Privacy Policy

Last updated: 2025-09-29

This Privacy Policy explains how Mediaweb (“Mediaweb”, “we”, “us”, “our”) processes personal data when you use our image‑generation application that creates images from a personal photo (the “App”). We comply with the EU General Data Protection Regulation (GDPR) and applicable member‑state laws.

If you do not agree with this Policy, please do not use the App. For questions, contact privacy@mediaweb.global.

About Mediaweb (who we are)

Mediaweb is a digital product studio founded in 2006 with core expertise in low‑code platforms and UX/UI. As the data controller, Mediaweb determines what personal data is collected, how it is processed, and for what purposes.

1) Controller and contacts

Data protection contact/DPO: privacy@mediaweb.global

2) What personal data we process

Depending on how you use the App, we may process the following categories:

Account and identity: Email address, authentication identifiers (UID), email verification status, timestamps for account creation and updates.
Photos and prompts: The personal photo(s) you upload and any text instructions (“prompts”) you provide for generation. Photos may include facial features.
Generated Images: The images produced by the App from your inputs (including basic metadata such as format, size, and creation time).
Consents and preferences: Records of acceptance of Terms and Privacy Policy (including version), explicit consent for processing images containing facial/biometric data, and optional marketing preferences (opt‑in/opt‑out), with timestamps.
Usage and telemetry (minimised): Technical events (e.g., sign‑in, generation started/completed), device/browser type, language, coarse location derived from IP (anonymised where feasible), error and performance logs.
Support communications: Messages and related metadata when you contact us.

Special categories (biometric data): Photos containing faces can be “biometric data” if processed with the purpose of uniquely identifying a person. We do not process images to identify you; we process them to generate creative transformations at your request. Where such qualification may apply, we ask for your explicit consent (GDPR Art. 9(2)(a)).

3) Purposes and legal bases

Providing the App and generating images: contract performance (GDPR Art. 6(1)(b)).
Authentication, account management, abuse/fraud prevention, and “one‑shot” generation enforcement: legitimate interests (Art. 6(1)(f)) and/or contract performance.
Processing photos containing facial features: explicit consent (Art. 9(2)(a)), when applicable.
Product analytics and improvement (minimised/aggregated): legitimate interests (Art. 6(1)(f)) with safeguards.
Marketing communications (only if you opt in): consent (Art. 6(1)(a)); you can withdraw anytime.
Compliance with legal obligations and requests from authorities: legal obligation (Art. 6(1)(c)).

4) How we process your images

Photos are uploaded securely to our infrastructure. Image generation is performed by AI services acting as processors, such as Google Firebase/Google Cloud/Vertex AI (including Gemini models) or equivalent providers under data processing agreements (DPAs).
We do not use your photos or Generated Images to train AI models without your separate, explicit opt‑in consent.
We do not publish your images without a clear action by you (e.g., pressing “Share”).

5) “One‑shot” generation and first upload behaviour

To prevent abuse and manage capacity, we keep a flag in your profile indicating whether you have generated an image (“hasGenerated”). Once set, the App will block new generations for that account.
If the App stores a reference to your first uploaded photo (e.g., storage path) to support the “return/reload shows the first image” feature, this reference is saved to your user profile and used only to display your initial upload.

6) Sharing and recipients

We share data only as needed to operate the App:

Processors/sub‑processors (examples):
- Google Firebase/Google Cloud (authentication, database, storage, functions, App Check, analytics).
- Vertex AI / Google AI models for image generation.
- Email/notification providers (e.g., SendGrid/Mailchimp) if you opt in to marketing or request notifications.
- Optional marketing list sink (e.g., Supabase or an ESP) when you opt in; failures do not affect core App use.
Social sharing you initiate: If you choose to share, we send the selected content to the platform you chose; their terms and policies apply.
Authorities: We may disclose information if required by law or to protect users, rights, and systems.

A current list of processors is available on request at privacy@mediaweb.global and will be updated upon material changes.

7) International transfers

When processing occurs outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and, where applicable to the provider, the EU‑US Data Privacy Framework (DPF). Contact us to obtain copies of relevant safeguards.

8) Retention

Account and consents: for the life of your account.
Original uploaded photos: 30 days by default (or earlier if you delete them).
Generated Images: until you delete them or delete your account.
Technical logs/telemetry: up to 90 days; aggregated analytics up to 26 months.
Backups: rolling cycles up to 30 days.

When retention periods expire, we securely delete or anonymise the data.

9) Your rights (EU/EEA)

You have the rights to access, rectification, erasure, restrict processing, object to processing, and data portability. You may withdraw consent at any time (does not affect prior processing).

How to exercise: use the in‑App Privacy section to export your data and delete your account/content; or email privacy@mediaweb.global. We may ask you to verify your identity.

Supervisory authority: You may lodge a complaint with your local authority. In Portugal: CNPD (Comissão Nacional de Proteção de Dados) — www.cnpd.pt.

10) Security

Encryption in transit (HTTPS) and at rest where supported.
Access controls with least‑privilege, audit logging, and abuse monitoring.
App Check/reCAPTCHA or similar anti‑abuse protections for Firestore/Functions/Storage.

While we implement appropriate technical and organisational measures, no system is 100% secure. Please use strong authentication and keep your devices up to date.

11) Children

The App is not intended for children under 16. Where local law allows, users aged 13–15 may use the App only with verifiable parental consent.

12) Cookies and similar technologies

Essential: session, authentication, security, anti‑abuse (including App Check/reCAPTCHA).
Optional analytics/measurement: used only with your consent to improve the App with aggregated metrics.

Manage preferences in the App or your browser. For more details, see our Cookie Policy.

13) Automated decision‑making

We do not engage in automated decision‑making with legal or similarly significant effects. Image generation is an automated creative process initiated by you.

14) Marketing

We send marketing communications only with your consent. You can unsubscribe via in‑App settings or links in our emails. Transactional/service messages are not marketing.

15) Changes to this Policy

We may update this Policy to reflect legal, technical, or business changes. If changes are material, we will notify you via the App or email when required. The version in force is the one published here with the date above.

Notes for this App

Model training: we will never use your photos or outputs to train models without your explicit opt‑in.
Third‑party brands/marks in outputs: using third‑party logos, mascots, or event assets in your images may require separate permissions. You are responsible for obtaining these where necessary.
“One‑shot” enforcement: we maintain a hasGenerated flag to limit each verified account to a single generation. Legal basis: legitimate interests (abuse prevention and capacity management).