Privacy Policy
Last updated: January 4, 2026
This Privacy Policy describes how Lukas Vaičiulis, operating as Mend ("Mend," "we," "us," or "our"), collects, uses, shares, and protects information about you when you use our mobile application Mend: AI Photo Editor ("App") and related services (collectively, the "Services"). We are committed to protecting your privacy and ensuring transparency about our data practices.
Important Privacy Commitments
We do NOT sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.
- Your photos and data are used solely to provide the AI photo editing service you requested
- Photos you upload are automatically deleted within 24 hours after processing
- Your generated images are stored in your private gallery until you delete them
- You can delete your account and all data at any time
- You can export a copy of your data at any time
- You can withdraw consent for biometric processing without deleting your account
Quick Summary
- We process your photos using OpenAI's GPT-Image model (via Replicate's API infrastructure) to apply effects
- Your uploaded photos are deleted within 24 hours; generated images are kept until you delete them
- We collect minimal data needed to operate the service
- We use Supabase for secure data storage and RevenueCat for subscription management
- You have rights to access, correct, delete, and export your data
- This policy is designed to comply with GDPR, CCPA/CPRA, LGPD, BIPA, and other applicable privacy regulations
1. Data Controller
The data controller responsible for your personal data is:
- Name: Lukas Vaičiulis (Individual Developer)
- App Name: Mend
- Location: Vilnius, Lithuania, European Union
- Email: support@usemend.app
- Website: https://usemend.app
For any questions or concerns regarding this Privacy Policy, your personal data, or to exercise your privacy rights, please contact us at the email address above.
2. Information We Collect
2.1 Information You Provide Directly
| Data Type | Description | Purpose |
|---|---|---|
| Account Information | Email address and display name (from Apple or Google Sign-In) | Account creation, authentication, communications |
| Photos | Images you select or capture for AI processing | AI photo editing service |
| Prompts | Text prompts you enter for AI effects (e.g., "AI Pranks") | AI generation, content moderation |
| Consent Records | Your consent to AI processing and terms acceptance | Legal compliance, consent management |
| Support Requests | Messages you send to customer support | Customer support, service improvement |
2.2 Information Collected Automatically
| Data Type | Description | Purpose |
|---|---|---|
| Device Information | Device type, operating system version, app version | Service compatibility, debugging |
| Installation ID | Random unique identifier per app installation | Abuse prevention, rate limiting |
| Timestamps | When actions occurred (generation times, account creation) | Service operation, auditing |
Note: As of the date of this policy, we do not use third-party analytics SDKs (such as Firebase Analytics, Amplitude, or similar). We collect only minimal operational data necessary to provide the service.
2.3 Information from Third Parties
| Source | Data Received | Purpose |
|---|---|---|
| Apple / Google (Authentication) | Email, display name, unique identifier | Account creation and login |
| RevenueCat | Subscription status, product purchased, transaction dates | Subscription management, entitlement |
| Apple App Store / Google Play | Purchase confirmation, subscription status | Payment processing, subscription management |
Note: We do not receive or store your payment card details. All payment processing is handled by Apple and Google.
3. How We Use Your Information
We use your information for the following purposes:
3.1 Service Provision
- Provide and operate the AI photo transformation features
- Process and deliver your generated images
- Manage your account and subscription
- Store your generated images in your private gallery
- Manage your favorites and preferences
3.2 Service Improvement
- Improve the App and develop new features
- Fix bugs and resolve technical issues
3.3 Security and Compliance
- Ensure security and prevent fraud or abuse
- Moderate content for safety compliance
- Enforce our Terms of Service
- Comply with legal obligations
3.4 Communications
- Provide customer support
- Send service-related notifications (e.g., subscription expiry)
- Respond to your inquiries
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis | Details |
|---|---|---|
| Providing AI photo editing services | Contract Performance (Art. 6(1)(b)) | Necessary to provide the service you requested |
| Processing photos with third-party AI (including biometric data) | Explicit Consent (Art. 6(1)(a), Art. 9(2)(a)) | You explicitly consent before your first AI generation |
| Managing subscriptions and payments | Contract Performance (Art. 6(1)(b)) | Necessary to fulfill your subscription agreement |
| Fraud prevention and security | Legitimate Interest (Art. 6(1)(f)) | Protecting our service and users from abuse |
| Content moderation | Legitimate Interest (Art. 6(1)(f)) | Ensuring platform safety and legal compliance |
| Legal compliance | Legal Obligation (Art. 6(1)(c)) | When required by applicable law |
5. AI Photo Processing and Third-Party Services
Important Information About AI Processing
When you use Mend to transform your photos, your images are transmitted to and processed by third-party AI services. By using Mend, you explicitly consent to this processing.
5.1 Third-Party Data Processors
We use the following third-party services to operate Mend:
| Service Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, generated images, preferences | EU / US |
| Replicate | API infrastructure that hosts and runs AI models | Photos, text prompts (passed through to OpenAI) | US |
| OpenAI | AI image generation (GPT-Image model via Replicate), content moderation, prompt processing, safety filtering | Photos, text prompts, moderation requests | US |
| RevenueCat | Subscription and payment management | Subscription status, purchase history | US |
| Apple / Google | Authentication, app distribution, payments | Account info, payment processing | US |
Each of these services has its own privacy policy. These providers operate under their own data protection commitments and standard contractual terms.
5.2 How AI Processing Works
- You select or capture a photo in the App
- Your photo is uploaded securely to our servers (Supabase Storage)
- Text prompts are checked by OpenAI for content moderation and safety filtering
- We send your photo and selected effect to OpenAI's GPT-Image model (via Replicate's API) for AI image generation
- The generated image is saved to your private gallery
- Your original uploaded photo is automatically deleted within 24 hours
5.3 AI Model Training Disclosure
Important: How Your Data May Be Used for AI Training
We want to be transparent about how your data may be used by AI service providers:
- Mend (Us): We do NOT train any AI models on your photos, prompts, or generated content.
- Replicate: Provides API infrastructure to run AI models. They pass your data through to OpenAI and may retain data for a limited period per their data retention policy. See the Replicate Privacy Policy.
- OpenAI: Provides the GPT-Image model for image generation and moderation APIs. By default, OpenAI does NOT use API data to train their models (as of March 2023). Data may be retained up to 30 days for abuse monitoring. See the OpenAI Privacy Policy.
For complete and current details, please review the Replicate Privacy Policy and OpenAI Privacy Policy.
5.4 Content Moderation
We use automated systems to review content for safety and policy compliance. This includes:
- Checking uploaded images for prohibited content before processing
- Reviewing text prompts for policy violations
- Screening generated outputs before delivery
Content that violates our guidelines may be rejected. For abuse prevention purposes, we store moderation decisions (pass/fail status and reason codes) but NOT the flagged content itself.
6. Biometric Data Processing
Important Notice Regarding Facial Data
When you upload photos containing faces, this may include facial geometry data. Important: We do NOT process facial data for the purpose of uniquely identifying individuals. We use it solely to apply AI visual effects to your photos.
Because we do not use facial data for identification, this processing may not constitute "special category data" under GDPR Article 9. However, out of an abundance of caution, we treat all facial data with heightened protection and obtain explicit consent before processing.
Relevant legal classifications that may apply:
- BIPA (Illinois): Biometric information requiring explicit consent
- CCPA/CPRA: Sensitive personal information
For detailed information about how we handle biometric data, please see our dedicated Biometric Data Policy.
6.1 Summary of Biometric Practices
| Aspect | Our Practice |
|---|---|
| Purpose | We process facial data solely to provide the AI photo editing service you requested (applying effects, transformations, etc.) |
| Consent | Before your first AI generation, you provide explicit consent via our in-app consent screen |
| Retention | Uploaded photos (including facial data) are automatically deleted within 24 hours. Generated images are retained until you delete them or your account |
| Third-Party Processing | Photos are processed by OpenAI's GPT-Image model (via Replicate's API infrastructure) for image transformation, and by OpenAI's moderation API for safety filtering |
| No Biometric Templates | We do NOT create, store, or use biometric templates, face embeddings, or identity models |
| No Sale | We do NOT sell, lease, trade, or otherwise profit from biometric information |
7. Consent Management
7.1 How to Withdraw Consent
You may withdraw your consent for data processing at any time. We offer multiple ways to withdraw consent:
Options for Withdrawing Consent
- Withdraw Biometric Consent Only: Contact us at support@usemend.app to withdraw consent for biometric data processing while keeping your account. You will no longer be able to use AI photo features but can retain access to your existing generated images.
- Delete Your Account: Use Settings > Delete Account in the App to delete all your data and withdraw all consents.
- Delete Individual Content: Delete specific generated images from your gallery at any time.
Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal.
Note: When you delete your account, we retain anonymized consent records for legal compliance purposes. See Section 8.3 for details.
8. Data Storage and Retention
8.1 Where We Store Data
Your data is stored on secure servers provided by Supabase, with data centers in the European Union and United States. We implement appropriate technical and organizational security measures to protect your information.
8.2 Data Retention Periods
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Account Information | Until account deletion | You delete your account |
| Generated Images (Outputs) | Until deletion | You delete the image or your account |
| Original Uploaded Photos (Inputs) | Maximum 24 hours | Automatic deletion after job completion |
| Thumbnails | Until deletion | You delete the image or your account |
| Favorites | Until deletion | You remove favorite or delete account |
| Job Metadata | Until account deletion | You delete your account |
| Credit Transaction History | Until account deletion | You delete your account |
| Security/Moderation Logs | 90 days | Automatic purge (metadata only, no content) |
| Consent Records | 7 years (anonymized on account deletion) | Legal compliance (GDPR Art. 17(3)(e)) |
8.3 Consent Records Retention
Important: Consent Records After Account Deletion
When you delete your account, we retain anonymized consent records (the date and version of your AI processing consent) for up to 7 years. This retention is necessary for:
- Legal Defense: To demonstrate that valid consent was obtained for data processing, in case of legal claims (GDPR Article 17(3)(e))
- Regulatory Compliance: To comply with legal obligations and respond to regulatory inquiries
These anonymized records cannot be linked back to you after account deletion. They contain only:
- A random identifier (not your original user ID)
- Consent timestamp and version
No personal information, photos, generated content, or identifiable data is retained.
9. Data Sharing and Disclosure
9.1 We Do NOT Sell Your Data
No Sale of Personal Information
We do NOT sell your personal information. We do NOT share your personal information with third parties for their direct marketing purposes or for cross-context behavioral advertising.
9.2 When We May Share Data
We may share your information only in the following circumstances:
- Service Providers: With third-party processors listed in Section 5.1 to operate our services, under contractual obligations to protect your data
- Legal Requirements: When required by law, subpoena, court order, or governmental authority
- Safety: To protect the rights, property, or safety of Mend, our users, or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets (with notice to you)
- With Your Consent: When you have given explicit permission
10. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place:
10.1 Transfer Safeguards
Our service providers (Supabase, Replicate, OpenAI, RevenueCat) maintain their own international data transfer mechanisms, which may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
- Adequacy decisions where applicable
We select service providers who commit to appropriate data protection standards. For details on each provider's transfer mechanisms, please refer to their respective privacy policies linked in Section 5.1.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in Transit: All data is transmitted using TLS/SSL encryption
- Encryption at Rest: Stored data is encrypted
- Access Controls: Strict authentication and authorization controls
- Private Storage: All user content is stored in private buckets, accessible only via signed URLs
- Row-Level Security: Database policies ensuring users can only access their own data
- Secure Infrastructure: Enterprise-grade cloud infrastructure (Supabase)
However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
12. Data Breach Notification
In the event of a data breach affecting your personal information:
- We will notify relevant supervisory authorities within 72 hours where required by GDPR;
- We will notify affected users without undue delay when the breach is likely to result in high risk to rights and freedoms;
- We will provide information about the nature of the breach, likely consequences, and measures taken;
- We will document all breaches internally regardless of notification requirements.
13. Your Privacy Rights
13.1 Rights for All Users
Regardless of your location, you have the following rights:
- Access: View your personal data through the App or request a copy
- Delete Individual Content: Delete specific generated images from your gallery
- Delete Account: Permanently delete your account and all associated data (Settings > Delete Account)
- Export Data: Request a portable copy of your data
- Withdraw Consent: Withdraw previously given consent (including biometric consent without deleting your account)
13.2 Additional Rights (GDPR - EEA/UK/Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR:
- Right of Access (Art. 15): Request a copy of your personal data
- Right to Rectification (Art. 16): Request correction of inaccurate data
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
- Right to Restriction (Art. 18): Request restriction of processing
- Right to Data Portability (Art. 20): Receive your data in a machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint: File a complaint with your local supervisory authority
13.3 How to Exercise Your Rights
To exercise any of these rights:
- In-App: Use Settings > Delete Account or Settings > Export Data
- Email: Contact us at support@usemend.app
We will respond to your request within 30 days (or as required by applicable law), though responses may take up to 45 days for complex requests. We may need to verify your identity before processing certain requests.
14. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
14.1 Your California Rights
- Right to Know: Request information about the categories and specific pieces of personal information we have collected about you
- Right to Delete: Request deletion of your personal information (available via Settings > Delete Account)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: Opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information (including biometric data)
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
14.2 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected | Sold/Shared |
|---|---|---|---|
| Identifiers | Email (if signed in), user ID, app install ID | Yes | No |
| Commercial Information | Subscription history, credits | Yes | No |
| Biometric Information | None extracted or stored by Mend* | No* | No |
| Audio/Visual Information | Photos you upload (may contain faces) | Yes | No |
| Sensitive Personal Information | Photos containing faces (sent to third-party AI for processing) | Yes | No |
*Biometric Information Note: Mend does not extract, measure, or store facial geometry or biometric identifiers. However, photos you upload (which may contain faces) are sent to third-party AI services for processing. See our Biometric Data Policy for details.
We Do Not Sell or Share Your Information
We do NOT sell your personal information. We do NOT share your personal information with third parties for cross-context behavioral advertising. Your photos and data are only processed by our service providers to deliver the AI photo editing service you requested.
14.3 How to Exercise California Rights
To exercise your California privacy rights, contact us at support@usemend.app or use the in-app account deletion feature. You may also designate an authorized agent to make a request on your behalf.
15. Brazil Privacy Rights (LGPD)
If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including:
- Confirmation of the existence of data processing
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary data
- Data portability to another service provider
- Deletion of personal data processed with consent
- Information about public and private entities with which we share data
- Information about the possibility of denying consent and the consequences
- Withdrawal of consent
To exercise your LGPD rights, contact us at support@usemend.app.
16. Children's Privacy
16.1 Age Requirement
Mend is intended for users 16 years of age and older. By using this App, you confirm that you meet this age requirement.
16.2 COPPA Compliance
We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from children under 13 years of age.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at support@usemend.app. We will promptly:
- Delete the child's personal information from our systems
- Terminate the child's account
- Delete any content created by the child
16.3 Parental Guidance
AI-generated content can be unpredictable and may occasionally produce unexpected results. We recommend parental guidance for users under 18 years of age.
17. Automated Decision-Making
We use automated systems for the following purposes:
- Content Moderation: Automated scanning of images and prompts for policy violations
- AI Photo Processing: Automated application of effects to your photos
- Subscription Management: Automated entitlement verification
- Abuse Prevention: Automated rate limiting and cooldown enforcement based on usage patterns
These automated processes:
- Are necessary for service operation and abuse prevention
- Do not make decisions with significant legal effects on you
- May result in temporary service restrictions (such as cooldown periods) that lift automatically
- Can be appealed by contacting our support team
17.1 Rate Limit Data
To prevent abuse and ensure fair access for all users, we track:
- Number of requests and generations per time period
- Content moderation decisions (pass/fail) and rejection counts
- Account status (active, warned, suspended)
This data is used solely for abuse prevention and is subject to automatic decay (records improve over time with good behavior). We do not use this data for profiling or share it with third parties.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes:
- We will update the "Last updated" date at the top of this policy
- We will notify you through the App or by email (for significant changes)
- We may request renewed consent where required by law
Your continued use of the App after changes become effective constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
19. Supervisory Authority
If you are located in the EEA, UK, or Switzerland and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
Our lead supervisory authority in the EU is:
- State Data Protection Inspectorate (Lithuania)
- Website: https://vdai.lrv.lt
20. Do Not Track
Some browsers have a "Do Not Track" feature. We do not currently respond to Do Not Track signals because there is no industry standard for mobile applications. Our data practices are described in this Privacy Policy regardless of any Do Not Track setting.
21. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Data Controller: Lukas Vaičiulis (Individual Developer)
- App Name: Mend
- Email: support@usemend.app
- Website: https://usemend.app
- Support: https://usemend.app/support.html
- Location: Vilnius, Lithuania, European Union
We aim to respond to all privacy inquiries within 30 days, though complex requests may take up to 45 days. Response times may vary during peak periods or holidays.
By using Mend, you acknowledge that you have read and understood this Privacy Policy.