Privacy Policy
Last updated: May 19, 2026
Penna ("the App") is a coloring book page generator available on iOS and Android. The App allows users to upload photos, which are converted into coloring book pages using our API. This Privacy Policy describes how personal information is collected, used, and shared when you use the App.
Information we collect
Account information. When you create an account, we collect your email address and a securely hashed password. Passwords are hashed using argon2id and never stored or transmitted in plain text. We use this information solely to authenticate you when you sign in and to send password-reset emails if you request one.
Photos. When you use the App to create coloring pages, your photos are sent to our API for processing. Photos are processed in real time and are not stored on our servers. The resulting coloring pages are returned directly to your device and stored locally on your phone.
Optional feedback images. When you give thumbs-down feedback on a generated page, you can optionally choose (the toggle is off by default) to share the original photo and the resulting coloring page with us so we can investigate quality issues. If you opt in, those files are stored on our servers for up to 90 days and then automatically deleted. They are used solely for debugging the AI generation. They are never shared with third parties and never used to train any AI model.
Feedback data. When you submit thumbs-up or thumbs-down feedback on a generated page, we record your rating, the reasons you selected, any optional comment, and metadata about the generation (style used, app version, platform). Feedback is associated with an anonymous device identifier (see below), not with your name or email.
Device information. We collect an anonymous device identifier, operating system version, and app version for analytics and troubleshooting purposes. The device identifier is a random UUID generated locally on first launch and stored in your device's secure storage. It is not the Android Advertising ID or iOS IDFA. The same identifier is attached to install attribution, purchase analytics, feedback submissions, and Firebase Analytics events so we can recognise the same device across sessions; it does not identify you as a person.
Install attribution. When you install the App from a link that includes tracking parameters (e.g. an ad we ran or a referral link), the platform forwards those parameters to the App so we can understand which ad campaigns drive installs and measure their long-term performance (e.g. retention, lifetime value). On first launch we read the available parameters and POST them — along with your anonymous device identifier — to our servers. The standard UTM fields (source, medium, campaign, term, content) and any ad-network click ID present (such as Google's gclid) are recorded. If you install organically — without a tracked link — these fields are absent and "organic" is recorded as the source. We use the following attribution mechanisms:
- Android — Google Play Install Referrer API (active). Google Play forwards install-time tracking parameters to the App via the Install Referrer API.
- iOS — Apple Search Ads Attribution (Apple AdServices framework). When the App becomes available on iOS, we will use Apple's privacy-preserving on-device AdServices framework to receive attribution data for Apple Search Ads campaigns. AdServices does not require the iOS Advertising Identifier (IDFA), shows no App Tracking Transparency prompt, and exposes only campaign-level data — never device-level identifiers.
- AppsFlyer (Mobile Measurement Partner). For paid acquisition campaigns on ad networks that require a certified Mobile Measurement Partner (such as Pinterest or Quora), we include the AppsFlyer SDK. When the AppsFlyer SDK is enabled, it provides AppsFlyer with an AppsFlyer-generated device identifier, your device model and operating system version, the install timestamp, and an attribution callback containing the ad network and campaign that the install was attributed to. We receive the same attribution data back from AppsFlyer so we can join it to our analytics, and we record an AppsFlyer device identifier on our servers so we can reconcile data with AppsFlyer's dashboard. The AppsFlyer SDK is disabled by default and is only activated during paid acquisition campaigns; when no AppsFlyer-served ad networks are running, AppsFlyer is not active and no data is sent to it.
Purchase information. When you complete a subscription purchase through Google Play, we receive a confirmation from the platform containing a transaction identifier, the product purchased, the local price, and the currency. We POST a summary of this — together with your device identifier — to our servers so we can join purchase events to install attribution for marketing analytics (e.g. "ads from campaign X had a 4% subscription conversion rate"). Payment card details, billing addresses, and any other financial information remain entirely with Google Play and are never sent to or visible to us.
Analytics events. While you use the App, the App records events through Google Firebase Analytics (e.g. paywall shown, paywall dismissed, purchase completed, screen viewed). Events carry the device identifier, app version, locale, platform, and — for users who installed from a tracked ad — the marketing source and campaign. Firebase Analytics retains event data on Google's infrastructure subject to Google's privacy terms. We do not use these events for advertising personalisation, and we have not enabled any Google Signals integration.
Crash reports. If the App crashes, Google Firebase Crashlytics sends a stack trace, your device model, operating system version, app version, and a small breadcrumb log of recent in-app actions to Google so we can diagnose and fix the bug. Crash reports do not include the contents of your photos, your generated coloring pages, or your account credentials. Crashlytics retention follows Google's defaults.
Permissions
The App may request the following permissions:
- Camera — to take photos directly within the App for conversion to coloring pages.
- Photo Library — to select existing photos from your device for conversion.
The App does not request location, microphone, contacts, or any other permissions beyond those listed above.
Subscriptions and payments
The App offers yearly subscription plans. All payments are processed entirely through the Apple App Store or Google Play Store. We do not collect, process, or store any payment information such as credit card numbers or billing addresses. Subscription management, billing, and refunds are handled by Apple or Google according to their respective terms of service.
Data retention
| Data | Retention |
|---|---|
| Photos uploaded for generation | Deleted from our servers immediately after the coloring page is returned. Never retained. |
| Generated coloring pages | Stored only on your device. We never see them after they leave our generation server. |
| Optional feedback images (opt-in) | Up to 90 days, then automatically deleted. |
| Account email + hashed password | Until you delete your account. |
| Anonymous device identifier | Until you uninstall the App or sign out. |
| Feedback ratings + reasons | Indefinitely, for product quality. |
| Subscription purchase records (when launched) | As required by Apple / Google and applicable tax law. |
| Install attribution (UTM parameters + device ID + AppsFlyer ID + attribution provider) | Indefinitely, for campaign performance and lifetime-value analysis. Delete-account requests purge this row. |
| Purchase analytics rows (device ID + transaction ID + price) | Indefinitely, joined to install attribution for marketing analytics. Delete-account requests purge these rows. |
| AppsFlyer attribution data (held by AppsFlyer) | Per AppsFlyer's retention policies. Applies only when AppsFlyer is enabled for paid acquisition. |
| Apple AdServices token | Discarded immediately after the one-time attribution lookup completes on first launch. |
| Firebase Analytics events | Per Google's defaults (typically up to 14 months for event-level data, longer for aggregates). Configurable in our Firebase project settings. |
| Firebase Crashlytics reports | Per Google's defaults (typically 90 days for individual reports). |
If you delete your account, your email and associated account data will be permanently removed from our systems within 30 days.
Sharing your information
We do not sell your personal information. We do not share it with advertisers for advertising personalisation. Your information may be shared only in the following circumstances:
- Service providers strictly necessary to operate the App. Our AI generation provider receives each photo solely to convert it to a coloring page; photos are deleted immediately after generation. Our email delivery provider (Resend) is used only to send transactional emails such as password resets and email verifications. The Apple App Store and Google Play Store handle subscription purchases.
- Analytics and crash reporting. Google Firebase Analytics and Google Firebase Crashlytics receive the data described in the "Information we collect" section. These are operated by Google under their privacy terms; we receive aggregated and event-level data back from them through our own administrative dashboards.
- Install attribution providers. AppsFlyer (when enabled for paid acquisition campaigns) receives the install attribution data described above and provides attribution callbacks back to us. Apple AdServices, when the App is available on iOS, performs on-device attribution lookups against Apple's servers; the only data Apple receives in this lookup is a short-lived attribution token. These providers operate under their own privacy terms (AppsFlyer Privacy Policy, Apple Privacy Policy).
- User-initiated sharing. When you choose to share a coloring page using your phone's native share functionality, the sharing is performed entirely on your device. We have no involvement in or access to what you share.
- Legal requirements. We may disclose your information if required to do so by law or in response to valid requests by public authorities.
The App shows no advertisements. We do not display ads to you, and we do not use any data we collect for advertising personalisation. The attribution SDKs described above (AppsFlyer and Apple AdServices) measure the effectiveness of marketing campaigns we run elsewhere — they do not show ads inside the App, do not build advertising profiles about you, and do not personalise the App's content based on advertising data. Firebase Analytics and Crashlytics are operational telemetry, not advertising.
Your rights (GDPR and CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — request that we correct any inaccurate personal data.
- Deletion — request that we delete your personal data.
- Portability — request a machine-readable copy of your personal data.
- Opt-out — California residents may opt out of the sale of personal information. We do not sell personal information.
To exercise any of these rights, please contact us at the email address below. We will respond within 30 days.
Children's privacy
The App is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13.
The App contains no in-app chat, social features, or user-to-user content sharing. Photos uploaded for generation are deleted immediately and are never used to train any AI model.
If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe your child has provided us with personal information, please contact us.
Changes to this policy
We may update this privacy policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. We encourage you to review this policy periodically.
Contact us
If you have questions about this privacy policy or wish to exercise your data rights, please contact us at: support@getpenna.com