, log moderation events.
To comply with legal obligations when applicable.

We do not use your data for behavioral advertising. We do not sell or rent it. We do not use your photos to train any AI model — ours or anyone else’s.

4. Legal basis

Processing is based on your explicit consent (which you grant when you accept the in-app consent screen and again when you tap Allow on the AI data sharing dialog before your first generation), and on the performance of the service contract you enter into when you use the App.

5. Third parties that receive your data

The list below names every third-party service the App relies on, what data each one receives, and why. We share data only with vendors strictly necessary to operate the service. Each vendor is contractually bound to protect your data and use it only to provide the service to us.

Google LLC — Gemini AI (United States). Receives the photograph you submit and the prompt for the chosen filter. Generates the styled output and returns it. Does not retain your photo for training. Privacy policy: policies.google.com/privacy.
fal.ai (United States, Featherless AI Inc.). Used as a fallback image-generation provider when Google's endpoint is unavailable. Receives the same input as Google for the duration of one generation. Privacy policy: fal.ai/privacy.
Topaz Labs, LLC (United States). Used for the optional Upscale (HD) feature when you request a 2× resolution boost on a generated photo. Receives the generated image (not your original photo) and returns the upscaled version. Privacy policy: topazlabs.com/privacy-policy.
RevenueCat, Inc. (United States). Manages subscription state and entitlements. Receives device id, purchase events, and the Apple-anonymized App Account Token. Does not see your Apple ID or payment details. Privacy policy: revenuecat.com/privacy.
Apple Inc. (United States). Handles payment for subscriptions and the editor-unlock IAP via StoreKit, delivers push notifications via APNs, and serves the App via the App Store. Apple handles all billing and never shares your payment details with us. Privacy policy: apple.com/legal/privacy.
PostHog Inc. (United States). Receives anonymous usage events keyed by your device id (not name or email). Used to understand which features are tapped most, which paywalls convert, and which crashes happen. Does not run third-party trackers, ads, or fingerprinting. Privacy policy: posthog.com/privacy.
Supabase, Inc. (United States). Hosts the database that stores your device usage row, generation history metadata (filter id, timestamp, plan), and referral attributions. Does not store the original photos you upload. Privacy policy: supabase.com/privacy.
Cloudflare, Inc. (United States). Provides storage (R2) and CDN edge caching for filter previews, before/after thumbnails, and the brief temporary upload window where your input photo lives before it's forwarded to the AI provider (deleted within seconds, or by the daily cleanup job at most 24 hours later). Privacy policy: cloudflare.com/privacypolicy.
Vercel Inc. (United States). Hosts the API that the mobile app calls. Receives request metadata (IP, user-agent, request path) at the edge for routing and DDoS protection. Privacy policy: vercel.com/legal/privacy-policy.
Expo (650 Industries, Inc.) (United States). Routes push notifications via the Expo Push API and delivers JS bundle updates over the air via EAS Update. Receives your push token and the EAS update group id. Privacy policy: expo.dev/privacy.
Anthropic, PBC (United States). The Claude API is used by internal admin tooling for filter similarity scoring and translation fallback (filter names + descriptions across the 11 supported locales). It does not receive any user photos or personal data — only filter catalog text. Privacy policy: anthropic.com/legal/privacy.
Slack Technologies, LLC (United States). Operations alerting only. Receives device IDs, generation IDs, filter IDs, and high-level error codes/timings for the team to monitor outages and feature health. No photos. Privacy policy: slack.com/trust/privacy/privacy-policy.
Upstash, Inc. (United States). Provides distributed rate-limiting (Redis) for the API. Stores hashed device tokens and short-lived rate-limit counters keyed on device. Privacy policy: upstash.com/trust/privacy.pdf.
CallMeBot (third-party WhatsApp gateway). Used by internal critical-alert plumbing only. Receives the same operational telemetry as Slack — never user photos. Used only for SEV1/SEV2 paging.

What we do NOT use: we do not use Google Analytics, Firebase, Facebook SDK, AdMob, Meta Pixel, TikTok, AppsFlyer, Branch, Adjust, or any advertising / cross-app tracking SDK. There are no in-app ads. We do not engage in cross-app or cross-website tracking.

6. Storage and retention

Your submitted photograph is held temporarily by Cloudflare R2 only for the seconds needed to forward it to the AI provider, and is deleted as soon as the result is returned. A daily cleanup job removes any orphan input older than 24 hours. The AI provider processes your photo transiently and is contractually prohibited from retaining it for training.

The generated output image is delivered to your device, which is the only place it is permanently stored — in your iPhone's photo library and the App's in-app gallery. Device identifier and anonymous usage data are retained until you request deletion.

7. Your rights

You have the right to:

Confirm the existence of data processing;
Access, correct, or delete your data;
Withdraw consent at any time;
Request data portability.

You can delete all data associated with your device at any time from the App’s Settings → Data → Delete my data. This permanently erases your generation history, server-side device row, and local preferences. Apple-side subscriptions are managed separately in your Apple ID settings.

To exercise any other right, contact hello@jefersonaraujo.com.

8. Security

We adopt technical and organizational measures to protect your data against unauthorized access, loss, or destruction: HTTPS / TLS 1.2+ in transit, encrypted-at-rest storage on Supabase and Cloudflare R2, device-token authentication on every API call, and rate limiting on sensitive endpoints.

9. Children’s privacy

Shot by AI is not directed to children under 13 (under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided data, contact us and we will delete it.

10. International transfers

We are based in Brazil. The third parties listed in Section 5 are located in the United States. By using the App you understand that your data may be transferred to and processed in those regions. We rely on standard contractual clauses or equivalent mechanisms where required by law (GDPR, LGPD, CCPA).

11. Data controller

Responsible: Jeferson Araujo
Contact: hello@jefersonaraujo.com

12. Changes

This policy may be updated periodically. We will notify significant changes via the App.