
Privacy & GDPR

Last updated: 4 April 2026

This notice describes how HeroMeAI ("we", "us", "our") processes personal data when you use our mobile application, related websites (including this site), and associated services (together, the "Service"). It is designed to meet the transparency requirements of the EU and UK General Data Protection Regulation ("GDPR") and to give useful information to users elsewhere. It is not legal advice; have it reviewed for your entity, processors, and jurisdictions before launch.

For contractual terms, see our Terms & conditions.

1. Data controller

The data controller for the HeroMeAI service is Devnative S.R.L., a Romanian company, VAT identification number RO37358122. Correspondence and identification details (including registered office where we publish them) are available on our Contact page. The same entity appears as the publisher of HeroMeAI in the Apple App Store and Google Play, where applicable.

2. What personal data we process

Depending on how you use the Service, we may process:

  • Account and identity data: when you sign in with Apple or Google, we receive identifiers and profile details those providers share with us (for example a stable user ID, email address if you choose to share it, and display name), as described in their privacy notices.
  • Photos and visual content: portrait images you upload from your library for generation, and the AI-generated images stored in your in-app gallery.
  • Preferences: interests or hobbies you select (up to five) and the country you choose to personalise hero-style images.
  • Usage and device data: app interactions, feature use, crash diagnostics, performance data, approximate location derived from IP where collected, device type, operating system version, language, and similar technical data needed to run and secure the Service.
  • Communications: content of messages you send us (for example support requests).

We do not require you to provide special categories of data under GDPR Article 9 (such as health data). Please do not upload photos or text that reveal such information unless we explicitly ask for it and provide a separate legal basis.

3. Why we use your data and legal bases (GDPR)

We process personal data for the following purposes and, where GDPR applies, on these bases:

  • Providing the Service (Art. 6(1)(b) GDPR — performance of a contract): account creation and authentication; storing and displaying your gallery; generating and delivering personalised hero-style images from your photo, interests, and country selection; enabling full-screen viewing and sharing flows supported by the app.
  • Security and abuse prevention (Art. 6(1)(f) GDPR — legitimate interests): detecting fraud, enforcing rate limits, investigating violations of our terms, and protecting users and infrastructure. We balance these interests against your rights.
  • Improving the Service (Art. 6(1)(f) GDPR — legitimate interests, or (a) consent where required): analytics, product development, and quality assurance, including understanding how features are used. Where cookies or similar technologies on the website require consent under the ePrivacy rules, we will ask before non-essential use.
  • Legal compliance (Art. 6(1)(c) GDPR): meeting tax, accounting, or regulatory obligations, and responding to lawful requests from public authorities.
  • Marketing (Art. 6(1)(a) or (f) GDPR): we will only send promotional communications where permitted by law, with opt-in where required.

AI processing. Generating images involves automated processing, including profiling in the broad sense of using your interests and country to personalise output. This is core to the product you request. You can stop such processing by discontinuing use or deleting relevant content or your account, subject to retention below.

4. Sign in with Apple and Google

Authentication is handled by Apple and/or Google. We receive only the data they transmit to our app according to your choices and their policies. We encourage you to review Apple's and Google's privacy notices. We do not receive your third-party account password.

5. Recipients and subprocessors

We use trusted service providers to host the Service, run infrastructure, process payments if applicable, perform analytics, provide customer support tools, and run AI inference and related workloads. They process data only on our instructions and under contractual terms required by GDPR (Article 28) where applicable. Maintain an up-to-date list of subprocessors (names, roles, and locations) and link it here or in the app so users can see who supports your processing.

We may disclose data if required by law, to protect rights and safety, or in connection with a merger or asset sale subject to appropriate safeguards.

6. International transfers

If personal data is transferred outside the European Economic Area or United Kingdom, we implement appropriate safeguards such as the EU Commission Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, or adequacy decisions, and we assess supplementary measures where needed. Document the countries and mechanisms that apply to your stack in this section or an annex when finalised.

7. Retention

We keep personal data only as long as necessary for the purposes above. Indicative periods (adjust to match your real practice):

  • Account data: for the life of the account and a short period afterwards unless law requires longer retention.
  • Uploaded photos and generated images: until you delete them or delete your account, unless we must retain copies for legal claims or compliance, or securely retain backups for a limited technical window.
  • Logs and security records: typically a limited number of months unless a longer period is needed for investigations.

When data is no longer needed, we delete or anonymise it in line with our internal schedules.

8. Security

We implement technical and organisational measures appropriate to the risk, such as encryption in transit, access controls, and vendor due diligence. No method of transmission or storage is completely secure; we encourage you to use device security features and strong account protection with Apple and Google.

9. Children

The Service is not directed at children below the age at which they may lawfully consent to data processing in their country (often 13, 14, or 16 depending on jurisdiction). We do not knowingly collect personal data from children below that threshold. If you believe we have done so, contact us and we will take steps to delete the information.

10. Your rights (EEA, UK, and similar laws)

Where GDPR or comparable laws apply, you may have the right to:

  • access a copy of your personal data;
  • rectify inaccurate data;
  • erase data ("right to be forgotten") in certain circumstances;
  • restrict processing in certain circumstances;
  • object to processing based on legitimate interests, including profiling;
  • data portability for data you provided and that we process by automated means under contract or consent;
  • withdraw consent at any time, where processing is based on consent, without affecting earlier lawful processing;
  • lodge a complaint with a supervisory authority in your country.

To exercise these rights, contact us using the details below. You may also be able to delete some content or your account directly in the app.

11. Automated decision-making

Image generation is automated, but we do not use it to make solely automated decisions that produce legal or similarly significant effects on you within the meaning of GDPR Article 22. If that changes, we will update this notice and explain any rights you have.

12. Other regions

California (CCPA/CPRA): Residents may have rights to know, delete, and correct personal information, and to opt out of certain sharing. We do not "sell" personal information as defined in California law in the traditional sense; adjust this sentence if your practices change.

If you need region-specific addenda (Brazil LGPD, Switzerland, etc.), add them here after legal review.

13. Changes to this notice

We will update this page when our practices change and revise the "Last updated" date. For material changes we will provide additional notice where required (for example in-app or by email).

14. Contact and supervisory authority

For privacy questions and requests: [email protected]. You may also use our contact page.

You have the right to lodge a complaint with a data protection authority in the EEA or UK, in particular in the member state of your habitual residence, place of work, or the alleged infringement. In Romania, the supervisory authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP / Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal); see dataprotection.ro.