How Image Studio handles your data.

1. Who we are

The publisher of Muchita AI Image Studio is the Muchita AI team. We are the data controller for any personal data processed in connection with the app. A registered legal entity has not yet been incorporated; when it is, this section and any related references in our Terms will be updated and the policy version will be bumped so you are asked to review the change in‑app.

For any privacy question or data‑rights request, contact privacy@muchita.ai.

2. Scope

This policy applies to the Muchita AI Image Studio app for Android, including its on‑device features, the model and update services it talks to, and the optional feedback form built into the app. It does not cover third‑party services you reach by sharing an image out of the app (for example a messaging app, social network, or cloud drive); those services have their own privacy policies.

3. Data processed on your device only

The following data stays on your device and is never sent to us or any third party by the app itself:

• Photos you import from your gallery, camera, clipboard, or via Android share.
• Text prompts, sketches, masks, edit history, and undo/redo state.
• Images generated, edited, or upscaled by the app.
• Downloaded AI model files, stored in app‑private storage.
• Your settings and your consent choices.
• Temporary working files used by the editor and the on‑device AI runtime.

This data lives on your device until you delete it (by deleting outputs, clearing app data in Android settings, or uninstalling). Images you explicitly save are written to your device photo library and are then governed by Android's normal photo handling.

4. Data sent over the network

The app makes a small number of network requests. Each is described below, including what is transmitted, the purpose, the recipient, the legal basis under GDPR Article 6, and how long the recipient retains the information.

a. Model files and catalog

On launch and periodically thereafter, the app contacts image-studio-assets.muchita.ai to fetch a catalog of available AI models for your device's chipset and to download the model files themselves. The request body contains no user identifiers; the catalog request includes only the chipset family needed to choose the right model.

• Recipient: Muchita AI hosting infrastructure and its content‑delivery provider.
• Standard technical data visible to the recipient: your IP address, request time, app version, and User‑Agent string. This is unavoidable for any HTTPS request and is retained only as long as needed for security and abuse prevention.
• Purpose: deliver the on‑device AI runtime; without these files the app cannot generate or edit images.
• Legal basis (GDPR Art. 6(1)(b)): performance of our agreement with you to make the app work.

b. Update check

On launch the app reads https://muchita.ai/app/image-studio/update-manifest.json to learn the minimum supported version. The request body contains no user data.

• Recipient: Muchita AI hosting (Cloudflare Pages).
• Standard technical data visible to the recipient: as described above.
• Purpose: prompt you to update when an old version is no longer supported.
• Legal basis (GDPR Art. 6(1)(f)): our legitimate interest in keeping the app secure and functional.

c. Usage analytics — only if you opt in

If you turn on usage analytics, the app sends event data to Firebase Analytics (a Google service). Events include: app version, app build, locale, device model and chipset (SoC), generation‑stage timings, which features were used, screen interactions, and an anonymous Firebase‑assigned install identifier. The event body does not include your photos, prompts, masks, generated images, name, email, phone number, or precise location.

• Recipient: Google Ireland Limited and Google LLC (as joint processors of Firebase Analytics).
• Purpose: understand which features are used and how fast on‑device generation runs on different devices, so we can prioritise improvements.
• Legal basis (GDPR Art. 6(1)(a)): your explicit consent, given by enabling the toggle and revocable at any time in Settings → Data & Privacy.
• Retention: Google's default Firebase Analytics retention is currently 14 months. If you disable analytics, the app instructs Firebase Analytics to stop collection and reset the analytics identifier on the device.

d. Crash reports — only if you opt in

If you turn on crash reports, the app sends crash information to Firebase Crashlytics (a Google service). A crash report includes: Java and native (NDK) stack traces, app version, app build, device model and chipset, operating system version, locale, run‑time labels we attach to identify the failing operation (for example "diffusion step", "model load"), and Crashlytics' anonymous installation identifier. The body does not include your photos, prompts, masks, generated images, name, email, phone number, or precise location.

• Recipient: Google Ireland Limited and Google LLC.
• Purpose: diagnose and fix crashes that affect real users.
• Legal basis (GDPR Art. 6(1)(a)): your explicit consent, given by enabling the toggle and revocable at any time in Settings → Data & Privacy.
• Retention: Firebase Crashlytics retains crash data for up to 90 days. If you disable crash reports, the app instructs Crashlytics to stop collection and delete any unsent reports.

e. Feedback — only when you send it

If you choose "Send us feedback" from the menu, the message you type, plus your app version, app build, and device locale, are sent to Web3Forms, which relays it to the Muchita AI team.

• Recipient: Web3Forms and Muchita AI.
• Purpose: read and respond to your message.
• Legal basis (GDPR Art. 6(1)(b)): taking steps at your request before/during the use of the app.
• Retention: until the conversation is resolved plus up to 12 months, after which it is deleted or anonymised.
• What you should not include: sensitive personal information you do not want us to read, since the message is sent in clear text within the form's HTTPS connection.

5. What we do not collect

• Your name, email address, phone number, or any contact details (we do not have an account system).
• Your generated images, source photos, prompts, masks, or any other creative content.
• Your Android Advertising ID. Advertising identifiers are not read by the app.
• Your precise or approximate location.
• Your contacts, calendar, microphone audio, SMS, call logs, or installed‑app list.
• Your biometric data, health data, financial data, or government identifiers.
• Information from children. The app is restricted to adults 18 and over; see section 11.

6. Android permissions

The app declares the following permissions in AndroidManifest.xml. Android decides which require an on‑screen prompt.

• Internet and network state — to download model files and check for updates.
• Camera — only when you choose to capture a new photo from inside the app.
• Foreground service (data sync) and wake lock — so the model download can continue and the device stays awake while it does.
• Post notifications — to show you the progress of long‑running downloads or generations.

You can revoke any of these permissions at any time in Android Settings. Doing so disables the corresponding feature but does not delete your local data.

7. Sub‑processors and international transfers

We rely on the following service providers. They process data on our instructions under written data‑processing terms.

• Google Ireland Limited / Google LLC — Firebase Analytics, Firebase Crashlytics, Firebase Remote Config (used to deliver model‑catalog configuration; no user data is sent to it).
• Cloudflare, Inc. — hosting and content delivery for muchita.ai, the update manifest, and model files.
• Web3Forms — relay of optional feedback messages.
• Google LLC (Google Play) — distribution of the app on the Play Store; Google Play handles install events, the Play Integrity check, and any future in‑app purchases under its own terms and privacy policy.

These providers operate globally and may process data outside the European Economic Area (EEA), the United Kingdom, or Switzerland — primarily in the United States. Such transfers are protected by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU‑U.S. Data Privacy Framework.

8. Your rights under the GDPR and equivalent laws

Where the GDPR or a comparable law (UK GDPR, Swiss FADP, California CCPA/CPRA, Brazil LGPD, etc.) applies to you, you have the right to:

• Access the personal data we hold about you.
• Rectify data that is inaccurate or incomplete.
• Erase your data ("right to be forgotten") where one of the legal grounds in Art. 17 GDPR applies.
• Restrict our processing of your data in specific circumstances.
• Portability — receive your data in a structured, machine‑readable format.
• Object to processing based on legitimate interests.
• Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Lodge a complaint with a supervisory authority in your country of residence.

Two practical ways to exercise these rights:

1. In the app, open Settings → Data & Privacy and toggle off analytics or crash reports. The app immediately asks Firebase to stop collection and delete locally queued reports.
2. Email privacy@muchita.ai, or follow the steps on the Data Deletion page. We respond within 30 days.

Because the app does not have an account system, identifying your data on our side typically requires details you can give us — for example a feedback message reference, an approximate date, or an analytics installation ID copied from the app's Settings screen.

9. Cookies and similar technologies

The Image Studio app itself does not use cookies. This website is a static site and does not set tracking cookies or use website analytics. Standard HTTPS access logs may exist at the hosting layer for security and abuse prevention.

10. Automated decision‑making and AI outputs

The app uses on‑device machine‑learning models to generate and edit images according to your inputs. These models can produce inaccurate, biased, or unintended results, and outputs may coincidentally resemble real people, brands, or copyrighted works. The app does not make automated decisions that produce legal or similarly significant effects on you within the meaning of Art. 22 GDPR.

11. Adults only

Muchita AI Image Studio is intended for adults aged 18 and over. By installing or using the app you confirm that you are at least 18. We do not knowingly collect data from anyone under 18, and we do not direct the app to children. If you believe a minor has provided us with information, contact privacy@muchita.ai and we will delete it.

12. Security

We use industry‑standard technical and organisational measures, including HTTPS for all network requests, app‑private storage for model files, and signed model‑integrity checks. The app is designed to minimise network exposure of your creative work by performing all generation and editing locally on your device. No method of transmission or storage is perfectly secure, but we work to keep the surface area as small as possible.

13. Advertising and in‑app purchases (future)

The current release does not show advertising and does not contain in‑app purchases. We may in the future offer an optional paid upgrade through Google Play, and we may show advertising in a free tier. If we add either, we will:

• Update this Privacy Policy to describe the data flows involved.
• Bump the policy version so the app re‑prompts you in‑app before any new data is collected.
• Where consent is required (for example for personalised advertising in the EEA/UK), present a clear consent prompt.

14. Changes to this policy

We may update this Privacy Policy when the app or our practices change. Material changes increase the version number shown at the top of this page. The app stores which version you accepted and will re‑prompt you on the next launch when a newer version is in effect. You can also revisit this page anytime from Settings → Data & Privacy → View Privacy Policy.

15. Contact

For any question, request, or complaint about your data, email privacy@muchita.ai. We do our best to respond within 30 days.

See also: Terms of Service · Data Deletion.