Privacy Policy

1. Introduction

Welcome to Shotexa, an AI-powered product photo transformation and background generation mobile application developed and operated by Rockuno (a brand of Oemer Kaya, Einzelunternehmen, Germany). This Privacy Policy explains how we collect, use, process, store, and share your personal data when you download, install, and use the Shotexa iOS mobile application — whether you use the App as a registered user, as a guest without creating an account, or as a user who makes purchases without registering.

This policy applies exclusively to the Shotexa mobile application (available on the Apple App Store). It does not govern any other products, services, or websites operated by Rockuno unless explicitly stated.

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the German Bundesdatenschutzgesetz (BDSG), and all applicable data protection laws.

By using Shotexa, including as a guest, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the app.

2. Data Controller

The entity responsible for the processing of your personal data (the "Data Controller") is:

If you have any questions or concerns about how your data is handled, please contact us at info@rockuno.com.

3. Data We Collect

We collect only the personal data necessary to provide and improve the Shotexa mobile application. The data we collect depends on whether you use the App as a guest or as a registered user.

3.1 Account and Identity Data (Registered Users)

If you choose to create an account, we collect:

• Email address – collected when you register an account via Supabase Auth.
• User ID – a unique identifier generated and assigned to your account upon registration.
• Authentication tokens – session tokens managed by Supabase Auth to keep you securely signed in.

Account creation is optional. You may use core features of Shotexa without registering.

3.2 Guest and Anonymous Usage Data

If you use Shotexa without creating an account ("guest mode"), the following data is processed:

• Anonymous session ID / anonymous user ID – Shotexa uses Supabase Anonymous Auth to assign you an anonymous session identifier. No email address, name, or password is required or collected for guest usage. This ID is used to provide the App, manage your credits, associate your generated content with your current session, and prevent abuse of free-credit limits.
• Guest credit grant record – a record indicating whether the free guest credit has been granted for your session/device environment, used to enforce the one-credit-per-eligible-guest limit and prevent repeated claiming.
• Hashed device identifier – a one-way hashed representation of your device's iOS identifierForVendor (IDFV). The raw identifier is not stored. The hash is used solely for fraud prevention and free-credit abuse prevention. It is not used for advertising or tracking across apps.
• Hashed IP address – a one-way hash of your IP address (with a server-side salt), used for rate limiting and anti-abuse purposes. Raw IP addresses are not stored for this specific anti-abuse function where avoidable. However, your IP address may still be processed transiently by our hosting infrastructure (Vercel) and security systems as part of normal server operation, as described in Section 7.3.
• App version and build number – used to apply version-appropriate anti-abuse rules and for diagnostics.
• Usage and security events – timestamped records of credit grant events, generation attempts, and security-relevant actions within your guest session, used to enforce limits and detect suspicious behavior.

3.3 User-Uploaded Content

• Photos and images – images you voluntarily upload to the App for AI-based generation. These are transmitted to third-party AI processing APIs for the sole purpose of generating results. Images uploaded during a guest session may be stored temporarily to deliver your result; registered users' images may be stored longer in Supabase Storage as described in Section 8.

3.4 Device and Technical Data

• Device type and model
• Operating system version
• App version and build number
• IP address – may be processed transiently by hosting/infrastructure/security systems as part of normal server operation. A hashed form of your IP address may be stored for rate limiting and anti-abuse purposes (see Section 3.2). Raw IP address logs at infrastructure level are retained for up to 7 days.
• Hashed device identifier – one-way hashed identifierForVendor for fraud prevention (see Section 3.2).
• Crash reports and error logs – anonymous technical data to help us diagnose and fix issues.

3.5 Usage Data

• Features used within the app (e.g., which AI tools you interact with)
• Session duration and frequency of use
• In-app navigation patterns (aggregated and pseudonymized where possible)

Usage data is collected for both registered and guest users, associated with pseudonymous or anonymous identifiers.

3.6 Purchase and Subscription Data

• Subscription status (active, expired, trial)
• Purchase history (plan type, renewal date, credit pack purchases)
• RevenueCat app user ID – which may be your registered user ID or an anonymous RevenueCat-assigned ID for guest purchases. RevenueCat uses this to manage subscription entitlements and restore purchases for both registered and guest users.
• Data provided to us by RevenueCat regarding in-app purchase events, receipts, and subscription status.

3.7 Data We Do Not Collect

• Precise real-time GPS location
• Contact list or address book
• Microphone or audio recordings
• Browsing history outside the app
• Raw IP addresses stored for anti-abuse (we use hashed IP with server-side salt for this purpose)

4. Purposes of Processing

5. Legal Basis for Processing (GDPR Art. 6)

Under the GDPR, we are required to identify a valid legal basis for each processing activity. We rely on the following legal bases:

5.1 Performance of a Contract (Art. 6(1)(b))

Processing your account data, uploaded images, guest session data, subscription information, and credit records is necessary to perform the contract between you and Rockuno — that is, to provide you with the Shotexa app's core functionality, whether you use it as a guest or as a registered user. Without this processing, we cannot deliver the service.

5.2 Legitimate Interests (Art. 6(1)(f))

We process technical data, device data, hashed fraud-prevention identifiers, and usage analytics based on our legitimate interests in:

• Maintaining and improving the security, reliability, and performance of the app
• Detecting and preventing fraud and abuse
• Enforcing free-credit limits and preventing repeated guest-credit farming through reinstalls, session manipulation, device/IP abuse, or automation
• Rate limiting suspicious activity to protect the service and all users
• Understanding aggregate usage to improve product features

These interests are carefully balanced against your rights and freedoms. We use minimized, hashed signals for anti-abuse purposes rather than storing raw identifiers where avoidable. You may object to processing based on legitimate interests at any time (see Section 11).

5.3 Compliance with Legal Obligations (Art. 6(1)(c))

Where required by applicable law, we process personal data to fulfill our legal obligations, including retention requirements under German tax and commercial law (HGB, AO), and accounting records related to purchases and subscriptions.

5.4 Consent (Art. 6(1)(a))

For any optional processing activities not strictly required to deliver the service (such as marketing communications, if we introduce them in the future), we will always ask for your explicit, freely given, and informed consent. You may withdraw consent at any time.

6. AI Processing Disclosure

6.1 How AI Processing Works

Shotexa's core functionality relies on artificial intelligence models to generate, transform, and edit photos. When you submit an image for AI processing — whether as a guest or as a registered user — that image is transmitted over an encrypted connection to our backend API (hosted at api.rockuno.com on Vercel), which in turn sends your image to a third-party AI provider's API for processing. The AI model analyzes your image and returns a generated or edited result.

6.2 Data Transmitted to AI Providers

The following data is transmitted to third-party AI APIs for the purpose of processing your request:

• The image(s) you upload – transmitted securely for AI inference
• Your prompts or instructions (if text-based parameters are used)

We do not transmit your name, email address, or other identity data to AI providers. This applies equally to guest and registered users. Your anonymous session ID or registered user ID is not shared with AI providers.

6.3 AI Provider Data Retention

Third-party AI providers (currently including fal.ai) may process your images on their servers. We select AI providers that:

• Do not use your submitted images to train their models without explicit consent
• Process data only for the duration necessary to return the result
• Maintain appropriate security and confidentiality measures

Please refer to Section 7 (Third-Party Services) for information on specific AI providers. We will update this section when our AI providers change.

6.4 No Automated Decision-Making with Legal Effect

The AI processing in Shotexa is used solely for creative image generation and editing. It does not make automated decisions that produce legal effects or significantly affect you as defined under GDPR Art. 22.

6.5 Responsibility for Uploaded Content

You are solely responsible for the images you upload for AI processing, whether you use the App as a guest or as a registered user. By submitting an image, you confirm that you have the right to share that image and that it does not contain content that violates our Terms of Service.

7. Third-Party Services

Shotexa integrates with the following third-party services. Each service acts as either a data processor (processing data on our behalf) or an independent data controller. We have entered into appropriate Data Processing Agreements (DPAs) with processors where required.

7.1 Supabase, Inc.

Role: Data Processor

Services used: Supabase Auth (registered authentication and anonymous authentication for guest users), Supabase Database (PostgreSQL), Supabase Storage (image and file storage)

Data processed: Email address and User ID (registered users); anonymous session ID and anonymous user ID (guest users); authentication tokens; uploaded images; app data including credit records, generation history, and session data stored in the Supabase Database

Data location: Supabase-managed infrastructure (AWS regions; EU region configured for this application — see Section 10)

Privacy Policy: https://supabase.com/privacy

DPA: https://supabase.com/legal/dpa

7.2 RevenueCat, Inc.

Role: Data Processor

Services used: Subscription management, in-app purchase tracking, restore purchases

Data processed: App user ID (which may be your registered User ID or an anonymous RevenueCat-assigned ID for guest users), subscription status, purchase events, receipts, transaction identifiers, device identifiers, restore-purchase data. RevenueCat supports purchases and entitlement management for both registered and guest users.

Data location: United States (with appropriate safeguards — see Section 10)

Privacy Policy: https://www.revenuecat.com/privacy

DPA: https://www.revenuecat.com/dpa

7.3 Vercel, Inc.

Role: Data Processor (infrastructure/hosting)

Services used: API hosting at api.rockuno.com

Data processed: API requests (which may include images and user or session identifiers in transit); request metadata including IP addresses, which may be processed transiently by Vercel's infrastructure and security systems as part of normal server operation. Our backend may also transmit hashed IP and hashed device identifier signals to fraud-prevention logic running on this infrastructure.

Data location: United States and globally distributed edge nodes

Privacy Policy: https://vercel.com/legal/privacy-policy

7.4 fal.ai (AI Processing Provider)

Role: Data Processor

Services used: AI image generation and transformation inference

Data processed: Images you upload, text prompts or parameters you provide. fal.ai may process uploaded images and generation-related data for the purpose of producing AI-generated image results. fal.ai acts as a data processor on our behalf for these operations. fal.ai does not receive your email address, name, or session identifier.

We may update or change our AI processing provider(s) over time. We will update this section when providers change. All AI providers are contractually bound to:

• Process your images only as instructed by us (inference only)
• Not use your images for model training without your explicit consent
• Delete images promptly after processing unless storage is explicitly requested
• Implement appropriate technical and organizational security measures

7.5 Apple, Inc.

Role: Independent Data Controller (for App Store distribution and billing)

Services used: App Store distribution, In-App Purchase billing for both registered and guest users

Apple independently collects and processes data as part of App Store operations and billing. Apple's data practices are governed by Apple's own Privacy Policy: https://www.apple.com/legal/privacy/

7.6 PostHog, Inc. (Analytics)

Role: Data Processor

Services used: Product analytics, usage tracking, performance monitoring

Data processed:

• Device type and operating system
• App usage events (e.g., feature interactions, in-app navigation) — for both registered and guest users, associated with pseudonymous or anonymous identifiers
• Session duration and frequency of use
• Approximate location (derived from IP address at request time; not stored long-term)
• Technical diagnostics data

Shotexa uses PostHog to understand how users interact with the application, identify errors, and improve product performance. PostHog is used exclusively for internal product analytics. Guest users may also generate analytics events, associated with pseudonymous or anonymous identifiers rather than personal identity data.

We do NOT use PostHog for:

• Advertising or ad targeting purposes
• Behavioral profiling for marketing
• Cross-app or cross-website tracking

Legal basis: Processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in improving the stability, usability, and performance of the app. This processing is limited and proportionate.

Data location: United States (with appropriate safeguards — see Section 10)

Privacy Policy: https://posthog.com/privacy

8. Data Storage and Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law.

Guest credit grant records, hashed device identifiers, and hashed IP anti-abuse records are generally retained for up to 24 months, unless a longer retention period is necessary to investigate abuse, enforce our Terms, or comply with legal obligations.

When data is no longer required, it is securely deleted or anonymized. Anonymized aggregate data (with no link to any individual) may be retained indefinitely for product improvement.

9. Data Sharing

We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes. We share your data only in the following circumstances:

• With service providers (processors): as described in Section 7, solely to enable the app's functionality under our instructions. Anti-abuse data (hashed identifiers) is not sold and is only shared with processors strictly necessary to operate and protect the service.
• Legal obligations: if required by law, court order, or government authority. We will notify you of such requests unless legally prohibited from doing so.
• Protection of rights: to enforce our Terms of Service, prevent fraud, or protect the safety of our users or the public.
• Business transfers: if Rockuno undergoes a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice and, where required, seek your consent before such transfer. Your rights under GDPR will be preserved.

10. International Data Transfers

As Rockuno is based in Germany (EU), your data is generally processed within the European Economic Area (EEA). However, some of our third-party processors (including RevenueCat, Vercel, PostHog, and fal.ai) are based in the United States or operate globally. This applies equally to data from registered and guest users.

When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V:

• Standard Contractual Clauses (SCCs): We rely on EU-approved SCCs with processors in third countries, including Supabase and RevenueCat.
• Adequacy decisions: Where the European Commission has recognized a third country as providing adequate data protection.
• Supplementary measures: Additional technical and contractual safeguards, including encryption in transit and at rest, are applied.

You may request a copy of the applicable transfer safeguards by contacting us at info@rockuno.com.

11. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at info@rockuno.com. We will respond within 30 days.

Guest users may also contact us to exercise their privacy rights. Because guest usage does not involve an email address or other registered identity, we may need additional information (such as your approximate usage date, app version, or other context) to identify and process the relevant records.

Right of Access (Art. 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed.

Right to Rectification (Art. 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure ("Right to be Forgotten") (Art. 17)

You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent (where processing is based on consent), or when you object and there are no overriding legitimate grounds. Please see Section 12 for how to request data deletion.

Right to Restriction of Processing (Art. 18)

You may request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests while your request is being assessed.

Right to Data Portability (Art. 20)

Where processing is based on your consent or a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to Object (Art. 21)

You have the right to object at any time to processing based on our legitimate interests (Art. 6(1)(f)), including processing of hashed fraud-prevention signals. Upon your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Shotexa does not engage in such decision-making. Note: automated anti-abuse checks (e.g., detecting repeated guest credit claiming) may result in denial of a promotional credit, but do not result in account suspension without human review where feasible.

12. Account and Data Deletion

We respect your right to erasure. Shotexa provides accessible means to delete your account and associated data.

12.1 How to Delete Your Account In-App (Registered Users)

1. Open the Shotexa app and navigate to Settings.
2. Select "Delete Account".
3. Confirm your decision when prompted.

Account deletion may be subject to a 30-day grace period, during which your account is scheduled for deletion. If you sign in again before the grace period expires, the deletion request may be cancelled. After the grace period ends, the following data will be permanently deleted:

• Your email address and User ID
• All uploaded images stored in Supabase Storage
• All AI-generated images associated with your account
• All Supabase Database records linked to your account

12.2 Requesting Deletion by Email (Registered Users)

If you are unable to access the in-app deletion option, you may submit a deletion request by emailing info@rockuno.com from the email address associated with your account. We will process your request within 30 days.

12.3 Guest User Data Deletion Requests

Guest users do not have a registered account to delete. However, you may contact us at info@rockuno.com to request deletion of any guest session data or anti-abuse records associated with your use of the App. Because guest sessions are not linked to an email address, we may need additional information (such as approximate usage date, app version, or device type) to identify the relevant records. We will use reasonable efforts to fulfill such requests.

Please note: deleting the app from your device does not automatically delete server-side guest records immediately. Anti-abuse records (hashed device identifier and hashed IP) may be retained for up to 24 months to prevent abuse, as described in Section 8.

12.4 Data Retained After Deletion

Following account or data deletion, we may retain the following data as required by applicable law or legitimate interest:

• Purchase and billing records – retained for up to 10 years under German commercial law. Retained in anonymized or pseudonymized form where possible.
• Anti-abuse records (hashed device identifier, hashed IP, guest credit grant records) – retained for up to 24 months to prevent repeated abuse, protect the service, and enforce our Terms, unless a longer period is necessary for fraud investigation or legal compliance.
• Legal hold data – if required by a court order, legal process, or ongoing dispute, certain data may be retained until the matter is resolved.

12.5 Canceling Your Subscription

Deleting your account does not automatically cancel your App Store subscription. To cancel your subscription, go to your iPhone Settings → Apple ID → Subscriptions and cancel the Shotexa subscription. You will continue to have access until the end of the current billing period.

13. Security Measures

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, loss, destruction, or alteration.

• Encryption in transit: All data transmitted between the Shotexa app and our servers, and between our servers and third-party services, is encrypted using TLS 1.2 or higher.
• Encryption at rest: Data stored in Supabase Database (PostgreSQL) and Supabase Storage is encrypted at rest using AES-256.
• Authentication security: Supabase Auth handles both registered user sessions and anonymous guest sessions with industry-standard OAuth 2.0 and JWT tokens. Passwords for registered accounts are hashed using bcrypt. We do not store plaintext passwords.
• Access controls: Access to personal data is restricted on a need-to-know basis. Only authorized personnel and systems may access your data.
• Row Level Security (RLS): Supabase Database and Storage are protected by PostgreSQL Row Level Security policies. Credit grant and anti-abuse tables are additionally protected with service-role restrictions where applicable, preventing unauthorized read or write access.
• Hashed identifiers: Device identifiers and IP addresses used for anti-abuse are stored only in hashed (one-way, salted) form where possible, reducing the risk of re-identification.
• API security: Our backend API at api.rockuno.com enforces authentication on all protected endpoints and is hosted on Vercel's secure infrastructure.
• Server-side fraud prevention: Anti-abuse logic runs server-side, ensuring that free-credit enforcement cannot be bypassed by client-side manipulation.
• Regular security reviews: We periodically review our security practices and update them in response to new threats.

Despite our best efforts, no security system is impenetrable. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with GDPR Art. 33 and Art. 34 within 72 hours of becoming aware of the breach.

14. Children's Privacy

Shotexa is not directed to children. The App is rated 4+ on the Apple App Store, meaning it may be downloaded by users of all ages where permitted by applicable law and App Store rules.

If you are under the age at which you can legally consent to digital services in your country, you may use Shotexa only with the involvement and consent of a parent or legal guardian. In the European Economic Area, where GDPR child consent rules apply, users under the applicable national digital age of consent must have the consent of a parent or legal guardian where required by law.

We do not knowingly collect personal data from children without the required parental or guardian consent. If we become aware that personal data has been collected from a child without required consent, we will take appropriate steps to delete it from our systems.

If you are a parent or guardian and believe your child has used Shotexa and provided personal data without your consent, please contact us immediately at info@rockuno.com.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via an in-app notification or email (for registered users) at least 14 days before the changes take effect
• Where required by law, ask for your consent to new processing activities

Your continued use of Shotexa after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must stop using the app.

Previous versions of this Privacy Policy are available upon request.

16. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. As Rockuno is based in Germany, the competent lead supervisory authority depends on your state of residence. For general complaints, you may contact:

You may also contact the supervisory authority of the EU member state in which you habitually reside, work, or where the alleged infringement occurred.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

We aim to respond to all privacy-related inquiries within 30 days. For urgent matters, please indicate "URGENT" in your email subject line.