Privacy Policy
Last updated: May 21, 2026
Miroglu Bilişim Ltd. Şti. (caraistudio.com, “CAR AI STUDIO”, “we”, “us”) values your privacy. This Privacy Policy describes which personal data we collect through our mobile app and website, how we use it, who we share it with, and how you can exercise your rights. It reflects our obligations under the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Turkey's Personal Data Protection Law (KVKK No. 6698).
1. Data Controller
Miroglu Bilişim Ltd. Şti., registered at Zeytinlik Mah. Odabaşı Sok. No:23 Ahenk Apt. Daire 9-10, İstanbul, Türkiye (registration number: 6211192654). Send privacy-related requests to info@caraistudio.com.
2. Data We Collect
a) Account Data
At sign-up we store your email and a one-way bcrypt hash of your password. When you sign in with Google or Apple we store only the email, name, and unique subject ID the provider shares; we never see your password.
b) Uploaded Content
Car photos you upload for rendering, optional logo images, and generated outputs (images and videos) are stored on Cloudflare R2 linked to your account. We forward this content to our AI providers only at render time, via short-lived pre-signed URLs.
c) Usage & Device Data
For service quality and fraud prevention we process: IP address, device type and OS, app version, sign-in timestamps, render request counts, and error logs. If you opt into push notifications we store the device token.
d) Purchase Data
Credit packs are sold through Apple App Store and Google Play; we never see your card details. Apple/Google sends us only an anonymized transaction ID, product ID, price, and verification signature; we credit your account on the strength of that proof.
3. Why We Process Data (Legal Basis)
- Performance of contract: account creation, rendering, credit management, purchase verification.
- Legitimate interest: fraud prevention, abuse detection (rate-limiting), service-quality improvements.
- Explicit consent: marketing push or email (opt-in only; toggle in settings).
- Legal obligation: financial recordkeeping (tax law), lawful disclosure to authorities.
4. Who We Share Data With
We use the following sub-processors to deliver the service:
- OpenAI — generation prompts + your uploaded images (openai.com/policies/privacy-policy).
- Google (Gemini Veo) — video generation (policies.google.com/privacy).
- Replicate — background removal (replicate.com/privacy).
- Cloudflare R2 — storage for uploads and rendered outputs.
- Apple App Store & Google Play — purchase verification.
- Sentry — crash and error reporting (PII fields auto-masked).
- Resend — transactional email (verification, password reset).
These providers process data only on our behalf under written agreements. Your data is never sold to data brokers or advertising networks.
5. Retention
- Account data: while the account is active; at most 30 days after a deletion request.
- Uploaded media and renders: until you request deletion or delete the account; 30-day grace before R2 wipe.
- Financial records (purchases): 10 years (tax law).
- Error logs (Sentry): 90 days, then auto-purged.
6. International Transfers
Some providers run servers outside the EU/UK/Turkey (e.g. United States). Such transfers rely on EU Standard Contractual Clauses or equivalent safeguards.
7. Children
CAR AI STUDIO is not directed at children under 13. If you believe we have processed a child's data, contact info@caraistudio.com.
8. Your Rights
Under GDPR Articles 15-22, CCPA §1798.100, and KVKK Article 11 you have the right to:
- Know whether and how we process your data, and request access
- Request correction of inaccurate data
- Request deletion (“right to be forgotten”)
- Restrict or object to processing
- Export your data in a portable format
- Withdraw consent at any time
Send written requests to info@caraistudio.com; we respond within 30 days. For self-service deletion see the account deletion page.
9. Security
Passwords are hashed with bcrypt, all traffic is encrypted in transit with TLS 1.2+, JWTs are signed with at least a 256-bit secret. Refresh tokens are stored in iOS Keychain / Android EncryptedSharedPreferences on your device.
10. Cookies
Our website does not use marketing or analytics cookies. The only “cookie-like” data is the session token stored in your browser's local storage when you are signed in.
11. Changes
We may update this policy from time to time. Material changes will be announced in-app or by email at least 14 days in advance.
12. Contact
Email: info@caraistudio.com
Post: Miroglu Bilişim Ltd. Şti., Zeytinlik Mah. Odabaşı Sok. No:23 Ahenk Apt. Daire 9-10, İstanbul, Türkiye