Privacy Policy
Last updated: 2026-05-05
This Privacy Policy explains how AppVisual (“we”, “our”, or “us”) collects, uses, stores, and shares your personal data when you use appvisual.dev. AppVisual is a globally available SaaS — wherever you are based, we apply the EU General Data Protection Regulation (GDPR) standard as our baseline. Where your local law (e.g. UK GDPR, California CCPA / CPRA, Brazil LGPD) gives you additional rights, those rights apply on top.
1. Who we are
The data controller is Batuhan Ayhan, an individual operating AppVisual as a sole trader, based in Turkey.
- Contact email: batuhanayhan98@gmail.com
- Website: https://appvisual.dev
If you have a question about how we handle your data, email us and we will respond within 30 days.
2. What data we collect
| Category | Examples |
|---|---|
| Account data | Email address, display name, password hash (if email/password auth), or Google profile picture URL (if Google sign-in). Email verification status. |
| Content data | Brand assets you upload (icon and screenshot images, inspiration images), text you provide (project names, headlines, brand directions), generated creative assets, structured specs. |
| App store data | When you connect an App Store / Play Store URL, we scrape the public listing for app name, description, category, icon URL, screenshot URLs, developer name, rating, and similar-app suggestions. This data comes from the public store listings. |
| Usage data | Pages visited, features used, generation counts (via Firebase Analytics — only if you consent) |
| Payment data | Stripe customer ID, subscription status, billing period. We never store raw card numbers. |
| Technical data | IP address, browser type, crash reports and stack traces (via Sentry) |
3. Why we collect each category
| Category | Purpose | Lawful basis |
|---|---|---|
| Account data | Create and manage your account; authenticate you | Contract (Article 6(1)(b) GDPR) |
| Content data | Deliver the core service — generating and storing creative assets | Contract (Article 6(1)(b) GDPR) |
| Usage data | Understand how people use the product so we can improve it | Consent (Article 6(1)(a) GDPR) — only if you accept analytics cookies |
| Payment data | Process subscription payments and issue invoices | Contract + Legal obligation (Article 6(1)(b/c) GDPR) |
| Technical data | Monitor service health, diagnose bugs | Legitimate interest (Article 6(1)(f) GDPR) |
4. AI processing
AppVisual uses AI image and vision models to generate creative assets and analyse inspiration uploads. Concretely:
- Generation pipeline: When you generate an asset, the prompt text and any reference images you have uploaded (your app icon, your screenshots, your inspiration images) are sent to OpenAI’s API (
gpt-image-1family). OpenAI processes these as files and returns a generated PNG. - Inspiration vision analysis:When you upload an inspiration image to your brand board, we send it to OpenAI’s vision model (
gpt-4o) to extract style descriptors (palette, composition, mood, keywords). The descriptors are stored alongside the image in your project. - OpenAI API data usage:Per OpenAI’s API platform terms (openai.com/policies/api-data-usage-policies), data submitted via the API is not used to train OpenAI’s models and is retained only for abuse-monitoring (up to 30 days, then deleted).
- What we do NOT send to OpenAI: your name, email, password, payment data, or any account-level identifier. Only the prompt text, your reference images, and the inspiration image you uploaded.
5. Who we share with
We do not sell your data. We share it only with the following sub-processors, each operating under a Data Processing Agreement:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud (Firebase / GCS) | Hosting, authentication, file storage, analytics | US / EU |
| Stripe | Payment processing, subscription management | US / IE |
| Sentry | Error monitoring and crash reporting | US |
| OpenAI | AI image generation (gpt-image-1) and inspiration vision analysis (gpt-4o). Receives prompt text + any reference / inspiration images you upload. No account identifiers sent. Per OpenAI API terms, submitted data is not used for model training. | US |
6. How long we keep data
- Account and content data: Kept for as long as your account is active. Upon deletion we purge it within 90 days.
- Payment records: Kept for up to 7 years to comply with applicable tax, accounting, and commercial-record retention laws.
- Crash/error logs (Sentry): 90 days rolling retention.
- Analytics data (Firebase): 14 months, then automatically deleted by Google.
7. Your rights under GDPR
You have the following rights. To exercise any of them, email us.
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate data.
- Erasure (“right to be forgotten”): Ask us to delete your data. You can also trigger this directly via Settings → Account → Delete account. We complete erasure within 30 days.
- Portability: Receive your data in a machine-readable format.
- Restriction: Ask us to pause processing while a dispute is resolved.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Withdraw analytics consent at any time via the cookie banner (bottom of page).
You also have the right to lodge a complaint with your local data-protection supervisory authority — for example, the ICO in the UK, the CNIL in France, the BfDI in Germany, or the California Attorney General for CCPA / CPRA. The full EU list is on the European Data Protection Board.
Additional rights for California residents (CCPA / CPRA)
If you are a California resident, you also have the right to (i) know what personal information we collect, (ii) delete it, (iii) correct it, (iv) limit use of sensitive personal information, and (v) opt out of any “sale” or “sharing” of your personal information. We do not sell or share your personal information for cross-context behavioural advertising. You will not be discriminated against for exercising any of these rights.
8. Automated decisions
We do not use your personal data to make solely automated decisions that produce legal or similarly significant effects on you (GDPR Article 22). The AI-generated assets you receive are creative outputs, not decisions about your rights or eligibility — you remain in control of whether to use, edit, or discard them.
9. Data breach notification
If a personal data breach occurs and is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Article 33). Where the breach is likely to result in a high risk, we will also notify you directly without undue delay (Article 34).
10. Cookies
We use two categories of cookies. See our Cookie Policy for the full list.
- Essential cookies: Required for authentication and security. No consent needed.
- Analytics cookies:Set by Firebase Analytics to understand usage. Only activated if you click “Accept all” in the cookie banner.
11. International transfers
Some of our sub-processors (Google, Stripe, Sentry, OpenAI) are based in the United States. Where EU/UK personal data is transferred to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-US Data Privacy Framework where applicable.
12. Sub-processor changes
We may, from time to time, add or replace sub-processors as our infrastructure evolves. When we do, we will update the table in section 5 and, for material changes, notify registered users by email at least 30 days before the new sub-processor begins handling personal data. You may object to a new sub-processor in writing; in that case we will work with you in good faith on alternatives or, if no reasonable alternative exists, you may terminate your subscription with a pro-rata refund of any unused prepaid period.
13. How to contact us
For any privacy-related questions or to exercise your rights, contact us at batuhanayhan98@gmail.com. We aim to respond within 30 days.
14. Children
AppVisual is not directed at anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us immediately and we will delete it.
15. Changes to this policy
We may update this policy from time to time. When we do, we will update the “Last updated” date above and, for material changes, notify you by email at least 30 days before they take effect.