1. Information We Collect

1.1 Account Information

What we collect:

Email address (required for account creation)
Display name (optional)
Profile picture / avatar (optional)
Profile preferences and settings
Account creation and last login dates

Why we collect it:

To provide and maintain your account
To communicate important service updates
To provide customer support
To prevent fraud and abuse

1.2 Payment and Billing Information

What we collect directly:

Billing email address
Subscription tier and status
Token purchase history and balance
Stripe customer ID (encrypted identifier)
General billing preferences

What Stripe collects on our behalf:

Credit card information (tokenized)
Billing address
Payment method details
Transaction history and receipts

Important: We never store full credit card numbers. All payment processing is handled securely by Stripe, our PCI-compliant payment processor.

1.3 Images and Content

Photos you upload for coloring page generation
Text prompts submitted through "Surprise Me" feature
Generated coloring page images
Albums and album metadata (titles, descriptions, public/private status)
Booklets and PDFs you create from coloring pages

1.4 Social Activity Data

Likes on coloring pages and albums
Comments you post
User follows and follower relationships
Content shared via social sharing features

1.5 Technical and Usage Data

IP address (used for rate limiting and fraud prevention)
Browser fingerprint for anonymous user rate limiting (screen resolution, timezone, language, browser type)
Device type, operating system, and browser information
Pages visited and features used
Session duration and interaction patterns
Performance metrics (page load times, generation times)
Error logs and crash reports

1.6 Camera Access

The Service may request access to your device camera for capturing photos to convert into coloring pages
Camera access is optional and requires your explicit permission
Photos captured are processed the same way as uploaded photos
We do not access your camera without your knowledge or consent

1.7 Local Storage and Offline Data

Browser localStorage is used to cache images, queue offline operations, and store preferences
Service worker caches are used for offline PWA functionality
Browser fingerprint identifier stored locally for rate limiting consistency
This data remains on your device and is not transmitted unless you initiate a sync operation

2. How We Use Your Information

2.1 Service Provision

Account Management: Maintain your account, profile, and preferences
AI Processing: Generate coloring pages from uploaded photos or text prompts using Google Gemini AI
Billing: Process payments, manage subscriptions and tokens, and handle refunds via Stripe
Communication: Send service updates, receipts, and support responses
Social Features: Display your likes, comments, follows, and profile to other users as applicable
Offline Sync: Process queued operations when your device reconnects to the internet

2.2 Service Improvement

AI Enhancement: Improve our coloring page generation quality (we do not use your photos to train AI models)
Feature Development: Develop new features based on aggregate usage patterns
Performance Optimization: Monitor and improve service speed and reliability
Quality Assurance: Test new features and fix bugs

2.3 Security and Compliance

Fraud Prevention: Monitor for suspicious activity and prevent abuse using IP addresses and browser fingerprints
Rate Limiting: Enforce usage limits per user, IP address, and browser fingerprint to prevent service abuse
Legal Compliance: Meet regulatory requirements and respond to legal requests
Security Monitoring: Protect against unauthorized access and data breaches

3. Third-Party Services

3.1 Google AI (Gemini)

Your uploaded photos are sent to Google Gemini AI models for coloring page generation
Text prompts from "Surprise Me" are sent to Google Gemini AI
Google's data processing is governed by Google's Privacy Policy
We use the API in a way that does not allow Google to use your data for model training

3.2 Stripe (Payments)

We partner with Stripe, a PCI DSS Level 1 certified payment processor:

No Card Storage: We never store your full credit card information
Tokenization: Payment methods are tokenized for security
Encryption: All payment data is encrypted in transit and at rest
Stripe's data handling is governed by Stripe's Privacy Policy

3.3 Firebase (Infrastructure)

User authentication is managed through Firebase Authentication
Data is stored in Firebase Firestore and Firebase Storage
Firebase services are provided by Google and governed by Firebase's Privacy Policy

3.4 What We Store vs. What Third Parties Store

We store (in Firebase):

Account profile and preferences
Generated images and albums
Social data (likes, comments, follows)
Stripe customer ID
Subscription status and token balance
Rate limit tracking data

Third parties store:

Stripe: Full payment method and transaction details
Google AI: Temporary processing of images/prompts
Firebase Auth: Authentication credentials

4. Cookies and Tracking Technologies

Authentication Cookies: Used to maintain your login session
Local Storage: Used to store preferences, offline queue, cached images, and browser fingerprint
Service Worker: Used for PWA functionality and offline caching of previously viewed content
Browser Fingerprinting: Used to identify anonymous users for rate limiting purposes; based on screen resolution, timezone, language, browser type, and hardware characteristics
We do not use third-party advertising or tracking cookies
We do not sell your data to advertisers

5. Data Security

5.1 Technical Safeguards

Encryption: All data encrypted in transit (TLS) and at rest
Access Controls: Role-based access with admin verification

Server-side Enforcement: All rate limiting and access control enforced server-side
Secure Infrastructure: Hosted on Firebase/Google Cloud infrastructure

5.2 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users within 72 hours
Notification will be sent via email and/or prominent notice on the Service
We will provide details of the breach and recommended protective actions

6. Your Privacy Rights

6.1 Access and Control

You have the right to:

Access: View all personal information we have about you
Correction: Update or correct inaccurate information
Deletion: Request deletion of your personal information
Portability: Export your data in machine-readable format
Objection: Object to certain processing activities
Restriction: Request restriction of processing in certain circumstances

6.2 Account Controls

In your account settings, you can:

Update personal information, display name, and profile picture
Manage payment methods and billing information
Set albums to public or private
Delete your account and associated data

6.3 Exercising Your Rights

To exercise your privacy rights:

Email: privacy@coloringit.com
Account Settings: Most rights can be exercised directly in your account
Response Time: We respond to requests within 30 days
Verification: We may need to verify your identity for security

7. Data Retention

Account Data

Active accounts: Retained while active
Inactive accounts: Deleted after 3 years
Deletion requests: Processed within 30 days

Payment Data

Transaction records: 7 years (legal requirement)
Payment methods: Deleted when removed
Billing history: Available during retention period

Usage and Content Data

Generated images: Retained until deleted by user or account deletion
Analytics: Anonymized data retained indefinitely
Rate limit logs: Retained for 90 days
Social data: Deleted with account

8. Children's Privacy

The Service is designed to be family-friendly but account creation requires users to be at least 13 years old
We do not knowingly collect personal information from children under 13
If you believe a child under 13 has provided us personal information, please contact us at privacy@coloringit.com
Parents or guardians may use the Service on behalf of their children under their own account

9. International Data Protection

9.1 GDPR (European Users)

Data Controller: Spare Matter Corp is the data controller for your personal information
Legal Basis: Legitimate interest, contract performance, and consent
Data Transfers: Data may be transferred to and processed in the United States where our infrastructure is hosted
Supervisory Authority: Right to file complaints with your local data protection authority

9.2 CCPA (California Users)

Categories of Information: Detailed in Section 1 above
Sale of Information: We do not sell personal information
Right to Know: You may request details about data collection and use
Right to Delete: You may request deletion of your personal information
Non-Discrimination: We will not discriminate against you for exercising CCPA rights

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements
Material changes will be communicated via email or prominent notice on the Service
The "Effective Date" at the top indicates when the policy was last updated
Continued use of the Service after changes constitutes acceptance

11. Contact Information

Spare Matter Corp

Operating as Coloring It

Privacy Inquiries

Email: privacy@coloringit.com

Response time: 30 days maximum

General Support

Email: support@coloringit.com

Billing: billing@coloringit.com

Summary for Quick Reference

Key Points:

✓Payment Security: All payments secured by Stripe (PCI Level 1)
✓Data Minimization: We collect only what's necessary
✓User Control: Access, correct, or delete your data
✓No Ads: We don't use advertising or tracking cookies

✓No Selling: We never sell your personal information
✓Security: Encryption in transit and at rest
✓Compliance: GDPR, CCPA, and COPPA compliance
✓Family-Safe: Designed with children's privacy in mind

Questions? Contact us at privacy@coloringit.com