PicturePal
Studio Explore Models Feed Reels Blog Pricing
Sign in Get started

Privacy Policy

1. Overview 2. Information We Collect 3. How We Use Information 4. AI Processing by Third Parties 5. How Images Are Stored and Shared 6. When We Disclose Information 7. Cookies and Similar Technologies 8. Data Retention 9. Your Rights and Choices 10. Account Deletion 11. Regional Disclosures (EEA/UK, California, and Others) 12. International Data Transfers 13. Security 14. Children 15. Changes to This Policy 16. Contact Us

Privacy Policy

Last updated: July 6, 2026

1. Overview

This Privacy Policy explains how Atlas Rodin LLC ("Atlas Rodin," "we," "us," or "our") collects, uses, discloses, and protects information when you use the PicturePal service, including our website at https://picturepal.io, our mobile applications (including our iOS application), and related features and services (together, the "Service"). Atlas Rodin LLC, 400 W Deming Place, Chicago, IL 60614, USA, is the data controller of personal information processed through the Service.

By using the Service, you acknowledge this Privacy Policy. It is incorporated into our Terms of Service. If you do not agree with it, please do not use the Service. The Service is intended for adults aged 18 and over.

2. Information We Collect

2.1 Information you provide

  • Account information: email address, username, and password (stored only as a salted hash, never in plain text). If you sign in with Google, we receive your email address, name, profile picture, and a stable account identifier from Google.
  • Profile information: an optional profile photo (avatar).
  • Content you submit or create: text prompts, images and photos you upload (which may include photos of you or other people), images generated for you, generation settings, presets and filters you create, inputs to guided app workflows, and messages you send to the AI prompt assistant. Prompt assistant conversations are processed to answer you but are not stored in our database.
  • Payment and subscription information: your plan, billing interval, and transaction/credit history. Card and bank details are collected and processed directly by our payment processors (Stripe on the web; Apple for in-app purchases) and never touch our servers. We store only references such as a Stripe customer ID or an Apple transaction identifier.
  • Support communications: your name, email, and message when you contact support or submit the contact form.

2.2 Information collected automatically

  • Usage information: generations you run (model, mode, settings, status, credits spent), presets you use or like, content you share and the sharing channel, pages and features you interact with, and referral information when you arrive via a shared link.
  • Cookies and identifiers: a session cookie to keep you signed in, a security (CSRF) token, and a first-party anonymous visitor identifier used for A/B testing of our own product (see Section 7). Our iOS app stores an authentication token securely in the device keychain.
  • Log and device data: like most online services, our servers and infrastructure providers (e.g. Cloudflare and our hosting provider) automatically record technical data such as IP address, browser or device type, operating system, request timestamps, and error logs. We use this data for security, debugging, and operating the Service; we do not build advertising profiles from it.

2.3 Information from third parties

  • Sign-in providers: Google, as described above, when you choose Google sign-in.
  • Payment processors: Stripe and Apple send us confirmations of purchases, renewals, refunds, and subscription status so we can grant your plan and credits.

We do not use third-party advertising or analytics SDKs, and our iOS app does not use Apple's advertising identifier (IDFA) or App Tracking Transparency tracking.

3. How We Use Information

We use the information described above to:

  • provide, operate, and maintain the Service, including generating and editing images at your request, managing credits and subscriptions, and syncing entitlements across web and mobile;
  • process payments and prevent fraud, abuse, and misuse of free credits;
  • communicate with you, including transactional emails (verification, receipts, account notices) and responses to support requests;
  • personalize and improve the Service, including first-party A/B testing of our own features and pricing;
  • develop and improve our products and services, which may include using content you submit or generate to train, fine-tune, evaluate, and improve artificial intelligence and machine learning models, as described in our Terms of Service;
  • display content you choose to make public and operate sharing features you use;
  • monitor, secure, and debug the Service, enforce our Terms, and moderate content; and
  • comply with legal obligations and establish, exercise, or defend legal claims.

Where the GDPR or similar laws apply, we rely on the following legal bases: performance of our contract with you (providing the Service); our legitimate interests (securing and improving the Service, preventing abuse, marketing our own services); your consent where required (which you may withdraw at any time); and compliance with legal obligations.

4. AI Processing by Third Parties

Important: the Service does not run AI models on our own servers. When you use AI features, your prompts, uploaded images, and prompt-assistant messages are transmitted to third-party AI providers for processing.

Our current providers include WaveSpeed (image generation and editing) and OpenRouter (language model features such as the prompt assistant), which route requests to underlying model vendors, which may include Google, OpenAI, ByteDance, Alibaba, Black Forest Labs, Stability AI, and others shown in the model catalog in the Service. These providers:

  • receive the content necessary to fulfil your request (prompts, input images, recent prompt-assistant messages);
  • may temporarily store content while processing it; and
  • handle content under their own terms and privacy policies, which we encourage you to review and which we do not control.

Do not submit content you are not comfortable transmitting to these providers.

5. How Images Are Stored and Shared

  • Storage: images you upload and images generated for you are stored with our cloud storage provider (Cloudflare R2 or an equivalent S3-compatible service) and served from a content delivery network.
  • Public URLs: stored media files are addressable at long, unguessable URLs. These URLs are technically reachable by anyone who has them (this is required so our AI providers can fetch your input images and so link previews work). We do not publish these URLs except as you direct, but anyone you or the Service gives a URL to can view the file.
  • Private by default: your generations are private by default and appear only in your own history.
  • Public gallery: if you opt in to publishing a generation (or a preset), it becomes public, is shown with your username and avatar, may be indexed by search engines, and may be viewed, downloaded, remixed, or re-shared by others.
  • Share links: every generation has a share link; anyone with the link can view that generation even if it is not in the public gallery. Treat share links like the content itself.

6. When We Disclose Information

We do not sell your personal information, and we do not share it with third parties for cross-context behavioral advertising. We disclose information only as follows:

6.1 Service providers (processors)

ProviderPurposeData involved
WaveSpeed and underlying model vendorsAI image generation and editingPrompts, input image URLs, generation settings
OpenRouter and underlying model vendorsAI prompt assistant and content toolingPrompt-assistant messages, prompts
StripeWeb payments, subscriptions, billing portalEmail, name (if provided to Stripe), payment details (collected by Stripe directly), transaction data
AppleiOS in-app purchases and subscription managementTransaction identifiers, product identifiers
GoogleOptional sign-inOAuth profile data (email, name, picture, account ID)
Cloudflare (including R2)DNS, CDN, security, media storageTraffic data (including IP addresses), stored media
Hosting and infrastructure providers (e.g. AWS)Running the Service, databases, backupsAll Service data
Email delivery provider (SMTP)Transactional and support emailEmail address, message content

Service providers are permitted to use information only to provide services to us, except that AI model vendors process content under their own terms as described in Section 4.

6.2 Legal and safety

We may disclose information if we believe in good faith it is required by law, subpoena, or other legal process, or reasonably necessary to: enforce our Terms; detect, prevent, or address fraud, abuse, security, or technical issues; protect the rights, property, or safety of our users, the public, or Atlas Rodin LLC; or report suspected child sexual abuse material to the National Center for Missing & Exploited Children and law enforcement.

6.3 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of our assets, information may be transferred as part of that transaction, subject to this Policy or a successor policy of which you will be notified.

6.4 With your direction or consent

We share information when you direct us to, for example when you publish content publicly or use sharing features.

7. Cookies and Similar Technologies

We use only first-party cookies and similar technologies. We do not use third-party advertising or analytics cookies.

Name / typePurposeDuration
Session / remember cookieKeeps you signed inSession; up to 30 days if "remembered"
CSRF tokenSecurity: prevents cross-site request forgerySession
pp_vidAnonymous visitor ID for first-party A/B testing of our own product; linked to your account when you sign up or log in1 year
Theme preference (localStorage)Remembers your light/dark theme choice on your deviceUntil cleared
Keychain token (iOS app)Keeps you signed in to the appUp to 90 days

You can block or delete cookies in your browser settings; the Service may not function properly without essential cookies. Because we only use first-party, non-advertising cookies, we do not respond differently to "Do Not Track" signals; where legally required, we treat browser-based opt-out preference signals (such as Global Privacy Control) as a valid opt-out of any applicable sharing (we do not sell or share personal information as defined by those laws).

8. Data Retention

We retain personal information for as long as your account exists and as needed for the purposes described in this Policy. In general:

  • account data, content, and generation history are retained until you delete them or your account;
  • transaction and credit records may be retained as required for tax, accounting, and audit purposes (typically 7 years);
  • support tickets, security logs, and abuse records may be retained as needed to run the Service, resolve disputes, and enforce our agreements;
  • backups and server logs are retained for limited periods and then deleted or overwritten in the ordinary course; and
  • aggregated, de-identified, or anonymized data, and improvements to AI/ML models made while your content was on the Service, may be retained indefinitely.

9. Your Rights and Choices

  • Access and update: you can view and update your profile, plan, and content in your account settings.
  • Content visibility: you control whether each generation is private or published to the public gallery, and can change this at any time in your history.
  • Delete content: you can request deletion of specific content by contacting us at [email protected].
  • Delete your account: see Section 10.
  • Email: transactional emails (receipts, security notices) are part of the Service; if we ever send marketing email, it will include an unsubscribe link.
  • Complaints: you may contact us at [email protected], and you may also have the right to lodge a complaint with your local data protection authority.

Depending on where you live, you may also have legal rights to access, correct, delete, port, or restrict or object to the processing of your personal information, and the right not to be discriminated against for exercising them (see Section 11). To exercise any right, email [email protected] from the address on your account (we may need to verify your identity). Authorized agents may submit requests with proof of authorization. If we deny a request, you may appeal by replying to our decision.

10. Account Deletion

You can delete your account at any time:

  • Web: Account → Delete account.
  • iOS app: Account tab → Delete account.
  • Email: send a request to [email protected] from your account email.

When you delete your account, we delete or de-identify your profile, credentials, generation history, uploaded and generated media stored by us, likes, and personal identifiers. We may retain: transaction records required for tax and accounting; support and abuse records where we have a legitimate need (e.g. fraud prevention, legal claims); residual copies in backups until those backups expire; and content that you made public and that others copied or re-shared, which we cannot recall. Deleting your account does not cancel an Apple subscription; manage that in your Apple ID settings. Deletion is permanent and cannot be undone, and any remaining credits are forfeited.

11. Regional Disclosures

11.1 European Economic Area, United Kingdom, and Switzerland

If you are in the EEA, UK, or Switzerland, you have the rights of access, rectification, erasure, restriction, portability, and objection under the GDPR/UK GDPR, and the right to withdraw consent at any time (without affecting prior processing). Our legal bases are described in Section 3. We transfer personal data to the United States and other countries as described in Section 12. You may lodge a complaint with your supervisory authority.

11.2 California

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you rights to know/access, correct, delete, and port your personal information, and to opt out of "sales" and "sharing." We do not sell personal information and do not share it for cross-context behavioral advertising, and we have no actual knowledge of selling or sharing personal information of consumers under 16. We do not use or disclose sensitive personal information for purposes requiring a right to limit. The categories of personal information we collect, the purposes, and the categories of recipients are described in Sections 2, 3, and 6; we collect identifiers, customer records, commercial information, internet activity, audio/visual information (images you upload), and inferences used only for first-party product testing. We retain each category as described in Section 8. To exercise your rights, email [email protected]; we will not discriminate against you for doing so.

11.3 Other U.S. states and other countries

Residents of other states or countries with comprehensive privacy laws (e.g. Virginia, Colorado, Connecticut, Texas, Canada, Australia, Brazil) may have similar rights, which we honor as required by the applicable law using the process in Section 9.

12. International Data Transfers

We are based in the United States and process information on servers in the United States and in the locations of our service providers. If you use the Service from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions that may not provide the same level of data protection as your home jurisdiction. Where required, we rely on appropriate safeguards for such transfers, such as the European Commission's Standard Contractual Clauses or our providers' equivalent mechanisms.

13. Security

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit (HTTPS), hashed passwords, signed session and API tokens, access controls, and reputable infrastructure providers. However, no method of transmission or storage is completely secure, and we cannot and do not guarantee absolute security. You are responsible for keeping your password confidential. If we learn of a breach affecting your personal information, we will notify you and the relevant authorities as required by law.

14. Children

The Service is restricted to users who are 18 or older. We do not knowingly collect personal information from anyone under 18, and children under 13 are strictly prohibited from using the Service consistent with COPPA. If you believe a person under 18 has provided us personal information, contact [email protected] and we will delete the account and associated information.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email, an in-product notice, or by updating the "Last updated" date above, and where required by law we will seek your consent. Your continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

16. Contact Us

Questions or requests about privacy? Contact us:

  • Email: [email protected]
  • Mail: Atlas Rodin LLC, 400 W Deming Place, Chicago, IL 60614, USA
  • Website: https://picturepal.io
PicturePal

Generate and edit images with AI, in seconds.

Product
Studio Apps Models Presets Filters Gallery Pricing
Learn
Blog Reels Create a preset Help and support
Legal
Terms of Service Privacy Policy Contact us
Account
Sign in Create account
© 2026 Atlas Rodin LLC. All rights reserved. · Terms · Privacy