Privacy Policy

Version 2026-04-23 · Last updated: April 17, 2026

Catwalk ("we," "our") explains how we collect, use, store, and share information when you use our mobile application and related services (together, the "App"). The data controller for personal data processed through the App is the Catwalk service operator. Contact: support@catwalk.online.

1. Information we collect

We collect information in the categories below. Purposes align with Apple App Privacy declarations and our app's PrivacyInfo.xcprivacy manifest where applicable.

Account and identifiers

  • Firebase Authentication: user identifier (UID), and sign-in method (e.g. Sign in with Apple, email).
  • Firebase App Check: attestation signals to reduce abuse; processed by Google as part of Firebase.
  • Firebase Installations / instance IDs: used for Firebase services and diagnostics.

Photos, videos, and face images

  • Photos and videos: You may upload images or videos for generation features.
  • Face photos (sensitive data): When you use a Catwalk generation feature, you may upload a photograph that contains your face. We treat these photos as sensitive. They are used solely as a visual input to produce the specific AI image or video you request. We do not perform facial recognition, extract face geometry, build a faceprint or face embedding, or use the photo for identification, authentication, advertising, profiling, training of our own models, or any other purpose. Face photos are transmitted over TLS, stored in Cloudflare R2, and sent to our AI inference provider (Replicate) over short-lived signed URLs (15 minutes) to run the generation. We do not share face photos with any other third parties. Face photos are automatically deleted from our storage within 30 days of upload and are deleted immediately when you delete your account from the App.

Generated outputs

  • Images or videos we generate for you may be stored so you can access history in the App ("Other User Content" in App Store privacy terms).

Purchases and billing

  • Apple In-App Purchase: subscriptions and credit packs are processed by Apple.
  • RevenueCat: we receive product identifiers, transaction-related data, and entitlement state to unlock features and credits. RevenueCat may send webhooks to our backend.

Push notifications

  • If you opt in, we store a device push token and related metadata. We send job completion updates via Firebase Cloud Messaging (FCM).

Diagnostics, analytics, and product analytics

  • Firebase Analytics, Crashlytics, Performance Monitoring: usage, crash, and performance data as described in Google's policies.
  • Mixpanel: product analytics, funnels, and optional Session Replay on a sample of sessions (sensitive screens may be masked in-app). Mixpanel may store events and user profile attributes (e.g. subscription-related fields synced from RevenueCat).
  • AppsFlyer: mobile measurement and attribution, including SKAdNetwork-related data. We do not request App Tracking Transparency (ATT) for advertising identifiers; we rely on privacy-preserving and aggregated measurement consistent with our App Store "tracking" disclosure.

Device and usage data

  • Device identifiers used by SDKs (e.g. app instance / analytics IDs) for analytics, attribution, and app functionality.
  • Product interaction and diagnostics as declared in App Store Connect.

2. Legal bases (EEA, UK, Switzerland)

Where GDPR applies, we rely on:

  • Contract — providing the App, processing uploads, fulfilling purchases.
  • Legitimate interests — security, fraud prevention, improving reliability, measuring aggregated usage (where not overridden by your rights).
  • Consent — where required for optional analytics or Session Replay in your region (you can withdraw consent in the App settings where available).
  • Legal obligation — when required by law.

3. How we use information

  • Provide generation features, history, and account features;
  • Process payments and manage credits or entitlements;
  • Send push notifications when you opt in;
  • Operate analytics, attribution, crash reporting, and product improvement;
  • Secure the service, enforce our terms, and comply with law.

4. AI and third-party processing

To generate images and video, your content may be transmitted from your device to our servers and then to third-party AI inference providers, including Replicate, fal.ai, and OpenAI where applicable. Those providers process inputs as needed to run models. Their retention and subprocessors are governed by their policies; we do not opt your content into provider model training where we can disable such use in our integration. We may be unable to delete data from provider logs beyond what each provider supports.

We host generated assets on Cloudflare R2 (object storage). We do not sell your personal information.

See Subprocessors for a list of categories of recipients.

5. Sharing

We share information with service providers that help us run the App, including hosting, storage, authentication, analytics, crash reporting, attribution, session replay, push delivery, and subscription management (e.g. Google/Firebase, Cloudflare, RevenueCat, Mixpanel, AppsFlyer, AI providers). We may disclose information if required by law or to protect rights and safety.

6. International transfers

We may process and store information in the United States and other countries where we or our providers operate. Where we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we use appropriate safeguards such as the EU Standard Contractual Clauses (and UK Addendum where applicable).

7. Retention and deletion

Media you upload and outputs we store may be kept for the time needed to operate the service and according to automated deletion and security settings. Job output links may be time-limited (signed URLs).

Uploaded face photos are automatically deleted from our storage within 30 days of upload and are deleted immediately when you delete your account from the App.

You can clear cached files on your device from the App settings. You may delete your account from the App; we will remove your account data from our systems and delete stored media we hold for your account where feasible, subject to reasonable backup and technical limits (backups may persist for a limited period).

8. Security

We use industry-standard safeguards designed to protect information in transit and at rest (e.g. TLS, access controls, rate limiting). No method of transmission or storage is completely secure.

9. Your rights

Depending on your region, you may have rights to access, rectify, delete, export, or restrict processing of your personal data, and to object to certain processing. You may also have the right to lodge a complaint with a supervisory authority.

California (CCPA/CPRA): We do not "sell" personal information as defined by California law. We do not share personal information for cross-context behavioral advertising in a way that constitutes "selling" or "sharing" under CCPA as described in our technical configuration (SKAN/aggregated measurement). You may request disclosure or deletion by contacting support@catwalk.online.

To exercise rights, contact support@catwalk.online. We will respond within the timeframes required by law (often 30 days under GDPR, up to 45 days under CCPA for eligible requests).

10. Children

The App is not directed at children under 13 (or the age required by your region). We do not knowingly collect personal information from children in violation of applicable law.

11. Breach notification

If we are required to notify you or regulators of a personal data breach, we will do so in accordance with applicable law (e.g. GDPR 72-hour regulator notification where applicable).

12. App Store privacy nutrition labels

Align App Store Connect "App Privacy" answers with this policy and with data actually collected by the App and integrated SDKs, including: User ID, Photos or Videos, Purchase History, Product Interaction, Crash Data, Performance Data, Device ID, Other User Content, and Email (if collected). Mark categories accurately for linking and tracking in line with Apple definitions.

13. Changes

We may update this Privacy Policy by posting a new version. Material changes will be reflected in the "Last updated" date and may require renewed notice in the App.

14. Contact

Privacy inquiries: support@catwalk.online
Support · Terms

Changelog

  • 2026-04-23Clarified that subscription cancellations may reset remaining credits to zero.
  • 2026-04-23Added Face photos section and 30-day retention.
  • 2026-04-17Initial comprehensive Terms, Privacy, Content Policy, EULA, DMCA, and subprocessors pages; GDPR/CCPA disclosures; SDK and AI processor details.