InstaCheat

Privacy Policy

Last updated: April 15, 2026

1. Data Controller

The data controller responsible for the processing of your personal data is NODE Piotr Nowicki, a sole proprietorship registered under the laws of the Republic of Poland, with its registered address at al. Aleja Komisji Edukacji Narodowej 36, lok. 112B, 02-797 Warszawa, Poland, NIP: 9512304601, REGON: 147233931 (hereinafter "Controller," "we," "us," or "our").

This Privacy Policy is issued pursuant to Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Polish Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws 2018, item 1000, as amended).

For all data protection inquiries, please contact us at: hello@instacheat.io

2. Categories of Personal Data Collected

We collect and process the following categories of personal data:

2.1 Data Provided Directly by You

  • Biometric-adjacent data (facial imagery): Photographs containing your facial likeness ("Source Images") that you voluntarily upload for the purpose of AI image generation. While Source Images contain facial features, they are not processed for biometric identification purposes within the meaning of Article 9(1) GDPR and are therefore processed under Article 6(1)(b) GDPR (contract performance).
  • Payment data: Transaction identifiers, payment method type, billing address (if applicable), and transaction amounts. Full payment card details are processed exclusively by our payment processor, Stripe, Inc., and are never stored on our servers.
  • Communication data: Email address, message content, and metadata when you contact us via email or other communication channels.

2.2 Data Collected Automatically

  • Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
  • Technical request data: Basic request metadata, rate-limiting information, error logs, and session identifiers generated as part of the operation and security of the Service.
  • Cookies and similar technologies: As described in Section 9 of this Policy.

3. Purposes and Legal Bases for Processing

We process your personal data for the following purposes and on the following legal bases under Article 6(1) GDPR. The table below applies to both the free preview (1 photo) and the paid full pack (15 photos) unless otherwise noted:

| Purpose | Legal Basis | Retention |
|---|---|---|
| Provision of AI image generation service (processing Source Images, generating and delivering content) | Art. 6(1)(b) — performance of a contract | Source Images: processed in-memory, not persisted to disk, discarded promptly after generation (see Section 4). Generated Content: delivered directly to your browser during the active session and not intentionally retained by us after delivery. |
| Payment processing, transaction records, and checkout legal acknowledgements | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation (tax/accounting) | Payment records: 5 years from end of fiscal year (Polish Accounting Act, Art. 74). Checkout legal acknowledgements: for the period necessary to establish, exercise, or defend legal claims. |
| Customer support and communication | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interest | Duration of correspondence + 12 months |
| Fraud prevention, abuse detection, and security | Art. 6(1)(f) — legitimate interest | 12 months |
| Basic infrastructure, security, and performance logging | Art. 6(1)(f) — legitimate interest | Only for as long as reasonably necessary for security, troubleshooting, and abuse prevention |
| Compliance with legal obligations (tax, regulatory) | Art. 6(1)(c) — legal obligation | As required by applicable law |
| Establishment, exercise, or defense of legal claims | Art. 6(1)(f) — legitimate interest | Duration of statute of limitations (generally 3 years under Polish Civil Code, Art. 118) |

4. Source Image Processing — Specific Safeguards

Given the sensitive nature of facial imagery, we implement the following specific safeguards for Source Image processing. These safeguards apply equally to free preview generation and paid pack generation.

  • Purpose limitation: Source Images are used solely for the purpose of generating the requested AI content. They are not used for facial recognition, biometric profiling, surveillance, or any other secondary purpose.
  • Transient processing: Source Images are processed in-memory and are not written to persistent storage on our servers. They are held only for the duration of the generation process and discarded promptly after completion — typically within minutes. Generated Content is delivered directly to your browser during the active session. Source Images are transmitted to our AI sub-processor (Google Gemini API) for real-time processing; Google's data retention practices for API inputs are governed by their terms of service and data processing agreements.
  • No training use: We do not use your Source Images or Generated Content containing your likeness to train AI models. We do not control whether our third-party AI sub-processors use API inputs for their own model improvement; however, we select providers whose API terms exclude training on customer data (see Google's Cloud Data Processing Addendum).
  • Encryption in transit: All Source Images are transmitted over encrypted connections (TLS 1.2 or higher).
  • Access controls: Source Images are processed by automated systems and are not routinely accessed by personnel. Human access may occur only in exceptional circumstances (e.g., investigating a reported technical failure), subject to strict access controls and logging.

5. Recipients and Data Transfers

We share personal data with the following categories of recipients:

5.1 Sub-processors

  • Google LLC (United States) — AI model provider for image generation. Source Images are transmitted to Google's Gemini API for processing. Data transfer to the US is governed by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914.
  • Stripe, Inc. (United States) — Payment processing. Stripe is PCI DSS Level 1 certified. Data transfer governed by EU-US Data Privacy Framework and SCCs.
  • Vercel, Inc. (United States) — Website hosting and infrastructure. Data transfer governed by SCCs.

5.2 International Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • Adequacy decisions by the European Commission (Art. 45 GDPR)
  • Standard Contractual Clauses adopted by the European Commission (Art. 46(2)(c) GDPR)
  • EU-US Data Privacy Framework certification (where applicable)

Copies of the relevant safeguards may be obtained by contacting us at hello@instacheat.io.

6. Your Rights Under GDPR

As a data subject, you have the following rights under Articles 15–22 of the GDPR. These rights are not absolute and are subject to the conditions and exceptions set out in the GDPR:

  • Right of access (Art. 15): You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access such data and receive a copy thereof.
  • Right to rectification (Art. 16): You have the right to obtain the rectification of inaccurate personal data without undue delay.
  • Right to erasure (Art. 17): You have the right to obtain the erasure of personal data where one of the grounds specified in Article 17(1) applies (e.g., data is no longer necessary for the purposes for which it was collected).
  • Right to restriction of processing (Art. 18): You have the right to obtain restriction of processing where one of the conditions in Article 18(1) applies.
  • Right to data portability (Art. 20): You have the right to receive personal data you have provided in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to object (Art. 21): You have the right to object, on grounds relating to your particular situation, to the processing of personal data based on Article 6(1)(f) (legitimate interest). You also have the right to object to processing for direct marketing purposes at any time.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right not to be subject to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The AI image generation process does not constitute automated decision-making within the meaning of Article 22 GDPR.

To exercise any of these rights, please contact us at hello@instacheat.io. We will respond within one month of receiving your request, as required by Article 12(3) GDPR, subject to extension by two further months where necessary given the complexity of the request.

7. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).

The competent supervisory authority for the Controller is:

Prezes Urzędu Ochrony Danych Osobowych (PUODO)

President of the Personal Data Protection Office

ul. Stawki 2, 00-193 Warszawa, Poland

Website: https://uodo.gov.pl

8. Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including but not limited to:

  • Encryption of personal data in transit (TLS 1.2+) and use of industry-standard encryption for data at rest where applicable
  • Access controls based on the principle of least privilege
  • Transient, in-memory processing of Source Images with no persistent server-side storage
  • Incident response procedures for personal data breaches (Art. 33–34 GDPR)
  • Delegation of payment processing to PCI DSS compliant infrastructure (Stripe)

9. Cookies and Tracking Technologies

We use cookies and similar technologies in accordance with Directive 2002/58/EC (ePrivacy Directive) as transposed into Polish law by the Telecommunications Act of 16 July 2004 (Art. 173).

9.1 Categories of Cookies

  • Strictly necessary cookies: Required for the operation of the Service (e.g., session management, security tokens). These do not require consent under Article 5(3) of the ePrivacy Directive.
  • No non-essential cookies at present: As of the date of this Policy, we do not intentionally deploy analytics, advertising, or personalization cookies that are not strictly necessary for the operation of the Service.

9.2 Cookie Management

You can manage cookie preferences at any time through your browser settings. Disabling certain strictly necessary cookies may affect the functionality of the Service. Most browsers allow you to refuse or accept cookies, delete existing cookies, and set preferences for certain websites. If we introduce non-essential cookies in the future, we will update this Policy and, where required, request consent before deploying them.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will take immediate steps to delete such data from our systems. If you believe we may have collected data from a child, please contact us at hello@instacheat.io.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by posting the updated policy on the Service with a revised "Last updated" date. Where required by applicable law, we will obtain your renewed consent for material changes to the processing of your personal data.

12. Contact Information

For any questions regarding this Privacy Policy or the processing of your personal data, please contact:

NODE Piotr Nowicki

al. Aleja Komisji Edukacji Narodowej 36, lok. 112B

02-797 Warszawa, Poland

NIP: 9512304601 | REGON: 147233931

Email: hello@instacheat.io