1. Controller
The controller for personal data processed through WhatsReal is Manuel Thurner, Weinstraße 6, 39057 Girlan BZ, Italy, telephone +39 0471665635, email contact@03-studios.com.
2. Scope of This Policy
This policy covers the public website, the iOS app, the iOS share and action extensions, and the backend API used to authenticate users, receive uploads, manage subscriptions, administer referral credits, and return analysis results.
3. Categories of Personal Data We Process
Website usage and preference data. When you visit the website, we process standard connection data that your browser and hosting infrastructure necessarily transmit, such as IP address, user-agent, time of request, and page access metadata. The site also stores a consent cookie. The website code audited on April 12, 2026 did not contain website analytics or advertising trackers.
Authentication and account data. To use the app, you sign in through Sign in with Apple or Google via Supabase Auth. We therefore process your Supabase user identifier, access-token-related session state, and account email address where present in the identity payload. We do not provide a username/password registration flow in the audited app.
Media and submission metadata. When you request an analysis, we process the uploaded image or video, the file type, file size, detected MIME type, original filename if present, and the optional source-reference URL you choose to include for context.
Referral and entitlement data. The backend stores referral codes, referral-redemption state, subscription period metadata, quota counters, and premium-entitlement status required to decide whether a given account may access paid analysis features.
Diagnostics, security, and operational logs. The backend logs request IDs, request path, method, status, latency, actor identifiers, and authenticated user email when available. If configured, server-side exceptions may also be transmitted to Sentry. Within the app, Firebase Analytics, Crashlytics, and Performance may process app-interaction and diagnostic data only after you have expressly granted analytics consent.
Support and contact data. If you email us or submit information through the linked Google Form, we process the contact information and message content you provide so that we can respond and document the request.
4. Sources of Personal Data
- directly from you when you browse the site, sign in, upload media, redeem a referral code, or contact us;
- from Apple or Google as identity providers through Supabase authentication flows;
- from RevenueCat and Apple purchase systems for subscription validation;
- from your device and browser as part of ordinary network, app, and storage operations; and
- from processors that return analysis, entitlement, telemetry, or diagnostics data to us.
5. Purposes and Legal Bases
- Provide the service. We authenticate users, receive uploads, run the requested media analysis, return results, restore purchases, and manage referral credits. Legal basis: Article 6(1)(b) GDPR, performance of a contract or pre-contractual steps requested by you.
- Maintain security and prevent abuse. We validate requests, enforce rate limits and quotas, keep server logs, and restrict unauthorized or abusive use. Legal basis: Article 6(1)(f) GDPR, legitimate interests in service security, fraud prevention, and infrastructure integrity.
- Operate optional analytics and diagnostics. We process Firebase analytics, crash, and performance data only where you have expressly opted in inside the app. Legal basis: Article 6(1)(a) GDPR, consent.
- Handle support and legal requests. We answer support messages, deletion requests, and rights requests, and preserve records where legally necessary. Legal basis: Article 6(1)(b), 6(1)(c), and 6(1)(f) GDPR, depending on the nature of the request.
- Operate the website. We use the consent cookie to remember your banner preference. Legal basis: Article 6(1)(f) GDPR for essential site operation; where consent is legally required for a specific technology, Article 6(1)(a) GDPR and the applicable ePrivacy rule.
6. Analysis and Automated Processing Disclosure
WhatsReal performs automated content assessment using third-party AI-detection providers selected in backend configuration. Depending on configuration, uploaded media is sent to Hive or AI or Not, and certain images may also be sent to OpenAI or xAI for a secondary review path. This processing is part of the core service you request. The output is probabilistic and should not be treated as a definitive forensic, legal, or factual determination.
The audited service does not present these outputs as decisions producing legal effects or similarly significant effects under Article 22 GDPR. Users should not rely on the result as the sole basis for legal, employment, moderation, or law enforcement decisions.
7. Face Data and Uploaded Media
WhatsReal is an AI image and media detection tool. Users may voluntarily upload or share images or videos with the app so that WhatsReal can estimate whether the submitted media may have been generated or manipulated by artificial intelligence.
WhatsReal does not perform facial recognition, biometric identification, face tracking, facial geometry extraction, or any other biometric analysis.
If uploaded media contains a person’s face, WhatsReal does not specifically identify, recognize, authenticate, track, profile, or analyze that person’s face as biometric data. Any faces appearing in uploaded media are processed only as part of the overall image or video submitted for AI-generated media detection.
WhatsReal does not collect biometric face data, facial geometry, facial templates, faceprints, or facial recognition identifiers.
Uploaded media is not stored on our servers after analysis. The backend may create temporary processing files for validation, normalization, and analysis, and deletes those temporary files after analysis completes.
Any local analysis history, including previously analyzed images, videos, thumbnails, results, or related metadata, is stored exclusively on the user’s device and remains under the user’s control. Users may delete local history from within the app where available, by clearing app data where supported, or by deleting the app from the device.
WhatsReal does not sell uploaded media or face data. WhatsReal does not use uploaded media or faces appearing in uploaded media for advertising, biometric profiling, identity recognition, authentication, or user tracking.
Uploaded media may be sent to the processors listed in the “Recipients and Processors” and “Processor List” sections solely to provide the requested AI-generated media detection service.
8. Recipients and Processors
We disclose personal data only where needed to operate the service, comply with law, or protect legitimate interests.
- Supabase supports authentication and database-backed application state.
- Hive or AI or Not receives uploaded media and limited metadata required to perform detection.
- OpenAI or xAI may receive certain uploaded images if optional secondary review is enabled.
- RevenueCat, Superwall, and Apple support subscription and paywall operations.
- Google Sign-In supports Google authentication where you choose that option.
- Firebase services receive analytics and diagnostics only after explicit app-level consent.
- Sentry may receive backend exception data if enabled.
- Google Fonts receives website request data when remote fonts are loaded by the landing page.
- Google Forms receives the data you choose to submit through the linked support form.
9. Processor List
- Supabase. Authentication, session management, JWT validation infrastructure, and Postgres-backed storage for user accounts, referrals, quota periods, and rate-limit buckets. https://supabase.com/privacy
- Hive. AI-generated and deepfake content detection for uploaded images or videos when Hive is the active analysis provider. https://thehive.ai/privacy
- AI or Not. AI-generated and deepfake content detection for uploaded images or videos when AI or Not is the active analysis provider. https://www.aiornot.com/privacy-policy
- Sightengine. AI-generated and manipulated media detection for uploaded images or videos when Sightengine is used as an analysis provider. https://sightengine.com
- OpenAI. Optional secondary review of certain uploaded images when OpenAI-based security review is enabled in backend configuration. https://openai.com/policies/privacy-policy/
- xAI. Optional secondary review of certain uploaded images when xAI/Grok-based security review is enabled in backend configuration. https://x.ai/legal/privacy-policy
- RevenueCat. Subscription state, entitlement checks, purchase restoration, billing-period metadata, and app-user identifiers for premium access control. https://www.revenuecat.com/privacy/
- Superwall. Paywall presentation, paywall event orchestration, and user-level paywall identification inside the iOS app. https://superwall.com/legal/privacy-policy
- Google Sign-In. Google account authentication flow used by the iOS app through Supabase sign-in with ID tokens. https://policies.google.com/privacy
- Google / Firebase. Optional in-app analytics, crash diagnostics, and performance telemetry, all gated behind explicit analytics consent in the audited app. https://policies.google.com/privacy
- Google Fonts. Remote delivery of the DM Sans and Inter web fonts used by the public landing site, causing browser requests to Google on page load. https://policies.google.com/privacy
- Google Forms. Collection of support, contact, or deletion feedback submissions if a user follows the settings link to the linked Google Form. https://policies.google.com/privacy
- Sentry. Optional backend exception reporting and diagnostics if a Sentry DSN is configured in production. https://sentry.io/privacy/
- Apple. App Store distribution, StoreKit purchases, Sign in with Apple, iCloud-adjacent platform services, and iOS extension/platform functionality. https://www.apple.com/legal/privacy/
10. International Transfers
Several service providers used by WhatsReal are established or operate infrastructure outside Italy or the EEA, including in the United States. International transfers may therefore occur, in particular in connection with Google, Firebase, RevenueCat, Superwall, Hive, AI or Not, OpenAI, xAI, Sentry, and Apple. Where required, such transfers must be covered by an adequacy decision, the EU-U.S. Data Privacy Framework where applicable, or appropriate safeguards such as the European Commission’s Standard Contractual Clauses together with supplementary measures.
Operational verification of which safeguards are actually in place for the production configuration remains necessary.
11. Retention
Uploaded media. The backend creates temporary processing files for validation and normalization and deletes those temporary files after analysis completes.
Account, referral, quota, and entitlement records. These are retained for as long as needed to operate the user account, administer subscriptions and referral credits, defend legal claims, and comply with tax or accounting duties. The audited repository did not contain a complete written production retention schedule for those data sets.
Backend logs. Server logs are generated in JSON format. The audited repository did not define a fixed production log-retention period.
Analytics consent records. The app stores the analytics-consent preference in local and shared user defaults until you change it, delete the app, or clear the relevant device storage.
Website preference storage. The `whatsreal_cookie_consent` cookie expires after 180 days.
Support requests. Messages sent by email or through Google Forms are retained for as long as necessary to respond, document the request, and meet legal retention obligations.
12. Deletion and Account Closure
The app provides a delete-account function. In the audited backend, that flow deletes the user from Supabase Auth and removes associated referral and quota records from the application database. The repository should still be supplemented with an internal deletion procedure covering support inboxes, Google Forms submissions, logs, backups, Sentry events, and any processor-side data that is not automatically removed by deleting the user account.
13. Cookies and Similar Technologies
The public website uses a consent cookie and remotely hosted Google Fonts. Further details are set out in the Cookie Policy.
14. Your Rights
Subject to applicable law, you may request:
- access to your personal data;
- rectification of inaccurate or incomplete data;
- erasure of personal data;
- restriction of processing;
- objection to processing based on legitimate interests;
- data portability where Article 20 GDPR applies; and
- withdrawal of consent at any time for consent-based processing.
To exercise your rights, contact contact@03-studios.com. We may request information necessary to verify your identity before fulfilling the request.
15. Complaints
You also have the right to lodge a complaint with the competent supervisory authority, including the Italian data protection authority (Garante per la protezione dei dati personali): https://www.garanteprivacy.it.
16. Changes to This Policy
We may update this Privacy Policy to reflect changes in the law, the service, or our processor chain. The current version is published on this page with its effective date.