Privacy Policy

This Privacy Policy explains how ZEITARC ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the LINEORA mobile application ("App"). This Policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data-protection laws.

LINEORA converts photos to line drawings using AI image generation. To produce a drawing, the App uploads your photo over a TLS-encrypted connection directly to ZEITARC's cloud storage (Hetzner Object Storage in the European Union), using a short-lived signed URL issued by our API. A background service then sends a copy of the stored photo to third-party AI image-generation providers for stylization and writes the generated drawing back to your cloud library, where the App fetches it for display. We have designed the App so that the information we hold about you is pseudonymous: your account is identified only by a random UUID, never by a name or email, unless you choose to provide one (for example, when contacting support).

Important: By using LINEORA, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the App.

1. Data Controller

The data controller responsible for your personal data is:

ZEITARC Islamabad, Pakistan Website: zeitarc.com

As the data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with applicable data-protection laws.

1.1 EU Representative (Article 27 GDPR)

ZEITARC is based outside the European Union. Under GDPR Article 27(2)(a), a representative in the EU is not required where processing is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of data subjects.

We believe this exemption applies to LINEORA because:

• We do maintain a server-side record of your account — a randomly generated UUID, your remaining credit balance, your uploaded photos and generated drawings, sketch metadata, push-notification tokens, support correspondence, and legal acceptances — but this record is pseudonymous: it is not linked to your name, email, government ID, or any other real-world identifier unless you choose to share one with us. Storage of your photos and drawings is hosted within the European Union (Hetzner Object Storage), is encrypted in transit and at rest, and is accessible only via short-lived signed URLs issued to your authenticated session.
• We do not process special categories of personal data (such as health data) within the App.
• The nature, context, and scope of our processing is unlikely to result in a risk to the rights and freedoms of data subjects, given the technical and organisational safeguards we have in place.

We keep this assessment under regular review. Should our processing activities change in nature or scale, we will appoint an EU representative and update this Policy accordingly. In the meantime, you may contact us directly at privacy.line@zeitarc.com for any data-protection matters.

2. Personal Data We Process

We process the categories of personal data described below.

2.1 Photos and Generated Drawings

When you select a photo and tap a style, the App reads the photo from your camera or photo library, downscales it to a maximum dimension of 1500 pixels to limit upload size, and uploads the resulting image over a TLS-encrypted connection directly to ZEITARC's cloud storage (Hetzner Object Storage in the European Union) using a short-lived signed URL issued by our API. A background service then sends a copy of the stored photo to third-party AI image-generation providers for stylization, receives a generated drawing, and writes it back to your cloud library, where the App fetches it for display. Both your uploaded photo and the generated drawing are retained in our cloud library, hosted in Hetzner Object Storage in the European Union, so your gallery follows you across devices and the App's compare-with-original view can re-fetch the source photo. Stored images are encrypted in transit and at rest, are accessible only via short-lived signed URLs issued to your authenticated session, and are deleted from our storage when you delete the corresponding sketch from the in-app gallery.

2.1a Device Identifier

On first launch the App calls our API to mint a brand-new anonymous account. Our API generates a random UUID for the account and returns it along with a bearer token; the App stores both in the operating system's secure storage. Every subsequent API call authenticates with the bearer token, and our server resolves your account from the token. Server-side enforcement covers your credit balance only — the small free-render allotment is tracked locally on your device, which is why uninstalling the App or clearing its data resets the allotment. The UUID is not derived from any hardware or OS-level identifier; if you want to keep your account and credits across reinstalls, save the recovery code we offer in Settings.

2.2 Purchase and Entitlement Data

When you buy a credit pack, the transaction is processed by Apple Inc. (App Store) on iOS or by Google LLC (Google Play Store) on Android, and validated through RevenueCat, Inc. We receive confirmation that you own the entitlement, plus an anonymous app-user identifier assigned by RevenueCat so that we can restore your purchases on reinstall and across devices signed in to the same Apple ID or Google Account. We do not receive your payment-method details, billing address, or full account identifiers.

2.3 Anonymous Usage Events

We use PostHog, Inc. to record how features of the App are used (for example: which drawing styles are tapped, whether the paywall was opened, whether a render succeeded). Events do not contain photo content, file names, or text you have entered. PostHog assigns an anonymous installation identifier scoped to the device.

2.4 Crash and Error Reports

We use Sentry, Inc. to record uncaught errors and crashes so we can investigate and fix them. A typical report contains the error message, a stack trace, and basic device information (model, operating-system version, App version). It does not contain photo content.

3. Permissions

The App may request the following operating-system permissions, each only when the corresponding feature is invoked. You may grant or deny each permission from your device settings; denying a permission disables the feature it covers, and the rest of the App continues to function.

• Camera. Used solely when you tap the camera button to capture a photo. The App does not access the camera at any other time.
• Photo Library. Used solely when you pick a photo from the library or save a generated drawing back to it.
• Push Notifications. Requested the first time you tap Generate so we can ping you when a render finishes (renders are processed in the background and can take a couple of minutes). The push payload contains only a brief notice that your sketch is ready — no photo content.

4. Purposes and Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

• Performance of a contract with you (Art. 6(1)(b) GDPR) — to deliver the App, fulfil purchases, and validate entitlements.
• Our legitimate interests (Art. 6(1)(f) GDPR) — to keep the App stable (crash reporting), to understand how features are used (anonymous analytics), and to detect or prevent fraud or abuse. We have weighed these interests against your rights and freedoms and concluded that the processing is proportionate.
• Your consent (Art. 6(1)(a) GDPR) — where required by law, for example for any optional permission you grant.
• Compliance with a legal obligation (Art. 6(1)(c) GDPR) — to retain transaction records as required by tax or consumer-protection law.

Where we rely on legitimate interests, you have the right to object to processing on grounds relating to your particular situation (see Section 9). Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

5. How We Use the Information

• To run the conversions you request.
• To honor your purchases across reinstalls and devices.
• To diagnose and fix crashes and other defects.
• To understand which features are used so we can prioritize improvements.
• To prevent, investigate, and respond to fraud, abuse, or violations of the Terms of Service or applicable law.

We do not sell, rent, or trade your personal data to third parties for marketing or any other purpose. We do not use your data to build profiles for cross-context behavioral or targeted advertising.

6. Data Sharing and International Transfers

6.1 Categories of Recipients

We may share limited data with the following categories of recipient, each governed by its own privacy policy:

• App Store (Apple Inc.) on iOS and Google Play Store (Google LLC) on Android — purchase processing.
• RevenueCat, Inc. — purchase validation and entitlements: https://www.revenuecat.com/privacy
• PostHog, Inc. — anonymous product analytics: https://posthog.com/privacy
• Sentry, Inc. — crash and error reporting: https://sentry.io/privacy/
• Third-party AI image-generation providers — your stored photo is forwarded to these providers' image-generation APIs to produce the requested drawing. We contract only with providers whose API terms commit to not using inputs to train their models.
• Hetzner Online GmbH — object storage in the European Union for your uploaded photos and generated drawings, used to power the cross-device gallery and the in-app compare-with-original view: https://www.hetzner.com/legal/privacy-policy
• Google LLC (Firebase Cloud Messaging) — delivery of push notifications to your device. We register your device's push token against your account so we can notify you when a background render finishes; the payload itself contains no photo content: https://firebase.google.com/support/privacy

6.2 International Transfers

The third parties listed above may process data in the United States or other regions outside your country of residence. Where required by GDPR or UK GDPR, we and our providers rely on European Commission Standard Contractual Clauses (or the UK International Data Transfer Addendum), and on the EU–U.S. Data Privacy Framework where applicable, to provide an adequate level of protection.

6.3 Access from Pakistan

ZEITARC is headquartered in Islamabad, Pakistan, which does not currently have an EU adequacy decision. Our team in Pakistan may access aggregate analytics and crash data, and may handle support enquiries you send us, for the operational purposes described in this Policy. Where this involves any transfer of personal data, we rely on the safeguards described in Section 6.2 and the technical and organisational measures described in Section 8. You may request a copy of the safeguards in place by contacting us at privacy.line@zeitarc.com.

6.4 Legal Disclosures

We may disclose your data if required by law, to comply with legal process or government requests, to protect our rights or safety, to enforce our Terms of Service, or in connection with a merger, acquisition, or sale of assets (with notice to you where required).

7. Data Retention

• Uploaded photos and generated drawings are stored in Hetzner Object Storage (European Union) until you delete the corresponding sketch from the in-app gallery, at which point the underlying objects are removed from our storage. Photos that are uploaded but never successfully processed are cleaned up automatically within a short retention window. You can request server-side deletion of all of your stored images by contacting privacy.line@zeitarc.com.
• Anonymous usage events and crash reports are retained by PostHog and Sentry under their default retention windows (typically up to 12 months for events and 90 days for full error context), then aggregated or deleted.
• Purchase and entitlement records are retained by Apple (for App Store purchases), Google (for Google Play Store purchases), and RevenueCat for as long as your purchase remains valid and for any further period required by tax or accounting law.
• Your account record (the random UUID, current credit balance, hashed recovery code, sketch metadata, push-notification tokens, support correspondence, and your legal-acceptance history) is retained for as long as your account is active. When you request account deletion under Section 9.3 we erase your stored images, your account record, and your push tokens; support correspondence is retained with the user link severed so we can keep an internal audit trail without continuing to associate it with you.

8. Data Security

8.1 Technical Measures

• Encryption in transit — all data exchanged with our service providers, including our cloud storage and our AI image-generation providers, is encrypted using TLS 1.2 or higher.
• Pre-upload downscale — photos are resized to a maximum dimension of 1500 pixels on your device before any network upload, limiting the data exposed.
• Encryption at rest — uploaded photos and generated drawings are stored in Hetzner Object Storage with server-side encryption applied by the provider, and are accessed only via short-lived presigned URLs scoped to your authenticated session.
• No passwords or personal identifiers collected — your account is identified by a random UUID issued by our API and the bearer token paired with it. We do not ask for, or store, a password, name, email, or phone number; the only way to access your account from another device is the recovery code you can mint in Settings.
• Hardened service-provider configurations — we have reviewed each provider's settings to minimise the data they receive.

8.2 Organisational Measures

• Limited employee access to provider dashboards on a need-to-know basis.
• Confidentiality obligations for all team members with access to any personal data.
• Documented incident-response procedures.
• Regular review of third-party providers and their practices.

8.3 Data-Breach Notification

In the event of a personal-data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours where required by GDPR Article 33.
• Notify affected users without undue delay if there is a high risk to their rights and freedoms (GDPR Article 34).
• Document the breach and all remedial actions taken.

9. Your Rights Under GDPR

As a data subject, you have the following rights. We will respond to valid requests within one month, extendable by two further months for complex requests (with notification to you within the first month).

9.1 Right of Access (Article 15)

You may obtain confirmation of whether we process your personal data and request a copy of that data. Email privacy.line@zeitarc.com to request your data.

9.2 Right to Rectification (Article 16)

You may correct inaccurate personal data or complete incomplete data we hold about you.

9.3 Right to Erasure (Article 17)

You may request deletion of personal data we hold about you. You can delete individual sketches and their stored original photos from the in-app gallery, which removes the underlying objects from our cloud storage. For a full account-level erasure (including any remaining stored images, anonymous identifiers, and feedback or support history we have attached to your account), email privacy.line@zeitarc.com and we will action your request within the timeframes set out in this Section 9.

9.4 Right to Restriction of Processing (Article 18)

You may request that we limit how we use your data — for example while we verify the accuracy of the data or consider an objection you have raised.

9.5 Right to Data Portability (Article 20)

Where applicable, you have the right to receive personal data you provided to us in a structured, commonly used, machine-readable format. Email privacy.line@zeitarc.com to request a portable export.

9.6 Right to Object (Article 21)

You may object to processing based on legitimate interests on grounds relating to your particular situation. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests, or unless we need to process the data to establish, exercise, or defend legal claims. We do not use your data for direct marketing or profiling.

9.7 Automated Decision-Making (Article 22)

We do not make any decisions based solely on automated processing that produce legal or similarly significant effects on you. The image-conversion model runs on a third-party AI service in response to your direct tap, and the resulting drawing is returned to you for review.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority — for EEA users, your national data-protection authority; for UK users, the Information Commissioner's Office (ico.org.uk). We encourage you to contact us first so we can address your concerns.

9.9 How to Exercise Your Rights

To exercise any of these rights, email privacy.line@zeitarc.com with the right(s) you wish to exercise. Because the App does not link the data we hold to your real-world identity, we may ask for additional information needed to verify your request. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.

10. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the right to (i) know what personal information we collect, use, disclose, and (where applicable) sell or share; (ii) request deletion of your personal information; (iii) correct inaccurate personal information; (iv) opt out of any sale or sharing of personal information for cross-context behavioral advertising; and (v) limit use of sensitive personal information.

We do not sell or share personal information for cross-context behavioral advertising and we do not knowingly collect "sensitive personal information" as defined by the CPRA. We do not discriminate against you for exercising any of these rights.

11. Children's Privacy

The App is intended for use by adults aged 16 and older, and is not directed to children. We do not knowingly collect personal data from children under 16 (or the equivalent age in your country). If you become aware that a child has used the App in a way that caused us to receive their personal information, contact privacy.line@zeitarc.com and we will delete it promptly.

12. Cookies and Local Storage

The App is a native mobile application and does not use cookies. It uses the following local-storage mechanisms on your device:

• Local preferences — App settings, the random UUID and bearer token issued by our API for your account (stored in the operating system's secure storage), the free-tier counter, and your purchase entitlements.
• Cache — temporary in-memory storage for previously rendered drawings so that re-tapping a style returns instantly without a new request.

We honor Do Not Track signals where applicable. We do not track users across third-party websites or apps.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

13.1 Notification of Changes

We will notify you of material changes by updating the "Last updated" date at the top of this Policy and displaying a notice in the App before the change takes effect.

13.2 Your Continued Use

Continued use of the App after the effective date constitutes acceptance of the updated Policy. If you do not agree with the updated Policy, you should stop using the App and uninstall it.

14. Contact Information and Complaints

For privacy questions or to exercise your rights, please contact us using the addresses below. We aim to respond to standard requests within one month, complex requests within three months (with notification within the first month), and urgent security matters within 72 hours.

Contact

Data Protection: privacy.line@zeitarc.com Support: support.line@zeitarc.com Legal: legal.line@zeitarc.com