InstaCheat← Back
Legal

Privacy Policy

Last updated · April 21, 2026
01

Data Controller

The data controller responsible for the processing of your personal data is NODE Piotr Nowicki, a sole proprietorship registered under the laws of the Republic of Poland, with its registered address at al. Aleja Komisji Edukacji Narodowej 36, lok. 112B, 02-797 Warszawa, Poland, NIP: 9512304601, REGON: 147233931 (hereinafter "Controller," "we," "us," or "our").

This Privacy Policy is issued pursuant to Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Polish Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2018, item 1000, as amended).

For all data protection inquiries, please contact us at hello@instacheat.io.

02

Categories of Personal Data Collected

We collect and process the following categories of personal data:

2.1 · Data Provided Directly by You
  • Biometric-adjacent data (facial imagery): Photographs containing your facial likeness ("Source Images") that you voluntarily upload for the purpose of AI image generation. While Source Images contain facial features, they are not processed for biometric identification purposes within the meaning of Article 9(1) GDPR and are therefore processed under Article 6(1)(b) GDPR (contract performance).
  • Payment data: Transaction identifiers, payment method type, billing address (if applicable), and transaction amounts. Full payment card details are processed exclusively by our payment processor, Stripe, Inc., and are never stored on our servers.
  • Communication data: Email address, message content, and metadata when you contact us via email or other communication channels.
  • Archive opt-in data (email + pack reference): If, after a successful purchase, you voluntarily provide an email address on the delivery page to enable the optional Pack Archive feature, we store that email together with the purchase session identifier and pack metadata so we can email you a time-limited download link and you can later recover the pack you purchased. See Section 3 and Section 5.1 for retention and sub-processors.
2.2 · Data Collected Automatically
  • Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Technical request data: Basic request metadata, rate-limiting information, error logs, and session identifiers generated as part of the operation and security of the Service.
  • Cookies and similar technologies: As described in Section 9 of this Policy.
03

Purposes and Legal Bases for Processing

We process your personal data for the following purposes and on the following legal bases under Article 6(1) GDPR. The table below applies to both the free preview (1 photo) and the paid full pack (15 photos) unless otherwise noted:

PurposeLegal BasisRetention
Provision of AI image generation service (processing Source Images, generating and delivering content)Art. 6(1)(b) — performance of a contractSource Images: processed in-memory, not persisted to disk, discarded promptly after generation (see Section 4). Generated Content: delivered directly to your browser during the active session and not intentionally retained by us after delivery, except where you opt in to the Pack Archive feature (see next row).
Optional Pack Archive — storage of the delivered pack (ZIP) together with your email and purchase reference, to enable self-service re-downloadArt. 6(1)(a) — explicit consent; Art. 6(1)(b) — contract performanceUp to 90 days from the time you submit the email. After 90 days the archive is deleted automatically. You may request earlier deletion at any time by writing to hello@instacheat.io.
Abuse prevention counters (rate limiting of free preview and API endpoints)Art. 6(1)(f) — legitimate interestShort-lived counters keyed to your IP address; typically 5 minutes to 24 hours, then auto-expired.
Payment processing, transaction records, and checkout legal acknowledgementsArt. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (tax/accounting)Payment records: 5 years from end of fiscal year (Polish Accounting Act, Art. 74). Checkout legal acknowledgements: for the period necessary to establish, exercise, or defend legal claims.
Customer support and communicationArt. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interestDuration of correspondence + 12 months
Fraud prevention, abuse detection, and securityArt. 6(1)(f) — legitimate interest12 months
Compliance with legal obligations (tax, regulatory)Art. 6(1)(c) — legal obligationAs required by applicable law
Establishment, exercise, or defense of legal claimsArt. 6(1)(f) — legitimate interestDuration of statute of limitations (generally 3 years under Polish Civil Code, Art. 118)
04

Source Image Processing — Specific Safeguards

Given the sensitive nature of facial imagery, we implement the following specific safeguards for Source Image processing. These safeguards apply equally to free preview generation and paid pack generation.

  • Purpose limitation: Source Images are used solely for the purpose of generating the requested AI content. They are not used for facial recognition, biometric profiling, surveillance, or any other secondary purpose.
  • Transient processing: Source Images are processed in-memory and are not written to persistent storage on our servers. They are held only for the duration of the generation process and discarded promptly after completion — typically within minutes. Generated Content is delivered directly to your browser during the active session. Source Images are transmitted to our AI sub-processor (Google Gemini API) for real-time processing; Google's data retention practices for API inputs are governed by their terms of service and data processing agreements.
  • No training use: We do not use your Source Images or Generated Content containing your likeness to train AI models. We do not control whether our third-party AI sub-processors use API inputs for their own model improvement; however, we select providers whose API terms exclude training on customer data.
  • Encryption in transit: All Source Images are transmitted over encrypted connections (TLS 1.2 or higher).
  • Access controls: Source Images are processed by automated systems and are not routinely accessed by personnel. Human access may occur only in exceptional circumstances (e.g., investigating a reported technical failure), subject to strict access controls and logging.
05

Recipients and Data Transfers

We share personal data with the following categories of recipients:

5.1 · Sub-processors
  • Google LLC (United States) — AI model provider for image generation. Source Images are transmitted to Google's Gemini API for processing. Data transfer to the US is governed by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914.
  • Stripe, Inc. (United States) — Payment processing (both the initial pack purchase and any optional in-session regeneration charges). Stripe is PCI DSS Level 1 certified. Data transfer governed by EU-US Data Privacy Framework and SCCs.
  • Vercel, Inc. (United States) — Website hosting and infrastructure. Vercel also provides the Vercel Blob storage service used to hold the opt-in Pack Archive (private blobs, token-gated). Data transfer governed by SCCs.
  • Upstash, Inc. (United States) — Serverless Redis / key-value store used to hold abuse-prevention counters, Pack Archive index (email ↔ token mapping), and payment-intent replay guards. Data transfer governed by SCCs.
  • Resend, Inc. (United States) — Transactional email delivery, used only to send the Pack Archive confirmation and recovery-link emails to addresses that you voluntarily provide. Data transfer governed by SCCs.
  • Functional Software, Inc. d/b/a Sentry (United States) — Application error monitoring and performance tracing. We forward technical exception data (stack traces, browser and environment metadata, request URLs, and — for a statistical sample of sessions or sessions that encountered an error — session-replay recordings of the affected page. Sensitive form inputs are masked by default) so we can diagnose and fix defects. Retention is capped at 90 days. Data transfer governed by SCCs.
  • Meta Platforms Ireland Limited (Ireland; onward transfers to Meta Platforms, Inc. in the United States) — Advertising measurement and audience building via the Meta Pixel. Loaded only after your explicit opt-in consent (see Section 9). When active, transmits pageview and event data including IP address, browser user agent, and referring URL. Joint controllership under Art. 26 GDPR; US onward transfers governed by EU-US Data Privacy Framework and SCCs.
5.2 · International Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • Adequacy decisions by the European Commission (Art. 45 GDPR)
  • Standard Contractual Clauses adopted by the European Commission (Art. 46(2)(c) GDPR)
  • EU-US Data Privacy Framework certification (where applicable)

Copies of the relevant safeguards may be obtained by contacting us at hello@instacheat.io.

06

Your Rights Under GDPR

As a data subject, you have the following rights under Articles 15–22 of the GDPR. These rights are not absolute and are subject to the conditions and exceptions set out in the GDPR:

  • Right of access (Art. 15): You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access such data and receive a copy thereof.
  • Right to rectification (Art. 16): You have the right to obtain the rectification of inaccurate personal data without undue delay.
  • Right to erasure (Art. 17): You have the right to obtain the erasure of personal data where one of the grounds specified in Article 17(1) applies.
  • Right to restriction of processing (Art. 18): You have the right to obtain restriction of processing where one of the conditions in Article 18(1) applies.
  • Right to data portability (Art. 20): You have the right to receive personal data you have provided in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to object (Art. 21): You have the right to object, on grounds relating to your particular situation, to the processing of personal data based on Article 6(1)(f) (legitimate interest). You also have the right to object to processing for direct marketing purposes at any time.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right not to be subject to automated decision-making (Art. 22): The AI image generation process does not constitute automated decision-making within the meaning of Article 22 GDPR.

To exercise any of these rights, please contact us at hello@instacheat.io. We will respond within one month of receiving your request, as required by Article 12(3) GDPR, subject to extension by two further months where necessary given the complexity of the request.

07

Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

The competent supervisory authority for the Controller is:

Prezes Urzędu Ochrony Danych Osobowych (PUODO)
President of the Personal Data Protection Office
ul. Stawki 2, 00-193 Warszawa, Poland
08

Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including but not limited to:

  • Encryption of personal data in transit (TLS 1.2+) and use of industry-standard encryption for data at rest where applicable
  • Access controls based on the principle of least privilege
  • Transient, in-memory processing of Source Images with no persistent server-side storage
  • Incident response procedures for personal data breaches (Art. 33–34 GDPR)
  • Delegation of payment processing to PCI DSS compliant infrastructure (Stripe)
09

Cookies and Tracking Technologies

We use cookies and similar technologies in accordance with Directive 2002/58/EC (ePrivacy Directive) as transposed into Polish law by the Telecommunications Act of 16 July 2004 (Art. 173).

9.1 · Categories of Cookies
  • Strictly necessary cookies: Required for the operation of the Service (e.g., session management, security tokens). These do not require consent under Article 5(3) of the ePrivacy Directive.
  • Advertising and measurement cookies (consent-gated): With your explicit opt-in consent, we deploy the Meta Pixel (operated by Meta Platforms Ireland Limited) to measure the effectiveness of our advertising campaigns on Facebook and Instagram and to build audiences for future campaigns. The Meta Pixel sets cookies on your device (such as _fbp) and transmits event data to Meta, including your IP address, browser user agent, referring URL, and pages viewed on our Service. Legal basis: Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy Directive — consent. The Meta Pixel is not loaded until you click "Accept" in our cookie banner. You may withdraw consent at any time by clearing the cookie-consent entry from your browser's local storage and declining on the next visit, or by blocking third-party cookies in your browser. For more information on Meta's processing, see Meta's Privacy Policy.
  • Browser-local transient storage (not a cookie): The Service uses your browser's sessionStorage to pass your uploaded Source Images from the checkout flow to the delivery page after payment, and localStorage to record your cookie consent choice. This data lives entirely on your device, is never transmitted to our servers as a persistent cookie, and (for the selfie data) is cleared automatically when the generation completes or the browser tab is closed. No consent is required under Art. 5(3) ePrivacy because the storage is strictly necessary for the service explicitly requested by you.
9.2 · Cookie Management

On your first visit we present a cookie banner with equally prominent "Accept" and "Decline" controls. No advertising or measurement cookies are set before you make an active choice. You may change your preference at any time using the button below, which clears your stored choice and re-opens the banner immediately. You can also manage cookie preferences through your browser settings. Disabling strictly necessary cookies may affect the functionality of the Service.

9.3 · Joint Controllership with Meta

When you consent to the Meta Pixel, Meta Platforms Ireland Limited and the Controller act as joint controllers within the meaning of Article 26 GDPR for the collection and transmission of event data. The essential terms of this joint controllership are set out in the Meta Controller Addendum. You may exercise your data subject rights against either controller.

10

Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will take immediate steps to delete such data from our systems. If you believe we may have collected data from a child, please contact us at hello@instacheat.io.

11

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on the Service with a revised "Last updated" date. Where required by applicable law, we will obtain your renewed consent for material changes to the processing of your personal data.

12

Contact Information

For any questions regarding this Privacy Policy or the processing of your personal data, please contact:

NODE Piotr Nowicki
al. Aleja Komisji Edukacji Narodowej 36, lok. 112B
02-797 Warszawa, Poland
NIP: 9512304601 · REGON: 147233931
← Back to InstaCheat