This Privacy Policy describes how Cari-Me ("we", "us") collects, uses, and shares personal data when you use the Cari-Me web app at carime.app or the Cari-Me mobile app (the "Service"). We are committed to GDPR compliance and transparent data handling.
1. Data Controller
Tom Dmitriev (individual data controller), Belgium.
Contact: dmitriev.tom@gmail.com
2. Data We Collect
Photos and generated caricatures
Photos you take or upload are transmitted to the Google Gemini API for processing. We do not store original photos on our servers — they are sent directly to the AI provider and discarded after the caricature is generated.
Generated caricatures are stored only if you are a Pro subscriber, so you can revisit them in your history. Free users' caricatures are not saved on our servers.
Account and identity
- Anonymous user ID: when you first use the app, we create an anonymous Supabase session identifier. No email or password is required to use the free tier.
- Email address: optionally collected if you subscribe to Pro (provided directly to Stripe during checkout).
Subscription data
- Payment information (card number, billing address): handled directly by Stripe. We do not store and have no access to your full card details.
- Subscription status: we store whether your account is Pro and your Stripe customer ID to manage billing.
Usage data
Generation timestamps linked to your anonymous user ID, used to enforce the free quota (3 generations per 24 hours) and prevent abuse.
Technical data
Standard request metadata (IP address, browser type, device info) collected by our hosting provider (Vercel) for security and reliability.
3. Legal Basis (GDPR Art. 6)
- Contract performance (Art. 6.1.b): to provide caricature generation and subscription services.
- Legitimate interest (Art. 6.1.f): to enforce quotas, prevent abuse, and ensure security.
- Consent (Art. 6.1.a): where required (e.g., camera or photo library permission on mobile).
4. Sub-processors
We share data with the following sub-processors, all of which provide adequate safeguards through GDPR-compliant Standard Contractual Clauses (SCCs) where applicable:
- Google (Gemini API) — AI caricature generation. Receives your photo transiently during processing.
- Supabase — anonymous authentication, caricature storage for Pro users, quota tracking. Data is hosted in the Singapore region; international transfers are protected by SCCs.
- Stripe (Ireland) — payment processing and subscription management.
- Vercel (USA) — application hosting; receives standard request metadata.
- Apple App Store / Google Play Store — when you subscribe via a mobile app, payment is processed by the relevant app store and not by Stripe.
5. Data Retention
- Original photos: not stored.
- Generated caricatures (Pro users): stored until you delete them or your account.
- Usage logs: kept for 30 days, then automatically deleted.
- Subscription and billing data: kept as long as your subscription is active, plus seven (7) years to comply with Belgian tax law.
- Anonymous user IDs: kept until you request deletion or after three (3) years of inactivity.
6. Your GDPR Rights
Under GDPR Articles 15–22, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Request erasure ("right to be forgotten")
- Restrict processing
- Request data portability
- Object to processing based on legitimate interest
To exercise these rights, email dmitriev.tom@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Belgian Data Protection Authority:
Autorité de protection des données (APD-GBA)
Rue de la Presse 35, 1000 Bruxelles
www.autoriteprotectiondonnees.be
7. Cookies and Local Storage
Cari-Me uses minimal browser storage:
- Supabase auth session (essential, stored in localStorage): keeps you signed in to your anonymous session.
- No analytics cookies, no advertising trackers.
8. Children
Cari-Me is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, contact us and we will delete it promptly.
9. Mobile App Permissions
The Cari-Me mobile app requests:
- Camera access: only to take a photo for caricature generation. The photo is used in-app and only transmitted when you tap "Generate".
- Photo library: only to import an existing photo, with your explicit selection.
You can revoke these permissions at any time in your device settings.
10. Security
- HTTPS-only transport (HSTS preload)
- Strict Content-Security-Policy
- Row Level Security on our database (your data is isolated)
- PCI-DSS compliant payment processing via Stripe
11. Changes to This Policy
We may update this policy. Material changes will be communicated via in-app notification. The "Effective date" at the top reflects the latest version.
12. Contact
Email: dmitriev.tom@gmail.com