Photo Whisper AI — Privacy Policy
Effective date: 01 Jul 2026
Last updated: 01 Jul 2026
This policy explains what personal data we collect when you use Photo Whisper AI (the "App"), why we collect it, who we share it with, and what rights you have. We've written it in plain language. If anything is unclear, email us at privacy.photowhisperai@ezalabs.io.
1. Who we are
Photo Whisper AI is operated by EZA Labs SRL, a company registered in Romania. We are the data controller for the personal data described in this policy — that means we decide what data is collected and what it's used for.
For any privacy question or request, email us at privacy.photowhisperai@ezalabs.io. Our full company and contact details are at the end of this policy (Section 10).
2. What data we collect and why
2.1 When you create an account
- Email address — so you can sign in, receive transactional emails, and recover your account.
- Name (optional, only if your sign-in provider shares it) — shown in the App as your display name.
- Apple or Google account identifier — when you sign in with Apple or Google, we receive a provider-specific identifier we use to link your account to that sign-in method.
- Age band — at signup we ask which age band you're in (we don't ask for or store your exact date of birth). We use this to set up your account correctly and to know which consent-based features — such as marketing emails — we may offer you (see Section 6).
Legal basis: performance of the contract (Art. 6(1)(b) GDPR) — we need this to give you an account. For the age band: compliance with our legal obligations around children's consent (Art. 6(1)(c) GDPR) and our legitimate interest in providing an age-appropriate service (Art. 6(1)(f) GDPR).
2.2 When you use AI features
- Images you upload — stored in our cloud storage and sent to our AI inference providers to generate your requested output.
- Text prompts you write — sent to our AI inference providers along with the image (if any).
- Generated images and videos — stored in our cloud storage so you can access them.
Important: our AI inference providers are based in the European Union and the United States. When you use AI features, your uploaded images and prompts are transmitted to them for processing. We don't sell your content, and we don't use it to train our own AI models. The third-party providers who generate your output process your content to create the result you request under their own terms; we select providers under data-protection terms where available, and your content is encrypted in transit.
Legal basis: performance of the contract (Art. 6(1)(b) GDPR) — this is the service you're paying for.
2.3 When you purchase credits or subscribe
- Purchase receipts — we receive receipt data from Apple or Google when you buy credits or subscribe.
- Subscription and credit state — whether you're subscribed, on what plan, and how many credits you have.
We do not receive your credit card number, bank account, or any payment credentials. Apple and Google process all payments.
Legal basis: performance of the contract (Art. 6(1)(b) GDPR); and for keeping invoice records, legal obligation (Art. 6(1)(c) GDPR).
2.4 Marketing emails (only if you opt in)
If you opt in, we send you occasional emails about new features, tips, and offers. You can opt in at signup or later in Settings. You can unsubscribe at any time using the link in any marketing email or by emailing us. Withdrawing your consent doesn't affect the lawfulness of any processing we did before you withdrew it.
Legal basis: consent (Art. 6(1)(a) GDPR). Withdrawing consent is as easy as giving it, and never affects your ability to use the App.
2.5 Transactional emails (always sent)
We send you emails you need to use the App — such as sign-in links, receipts, subscription renewal reminders, and important account or policy changes. These are essential to the service, so you can't turn them off while your account is active. We don't send non-essential messages disguised as transactional.
Legal basis: performance of the contract (Art. 6(1)(b) GDPR); and for some notices, legal obligation (Art. 6(1)(c) GDPR).
2.6 Security and abuse prevention
To keep the App secure, we collect limited technical data:
- IP address and basic device information when you connect to our servers (logged temporarily)
- Activity patterns that help us detect abuse, such as automated scraping or attempts to generate prohibited content
Legal basis: our legitimate interest (Art. 6(1)(f) GDPR) in keeping the service secure and preventing abuse. We've assessed this and believe it doesn't override your rights because the data we use is minimal and kept only as long as needed.
2.7 Automated content moderation
Before we process your AI generation request, we automatically analyse the image you upload and the prompt you write using a content-classification model. This is an automated safety check that decides whether your request complies with our rules. If it doesn't, we block the request and your image is not processed by our AI providers.
- What goes in: the image and prompt you submit.
- What comes out: a verdict (allowed / blocked) and, if blocked, a reason category we keep internally.
- Retention: if a submission is blocked, we delete the flagged image from our systems within 24 hours — except where the law requires us to preserve it (for example, suspected child sexual abuse material, which we preserve and report to the authorities as required by law). We otherwise keep only the verdict record (no image content) to detect repeat abuse.
- Where it runs: on our cloud-hosting infrastructure, using a standard open-weight vision model run by our hosting provider acting only as our processor under contract. Like our other cloud processing, it may take place outside the EU under the safeguards described in §3; your image is not sent to the third-party AI providers that generate your outputs.
- Appeals: blocks are applied automatically and aren't individually explained. If you believe your content was blocked in error, you can contact us at privacy.photowhisperai@ezalabs.io and we'll review.
This is not a decision about you with legal or similarly significant effects in the sense of Article 22 GDPR — it's a safety check on a single request, similar to how a comment platform filters spam.
Legal basis: performance of the contract (Art. 6(1)(b) GDPR) — safe operation of the AI service; and legitimate interest (Art. 6(1)(f) GDPR) — preventing misuse of the platform, protecting other users, and complying with app-store rules.
2.8 What we don't collect
To be clear about what's NOT happening:
- We don't track you across other apps or websites.
- We don't use advertising identifiers.
- We don't sell your personal data. Ever.
- We don't sell your content, and we don't use your uploaded images or prompts to train our own AI models.
- We don't collect health data, financial account details, or government ID numbers.
3. Who we share data with
We share personal data only with the categories of recipients described below, and only as far as we need to run the App. Some are service providers that process data on our behalf; others, such as Apple and Google, are independent providers that handle your data under their own terms. We put data-protection terms in place with our providers where appropriate, and we don't sell your personal data.
| Category | Purpose | Location |
|----------|---------|----------|
| Cloud hosting and storage | Storing your account data, uploaded images, and generated outputs | Storage in the European Union; processing and administrative access on a global network (including the United States) |
| AI inference providers | Processing your uploaded images and prompts to generate outputs | European Union and United States |
| Email delivery provider | Sending you transactional and (if you opted in) marketing emails | European Union |
| Subscription and purchase management | Validating Apple/Google receipts and managing your subscription state | United States |
| Apple and Google | Sign-in with Apple / Sign-in with Google, and in-app purchases | Worldwide |
When personal data is transferred outside the European Economic Area (mainly to the United States), we use appropriate measures to protect it. Depending on the provider, these may include the EU-US Data Privacy Framework (where the provider is certified), Standard Contractual Clauses approved by the European Commission, and technical safeguards such as encryption in transit and at rest.
You can ask us about the protections that apply to a particular transfer by emailing privacy.photowhisperai@ezalabs.io.
3.1 When we disclose data to authorities
We may disclose personal data to law enforcement, regulators, or courts when we have a legal obligation to do so, or when we reasonably believe it's necessary to protect the rights, property, or safety of our users, ourselves, or others.
4. How long we keep your data
| Data | Retention |
|------|-----------|
| Account data (email, name, provider ID) | While your account is active, plus up to 90 days after deletion to handle disputes and abuse investigations (establishment and defence of legal claims) |
| Age band and marketing-eligibility flag | While your account is active |
| Uploaded images, prompts, and generated media — while you have an active subscription | Saved and available in the cloud for as long as your subscription is active |
| Uploaded images, prompts, and generated media — when you have no active subscription (after a subscription ends, or for credit-pack-only users) | 10 days, then permanently deleted |
| Purchase and invoice records | Up to 10 years (required by Romanian accounting and tax law) |
| Security logs | Up to 90 days |
| Moderation verdicts (allowed/blocked + category; no image content) | Until account deletion, plus 90 days, to detect repeat abuse |
| Marketing-email consent records | 3 years after you withdraw consent or your account is deleted, so we can demonstrate that consent was validly obtained if questioned |
When we delete data, we remove it from our production systems; it may persist briefly in encrypted backups before those expire on their normal rotation.
5. Your rights
Under GDPR, you have the right to:
- Access — ask what personal data we hold about you, receive a copy, and find out which categories of recipients we've shared it with.
- Rectification — correct data that's wrong or incomplete.
- Erasure ("right to be forgotten") — ask us to delete your data. You can delete your account directly in Settings, which automatically deletes your data subject to the retention schedule above.
- Restriction — ask us to pause certain processing.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on our legitimate interests or for direct marketing.
- Withdraw consent — withdraw marketing consent at any time, free of charge.
- Not be subject to automated decision-making — Photo Whisper doesn't make automated decisions about you that have legal or similarly significant effects under Article 22 GDPR. Our automated content moderation (§2.7) is a per-request safety check, not a decision about you. Generating an image or video based on your prompt is content creation, not a decision about you either. Decisions that could significantly affect you — such as suspending or closing your account — are not made by automated means alone: a person is involved before we take account-level action.
How to exercise these rights: email privacy.photowhisperai@ezalabs.io. We respond within 30 days. If we can't act on your request, we'll explain why.
Right to complain: if you believe we've mishandled your data, you can lodge a complaint with the Romanian data protection authority (ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, https://www.dataprotection.ro), or with the data protection authority in your EU country of residence.
6. Who can use the App
Photo Whisper AI is rated 13+ and is not for children under 13. To use it, you must be at least 13, and old enough under the law of your country to agree to this Privacy Policy and our Terms.
Some things we do — like sending you marketing emails — rely on your consent. In most of the European Union, including Romania, you must be at least 16 to give that consent yourself; if you're younger, a parent or guardian must give it. For that reason, if you tell us you're under 16, we won't offer you marketing-email sign-up. You can still use the App's core features, which don't rely on consent.
The app store's age rating may also restrict who can download the App. We don't knowingly collect personal data from children under 13. If you're a parent or guardian and believe your child has created an account, email privacy.photowhisperai@ezalabs.io and we'll review and, where appropriate, delete it.
7. Security
We use industry-standard technical and organisational measures to protect your data, including:
- Encryption in transit (TLS) and at rest
- Access controls and logging on our production systems
- Use of reputable infrastructure providers with recognised security programmes (such as SOC 2)
- Contractual security obligations with our service providers where a data-processing agreement is in place
No system is perfectly secure, but we act quickly if we detect a problem. If a personal-data breach creates a high risk to your rights and freedoms, we'll notify you without undue delay as required by Article 34 GDPR. We'll also notify the Romanian data protection authority within 72 hours where required by Article 33 GDPR.
8. AI-specific transparency
Because Photo Whisper AI is an AI-powered service, some extra notes:
- AI outputs are labelled. Images and videos generated by the App are created by artificial intelligence, and we label them as AI-generated in the App. Where an output could resemble a real person, that AI marking also travels with the file you download or share.
- AI outputs can be wrong. They may be inaccurate, unrealistic, or inappropriate. Don't rely on them for anything legally, medically, or financially consequential.
- You are responsible for what you upload and generate. When you upload an image, you confirm you have the right to do so — including, where the image shows a person, that you are that person or have their consent. You're also responsible for how you use the outputs.
- We don't verify the people or things in your images. We have no way to know whether a photo depicts a real person, a fictional one, or something in between, and we do not try to find out. You use the App under your own responsibility.
- We run automated safety checks (described in §2.7) on every generation request to prevent misuse. Aside from these automated checks, we do not proactively monitor your content.
- Our Acceptable Use Policy (https://photowhisper.ai/acceptable-use-policy/) lists content and uses that are not permitted on Photo Whisper. If we become aware — for example, through a user report, a rights-holder complaint, or a legal order — that content violates our rules or the law, we may remove it, terminate the account, and where required by law cooperate with authorities.
9. Changes to this policy
When we make meaningful changes to this policy, we'll let you know by email or through an in-app notice at least 30 days before the change takes effect — unless the change is needed to comply with law, in which case we may need to move faster.
You can always find the current version at https://photowhisper.ai/privacy-policy/, with the effective date at the top.
10. Contact
Questions, requests, or complaints:
EZA Labs SRL
Str. Brașov 18, Bl. F1, Sc. 4, Et. P, Ap. 56, 061447 București, Romania
Trade registry: J2021013958409 (EUID: ROONRC.J2021013958409)
Email: privacy.photowhisperai@ezalabs.io