Privacy Policy

Effective Date: April 28, 2026  ·  Version: 1.0

This Privacy Policy ("Policy") describes how PinaKoala LLC ("we", "us", or "our") collects, uses, and protects your personal information when you use the PinaKoala mobile application (the "App") and our website at pinakoala.ai.

This Policy complies with the General Data Protection Regulation (GDPR) (EU), the California Consumer Privacy Act (CCPA) (US), and other applicable data protection laws.

This Policy is publicly available within the App and on our website. We may update this Policy from time to time as described in Section 11.

1. Definitions

• Personal Data — any information relating to an identified or identifiable natural person.
• Processing — any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
• Data Controller — PinaKoala LLC, the entity that determines the purposes and means of processing personal data.
• User — any natural person who uses the App.
• App — the mobile application PinaKoala, available on the App Store.

Service-specific terms

• Product photo — an image uploaded by the user through the App showing a physical product (e.g., furniture, decor, accessories) intended to be placed into AI-generated scenes.
• AI-powered generation — the process by which the App produces studio-quality interior, studio, or outdoor scenes featuring the user's product, using third-party large language and image models.
• Matrix generation — a feature that runs multiple combinations of scene parameters (room, style, lighting, angle) in parallel to produce a set of variations from a single product photo.
• Project — a collection of generated images organized within the App for a specific product.
• Credits — consumable digital units purchased through the Apple App Store, deducted when performing paid actions in the App. See our Terms of Use for details.
• Safety check — automated review of uploaded images to detect content that violates our Acceptable Use policy.

2. Principles of data processing

We process personal data in accordance with the following principles:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

3. Information we collect

Information you provide

• Account information. Email address (when you sign up with email/password), or the email and name you choose to share when using Sign in with Apple. Apple's private email relay is supported.
• Product photos. Photos you upload to the App for AI generation.
• Generation parameters. Your selections for scene type, room, style, lighting, framing, and other parameters are stored alongside each generation.
• Support communications. Records of any messages you send us through the support page or email.

Automatically collected information

• Device information (model, OS version, app version, language settings)
• Usage data (features used, generation counts, errors, performance metrics, timestamps)
• Crash reports — yes
• IP address (used for fraud prevention and rate limiting; not stored long-term)

Purchase information

• Apple-issued purchase tokens and transaction identifiers
• Credit package type and date of purchase
• RevenueCat anonymous user identifier used to verify entitlements

We do not receive or store your credit card, bank account, or other payment instrument details. Payments are processed entirely by Apple.

Data we do not collect

• We do not collect biometric data.
• We do not collect location data.
• We do not use the IDFA (advertising identifier) and do not track you across other apps or websites.
• We do not use third-party analytics SDKs that build behavioral profiles.

We do not process special categories of personal data (race, ethnicity, political opinions, religious beliefs, health data) without your explicit consent or as required by law. The Service is not intended for children under 13 (or 16 in the EU), and we do not knowingly collect their data.

4. How we use your information

We use your personal data for the following purposes:

• To provide and maintain the App, including processing your photos through AI image generation models to deliver the renders you request.
• To authenticate you and manage your account, including credit balance.
• To process in-app purchases and prevent fraud.
• To communicate with you about your account, support inquiries, and (where you have consented) product updates.
• To diagnose technical problems and improve the quality and performance of the Service.
• To detect, investigate, and prevent abuse, illegal activity, and violations of our Terms of Use.
• To comply with legal obligations.

5. Legal basis for processing (GDPR)

We process your personal data based on the following legal grounds:

• Consent — for optional features such as AI processing of your photos through third-party providers
• Performance of a contract — to provide access to the App and the credit-based services you have purchased
• Legitimate interests — to improve the App, prevent fraud, and run aggregate analytics
• Legal obligations — to comply with tax, accounting, and other applicable laws

You may withdraw your consent at any time by contacting us at privacy@pinakoala.ai.

6. Data sharing and disclosure

We do not sell your personal data. We share your data only with the third-party providers listed below, each of whom processes data on our behalf or as an independent controller, subject to its own privacy policy.

We may also disclose your data when required by law, court order, or other legal obligation; to enforce our Terms of Use; to protect the rights, property, or safety of PinaKoala, our users, or others; or in connection with a merger, acquisition, or sale of all or part of our business, in which case we will notify you and ensure your information remains protected.

7. Third-party AI services

To provide AI-powered generation, we send your uploaded photo and prompt parameters to third-party AI services.

Data we send

• The product photo you upload
• The prompt assembled from your scene parameters (room, style, lighting, angle, etc.)

Data we do not send

• Your name, email, or account identifiers
• Location data
• Device identifiers
• Other photos in your library

Service providers

• Google Gemini API — large multimodal model used for image generation. Per Google's terms governing the Gemini API, content submitted through the API is not used by Google to train its generally available models. See ai.google.dev/terms.
• Google Cloud Vision API — automated detection of unsafe content in uploaded images. See cloud.google.com/vision/docs/data-usage.

Data retention by AI providers

We do not store the prompts we send to AI providers on our own servers beyond what is needed to deliver your generated image. Third-party providers retain data per their respective policies. Google's policies govern any retention by Gemini and Vision APIs.

User consent and control

• By using the AI generation feature, you consent to the transmission of the photo and prompt to the providers above.
• If you do not wish to have your photos processed by AI, do not upload them. Manual browsing and account features remain available without consenting to AI processing.

8. Data retention

• Account data. Retained while your account is active. After deletion, we permanently remove your data within 30 days.
• Uploaded photos and generated images. Retained while you keep them in your projects. Deleting a project or photo removes the underlying file from cloud storage within 30 days.
• Purchase records. Retained for the period required by tax and accounting law (up to 7 years).
• Server logs. Retained for up to 90 days for security and debugging purposes.

9. Your rights (GDPR / CCPA)

You have the following rights:

• Right to access — request a copy of your personal data
• Right to rectification — correct inaccurate data
• Right to erasure — request deletion of your data
• Right to restrict processing — limit how we use your data
• Right to data portability — receive your data in a structured format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — withdraw consent at any time

California residents (CCPA). You have the right to know what personal information we collect, delete your personal information, and opt-out of the sale of personal information (we do not sell personal information).

To exercise any of these rights, email us at privacy@pinakoala.ai. We will respond within one month. You may also delete your account and associated data directly from the App settings.

10. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (HTTPS/TLS) and at rest, role-based access controls, RLS-protected database tables, and audit logging. No method of transmission or storage is perfectly secure, however, and we cannot guarantee absolute security.

11. International data transfers

PinaKoala LLC is operated from the United States, and our service providers (Google Cloud, Supabase, RevenueCat, Apple) may process data in the United States and other countries. When we transfer data out of the European Economic Area (EEA), we rely on Standard Contractual Clauses approved by the European Commission to ensure adequate protection.

12. Changes to this Policy

We may update this Policy from time to time. We will notify you of material changes by posting the new Policy in the App and on our website, and, where feasible, by sending you an email. The "Effective Date" at the top indicates when it was last revised.

13. Contact us

For questions about this Policy or to exercise your rights, contact us: