Privacy Policy
Effective date: August 22, 2025
This Privacy Policy describes how Flip AI ("FlipAI", "we," or "us"), a service provided by Metaspeed A.S., collects, uses, discloses, and otherwise processes information about you when you access or use our app, website and other online products and services that link to this Privacy Policy (collectively, our "Services") and when you otherwise interact with us such as through our customer support channels.
We may change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of this policy. If we make material changes, we will provide you with additional notice (such as by adding a statement to the Services or sending you a notification). We encourage you to review this Privacy Policy regularly to stay informed about our information practices and the choices available to you.
Who We Are
Metaspeed A.S. is the data controller for processing carried out via Flip AI unless stated otherwise in this Policy.
Registered address: Üniversiteler Mah. 1606 Cad. B 2 Blok No: 4b Iç Kapi No: 705 Çankaya / Ankara Turkey
Contact: customer@generator.pics
EU Data Protection Officer (DPO): Naq Cyber B.V., Attn: Nadia Kadhim, Vlamingstraat 4, 2712BZ Zoetermeer, Netherlands – privacy@naqcyber.com
1. How Do We Collect Personal Data
In the operation of Flip AI, we collect and process various types of personal data to provide and improve our Services. This data is collected in the following ways:
Directly from You: data you actively provide (e.g., uploaded photos and videos, prompts, contact information, support messages). When you create AI avatars or transformations, facial features may be processed.
Automatically Through App Usage: device data (hardware model, OS version), unique identifiers (e.g., IDFA/AAID where available), IP address, language, time zone, crash logs, performance data, in-app events.
From Third Parties: service providers and partners (e.g., analytics, advertising networks, cloud storage providers) may send event and performance data related to your use of our Services. We do not purchase data from data brokers.
From Your Platform Provider: limited purchase/receipt metadata from Apple App Store or Google Play (e.g., transaction or subscription status) to fulfill your purchase.
2. Types of Personal Data We Collect and Why
We collect the following categories of data. Where required by law, we request your consent before collection/processing. Special category data (biometric data inferred from facial images) is processed only with your explicit consent (Art. 9(2)(a) GDPR).
| Category | Examples | Purpose(s) | Legal Basis | Retention |
| --- | --- | --- | --- | --- |
| Identifiers & Account Data | Name/alias, email, user ID, in-app identifiers, login credentials, subscription/account status | Create and manage your account, provide customer support, prevent fraud | Contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) | Up to 10 years of inactivity |
| Device & Technical Data | Device model, OS version, IDFA/AAID (with consent), IP, language, timezone | Ensure app functionality, troubleshoot issues, measure performance, improve services | Legitimate Interests (Art. 6(1)(f)), Consent for advertising IDs (Art. 6(1)(a)) | Up to 10 years of inactivity |
| Usage & Interaction Data | In-app actions, feature usage, session data, app navigation | Improve features, develop new services, personalization, analytics (where consented) | Consent (Art. 6(1)(a)), Legitimate Interests for strictly necessary usage | Up to 10 years of inactivity |
| Advertising & Attribution Data | Advertising identifiers, campaign source, ad interactions (with consent) | Marketing measurement, retargeting, advertising | Consent (Art. 6(1)(a)) | Up to 10 years of inactivity (deleted sooner if consent withdrawn) |
| Photos, Videos, Outputs & Facial Data | Photos/videos uploaded, AI-generated avatars and outputs | Provide requested features (avatar generation, transformations) | Explicit Consent for biometric/facial data (Art. 9(2)(a)), Consent (Art. 6(1)(a)) | Retained for as long as account is active, then deleted after 10 years of inactivity |
| Payment & Transaction Data | Purchases, receipts, subscription details, billing records | Process payments, manage subscriptions, comply with legal obligations | Contract (Art. 6(1)(b)), Legal Obligation (Art. 6(1)(c)) | Up to 10 years, where required by law |
| Support Communications | Emails, in-app support messages | Respond to requests, improve customer service | Contract (Art. 6(1)(b)), Legitimate Interests (Art. 6(1)(f)) | 5 years after ticket closure |
3. How We Use Your Information
We use your information to:
- Provide the Services: create avatars/transformations; maintain your session; enable core features. (Contract/Consent as applicable)
- Operate, Maintain & Improve: troubleshooting, crash prevention, consented analytics, feature development, quality assurance. (Legitimate interests/Consent)
- Personalize Experience: recommended features, remembering preferences, localized content. (Legitimate interests/Consent)
- Communicate with You: respond to support requests; service notices; with your consent, send marketing messages. (Contract/Legitimate interests/Consent)
- Security & Fraud Prevention: detect abuse, spam, unauthorized access, financial fraud. (Legitimate interests; Legal obligation where applicable)
- Compliance & Recordkeeping: invoices, tax, and legal obligations; to establish, exercise or defend legal claims. (Legal obligation; Legitimate interests)
We do not use your biometric data to identify you, authenticate you, or to train generalized AI models.
4. Marketing and Advertising Practices
a) Direct Marketing (email/push)
We may send you marketing communications about our own apps and features only if you have given us your explicit consent (Art. 6(1)(a) GDPR).
For emails: you can withdraw your consent at any time by clicking the unsubscribe link included in every email.
For push notifications: you can withdraw your consent by adjusting your device or in-app notification settings.
b) Targeted Advertising & Cross-Context Behavioral Ads
We use third-party SDKs for ads only with your prior consent. Without your consent, no targeted advertising SDKs will run.
You can withdraw consent at any time in your device settings (e.g., iOS: Settings → Privacy & Security → Tracking).
5. In-app Tracking Technologies and SDKs
We integrate third-party software development kits (SDKs) into our Services. These SDKs allow us to provide core functionality (such as photo processing), analyze performance, and deliver advertising.
The SDKs we use may collect data such as device identifiers, app usage events, IP address, and, where you provide your explicit consent, photos and biometric features necessary for AI processing.
Categories of SDKs We Use
- Photo and AI Processing Providers – We use trusted third-party AI processing services to generate avatars, photo transformations, and other AI-based effects. These providers act solely as processors, and any photos or derived biometric features are processed only to deliver the outputs you request.
- Infrastructure and Analytics SDKs – We use infrastructure services such as Firebase (for crash reporting, app stability) and Databricks (for secure internal analytics and reporting). These SDKs help us operate, maintain, and improve the app. Strictly necessary technical data (e.g., crash logs) is processed under our legitimate interests or contractual necessity. For analytics that are not strictly necessary, we only process data if you have provided consent.
- Attribution and Measurement SDKs – We use AppsFlyer to measure the effectiveness of our marketing campaigns (e.g., which ad networks generate app installs). This SDK requires your consent for processing identifiers or event data for attribution.
- Advertising SDKs – We integrate SDKs provided by Meta (Facebook), TikTok, Snapchat, and AppLovin to deliver advertising and measure engagement. These SDKs operate only with your prior consent, and you can withdraw consent at any time through the in-app Privacy Settings or your device settings (for example, on iOS under Settings → Privacy & Security → Tracking).
International transfers:
Some SDK providers are based outside the European Economic Area (EEA), including in the United States. Where this occurs, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and implement supplementary safeguards such as encryption, access controls, and data minimisation.
6. Who We Share Your Data With
We share data only as necessary and do not sell your personal data:
- Service Providers (Processors):
  - Cloud hosting/storage (EU, primarily Germany).
  - Google Firebase / Crashlytics (EU/US transfers subject to SCCs).
  - AppsFlyer (Israel/US transfers subject to SCCs).
  - Meta Audience Network (EU/US transfers subject to SCCs) – ads only with consent.
  - Customer support and email delivery providers (EU/US with SCCs).
- Public Authorities & Legal Requests: where required by law or to protect rights/safety.
- Corporate Transactions: audits, mergers, acquisitions, or asset sales under appropriate confidentiality protections.
We maintain Data Processing Agreements with all processors and require appropriate security and privacy commitments.
7. International Data Transfers
Our primary servers are located in Germany (EU). Some processors may transfer data to third countries where different data protection standards may apply.
Safeguards we apply:
- Standard Contractual Clauses (SCCs) approved by the European Commission with Transfer Impact Assessments and supplementary measures (e.g., encryption in transit/at rest; strict access controls; data minimization).
- We disclose the likely destination countries (US, Turkey, Israel) and the relevant safeguards in accordance with Art. 13(1)(f) GDPR.
8. Compliance with Legal Requirements
We may process personal data to:
- Comply with legal obligations (e.g., tax, accounting, consumer protection).
- Respond to lawful requests from courts or authorities.
- Establish, exercise or defend legal claims and manage risk (e.g., fraud prevention, security incidents).
Where processing is based on legitimate interests, we conduct a balancing test and implement safeguards (pseudonymization, minimization, opt-out where applicable).
9. Your Rights Under GDPR
As an individual in the European Union (EU) or European Economic Area (EEA), you have certain rights under the General Data Protection Regulation (GDPR). These rights are subject to conditions in law, but we are committed to making them simple to exercise.
- Right to Access: You can request confirmation of whether we process your data and obtain a copy.
- Right to Rectification: You can ask us to correct inaccurate or incomplete data.
- Right to Erasure (“Right to be Forgotten”): You can request deletion of your personal data.
- Right to Restriction: You can ask us to temporarily stop processing your data in certain situations.
- Right to Data Portability: You can request your data in a structured, machine-readable format, or ask us to transfer it to another provider.
- Right to Object: You can object to processing based on our legitimate interests and to any direct marketing.
- Right not to be subject to Automated Decisions: You have the right not to be subject to decisions made solely by automated means that significantly affect you.
- Right to Withdraw Consent: If we process data based on consent, you can withdraw it at any time.
- Right to Lodge a Complaint: You can complain to your local data protection authority if you believe your rights have been infringed.
How to exercise your rights: You may exercise any of these rights by contacting us at customer@generator.pics. We will respond within one month, with possible extension in complex cases. For security reasons, we may request proof of identity before fulfilling your request. If you authorize someone to act on your behalf, we may require evidence of that authorization.
10. Additional Information for California Residents (CCPA/CPRA)
Categories collected: identifiers; device/technical; usage; purchase/subscription data; geolocation (coarse, via IP); inferences (only with consent for ads/analytics); biometric (facial vectors) used solely to provide requested features.
Business/commercial purposes: provide Services; security/fraud prevention; advertising/analytics with consent; customer support; compliance.
Sale and Sharing of Personal Information: We do not sell your personal information for money. However, under the California Consumer Privacy Rights Act (CPRA), allowing third-party advertising SDKs to use identifiers for cross-context behavioral advertising may be considered “sharing.” If you are a California resident, you may opt out of such “sharing” at any time by contacting us at customer@generator.pics.
Your rights: know, access, correct, delete, opt-out of sale/share, non-discrimination, and designate an authorized agent.
How to exercise: Contact us at customer@generator.pics.
Verification: we may verify via account information; government ID may be requested when necessary.
11. Additional Information for Illinois Residents (BIPA)
- Purpose for biometric data: solely to generate your requested AI photos/transformations.
- We do not use biometric data to train generalized models, identify you, or authenticate you.
- We do not sell, lease, trade, or otherwise profit from your biometric data.
Retention & destruction schedule:
- Biometric data is deleted once you delete your account.
- If statutory law requires a different retention, we comply; otherwise, data is permanently destroyed when the purpose is satisfied.
Disclosure limitations:
- Security: reasonable standards of care within our industry.
12. Children’s Privacy
Flip AI is not designed for use by individuals under the age of 16. Where local law sets a lower digital consent age between 13–16 (e.g., 13 in the United States), we apply the local rule. If you believe we collected data from a child, contact customer@generator.pics and we will promptly delete it.
13. Automated Decision-Making & Profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects about you. Any profiling for advertising/analytics occurs only with your prior consent and can be withdrawn at any time.
14. Data Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit and at rest, access controls based on least privilege, network segmentation, logging and monitoring, employee confidentiality obligations, vulnerability management, and business continuity plans.
We conduct DPIAs (Data Protection Impact Assessments) for high-risk processing such as biometric processing and review our safeguards regularly.
15. Data Retention
We keep your personal data for as long as necessary to provide our Services and to comply with legal obligations. If you stop using your account, we will retain your data for up to 10 years of inactivity, after which it will be deleted or anonymized. All data associated with your account is deleted once you delete your account.
You can request deletion of your data at any time by contacting us at customer@generator.pics.
16. Changes to This Privacy Policy
Whenever we make changes that materially affect your rights or the way we process your personal data, we will provide prominent in-app notice and, where appropriate, seek renewed consent (e.g., for new purposes or new categories of processing). Please review this Policy periodically.
17. Contact Us
If you have any questions, comments, or concerns about our Privacy Policy or data processing practices, or if you wish to exercise any of your rights as described in this policy, please feel free to contact us. We are committed to addressing your concerns and ensuring the protection of your personal data.
E-mail: customer@generator.pics
Address: Üniversiteler Mah. 1606 Cad. B 2 Blok No: 4b Iç Kapi No: 705 Çankaya / Ankara - Turkey
Data Protection Officer: Naq Cyber B.V.; Attn: Nadia Kadhim; Vlamingstraat 4, 2712BZ Zoetermeer, Netherlands; privacy@naqcyber.com