SpritePals

Privacy Policy

Version: 1.3
Last updated: 12 February 2026

1. Who we are

SpritePals is an iOS app by Ivo van der Zee ("we"). We are the data controller for the personal data we process in the app, which means we decide why and how that data is processed. Third parties like Apple, Cloudflare, and OpenAI process data under their own policies for their services.

2. What data we process

  • Photos you pick or capture (and the generated sprite images).
    • Before upload, we run an on-device animal check; those results are not uploaded.
    • To support retries / restoring an in-progress flow, the app may temporarily store the selected source photo on your device (in the app's cache) and removes it when the flow completes or is cleared.
    • You should only upload photos you have the right to use and avoid sensitive or unlawful content.
  • Generated sprite images: we use these to provide app features such as displaying your SpritePal, animations, and optional widgets / Live Activities (if enabled).
  • App data and sync data (your characters, token balance, Pro bonus entitlement status, optional associated StoreKit transaction identifier, and timestamps) stored on your device. When iCloud is enabled in your device settings, your characters and token balance metadata are stored in iCloud via CloudKit. Settings are not synced.
  • Device identifier: a random device ID generated on first launch, used for support, security (App Attest), and consent logging.
  • App Attest / security data: cryptographic assertions and related identifiers used to help protect the service against abuse.
  • Consent logs: the policy version, consent status, app version, and timestamp. We store a local record on your device and queue an authenticated server record for compliance logging (with automatic retry if delivery fails).
  • Network/technical data processed by providers: IP address and request metadata (e.g., for security and reliability).
  • Diagnostics (optional): Apple may provide us with aggregated crash and diagnostic information (such as crash reports and basic device/OS details) through App Store Connect, depending on your iOS settings (e.g., "Share with App Developers"). We do not run a separate third-party crash reporting SDK in the app.

3. Legal basis and purpose

  • Performance of the contract: to provide the app features, manage your SpritePals, and sync data.
  • Consent: to upload a photo to OpenAI for sprite generation.
  • Legal obligation: to keep a record of your consent.
  • Legitimate interests: to keep the app secure and troubleshoot issues.

4. Sharing with third parties

  • Cloudflare, Inc. (United States) runs our Worker proxy and relays requests to OpenAI. Our proxy is designed to process the image in transit and not intentionally store it, but Cloudflare may process and log limited technical data (e.g., IP address, timestamps) to operate and secure the service.
  • OpenAI, LLC (United States) receives the photo over TLS to generate your sprite; OpenAI may retain data for safety/abuse monitoring under their policies. See https://openai.com/policies/privacy-policy.
  • Apple Inc. provides iCloud CloudKit for sync and StoreKit for purchases; see https://www.apple.com/legal/privacy.

5. International transfers

Some providers are based outside the EEA (notably the United States). Where applicable, we rely on appropriate safeguards offered by our providers, such as Standard Contractual Clauses, to protect your data.

6. Retention

  • Photos: the app may store a temporary cached copy of the selected source photo on your device during an in-progress generation flow (to support retries / restore). This cache is best-effort and is cleared when the flow completes or is cleared. We do not store your photos on our own servers; they are forwarded to OpenAI via our proxy for generation. We cannot delete a photo after it has been sent to OpenAI, but you can contact us and we will submit a request to OpenAI where possible.
  • App data, purchase metadata, and sprites: stored on your device and in iCloud until you delete them in the app or from iCloud.
  • Consent logs: kept locally until you remove the app and stored on our server as long as needed to meet legal obligations.
  • Diagnostics (optional): retained according to Apple's crash reporting retention, where applicable.

7. Your rights

You can request access, correction, deletion, restriction, objection, and data portability for data we control. Most data is stored on your device and in iCloud; you can delete it in the app or via iCloud settings. For our server-side consent logs, email support@spritepals.app and include your Device ID (shown in the settings of the app); we may ask for additional information to verify your request. For data controlled by Apple, Cloudflare, or OpenAI under their own policies, you may also contact them directly. We can help forward requests where applicable, but we cannot guarantee outcomes for data we do not control. You have the right to lodge a complaint with your local supervisory authority.

8. Children

SpritePals is not directed at children. If you are under the minimum age required in your country, please ask a parent or guardian before using the app.

9. Contact

Questions about privacy or your rights? Email support@spritepals.app.

We update this statement whenever features or processors change by updating the Version and Last updated fields above. For significant updates we will ask for your consent again.