Pencil2Reality
Home/Privacy Policy

Privacy Policy

Last updated: June 19, 2026

This Privacy Policy explains how Pencil2Reality (“we”, “us”, “our”) collects, uses, and protects information when you use the Pencil2Reality mobile application (“App”) and website at pencil2reality.app (“Site”).

By using the App or Site you agree to the practices described in this policy. If you do not agree, please do not use the App.

1. Who we are

Pencil2Reality is operated by the legal entity identified in our Imprint. We are the data controller for personal data processed through the App and Site.

We have assessed that we are not required to appoint a Data Protection Officer (DPO) under GDPR Art. 37 given the scale of our operations. For all privacy-related enquiries, contact us at support@pencil2reality.app.

2. Information we collect

Account information

When you create an account we collect your email address and optionally a display name and profile picture. If you sign in with Google or Apple, we receive your name and email address (and, for Google, your profile picture) from the respective OAuth service. Apple may provide a private relay email address at your discretion.

User-uploaded content

When you use the App you upload drawings (photos or images). These are stored in our private cloud storage and sent to OpenAI's gpt-image-1 API to generate transformed images. Generated images are also stored in your private storage area.

Usage and transaction data

We track image generation jobs, AI title generation requests, credit balances, and credit transactions associated with your account to operate the service.

Analytics data

We use PostHog to collect anonymised product analytics including in-app events (e.g. screens visited, features used), device type, operating system, and app version. This helps us understand how the App is used and improve it. PostHog analytics are disabled in local debug builds. You may opt out by contacting us.

Push notification tokens

If you grant notification permissions, we collect a Firebase Cloud Messaging (FCM) push notification token associated with your device. This token is used solely to deliver in-app notifications (e.g. when your image generation is complete) and is not used for advertising.

Crash and error data

We use Sentry to collect anonymised crash reports and error logs to improve the App's stability. This may include device type, OS version, and a stack trace, but never the content of your images.

Payment data

All payments are processed by Apple App Store or Google Play via RevenueCat. We never see or store your payment card details. RevenueCat shares purchase status (e.g. subscription active, credits purchased) with us to update your credit balance.

3. Legal basis for processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases under GDPR Art. 6:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide you with the App — account creation, image generation, credit management, subscription administration, and transactional emails.
  • Legitimate interests (Art. 6(1)(f)): Crash reporting and error monitoring (Sentry) to ensure App stability; security and fraud prevention. Our legitimate interests are not overridden by your rights because the data is anonymised and the purpose is proportionate.
  • Consent (Art. 6(1)(a)): Product analytics (PostHog) and push notifications (Firebase FCM). Where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation (Art. 6(1)(c)): Retention of billing and transaction records as required by applicable tax and commercial law.

4. How we use your information

  • To provide and operate the App and its image transformation service
  • To manage your account, credits, and subscriptions
  • To generate AI images and AI titles from your uploaded drawings using OpenAI gpt-image-1
  • To send transactional emails (e.g. password reset) — no marketing emails without your consent
  • To send push notifications about your generation results (only if you grant permission)
  • To diagnose bugs and improve the App using anonymised crash reports and product analytics
  • To comply with legal obligations

5. Third-party service providers

We share data with the following processors only to the extent necessary to operate the service. Each processor has signed a Data Processing Agreement (DPA) or equivalent contractual safeguard:

ProviderPurposeData shared
SupabaseDatabase, authentication, and cloud storageAccount data, images, job and transaction records
OpenAIgpt-image-1 image generation and AI title generationUploaded drawings (images); subject to OpenAI's Privacy Policy
RevenueCatSubscription and in-app purchase managementUser ID, purchase events
GoogleGoogle Sign-In (OAuth) and Firebase Cloud Messaging (push notifications)Name, email, profile picture (Google Sign-In); device push token (FCM)
AppleSign In with Apple (OAuth) and App Store payment processingName, email or relay email (Apple Sign-In); as required by the platform for payments
SentryCrash reporting and error monitoringAnonymised error and device data; no image content
PostHogProduct analyticsAnonymised usage events, device type, OS version, app version

We do not sell your personal data to any third party.

6. Children's privacy

The App may be used by children aged 13 and over, provided a parent or guardian holds the account and supervises use for users under 18. Account holders must be at least 13 years old.

We do not knowingly collect personal information directly from children under 13. If a parent or guardian becomes aware that their child under 13 has provided personal data without their consent, they should contact us at support@pencil2reality.app and we will promptly delete it.

Drawings uploaded through the App may depict children's artwork. These images are processed solely to generate the requested AI transformation and are stored privately for the account holder only. They are never used for advertising or shared with third parties beyond the processors listed in Section 5.

7. Data retention

We retain personal data for the following periods:

  • Account data and uploaded content: For as long as your account is active. If you delete your account, personal data and associated images are deleted within 30 days.
  • Transaction and billing records: Retained for 10 years from the transaction date as required by Portuguese and EU tax law.
  • Crash and error logs: Retained by Sentry for up to 90 days in line with Sentry's standard retention policy.
  • Analytics data: Retained by PostHog for up to 12 months in anonymised form.
  • Push notification tokens: Deleted when you delete your account or revoke notification permissions.

8. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access (Art. 15 GDPR): Request a copy of the data we hold about you
  • Correction (Art. 16 GDPR): Request correction of inaccurate or incomplete data
  • Deletion (Art. 17 GDPR): Request deletion of your account and data
  • Restriction (Art. 18 GDPR): Request restriction of processing in certain circumstances
  • Portability (Art. 20 GDPR): Request your data in a portable, machine-readable format
  • Objection (Art. 21 GDPR): Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent (analytics, push notifications), you may withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at support@pencil2reality.app. We will respond within one month as required by GDPR Art. 12(3).

Supervisory authority: If you are located in Portugal or the EEA, you have the right to lodge a complaint with your local data protection supervisory authority. In Portugal, the competent authority is the Comissão Nacional de Proteção de Dados (CNPD) at www.cnpd.pt.

California residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA): the right to know what personal information we collect and how it is used; the right to request deletion of your personal information; and the right to non-discrimination for exercising your privacy rights. We do not sell your personal information. To exercise these rights, contact us at support@pencil2reality.app.

9. Data security

We apply industry-standard security measures including:

  • Encrypted connections (TLS/HTTPS) for all data in transit
  • Row-Level Security on all database tables, ensuring only you can access your data
  • Private cloud storage buckets with signed URL access
  • Access controls limiting employee access to personal data to those with a need to know

In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will notify you without undue delay as required by GDPR Art. 34.

10. International transfers

Your data is stored and processed by Supabase, PostHog, Sentry, OpenAI, Firebase, and RevenueCat, which may operate servers in the United States and other countries outside the European Economic Area (EEA). Where data is transferred outside the EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c), or the provider's participation in an applicable adequacy framework.

11. Automated decision-making

We do not make decisions about you that produce legal or similarly significant effects solely through automated means (GDPR Art. 22). The AI image transformation is a creative tool operated at your explicit request and does not constitute automated profiling or decision-making.

12. Cookies and local storage

The App uses device local storage to store your authentication session and preferences. No advertising or tracking cookies are used in the App.

The Site (pencil2reality.app) may use cookies for session management and to understand general site traffic via analytics. No advertising cookies are used. You can control cookies through your browser settings.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in the App or on this page with a revised “Last updated” date. Continued use of the App after changes constitutes acceptance of the updated policy.

14. Contact

For any privacy questions, requests, or to exercise your rights, please contact us at:
support@pencil2reality.app

For complaints, you may also contact the Portuguese supervisory authority:
CNPD — Comissão Nacional de Proteção de Dados
www.cnpd.pt