Toonpen – Privacy Policy
Effective Date: November 12, 2025
Version: 1.0
Applies to: Toonpen iOS application and backend services operated by Bilal Sevinc
This Privacy Policy explains how Toonpen collects, uses, discloses, and protects information when you interact with the Toonpen iOS app, our servers, and any related websites or support channels. It also describes the choices and rights available to you. By using Toonpen you agree to the practices described below. If you do not agree with this Policy, please do not use the app.
1. Who We Are
Data Controller: Bilal Sevinc
Address: Uskudar, 34004, Istanbul
Contact: toonpen@googlegroups.com
Policy URL: https://bilalsevinc.com/ios-apps/privacy
Bilal Sevinc is responsible for the personal data processed via Toonpen. Questions, complaints, or requests about privacy should be sent to the email address above. We respond to all verified requests as required by applicable law.
2. Scope of This Policy
This Policy covers data collected through the Toonpen iOS application, related backend APIs, Firebase services, and official support channels. It applies to every feature in the app, including AI image generation, account management, purchases, and analytics. This Policy does not apply to third-party websites, services, or content that may be referenced or linked from within the app. When you leave our environment, their privacy policies govern your use.
3. Data We Collect
We collect only the data needed to operate Toonpen, keep it secure, and comply with legal requirements. Data is grouped into the categories below.
User Content
- Images or photos you upload when requesting AI transformations, which may include faces or other personal information present in the photo.
- AI-generated outputs produced for you.
User content remains tied to your user ID and is never used to train models.
Identifiers
- Firebase Authentication user identifier (UID) created when you sign in with Apple or other supported methods. The UID is used solely to link your content, purchases, and settings to your account.
Purchases
- Apple In-App Purchase receipt payloads and transaction identifiers shared by Apple to confirm subscription status, provide access to premium styles, and comply with tax and accounting rules.
Analytics
- Aggregated and anonymized event data through Google Analytics for Firebase. Events include generic actions such as session start, feature taps, or crash/screen metrics. We do not collect the Identifier for Advertisers (IDFA), device advertising identifiers, or precise location for analytics purposes.
Data Not Collected
We intentionally do not collect contact lists, messages, precise GPS coordinates, biometric templates, or push notification tokens. Diagnostic logs are limited to Firebase defaults and are not linked to identifiable individuals.
4. How We Use Your Data
We process personal data only for the purposes outlined below and rely on the minimum necessary scope for each activity.
- Provide the Service: Authenticate users, store uploads securely, submit images to selected AI models, and deliver the resulting artwork back to your device.
- Process Purchases: Validate IAP receipts, manage subscriptions, and unlock premium features. No third-party payment processors receive your purchase data; all payments occur within Apple’s ecosystem.
- Improve Reliability: Use aggregated analytics to understand feature performance, plan capacity, and resolve crashes or service disruptions. All analysis remains account-agnostic.
- Protect the Service: Detect malicious usage, enforce security rules, and comply with legal requests where necessary.
We never sell personal data, use it for unrelated marketing, or allow third parties to profile our users.
5. AI & Face-Image Processing
Purpose and Limitations
Toonpen transforms the images you upload into stylized artwork through AI models. Processing occurs on demand, and images are not fed back into training datasets. The app does not attempt to identify individuals, extract facial geometry, or compare faces across users.
Processing Pipeline
- The Toonpen iOS client uploads your image to Firebase Storage over an encrypted connection.
- Our backend receives a processing request tied to your UID.
- The backend transmits your image or a derivative to Google Gemini or OpenAI image APIs for inference.
- The AI provider returns a base64 or binary rendition of the generated artwork.
- We convert the output to JPEG/PNG, store it in your user-scoped Firebase path, and provide a secure download link to the app.
- Completed jobs remain accessible in-app until you delete them.
Service Providers
- Google Firebase: Authentication, secure storage, and analytics in Google Cloud’s US regions.
- Google AI (Gemini) & OpenAI: Perform image model inference. These providers act as processors under their data protection agreements.
Safeguards
All transfers use TLS, Firebase encrypts content at rest, and access is restricted via Firebase Security Rules and least-privilege service accounts. No human reviewers manually inspect your images unless legally required.
6. Sharing and Disclosure
We only disclose personal data to the processors named above or when required to comply with law, protect our rights, or respond to lawful requests from authorities. We do not sell, rent, or otherwise share personal data for advertising or cross-context behavioral targeting. Sub-processor changes will be reflected in an updated version of this Policy before they take effect.
7. Retention and Deletion
- Uploads: Original images are automatically purged 30 days after upload unless you delete them sooner.
- Generated Artwork: Retained until you remove it through the app or request deletion.
- Account Data (UID, receipts, logs): Retained as long as your account remains active and for a reasonable period afterward to comply with accounting, fraud prevention, or legal obligations.
You may request deletion of all account-linked data by emailing toonpen@googlegroups.com from the address associated with your Apple ID. Once verified, we strive to fulfill requests within 30 days and will confirm completion via email.
8. Children's Privacy
Toonpen is designed for users aged 13 and older. We do not knowingly collect personal data from children under 13 (or the equivalent age of digital consent in your jurisdiction). If we learn that such data was collected, we will promptly delete it and disable associated access. Parents or guardians can contact us to request deletion of data mistakenly submitted by a child.
9. Legal Bases (GDPR/UK GDPR)
Where the GDPR or UK GDPR applies, we rely on the following lawful bases:
- Contractual Necessity: Running the app, generating images, authenticating access, and providing customer support are necessary to deliver the service you request.
- Legitimate Interests: Securing the platform, measuring aggregated performance, and improving the user experience rely on our legitimate interest in maintaining a reliable service. We balance these interests against your rights and implement safeguards such as minimized analytics.
- Legal Obligation: We retain purchase and tax records when required by law.
- Consent: We do not rely on consent for core processing. If any regional law requires consent for analytics, we will request it in-app or disable analytics for that region.
10. International Data Transfers
Toonpen is hosted primarily in the United States on Google Cloud (Firebase). When data originates in the European Economic Area, the United Kingdom, or other jurisdictions with transfer restrictions, we rely on Standard Contractual Clauses, Google and OpenAI data processing addenda, and technical safeguards such as encryption and access controls. These measures help ensure an equivalent level of protection wherever your data is processed.
11. Security Measures
We use a layered security program that includes TLS encryption for every network call, encryption at rest for Firebase Storage and Firestore, per-user storage paths enforced through Firebase Security Rules, and least-privilege credentials for backend services. Our infrastructure is continuously monitored for suspicious access, and we review permissions whenever architectures change.
Incident Response
If we become aware of unauthorized access or disclosure of personal data, we will investigate promptly, notify affected users within five business days of confirming the breach, and cooperate with regulators when required. Notifications may be delivered via email, in-app banners, or push notifications (if enabled in the future).
12. Your Rights
Depending on your location, you may have the right to access, correct, delete, or restrict processing of your personal data. You may also request a portable copy of the data tied to your UID or object to processing based on legitimate interests. Submit all requests to toonpen@googlegroups.com, and we will verify your identity using your account credentials or by requesting additional information. You also have the right to lodge a complaint with your local data protection authority if you believe we have not resolved your concern.
13. In-App Purchases
Toonpen relies on Apple’s in-app purchase system. We receive only the receipt data necessary to confirm the product, expiration, and transaction history so we can provide entitlements. We do not receive or store full payment details such as credit card numbers. Fraud checks are limited to ensuring that receipts are valid and tied to the correct UID.
14. Tracking and Advertising
Toonpen does not incorporate advertising SDKs, does not request App Tracking Transparency (ATT) permission, and does not collect the IDFA or similar advertising identifiers. Google Analytics for Firebase is configured for aggregated measurement only, with IP masking and data retention limits provided by Google. There is no cross-app or third-party profiling.
15. Changes to This Policy
We may update this Privacy Policy to reflect new features, legal requirements, or operational practices. When we make material changes, we will update the effective date at the top of the document, post the new version at the Policy URL, and provide in-app notice before the revised terms take effect. Continuing to use the app after changes become effective constitutes acceptance of the updated Policy.
16. Contact Us
For privacy-related questions, data requests, or complaints, contact:
Bilal Sevinc
Email: toonpen@googlegroups.com
We are committed to resolving issues directly. If you are not satisfied with our response, you may have the right to escalate the matter to your local data protection authority.