Welcome to Shotexa, an AI-powered photo generation and editing mobile application developed and operated by Rockuno (a brand of Oemer Kaya, Einzelunternehmen, Germany). This Privacy Policy explains how we collect, use, process, store, and share your personal data when you download, install, and use the Shotexa iOS mobile application.
This policy applies exclusively to the Shotexa mobile application (available on the Apple App Store). It does not govern any other products, services, or websites operated by Rockuno unless explicitly stated.
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the German Bundesdatenschutzgesetz (BDSG), and all applicable data protection laws.
By creating an account or using Shotexa, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the app and delete your account.
The entity responsible for the processing of your personal data (the "Data Controller") is:
Oemer Kaya
Trading as: Rockuno (Einzelunternehmen)
Country: Germany
Email: info@rockuno.com
Website: https://shotexa.rockuno.com
If you have any questions or concerns about how your data is handled, please contact us at info@rockuno.com.
We collect only the personal data necessary to provide and improve the Shotexa mobile application. The following categories of data are collected:

| Purpose | Data Used |
|---|---|
| Account creation and authentication | Email, User ID, authentication tokens |
| Delivering AI photo generation and editing features | Uploaded images, User ID |
| Storing generated results for you to access | Uploaded images, generated images, User ID |
| Processing and managing subscriptions and purchases | User ID, subscription status, purchase events |
| App performance monitoring and crash diagnostics | Device data, error logs |
| Fraud prevention and security | IP address, User ID, device data |
| Customer support | Email, User ID, usage context |
| Legal compliance and enforcement of our Terms | All categories as necessary |

Under the GDPR, we are required to identify a valid legal basis for each processing activity. We rely on the following legal bases:
Processing your account data, uploaded images, and subscription information is necessary to perform the contract between you and Rockuno — that is, to provide you with the Shotexa app's core functionality. Without this processing, we cannot deliver the service.
We process technical data, device data, and usage analytics based on our legitimate interests in:
These interests are carefully balanced against your rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 11).
Where required by applicable law, we process personal data to fulfill our legal obligations, including retention requirements under German tax and commercial law (HGB, AO).
For any optional processing activities not strictly required to deliver the service (such as marketing communications, if we introduce them in the future), we will always ask for your explicit, freely given, and informed consent. You may withdraw consent at any time.
Shotexa's core functionality relies on artificial intelligence models to generate, transform, and edit photos. When you submit an image for AI processing, that image is transmitted over an encrypted connection to our backend API (hosted at api.rockuno.com on Vercel), which in turn sends your image to a third-party AI provider's API for processing. The AI model analyzes your image and returns a generated or edited result.
The following data is transmitted to third-party AI APIs for the purpose of processing your request:
We do not transmit your name, email, or other identity data to AI providers unless explicitly required for account verification by that provider (which is currently not the case).
Third-party AI providers may process your images on their servers. We select AI providers that:
Please refer to Section 7 (Third-Party Services) for information on specific AI providers and links to their data processing agreements.
The AI processing in Shotexa is used solely for creative image generation and editing. It does not make automated decisions that produce legal effects or significantly affect you as defined under GDPR Art. 22.
You are solely responsible for the images you upload for AI processing. By submitting an image, you confirm that you have the right to share that image and that it does not contain content that violates our Terms of Service (e.g., illegal content, images of minors in inappropriate contexts). We reserve the right to remove content that violates our policies.
Shotexa integrates with the following third-party services. Each service acts as either a data processor (processing data on our behalf) or an independent data controller. We have entered into appropriate Data Processing Agreements (DPAs) with processors where required.
Role: Data Processor
Services used: Supabase Auth (authentication), Supabase Database (PostgreSQL), Supabase Storage (image and file storage)
Data processed: Email address, User ID, authentication tokens, uploaded images, app data stored in the Supabase Database
Data location: Supabase-managed infrastructure (AWS regions; EU region available and configured for this application — see Section 10)
Privacy Policy: https://supabase.com/privacy
DPA: Supabase's Data Processing Addendum is available at https://supabase.com/legal/dpa
Role: Data Processor
Services used: Subscription management, in-app purchase tracking
Data processed: User ID, subscription status, purchase events, device identifiers
Data location: United States (with appropriate safeguards — see Section 10)
Privacy Policy: https://www.revenuecat.com/privacy
DPA: RevenueCat offers a DPA available upon request at https://www.revenuecat.com/dpa
Role: Data Processor (infrastructure/hosting)
Services used: API hosting at api.rockuno.com
Data processed: API requests (which may include images and user identifiers in transit)
Data location: United States and globally distributed edge nodes
Privacy Policy: https://vercel.com/legal/privacy-policy
Role: Data Processor
Services used: AI image generation and editing inference
Data processed: Images you upload, text prompts you provide
Shotexa uses one or more third-party AI API providers to perform image processing. The specific provider(s) in use may change as we update our technology stack. We maintain a current list of AI providers and will update this policy when providers change. Current providers and their data processing terms are referenced in our full sub-processor list, available upon request at info@rockuno.com.
All AI providers are contractually bound to:
Role: Independent Data Controller (for App Store distribution and billing)
Services used: App Store distribution, In-App Purchase billing
Apple independently collects and processes data as part of App Store operations and billing. Apple's data practices are governed by Apple's own Privacy Policy: https://www.apple.com/legal/privacy/
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by applicable law.

| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (email, User ID) | Until account deletion | Required to maintain your account |
| Uploaded images | Until deleted by you or account deletion | Required to provide the service |
| AI-generated images | Until deleted by you or account deletion | Required to deliver and display your results |
| Purchase / subscription records | Up to 10 years | German commercial and tax law (HGB §257, AO §147) |
| Crash and error logs | Up to 90 days | Diagnostic and security purposes |
| IP address logs (server) | Up to 7 days | Security and fraud prevention |
| Customer support records | 3 years from last contact | Legal claims and quality assurance |

When data is no longer required, it is securely deleted or anonymized. Anonymized aggregate data (with no link to any individual) may be retained indefinitely for product improvement.
As Rockuno is based in Germany (EU), your data is generally processed within the European Economic Area (EEA). However, some of our third-party processors (including Supabase, RevenueCat, Vercel, and AI providers) are based in the United States or operate globally.
When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V:
You may request a copy of the applicable transfer safeguards by contacting us at info@rockuno.com.
As a data subject under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at info@rockuno.com. We will respond within 30 days.
You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed.
You have the right to request correction of inaccurate personal data or completion of incomplete data.
You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent (where processing is based on consent), or when you object and there are no overriding legitimate grounds. Please see Section 12 for how to delete your account and data.
You may request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests while your request is being assessed.
Where processing is based on your consent or a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
You have the right to object at any time to processing based on our legitimate interests (Art. 6(1)(f)). Upon your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.
Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Shotexa does not engage in such decision-making.
We respect your right to erasure. Shotexa provides clear and accessible means to delete your account and associated data.
Your account deletion request will be processed immediately. The following data will be deleted within 30 days of your request:
If you are unable to access the in-app deletion option, you may submit a deletion request by emailing info@rockuno.com from the email address associated with your account. We will process your request within 30 days.
Following account deletion, we may retain the following data as required by applicable law:
Beyond legal obligations, no personal data is retained after account deletion.
Deleting your account does not automatically cancel your App Store subscription. To cancel your subscription, go to your iPhone Settings → Apple ID → Subscriptions and cancel the Shotexa subscription. You will continue to have access until the end of the current billing period.
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, loss, destruction, or alteration.
Despite our best efforts, no security system is impenetrable. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with GDPR Art. 33 and Art. 34 within 72 hours of becoming aware of the breach.
Shotexa is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16 years of age. In jurisdictions where the digital age of consent is set at 13 (including the United States), Shotexa is not directed at children under 13.
If we become aware that we have inadvertently collected personal data from a child under the applicable age threshold without verifiable parental consent, we will take immediate steps to delete that information from our systems.
If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at info@rockuno.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
Your continued use of Shotexa after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must stop using the app and delete your account.
Previous versions of this Privacy Policy are available upon request.
You have the right to lodge a complaint with a data protection supervisory authority. As Rockuno is based in Germany, the competent lead supervisory authority depends on your state of residence. For general complaints, you may contact:
The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Website: https://www.bfdi.bund.de
Email: poststelle@bfdi.bund.de
You may also contact the supervisory authority of the EU member state in which you habitually reside, work, or where the alleged infringement occurred.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Data Controller: Oemer Kaya (Rockuno, Einzelunternehmen)
Privacy Inquiries: info@rockuno.com
General Support: info@rockuno.com
App: Shotexa (iOS)
Country: Germany
Privacy Policy URL: https://shotexa.rockuno.com/privacy
We aim to respond to all privacy-related inquiries within 30 days. For urgent matters, please indicate "URGENT" in your email subject line.