PRIVACY POLICY

Last Updated: February 21, 2026

ImagineIf ("we", "us", "our", "Platform"), operated individually by Tugay Pala, values the privacy of our users. This Privacy Policy explains how we collect, use, protect, and share personal data through the imagineif.app website and mobile application ("Service").

By using the Service, you consent to the processing of your personal data as described in this Privacy Policy. If you do not agree, please do not use the Service.

1. DATA WE COLLECT

1.1 Data You Provide Directly

• Account information: name, email address, username, profile photo
• When signing in via Google OAuth or Apple Sign-In: name, email, and profile picture associated with your account
• Content data: story chains you create, contributions, comments, votes, and likes
• Communication data: support requests, feedback, and email correspondence
• Subscription preferences (your payment details are processed directly by Paddle; we do not store your credit card or bank information)

1.2 Data Collected Automatically

• Device information: IP address, browser type and version, operating system, device identifiers
• Usage data: pages visited, click behavior, session duration, interaction patterns
• Location data: approximate location based on your IP address (country and city level)
• Cookies and similar technologies: session cookies, preference cookies, analytics cookies
• Notification data: push notification tokens, email open and click rates

1.3 Data from Third Parties

• Google OAuth / Apple Sign-In: authentication information
• Paddle: payment status and subscription information
• Analytics services: aggregated usage statistics

2. HOW WE USE YOUR DATA

We use the personal data we collect for the following purposes:

1. To create, manage, and secure your account
2. To provide Service functionality (story chains, contributions, AI image generation)
3. To deliver personalized content and recommendations
4. To send notifications (push notifications, email digests, re-engagement emails)
5. To manage payment transactions and track your subscription status
6. To perform content moderation and ensure platform safety
7. To improve the Service, conduct analysis, and optimize performance
8. To fulfill our legal obligations
9. To prevent fraud and abuse
10. To provide customer support

2.1 Legal Basis for Processing (GDPR)

For users in the European Economic Area, our legal bases for processing are:

• Contract performance: processing necessary to provide the Service you signed up for
• Legitimate interests: analytics, security, fraud prevention, and service improvement
• Consent: marketing communications, non-essential cookies, and push notifications
• Legal obligation: tax records, fraud prevention, and regulatory compliance

3. AI DATA PROCESSING

3.1 AI Image Generation

Images are generated by AI based on your story segments. The text you write is sent to third-party AI service providers for image generation purposes only. This text is not used for any other purpose.

3.2 AI Content Moderation

Your contributions are automatically reviewed by AI-based moderation systems to ensure platform safety and content quality. This review is conducted to detect hate speech, spam, inappropriate content, and off-topic contributions.

3.3 AI Training

Your user data is not used for training any AI models. Under our agreements with AI service providers, data transmitted through our Platform is not used for model training.

4. DATA SHARING AND TRANSFERS

4.1 Third-Party Service Providers

We may share your personal data with service providers in the following categories:

• Hosting and infrastructure services (Vercel, server providers)
• Payment processing (Paddle as Merchant of Record)
• Email services (Gmail SMTP, Cloudflare Email Routing)
• AI service providers (for image generation and content moderation)
• Analytics services (anonymous and aggregated data)
• DNS and security services (Cloudflare)

4.2 Legal Requirements

We may share your personal data with authorities in the following circumstances:

• To fulfill a legal obligation
• In response to a court order or legal process
• To protect the safety of users or the public
• To protect the rights and property of the Platform

4.3 International Data Transfers

Our Service is provided globally. Your personal data may be processed on servers outside your country. We apply Standard Contractual Clauses (SCCs) and other appropriate safeguards to protect your data during these transfers.

5. DATA SECURITY

We implement the following technical and organizational measures to protect your personal data:

• HTTPS/SSL encryption for data transmission
• JWT and HMAC-based authentication
• Password hashing with bcrypt
• Rate limiting and DDoS protection
• Protection against SQL injection, XSS, and other attack vectors
• Regular security testing and audits
• Access control and authorization mechanisms
• Regular data backups

While no method of internet transmission or electronic storage is 100% secure, we apply commercially acceptable security standards to protect your data.

6. DATA RETENTION

We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy:

• Account information: as long as your account is active, plus 30 days after account deletion
• Content data: as long as your account is active (including hidden/archived chains)
• Usage data: up to 24 months
• Payment records: up to 5 years as required by law
• Communication records: up to 2 years
• Log records: up to 12 months

7. YOUR RIGHTS

7.1 All Users

All our users have the following rights:

• Right to information: learn what personal data is being processed
• Right of access: request a copy of your personal data
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data
• Right to object: object to data processing
• Right to data portability: receive your data in a structured, machine-readable format
• Right to manage your notification preferences

7.2 European Union Residents (GDPR)

If you reside in the EU, you have additional rights under GDPR. For details, please see our GDPR Notice. You may also lodge a complaint with your local data protection authority.

7.3 Turkish Residents (KVKK)

For your rights under Law No. 6698 (KVKK), please see our KVKK Notice.

8. COOKIES

We use cookies and similar technologies to provide and improve the Service. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.

9. CHILDREN'S PRIVACY

Our Service is not intended for children under the age of 13. We do not knowingly collect personal data from individuals under 13. If you become aware that a child under 13 has provided us with personal data, please contact us and we will delete the relevant data immediately.

Users between 13-18 years of age may use the Service with parental or guardian consent.

10. POLICY CHANGES

We may update this Privacy Policy from time to time. When significant changes are made, we will notify you by email or through a notification on the Platform. Your continued use of the Service after changes are published means you accept the updated policy.

11. CONTACT US

For all privacy-related questions and requests:

• Email: hey@imagineif.app
• Website: https://imagineif.app

We will respond to your requests within 30 days.