Noir AI
Privacy Policy
How Noir AI collects, uses, and protects your personal information.
NOIR — Privacy Policy
Effective Date: April 3, 2026 Last Updated: April 8, 2026
1. Introduction
This Privacy Policy explains how Vebilisim Teknoloji A.S. ("Company," "we," "us," or "our"), operating under the brand NOIR, collects, uses, stores, shares, and protects your personal data when you use the NOIR mobile application ("App") available on Apple App Store and Google Play Store.
NOIR is an AI-powered lifestyle photo generator. Due to the nature of our service, we process facial photographs, which may constitute biometric data and special category personal data under applicable laws.
We are committed to protecting your privacy in compliance with:
- KVKK — Turkish Personal Data Protection Law (Law No. 6698)
- GDPR — EU General Data Protection Regulation (Regulation 2016/679)
- COPPA — U.S. Children's Online Privacy Protection Act
- CCPA/CPRA — California Consumer Privacy Act / California Privacy Rights Act
- EU AI Act — Regulation (EU) 2024/1689
By creating an account or using NOIR, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the App.
Data Controller: Vebilisim Teknoloji A.S. Republic of Turkey
Istanbul Office: Maslak Mahallesi, Dereboyu Cad. Meydan Sok. No:1 Beybi Giz Plaza D:33, Sarıyer/Istanbul Izmir Office: Adalet Mah. Manas Bulvarı No:47/2, Folkart Towers A Kule, Kat:25, D:2503, Bayraklı/Izmir
Phone: 0 850 888 70 35 Email: info@prismindmedia.com
2. Definitions
| Term | Definition |
|---|---|
| Personal Data (Kişisel Veri) | Any information relating to an identified or identifiable natural person. |
| Special Category Data (Özel Nitelikli Kişisel Veri) | Personal data including biometric data and other categories defined under KVKK Article 6 and GDPR Article 9. |
| Biometric Data | Facial photographs used for AI-based image generation. |
| Processing (İşleme) | Any operation performed on personal data, including collection, storage, use, transfer, and deletion. |
| Data Controller (Veri Sorumlusu) | Vebilisim Teknoloji A.S., the entity that determines the purposes and means of processing personal data. |
| Data Processor (Veri İşleyen) | A third party that processes personal data on behalf of the Data Controller. |
| Data Subject (İlgili Kişi) | The individual whose personal data is processed. |
3. Eligibility and Age Restrictions
NOIR is intended for users aged 13 and older.
- Users under 13 are prohibited from creating an account or using the App. We do not knowingly collect personal data from children under 13. If we discover that data has been collected from a child under 13, we will promptly delete the account and all associated data.
- Users aged 13–16 in the European Economic Area (EEA): Parental or guardian consent is required for processing personal data, in accordance with GDPR Article 8.
- Users under 18 in Turkey: Processing of special category data (biometric/facial) requires explicit consent from a legal guardian under Turkish law.
- COPPA Compliance (Updated April 2026): In accordance with the Federal Trade Commission's updated COPPA rules effective April 22, 2026, biometric data is included in the definition of "personal information." We do not target or knowingly collect data from children under 13.
4. Data We Collect
4.1 Account Data
When you create an account, we receive and store a unique user identifier and, optionally, your gender selection for template personalization. We also record account creation and last login timestamps.
4.2 Facial / Biometric Data
IMPORTANT — BIOMETRIC DATA NOTICE
NOIR collects and processes your facial photograph ("selfie") as biometric data. This constitutes Special Category Personal Data under KVKK (Law No. 6698, Article 6) and Special Category Data under GDPR (Article 9).
How your facial data is processed:
-
On-device face detection and analysis: When you use the camera to capture a selfie, face detection technology runs entirely on your device. This analysis extracts real-time facial metrics — including face position, head orientation, and eye-open state — solely to guide you toward a well-framed, high-quality photograph. These facial detection metrics are processed exclusively in your device's volatile memory and are immediately discarded once the capture is complete. They are never stored on your device, never written to disk, and never transmitted to any server or third party.
-
Selfie photograph upload and storage: Once your selfie passes on-device validation, the photograph itself (not the detection metrics) is securely uploaded to our cloud infrastructure and stored as part of your account. We store your selfie for the duration of your account so that you can generate multiple AI images over time without re-uploading a new photograph for each request. This eliminates the need for repeated biometric data collection and provides a seamless user experience.
-
AI image generation (third-party processing): Each time you request an AI-generated image, a secure reference to your stored selfie is transmitted to our AI image generation service provider along with your selected template or prompt. The provider uses your selfie solely to produce the requested image. See Section 6.1 for details on third-party data handling and retention.
Legal basis for processing:
| Jurisdiction | Legal Basis |
|---|---|
| KVKK (Turkey) | Explicit consent (açık rıza), obtained at the point of selfie capture (Article 6(2) of Law No. 6698). |
| GDPR (EU/EEA) | Explicit consent per Article 9(2)(a). |
| General | Necessary for the performance of the service you have requested. |
Your right to refuse: You may choose not to provide a selfie; however, the AI photo generation features will not be available without it. You may withdraw consent at any time by deleting your selfie or your account through Settings > Account Settings > Delete Account.
4.3 AI-Generated Content
- Images generated using your selfie and selected templates or custom prompts.
- Associated metadata such as generation status, timestamps, and processing duration.
Default sharing: Generated images are not shared publicly by default. You may choose to share them to the public Explore feed.
4.4 Community / Explore Feed Data
When you share content to the Explore feed, your generated image, display name, and profile photo become publicly visible to other users. We also collect likes and content reports for moderation purposes.
4.5 Device Data
We collect certain device information for abuse prevention and service integrity purposes, including:
- A persistent device identifier stored in your device's secure storage. This identifier survives app uninstallation.
- A hashed device fingerprint generated from general device attributes (model, operating system, etc.). We store only the hash, not the original values.
- Basic device metadata: device model, operating system version, and timezone.
4.6 Subscription and Payment Data
We use a third-party subscription management service to track your subscription status, purchase history, and trial eligibility. We do not receive or store your payment card details. All payment processing is handled by Apple App Store or Google Play Store.
4.7 Analytics and Diagnostics
We use analytics and crash reporting tools to collect aggregated app usage data and error reports. This data is used to improve the App experience and fix technical issues.
4.8 Push Notification Data
We collect a notification token and your platform identifier (iOS/Android) to deliver push notifications. You can disable push notifications at any time through your device's system settings.
4.9 Referral Program Data
We store your unique referral code, referral status, and the number of successful referrals. We do not share your personal data with referred users beyond displaying the referral code.
4.10 Local Storage
Certain preferences and flags (e.g., language selection, onboarding status, notification preferences) are stored locally on your device and are not transmitted to our servers unless otherwise stated in this policy.
5. How We Use Your Data
| Purpose | Data Used | GDPR Legal Basis | KVKK Legal Basis |
|---|---|---|---|
| Provide AI image generation | Selfie, prompts, templates | Explicit consent (Art. 9(2)(a)) for biometric data; Contract performance (Art. 6(1)(b)) for service delivery | Explicit consent (Art. 6(2)) for special category data |
| Account management | User identifier, account data | Contract performance (Art. 6(1)(b)) | Necessary for contract performance |
| Community Explore feed | Generated images, profile info | Consent (Art. 6(1)(a)) | Consent |
| Subscription management | Purchase data, user identifier | Contract performance (Art. 6(1)(b)) | Necessary for contract performance |
| Abuse prevention | Device identifier, fingerprint | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| Analytics and improvement | Aggregated usage data | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| Push notifications | Notification token | Consent (Art. 6(1)(a)) | Consent |
| Content moderation | Prompts, reported content | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| Legal compliance | All data as required | Legal obligation (Art. 6(1)(c)) | Legal obligation |
6. Third-Party Service Providers
We work with trusted third-party service providers who process data on our behalf to deliver and improve the Service. These providers fall into the following categories:
- Cloud infrastructure providers — Secure data storage and backend processing
- AI service providers — Image generation and content moderation
- Subscription management providers — In-app purchase and subscription handling
- Authentication providers — Secure sign-in services
- Analytics and diagnostics providers — App performance and crash reporting
- Push notification providers — Notification delivery
We have entered into Data Processing Agreements (DPAs) with our processors where required under KVKK and GDPR. A detailed list of our current processors is available upon request by contacting info@prismindmedia.com.
We do not sell your personal data. We do not share your data with third-party advertisers. No advertising SDKs are integrated into the App.
6.1 Face Data: Third-Party Disclosures
Because your selfie constitutes biometric data, we provide the following specific disclosures regarding how it is shared with and handled by third-party service providers.
Which Third Parties Receive Your Selfie and Why
| Service Provider Category | Why They Receive Your Selfie | What They Receive |
|---|---|---|
| Cloud infrastructure provider | Secure storage of your selfie and backend orchestration of generation requests | Selfie photograph (stored for the duration of your account) |
| AI image generation service provider | Processing your selfie with selected templates to produce AI-generated portraits | Secure reference to your selfie (transmitted per generation request) |
Whether Third Parties Store Your Selfie
-
Cloud infrastructure provider: Stores your selfie as the primary storage location for the duration of your account. Upon account deletion, your selfie and all associated files are permanently deleted. This provider maintains industry-standard security certifications and processes data exclusively under our Data Processing Agreement (DPA).
-
AI image generation service provider: Receives a secure reference to your selfie to process each generation request. This provider does not permanently store your selfie. Per our contractual agreements, input data — including selfies — is used solely for the requested processing operation and is not retained after the generated image is delivered. This provider does not use your selfie to train AI models.
All service providers that process your selfie are bound by Data Processing Agreements (DPAs) that contractually require them to: (i) process your data only as instructed by us; (ii) implement appropriate technical and organizational security measures; and (iii) delete or return your data upon termination of the service relationship.
A detailed list of our current data processors and their privacy practices is available upon request at info@prismindmedia.com.
7. International Data Transfers
Your personal data may be transferred to and processed in countries outside of Turkey and the European Economic Area, including the United States.
Transfers from Turkey (KVKK Article 9)
We conduct cross-border transfers using Standard Contractual Clauses (SCC) published by the Turkish Personal Data Protection Board, or where applicable, based on your explicit consent after informing you of the potential risks.
Transfers from the EEA (GDPR Chapter V)
We rely on our processors' certifications under the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses (Decision 2021/914).
Data Locations Summary
| Data Type | Primary Location |
|---|---|
| Account data, generated images | European Union |
| Selfie (for AI processing) | EU (stored); US (during processing) |
| Analytics and diagnostics | United States |
| Subscription data | United States |
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account |
| Selfie / facial photograph | Duration of account (see Face Data Retention rationale below) |
| Generated images | Until individually deleted or account deletion |
| Explore feed shared images | Until unshared or account deletion |
| Device identifier (local) | Indefinite (survives app deletion) |
| Device fingerprint (server) | Duration of account |
| Analytics data | Up to 14 months |
| Crash reports | Up to 90 days |
| Subscription/purchase data | Minimum 5 years (tax/financial regulations) |
| Content moderation logs | Duration of account + 1 year |
Important: Certain device-level data (device identifier, trial flags) is stored locally on your device in encrypted storage and is not deleted when you delete your account. This data persists to prevent abuse of promotional offers and can only be removed by factory resetting your device.
Face Data Retention Rationale: Your selfie photograph is retained for the duration of your account because the core functionality of NOIR — AI-powered portrait generation — requires access to your facial photograph each time you generate an image. Storing your selfie once and reusing it for subsequent requests eliminates the need for repeated biometric data collection, thereby minimizing privacy impact while providing a seamless experience. We do not retain your selfie indefinitely; it is stored only while your account is active. You may delete your account at any time through Settings > Account Settings > Delete Account, which permanently removes all copies of your selfie from our systems. Facial detection metrics (face position, head orientation, eye-open state) generated during the on-device capture process are never stored and are immediately discarded — they exist only momentarily in device memory during the selfie validation step.
9. Your Rights
9.1 Rights Under KVKK (All Users)
In accordance with Article 11 of Law No. 6698, you have the right to:
- Learn whether your personal data is being processed
- Request information about data processing activities
- Learn the purpose of processing and whether it is used in accordance with its purpose
- Know the third parties to whom your data is transferred, domestically or abroad
- Request correction of incomplete or inaccurate data
- Request deletion or destruction of your data under Article 7
- Request that corrections or deletions be notified to third parties
- Object to any result arising exclusively from automated processing that is to your detriment
- Claim compensation for damages arising from unlawful processing
How to exercise your rights: Send an email to info@prismindmedia.com with the subject line "KVKK Data Request" or use the in-app account deletion feature (Settings > Account Settings > Delete Account).
Response time: Within 30 days of receiving your verified request.
Supervisory authority: Kişisel Verileri Koruma Kurumu (KVKK), kvkk.gov.tr
9.2 Rights Under GDPR (EEA Users)
If you are located in the European Economic Area, you have the following rights:
- Right of access (Article 15) — Obtain a copy of your personal data
- Right to rectification (Article 16) — Correct inaccurate data
- Right to erasure (Article 17) — Request deletion of your data
- Right to restriction (Article 18) — Restrict processing in certain circumstances
- Right to data portability (Article 20) — Receive your data in a structured, machine-readable format
- Right to object (Article 21) — Object to processing based on legitimate interests
- Right to withdraw consent (Article 7(3)) — Withdraw consent at any time without affecting the lawfulness of prior processing
How to exercise your rights: Email info@prismindmedia.com or use Settings > Account Settings > Delete Account for erasure requests.
Response time: Within one month, extendable by two additional months for complex requests.
Supervisory authority: You may lodge a complaint with your local data protection authority in the EEA.
9.3 Rights Under CCPA/CPRA (California Users)
- Right to know what personal information we collect and how it is used
- Right to delete your personal information
- Right to opt-out of sale — We do not sell your personal information
- Right to non-discrimination — We will not discriminate against you for exercising your rights
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit and at rest, secure authentication protocols, access controls, rate limiting, and secure management of service credentials.
While we take reasonable precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
11. Account Deletion
You may delete your account at any time through Settings > Account Settings > Delete Account in the App.
What is deleted:
- Your user profile and all account data
- All generated images and videos
- All transaction and purchase records
- Referral data and device records (server-side)
- All stored files including selfies and generated images
What is NOT deleted:
- Device-level data stored locally on your device (device identifier, trial flags)
- Images that other users may have saved or screenshotted from the Explore feed
- Anonymized or aggregated analytics data
- Data required for legal or financial record-keeping (up to 5 years for tax compliance)
Alternative method: Email info@prismindmedia.com with the subject "Account Deletion Request."
Processing time: In-app deletion is processed immediately. Email requests are processed within 30 days.
12. Content Moderation
We employ automated and manual content moderation measures to maintain a safe environment. Prompts containing prohibited content (e.g., explicit, violent, hateful, or illegal content) may be automatically rejected. Users can report inappropriate content in the Explore feed. Moderation logs are retained for safety and compliance purposes.
13. AI-Generated Content Transparency
In accordance with Article 50 of the EU AI Act (Regulation 2024/1689), effective August 2, 2026:
- All images generated by NOIR are produced using artificial intelligence technology.
- Generated images are marked as AI-generated in their metadata where technically feasible.
- Users are responsible for disclosing the AI-generated nature of images when required by applicable law.
14. Cookies and Tracking Technologies
- The NOIR mobile application does not use browser cookies.
- We use device identifiers for analytics and crash report correlation.
- No third-party advertising SDKs are integrated into the App.
- We do not participate in cross-app tracking or ad networks.
15. Automated Decision-Making
- Content moderation: Automated systems may reject prompts deemed inappropriate. Users may appeal by contacting info@prismindmedia.com.
- AI image generation: Involves automated processing of biometric data to produce images. This does not produce decisions with legal or similarly significant effects on you.
- Abuse detection: Automated systems may flag accounts for suspicious activity. Flagged accounts are reviewed before any action is taken.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through in-app notification and/or email. For material changes to biometric data processing, we will seek renewed consent as required by KVKK and GDPR.
Continued use of the App after the effective date of changes constitutes acceptance. Previous versions are available upon request.
17. Contact Information
Data Controller: Vebilisim Teknoloji A.S. Republic of Turkey
Istanbul Office: Maslak Mahallesi, Dereboyu Cad. Meydan Sok. No:1 Beybi Giz Plaza D:33, Sarıyer/Istanbul Izmir Office: Adalet Mah. Manas Bulvarı No:47/2, Folkart Towers A Kule, Kat:25, D:2503, Bayraklı/Izmir
Phone: 0 850 888 70 35 Email: info@prismindmedia.com
Turkish Supervisory Authority: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr
EU Supervisory Authority: Users in the EEA may lodge a complaint with their local data protection authority.
This Privacy Policy is provided in English. In the event of any conflict between translated versions and the English version, the English version shall prevail.