
Privacy Policy

Last updated: April 27, 2026

This Privacy Policy describes how Antoni Ciechanowicz DGC E-COM ("we", "us", or "our") collects, uses, and protects your personal data when you use the cutlabAI mobile application ("the App"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), Polish data protection law, and other applicable regulations.

1. Data Controller

The data controller is Antoni Ciechanowicz DGC E-COM, ul. Bosmanska 32 lok. 19, 81-116 Gdynia, Poland. NIP: 9581754483. Contact: support@cutlabai.pl.

2. Information We Collect

We collect the following categories of data:

a) Account Data

When you sign in via Google or Apple (through Clerk authentication), we receive your name, email address, and profile picture. We store a unique user identifier, your email, and display name.

b) Content Data

Photos you upload for AI transformation, text prompts you provide, and generated output images/videos. This content is stored to provide the service (history, re-downloading results).

c) Usage & Technical Data

Device type, operating system, app version, approximate location (country level), and diagnostic data. This is collected automatically to improve the service.

d) Subscription & Payment Data

Subscription status and credit balance. Payment processing is handled entirely by Apple (App Store) and RevenueCat — we do not collect or store credit card numbers or payment details.

e) Advertising and Attribution Data

If you grant consent through the App Tracking Transparency (iOS) system prompt or do not opt out of ad personalization (Android), we collect and share with TikTok for Business the following data for advertising effectiveness measurement:

  • Device advertising identifier — IDFA (iOS) or AAID (Android) — only with consent.
  • TikTok click ID (`ttclid`) — captured from deep link `cutlabai://open?ttclid=...` after clicking a TikTok ad.
  • Hashed email address (SHA-256) — used to match the user to ad campaigns.
  • Hashed user identifier (SHA-256) — internal anonymous ID from our system.
  • Purchase events — productId, purchase value and currency (e.g., "29.99 USD"), purchase date — excluding payment data.
  • General device data — device model, OS version, IP address, user agent, timezone.
  • SKAdNetwork attribution identifiers (iOS) — Apple's anonymous ad attribution system, contains no personal data.

3. How We Use Your Data

We use your data for the following purposes:

  • Providing and operating the App — processing your photos with AI, maintaining your generation history, and managing your account.
  • Managing subscriptions — tracking your premium status and credit balance via RevenueCat.
  • Improving the service — analyzing aggregated, anonymized usage patterns to enhance features and performance.
  • Measuring advertising effectiveness and optimizing marketing campaigns — sharing information about installs, registrations, and purchases with advertising partners (TikTok for Business) so they can measure ad effectiveness and better target users.
  • Communications — sending important service updates and responding to support requests.
  • Legal compliance — fulfilling our legal obligations under applicable laws.

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b) GDPR) — processing necessary to provide the App's services you requested.
  • Legitimate interests (Art. 6(1)(f) GDPR) — improving our service, preventing fraud, ensuring security, and measuring advertising campaign effectiveness using data that does not directly identify the user (e.g., SKAdNetwork, aggregated data, ttclid without ad identifier).
  • Consent (Art. 6(1)(a) GDPR) — where you have given explicit consent, in particular: ad tracking using IDFA/AAID (confirmed by ATT prompt on iOS) for ad personalization and conversion measurement; optional marketing communications.
  • Legal obligation (Art. 6(1)(c) GDPR) — when required by law.

5. Data Sharing

We do not sell your personal data. We share data only with the following categories of service providers, solely to operate the App:

| Recipient | Purpose | Basis | Location |
|---|---|---|---|
| Clerk | Authentication and user management | Contract performance | USA (SCC) |
| Convex | Backend database and real-time data storage | Contract performance | USA (SCC) |
| RevenueCat | Subscription and purchase management | Contract performance | USA (SCC) |
| AI model providers | Photo processing (images are sent for transformation and not retained beyond processing) | Contract performance | Global (SCC) |
| Apple (App Store) | Subscription payment processing | Contract performance | USA / Ireland |
| PostHog | Product analytics, usage statistics | Legitimate interest | EU (Germany) |
| TikTok for Business (TikTok Technology Limited / TikTok Pte. Ltd.) | Advertising effectiveness measurement, conversion attribution, campaign optimization | Consent (IDFA/AAID, behavioral tracking data) + legitimate interest (non-identifying attribution data such as ttclid, SKAdNetwork) | Ireland (EEA), USA, Singapore (SCC) |

We may also disclose data when required by law, court order, or to protect our legal rights.

6. Advertising, Tracking, and Your Choices

6.1. How ad tracking works

The App is advertised through TikTok for Business. To measure advertising effectiveness (e.g., whether a user purchased a subscription after seeing our ad), we use two attribution channels:

  1. TikTok Business SDK — native library that sends events about app installation, registration, and purchases to TikTok. It uses the device advertising identifier (IDFA on iOS, AAID on Android) only with your consent. Without consent, it uses non-identifying methods (e.g., device model, IP, timestamps).
  2. Deep links with `ttclid` — when you click a TikTok ad and the App opens, TikTok passes us a unique click identifier (`ttclid`). We store it locally and re-send it on purchase so TikTok can link the click to a conversion.

Additionally, iOS uses Apple's SKAdNetwork system — an anonymous, aggregate attribution method that does not identify you personally and operates regardless of ATT.

6.2. App Tracking Transparency (ATT) on iOS

On first launch on iOS, we will show the system-level prompt:

"We use this data to measure advertising effectiveness and show you better-matched offers."
  • If you tap "Allow" — we share IDFA with TikTok (highest attribution quality, ~95% match rate).
  • If you tap "Ask App Not to Track" — IDFA is not shared. TikTok receives only hashed identifiers + fingerprint data (~70% match rate).

Refusing consent does not affect App functionality.

6.3. How to withdraw consent

You can withdraw tracking consent at any time:

  • iOS: Settings → Privacy & Security → Tracking → toggle off cutlabAI.
  • Android: Settings → Privacy → Ads → Delete advertising ID or Opt out of ad personalization.
  • Directly with TikTok: manage preferences at https://www.tiktok.com/legal/page/eea/privacy-policy/en.

6.4. TikTok's privacy policy

TikTok is an independent data controller for the data it receives. We encourage you to review:

  • TikTok for Business Privacy Policy: https://ads.tiktok.com/i18n/official/policy/privacy
  • Data Processing Terms: https://ads.tiktok.com/i18n/official/policy/data-processing
  • TikTok Privacy Policy for EEA: https://www.tiktok.com/legal/page/eea/privacy-policy/en

7. Data Retention

We retain your personal data for as long as your account is active and as needed to provide services. Generated content (photos, videos) is retained in your history until you delete it or your account. Upon account deletion request, we will delete or anonymize all personal data within 30 days, except where retention is required by law.

Data shared with TikTok for Business is retained by TikTok according to their policy (typically up to 13 months for event data). We have no direct control over retention on TikTok's side — requests regarding such data should be directed to TikTok directly (contact details in their privacy policy).

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), secure authentication via Clerk, and access controls on our backend systems. However, no method of electronic transmission or storage is 100% secure.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including:

  • United States — Clerk, Convex, RevenueCat, parts of TikTok infrastructure.
  • Singapore — TikTok Pte. Ltd. (for users outside EEA).
  • Ireland — TikTok Technology Limited (for EEA users).

These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission or other appropriate safeguards as required by GDPR (Art. 46).

10. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of your personal data.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your data ('right to be forgotten').
  • Right to restriction — request limitation of processing.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests, including processing for direct marketing purposes.
  • Right to withdraw consent — withdraw previously given consent at any time (e.g., disable ATT — see section 6.3).

To exercise any of these rights, contact us at support@cutlabai.pl. We will respond within 30 days. You also have the right to lodge a complaint with the Polish supervisory authority (UODO — Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland).

11. Children's Privacy

cutlabAI is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy in the App or on this page. The 'Last updated' date at the top indicates the most recent revision.

13. Contact

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: Antoni Ciechanowicz DGC E-COM, ul. Bosmanska 32 lok. 19, 81-116 Gdynia, Poland. Email: support@cutlabai.pl.


© 2026 cutlabAI. All rights reserved.