2. Who is responsible for your data
Wabihana is operated as an individual sole proprietorship based in Vietnam, and is the data controller ("we", "us") for the personal information described in this policy. Postal address: Lo 121 K98 Tran Nhat Duat, Nha Trang, Khanh Hoa, Vietnam. For any privacy-related question, access request, or complaint, contact [email protected].
3. What we collect
We try to collect as little as possible. The data we do collect falls into these groups:
3.1 Account data
- If you sign in with Google, Apple, or Telegram, we receive a stable account identifier and your email address (Google/Apple) or Telegram user ID (Telegram). We do not receive your contacts, calendar, or any other profile data.
- If you sign in with email magic-link, we store your email address and a hashed verification code.
- If you use the app as a guest, we generate a random device-local identifier ("guest UUID") and a signed anonymous token so we can attribute your projects and balance to a session. No email, no name, no profile. The guest UUID persists on your device until you uninstall the app or clear app data. If you later sign in, your projects and balance are migrated to your account and the guest UUID is retired.
3.2 Content you upload
- The photo you upload for a painting. We strip EXIF metadata (location, camera model, timestamps) on your device before upload. The original photo is deleted from our servers within 7 days of successful processing.
- The derived assets we generate from your photo — the index map, colour palette, contour data, and the thumbnail — are kept so the painting stays playable. These are not the original photo.
- We do not use generative AI or machine-learning models to process your image. The photo-to-painting conversion is a deterministic image-processing algorithm (colour quantization and region detection). Your photos are never used to train any AI model, ours or anyone else's.
- Your painting progress (which zones are filled). On free accounts this lives only on your device. On Pro accounts it's backed up to your account so you can sync across devices.
3.3 Economy and payments
- Your credit balance and a ledger of grants, spends, and purchases. The ledger is what lets us refund correctly when something goes wrong.
- If you buy credits or Pro on the web, Whop (our reseller and merchant of record) or PayPal processes the payment. We receive a record of the purchase (price, SKU, status, the provider's order and transaction IDs) and a customer reference — not your full card number. The processor's own privacy policy applies to the data it collects at checkout (Whop, PayPal).
- On mobile, in-app purchases are processed by the platform store (Google Play, Apple App Store, or Telegram Stars). We receive a verified receipt from the store; the store sees the payment details.
3.4 Device + diagnostic data
- Standard server logs — IP address, user-agent, timestamp, requested route, status code. We keep these for up to 30 days for security, abuse investigation, and debugging, then they roll off.
- Crash reports (Sentry). Sent on errors so we can fix bugs. Contain the stack trace and limited environment data. We try to scrub anything that looks like personal data on the way out.
3.5 Cookies and similar storage
- Strictly necessary: a session token (keeps you signed in) and a consent record (remembers what you chose in the cookie banner).
- Functional: IndexedDB (web) or SQLite (mobile) to store your projects, painting progress, and queued uploads on your device.
- Crash & error reporting: in the EU / UK / EEA, set only after you opt in; everywhere else, set unless you opt out.
- Advertising: for free users, Google AdSense (web) and AdMob (Android) set cookies or device identifiers to serve ads, cap how often you see them, and measure them — this happens even for non-personalised ads, and Google also reads your IP address. Ads are non-personalised by default; personalised advertising cookies are used only if you consent (and in the EU / UK / EEA we ask before any ads load). Pro users see no ads and no advertising cookies. See Google's "How Google uses information from sites or apps that use our services".
Wabihana does not set its own advertising or cross-site tracking cookies.
4. How we use what we collect
- To run the service — generate paintings, save your gallery, sync Pro projects across devices, deliver push notifications you opted into.
- To process payments and apply refunds.
- To moderate uploaded content (see section 5).
- To fix bugs, measure performance, and improve the product.
- To prevent abuse, fraud, and violations of our Terms of Service.
- To comply with legal obligations, including the mandatory CSAM reporting described in section 5.
Wabihana does not build behavioural advertising profiles of you and does not sell your personal data. Ads shown to free users are served by Google (AdSense on web, AdMob on Android); they are non-personalised by default, and personalised only where you have given consent. We never show ads while you're painting, and Pro removes them entirely.
5. Content moderation
Every uploaded photo is checked automatically before we generate a painting:
- A CSAM hash match runs on every upload, using Project Arachnid Shield, a service operated by the Canadian Centre for Child Protection. We only send a hash of the image for comparison, so your image stays private. Matches are blocked and reported to the appropriate authorities (e.g. NCMEC) as required by law. It is a legal obligation, not a moderation preference.
- If an upload is blocked by any of these checks, we remove it and let you know it couldn't be used.
- Edge cases are reviewed by a human moderator. Reviewers see the image and your account identifier only.
6. Legal basis (EU / UK / EEA)
If GDPR or UK GDPR applies to you, our legal basis for processing is:
- Performance of a contract — running the service, processing your purchases, syncing your projects.
- Legitimate interests — preventing abuse, keeping the service secure, measuring aggregate usage, debugging.
- Consent — for crash reporting and non-essential cookies in regions where consent is required. You can withdraw consent at any time from Settings.
- Advertising — serving contextual ads to free users (legitimate interests); serving personalised ads where you have given explicit consent.
- Legal obligation — CSAM hash matching, retention for tax / accounting purposes, response to lawful requests.
7. Who we share data with
We share data only with the service providers we need to run the product, and only the minimum each one needs to do its job:
- Cloudflare R2 — object storage for derived assets and thumbnails.
- Cloudflare Web Analytics — privacy-friendly page performance metrics. No cookies; no cross-site tracking. (EU-US DPF certified.)
- Our managed database and Redis providers (e.g. Neon, Upstash) — store your account, balance, and project metadata.
- Whop — primary web payment processor and merchant of record (credit packs and Pro subscriptions); collects + remits tax and issues receipts.
- PayPal — secondary web payment processor (credit packs and Pro subscriptions).
- Google Play, Apple App Store, Telegram — mobile / Mini-App payments and authentication.
- Resend — outbound transactional email (verification codes, receipts).
- Sentry — crash & error reporting (subject to consent in EU / UK / EEA).
- Project Arachnid Shield (Canadian Centre for Child Protection) — receives a hash of uploaded images to check for known CSAM. Required by law; not optional.
- Google AdSense / AdMob — ads for free users on web and Android. Configured for non-personalised ads where consent is not given. In non-personalised mode, Google may still receive technical signals (device type, approximate location derived from IP, and page context) as described in Google's Privacy Policy (https://policies.google.com/privacy). (EU-US DPF certified.)
- NCMEC / equivalent agencies — where required by law, in the event of a confirmed CSAM hash match.
- Law-enforcement and regulators — only in response to a lawful, properly scoped request, and only the data the request actually covers.
We do not sell personal data and we do not share it with third parties for their own marketing purposes.
8. Where your data lives
Our primary infrastructure runs in the European Union. Some of the service providers listed in section 7 process data in other countries — including the United States. Where required, we rely on the European Commission's Standard Contractual Clauses (or the EU-US Data Privacy Framework, where the provider is certified) to cover those transfers. Providers certified under the EU-US Data Privacy Framework include Google, Cloudflare, Sentry, and Resend. Standard Contractual Clauses are in place with providers not covered by the DPF.
9. How long we keep it
- Original uploaded photo — deleted from our servers within 7 days of successful processing.
- Derived painting assets (index map, palette, thumbnail) — kept as long as the project exists in your gallery, so the painting stays playable.
- Account and balance data — kept while your account is active.
- Deleted accounts — soft-deleted immediately, hard-purged after 30 days (grace period for accidental deletion). Some records may be kept longer where law requires it.
- Payment and transaction records are retained for 7 years to comply with applicable tax and accounting obligations.
- Moderation records related to a confirmed policy violation or legal request are retained for 3 years, after which they are deleted unless a continuing legal obligation requires otherwise.
- Server logs — up to 30 days.
- Crash & error events — retained per the relevant provider's default (typically 90 days).
10. Your rights
Subject to your local law (GDPR / UK GDPR / CCPA / and similar), you can:
- Access the data we hold about you.
- Correct inaccurate data.
- Delete your account and the data tied to it.
- Export a copy of your data in a portable format.
- Object to or restrict processing based on legitimate interests.
- Withdraw consent for crash reporting and personalised ads at any time.
- Lodge a complaint with your local data-protection authority. We would, of course, much prefer you tell us first so we can fix the problem. EU residents can contact their national supervisory authority via edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents can contact the ICO at ico.org.uk/make-a-complaint/.
Most of these are self-service in Settings → Account:
- Export my data — generates a ZIP with your account info, project metadata, thumbnails, and payment history. We email you a download link that's valid for 7 days.
- Delete my account — soft-deletes immediately. After 30 days, all personal data is hard-purged.
For anything not available in-app, email [email protected]. We respond within 30 days, usually much sooner. For complex or multiple requests we may extend this by a further two months; we will inform you within the first 30 days if an extension is needed.
11. Children
Wabihana is not intended for children under 13. We block under-13 sign-ups at the age gate and don't knowingly collect personal data from children. If you are in the European Union or United Kingdom, you must be at least 16 years old to use the Service. If you believe a child has provided personal data, email [email protected] and we will delete it.
12. Security
We use industry-standard measures: HTTPS everywhere, encrypted-at-rest object storage, server-issued signed tokens, hashed credentials, short-lived signed URLs for asset access. No system is perfectly secure; we do our best, and we will tell affected users without unreasonable delay if a breach occurs. Where required by law, we will also notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach.
13. California residents (CCPA / CPRA)
If you live in California you have additional rights, including the right to know what personal information we collect about you and the right to delete it. The controls in section 10 also satisfy these requests. We do not "sell" personal information as that term is defined by the CCPA, and we do not share personal information for cross-context behavioural advertising.
14. Changes to this policy
We may update this policy from time to time. Material changes — for example, expanded data collection, new categories of recipients, or changes that reduce your rights — will be announced in the app or by email at least 30 days before they take effect, so you have a chance to review and, if you disagree, delete your account before they apply. Minor edits (clarifications, typo fixes, contact-detail changes) may take effect immediately.
15. Contact
Wabihana is operated as an individual sole proprietorship based in Vietnam.
Postal address: Lo 121 K98 Tran Nhat Duat, Nha Trang, Khanh Hoa, Vietnam.
Privacy questions, access requests, or anything you'd like us to know: email [email protected].