Guma Privacy Policy

1. Introduction

Welcome to Guma! This Privacy Policy explains how Guma ("we," "us," or "our") collects, uses, shares, and protects information when you use our products or services ("Service"). This policy applies to all visitors, users, and others ("Users," "you," or "your") who use our mobile application ("App"), visit our website, or interact and communicate with us through our online or social media channels.

Our Service is provided and controlled by ZhangQi Tao, and we are the data controller. By clicking “I Agree” or using our Service, you consent to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

We collect various types of information to provide and improve our Service to you.

A. Information You Provide to Us:

• Account Information: When you create a picut account, we collect your Apple ID.
• Communications: If you contact us directly (e.g., for customer support), we will receive your name, email address, the contents of your message, and any other information you choose to provide.
• User Input: When you use our Service, we may collect your text input, prompt, uploaded files, or other content that you provide to us. We generate responses (“Outputs”) based on your Inputs.

B. Information We Collect Automatically:

• Device and Technical Information: We collect your IP address and information about your mobile device (hardware model, operating system, unique device identifiers and system language). The information we collect may vary based on your device type and settings.
• Service Log Information: When you use our Service, we automatically collect and store certain information in server logs. This includes details of how you used our service, your IP address, and device event information such as crashes and system activity.
• Usage Data: We collect information about your activity on our Service, such as the types of content that you view or engage with,feature usage, session times, and interactions within the app.
• Transaction Information: If you choose to purchase (a product or prepaid service) or subscription (such as advanced membership), we will receive your transaction information such as orders and transaction status. We do not have access to your sensitive payment details, such as your credit card number or banking information.

Cookies and Similar technologies:

C. Information We Collect with Your Permission:

• Camera Access: We request camera access to enable you to use features such as taking photos and recording videos within the App. This may include collecting your personal photos and videos that you choose to capture.
• Photo & Media Library Access: We request photo and media library access so you can upload existing personal photos and videos from your library to the App or save content from the App to your device. For instance, this allows you to select a new profile picture, share images and edit media.
• File Read/Write Access: We request file read/write access when you import/export files for editing and rendering. We only access files you explicitly select for import or export and do not browse your gallery without your action.
• Audio File Access: We request access to your device's audio files when you upload existing music and other sound recordings to the App for use in features like creating video content or adding background music.
• External/SD Card Storage Access: We may request external storage access when you read and write media files on external storage (SD cards) for importing or exporting project files. We will only access files you select, and will not scan the entire SD card without your explicit action.

D. Face Data Policy:

• a) Special Notice [Guma] analyzes users’ photos to identify key facial feature points (such as eyes, nose, and mouth) for the purpose of providing face-processing effects. We do not collect or store any face data. Once the analysis process is completed, all related data will be permanently deleted. Refusal to provide such information may prevent you from using the app’s core features but will not affect your access to other functions and services.
• b) Purpose and Process of Face Data Use In order to provide “face-swapping” and related effects, we need to detect facial feature points (eyes, nose, mouth). The complete process is as follows:
  • The selected photo is securely transmitted in encrypted form to our servers.
  • The server analyzes the facial data within the photo and applies it to the chosen template.
  • Once rendering is completed, the server returns the final output (your “work”) to the application.
  • The generated output is temporarily stored in encrypted storage and permanently deleted after the rendering process is completed. At the same time, the original uploaded photo is immediately deleted from our servers.
• c) Face Data Sharing and Storage We do not share users’ facial data with any third parties. We also do not store any facial images submitted by users. All uploaded photos are deleted immediately after the analysis process is completed.

3. How We Use Your Information

We use the information we collect for the following purposes:

Provide, Operate, and Maintain the Service including to:

• process transactions and manage subscriptions for our paid services;
• provide the essential features of our application;
• ensure that our services are working as intended;
• provide personalized content, services, and recommendations.
• Manage Your Account: We use your data to create, secure, and manage your user account, allowing you to log in securely to access to different functionalities of the Service that are available to you.
• Improve and Optimize Our Service, including to:
  send you promotional emails or push notifications about new features, special offers, and events;
  display contextual ads which are shown based on the content you are currently viewing, not your personal profile；
  monitor the performance of the advertising campaigns：we use data about the ads that you interact with to help us and our advertising partners understand the performance of our ad campaigns.
• Market and Advertise（with your consent）,including to:
  send you promotional emails or push notifications about new features, special offers, and events;
  display contextual ads which are shown based on the content you are currently viewing, not your personal profile；
  monitor the performance of the advertising campaigns：we use data about the ads that you interact with to help us and our advertising partners understand the performance of our ad campaigns.
• Ensure the Safety and Reliability of Our Service. For example, we prevent and detect abuse, fraud, and illegal activity which could harm us, our users or the public by conducting troubleshooting, data analysis, testing, and research.
• To communicate with you: ●including for customer support and to send you service-related notices.
• To comply with legal obligations, including to: comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
  protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
  audit our compliance with legal and contractual requirements and internal policies.

We’ll ask for your consent before using your information for a purpose that isn’t covered in this Privacy Policy.

4. Legal Basis for Processing (For Users in the EEA, UK, and Brazil)

If you are a user in the European Economic Area (EEA), United Kingdom (UK), or Brazil, we process your personal information based on the following legal grounds under applicable laws(e.g., GDPR and LGPD)

• Consent: We process certain information based on your explicit consent, such as:
  access to camera, microphone, photo/media library, contacts, file，clipboard, location, bluetooth, SD card storage；
  sending targeted marketing communications and promotional offers；
  showing personalized ads.
• Performance of a Contract: We process your personal information to fulfill our contract with you, such as:
  creating and managing your account;
  providing app functionalities and services you request;
  processing subscriptions and purchases.
• Legitimate Interests: We process information for our legitimate interests, such as:
  service improvement, troubleshooting, and analytics;
  fraud detection and service security;
  measuring ad campaign performance.
• Legal Obligation: We process your information to comply with our legal obligations,such as:
  responding to lawful authority requests;
  meeting financial and audit requirements.
• Protection of Vital Interests: We process your information in emergency or safety-related situations.
• Exercise of Rights in Legal Proceedings:We process your information to defend our rights in legal disputes.

Where we rely on consent, you may withdraw it at any time. Where we rely on legitimate interests, you may object to such processing.

5. Sharing and Disclosure of Information

We do not sell, rent, or lease your personal information. We may share information in the following cases:

• With Your Separate Consent: We may share your information with third parties when we have obtained your separate and explicit consent to do so.
• Service Providers: We share information with third-party vendors that perform services on our behalf and we may integrate third-party software development kits (“SDKs”) for purposes such as analytics, crash reporting, authentication, cloud storage, emails delivering, payment process,customer support and advertising. Types of third-party service providers include:
  Analytics service providers:We may need analytics service providers(such as Firebase Analytics) to help understand how people are using our products and services and to improve our products and services;
  Cloud hosting providers:We use cloud hosting service providers(such as Alibaba Cloud) to securely store and manage user information and application data.
  Communication service providers:We use communication service providers(such as Iterable) to send notifications or emails to you.
  Payment processor:
  Promotions and advertising service providers: We partner with third-party ad service providers(such as Google Ads) for promotional campaigns or displaying ads.

We take commercially reasonable steps to ensure our service providers adhere to the security standards we apply to your personal information.

• Business Transfers:We will not transfer your personal information to any third party, except in the case of a merger, acquisition, asset sale, or judicial liquidation where your information may be transferred as part of the transaction. We will ensure the confidentiality of such information during the transfer process and require the new holder to continue to be bound by this Privacy Policy.
• Legal Compliance and Safety:We may disclose your information if required to do so by law or to protect the safety of any person or our rights or property.
• Professional Advisors:such as lawyers and accountants, where doing so is necessary to facilitate the services they render to us.
• Affiliates:We may share personal information with our current and future affiliates, meaning an entity that controls, is controlled by, or is under common control with us. Our affiliates may use the personal information we share in a manner consistent with this Privacy Policy.
• Your Sharing:Through the Services, you may be able to make your personal information available to others if you choose to do so, including:
  other users and the public:when you share or post content, or chose to engage in public transactions through our Service;
  social media platforms:when you choose to share content on social media.

6. Cross-Border Data Transfers

Our primary server is located in Virginia, United States. To keep our service safe and reliable, we may also back up or process data in other locations where our cloud providers operate. Please note that the Personal Information we collect from you may be stored on a server located outside of the country where you live and such jurisdiction may not provide the same protections as the data protection laws in your home country. By using our Service, you agree to transfer your information to countries where we and/or our service providers operate. Where required, relevant safeguards are in place to afford appropriate protection for your personal information and we will comply with applicable data protection laws. If you are a user in the EEA, UK, Brazil, please be aware that we rely on Standard Contractual Clauses (SCCs) for transfers of data from these regions.For more information about how we transfer personal information internationally, please contact us at picutapp@163.com.

7. Data Security

• We store your personal information on a secure server, with the latest firewall protection, saved in secure facilities. In addition, we implement administrative, technical and physical safeguards in line with commercially applicable and industry standards to protect the confidentiality and security of your personal information and to prevent unauthorized access.
• We have implemented appropriate, reasonable measures designed to protect the security of any personal information that we process，including：
  • In certain services(for example, services involving the collection of your personal photos and other sensitive information), we will use encryption technology (SSL) to protect your information, and isolate it using isolation technology;
  • We will employ multiple data anonymization techniques to enhance the security of information during use;
  • We will implement strict data access permission controls and multi-factor authentication technologies to protect information and prevent unauthorized use;
  • We will establish data classification and grading systems, data security management standards, and data security development standards to regulate the storage and use of information;
  • We will enforce comprehensive security controls through confidentiality agreements with information handlers and mechanisms about monitoring & audit;
  • We will organize security and privacy protection training programs to enhance employees' awareness of the importance of protecting personal information.
• However, despite our security measures and efforts to protect your information, any electronic transmission or information storage technology through the Internet cannot guarantee 100% security. We cannot promise or guarantee that no hackers, cyber criminals or other unauthorized third party destroy our security measures, nor can we promise that no third party improperly collect, access, steal or modify your information. Although we will do our best to protect your personal information, the risk of transferring your personal information to or from our services is at your own expense. You should access the service only in a secure environment. If you have any reason to believe that your interaction with us is no longer safe, please notify us by email immediately.

8. Data Retention

• In short: We will retain your information if necessary to achieve the purpose outlined in this Privacy Policy, unless otherwise required by law.
• We will retain your personal information only for the time required for the purposes specified in this Privacy Policy, unless legally required or permitted for longer retention periods (e. g., tax, accounting or other legal requirements).
• Anonymous, aggregated, and other data uncertain of your personal identity, such as your activity data, may be retained indefinitely and shared in any way with third parties.
• When we have no ongoing legal business to process your personal information, we will delete or anonymize such information, or if this is impossible (for example, because your personal information is stored in a backup file), we will securely store your personal information and isolate it from any further processing until it can be deleted.

9. Your Privacy Rights

We believe in giving you control over your information. For users from certain jurisdictions (e.g., EU/EEA, UK, California), additional rights or requirements may apply in accordance with local privacy laws.This section outlines your rights and the choices you have regarding your personal information. You can exercise these rights yourself through the app and your device, or by contacting us directly. Note that some of these rights may not be absolute. For example, if this means that we will no longer be able to fulfill our contractual obligations to you, or if this will prevent us from fulfilling our legal obligations, we may reject the request.

A. Rights You Can Exercise Yourself

You can access and manage much of your information directly through your account and device settings:

• Access and Update Your Account Information: You can review and change your account information, such as your avatar, username, and password, at any time through your account settings.
• Manage Device Permissions: You have control over the data you share with us through your device's permissions system. You can enable or disable our access to your Camera, Photo and Media Library, Clipboard, Location, Microphone, Contacts, Files, Audio Files，Bluetooth, and External/SD Card Storage at any time through your mobile device's settings menu. Please note that disabling certain permissions may affect the functionality of some features within the app.
• Delete Your Account:You can permanently delete your account and associated personal information via the “Delete Account” option in account settings.
• Manage Cookies: You can manage or disable cookies and similar tracking technologies through your web browser or device settings.
• Opt-Out of personalized Advertising: Navigate to the advertising settings within the app to manage your preferences. You will still see ads, but they will be contextual (based on what you're currently viewing) rather than based on your personal interests and activity.
• Opt-out of Marketing Notifications:You can disable promotional emails or push notifications in the app settings or through unsubscribe links.
• Manage Third-Party Logins:You can manage the information we receive from third-party services like Google or Facebook by reviewing and adjusting your privacy settings on those platforms. You can also disconnect your third-party account from our Service through your account settings.

B. Rights You Can Exercise by Contacting Us

To exercise the rights below, or if you have any questions about them or you have special request, please contact us via email at [DPO or contact email address]. For your protection, we may need to verify your identity before fulfilling your request.

• Right to Access and Data Portability:You have the right to request a copy of the personal information we hold about you. You may also have the right to receive this information in a structured, commonly used, and machine-readable format to transmit to another service.
• Right to Deletion:You can request the deletion of your account and personal information. Upon receiving and verifying your request, we will delete your data, subject to certain exceptions. For instance, we may be required to retain some information to comply with legal obligations, resolve disputes, or for security and fraud prevention purposes.
• Right to Correct Inaccurate Information:If you believe that any personal information we hold about you is incorrect or incomplete, you have the right to request that we correct it.

C. Region-Specific Rights

Depending on where you reside, you may have additional rights under local law. To exercise the rights below, or if you have any questions about them or you have special request, please contact us via email at picutapp@163.com.

• For Residents of California and Virginia of the USA (under CCPA/CPRA and VCDPA):In addition to the rights above, residents of California and Virginia have the following rights:
  • Right to Know:You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources from which we collected it, the purposes for collecting it, and the categories of third parties with whom we have shared it.
  • Right to Opt-Out of "Sale" or "Sharing": You have the right to direct us not to “sell” or “share” your personal information as defined by California law.
  • Right to Limit Use of Sensitive Personal Information:You have the right to request that we limit the use and disclosure of your sensitive personal information. As stated in our policy, we do not use sensitive information like race or religion for personalized advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights, including by denying you services, charging you different prices, or providing you a different level or quality of service.
  • Right to Lodge a Complaint:You have the right to lodge a complaint with a supervisory data protection authority about our collection and use of your personal information.
  • Right to Object (under VCDPA):You have the right to object to our processing of your personal information when it is based on our legitimate interests.
• For Residents of the European Economic Area (EEA), United Kingdom, and Switzerland (under GDPR/GDPR(UK)/FADP)
• If you are a resident of the EEA, UK, or Switzerland, you have the following data protection rights:
  • Right to Object:You have the right to object to our processing of your personal information when it is based on our legitimate interests. You also have an absolute right to object to your data being processed for direct marketing purposes.
  • Right to Restrict Processing:You can ask us to suspend the processing of your personal information in certain circumstances.
  • Right to Withdraw Consent:Where we have collected and processed your information with your consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal.
  • Right to Object Automated Decision-Making:You have the right to object automated decisions and profiling that significantly affect you, or ask for human review for such decisions.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory data protection authority about our collection and use of your personal information.
• For Residents of Brazil (under LGPD)
• If you are a resident of Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD):
  • Confirmation of Processing: You have the right to confirm the existence of processing of your data.
  • Anonymization, Blocking, or Deletion: You have the right to request the anonymization, blocking, or deletion of unnecessary or excessive data or data processed in noncompliance with the LGPD.
  • Information on Data Sharing: You have the right to request information about the public and private entities with which we have shared your data.
  • Information on Consent:You have the right to be informed about the possibility of denying consent and the consequences of such denial.
  • Revocation of Consent:You have the right to revoke your consent at any time.
  • Review Automated Decision-Making: You have the right to request information about automated decisions and profiling that significantly affect you, and ask for human review.
  • Lodge a Complaint:You have the right to lodge a complaint with a supervisory data protection authority about our collection and use of your personal information.

10. Social Media and Third Party Services

We may offer a blog with ‘comments’ section and various social media features, such as a ‘share’ button or links to third party websites and services, including Twitter, LinkedIn, Google and Facebook. When using any such features, certain information may be collected by such third parties, and such third parties may set a cookie to enable the feature to function properly. Any data collected by such third parties is governed by such third party’s privacy policy. You are encouraged to carefully review such third party privacy policies before using such features.

11. Children's Privacy

Our Service is not directed to children, and we do not knowingly process personal information from them. If we learn that we have collected personal information online from a child or an adolescent under age threshold of parent consent required by local laws(normally, the age threshold is 13, but it may vary in certain countries or regions), we will promptly delete that information. If you believe that we processed Personal Information about or collected from a child without parent consent, please contact us by sending email to picutapp@163.com.

12. Changes to This Privacy Policy

Our Privacy Policy may be amended or updated.

• Without your explicit consent, we will not reduce the rights you are entitled to under this Privacy Policy. We will post any changes to this Privacy Policy on this page.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

For privacy-specific requests and to contact our Data Protection Officer (DPO): picutapp@163.com