Privacy Policy

Effective date: 2026-05-18
Last updated: 2026-05-18

Boketto Studio LLC, an Illinois limited liability company ("Boketto," "we," "us"), publishes the Boketto iOS app (the "App"). This Privacy Policy explains what information the App accesses, what we collect, how we use it, and the choices you have. If you do not agree with this Policy, please do not use the App.

We designed Boketto so that the things people are most sensitive about — their photos — stay on their device. The sections below describe exactly what does and does not happen.

1. Summary

Your photos never leave your device. Boketto reads your Photos library locally to analyze color and quality, but image bytes are not uploaded, transmitted, backed up to our servers, or shared with any third party.
No account, no sign-in. The App is anonymous. We do not create a user account for you and have no name, email, or password to associate with you.
Analytics are off until you say yes. We do not initialize our analytics provider until you explicitly grant consent during onboarding. You can change your mind anytime in Settings.
Subscriptions are processed by Apple. Boketto uses Apple's In-App Purchase system and RevenueCat to manage subscription state. Apple — not Boketto — receives your payment information.
No targeted advertising. We do not sell or share personal information for advertising, and we do not allow third parties to use your information for cross-context behavioral advertising.

2. Information we access on your device (and do not transmit)

When you grant Photos access during onboarding, the App reads your Photos library to compute, on your device:

A small color palette per photo (5 representative colors).
A perceptual hash (a 64-bit "fingerprint" used to deduplicate near-identical shots).
Quality scores derived from local image analysis (blur and brightness).
The local Photos asset identifier (an opaque, on-device-only ID assigned by iOS).

These values are stored in a private SQLite database inside the App's sandbox on your device (Application Support/aesthetic_picker.sqlite). The underlying image data is never uploaded to Boketto or to any third party as part of the App's normal operation.

The App requests read access to Photos (NSPhotoLibraryUsageDescription) and, only if you ask the App to save a result, write access (NSPhotoLibraryAddUsageDescription). Boketto never modifies, deletes, or rearranges photos in your library.

iCloud-resident photos that are not downloaded to the device are skipped.

3. Information we collect

The categories of information we — or service providers acting on our behalf — actually collect are limited to the following:

a. Product analytics (consent-gated)

If, and only if, you grant analytics consent on the onboarding analytics screen (or later toggle "Help improve Boketto" on in Settings → About), the App initializes our analytics provider (PostHog) and sends product-usage events. Examples of events include:

App lifecycle events (cold start, foreground / background).
Screen views and onboarding step progressions.
Permission outcomes (granted / denied).
Feature usage events such as palette selections, ranking runs, swipes, and result interactions.
Approximate timing of ingestion and ranking operations.
A randomly generated anonymous installation identifier (no Apple ID, IDFA, email, phone number, or real-world identity).
App version, iOS version, device model class, and locale.

Until you grant consent, events are buffered locally in memory and dropped if you decline. We do not initialize the analytics SDK and do not transmit any data to PostHog before consent.

We do not send raw image data, image thumbnails, file names, the contents of your Photos library, or anything that could be used to reconstruct your photos. Aggregate or numeric signals about a ranking run (for example, query palette colors, the size of the candidate pool, or asset identifiers used to track de-duplication within a session) may be included in events. These are useful for product debugging and do not contain photographic content.

b. Subscription information

The App offers an in-app subscription ("Boketto Pro"). When you purchase, restore, or manage a subscription:

Apple processes the transaction through your App Store account. We never see your payment card or full Apple ID.
RevenueCat, our subscription-management provider, receives the App Store receipt and a randomly generated anonymous user identifier so it can determine whether you have an active entitlement and surface the right state in the App (and in RevenueCat's Customer Center).
Apple sends Boketto aggregated, anonymized sales and subscriber data through App Store Connect.

c. Crash and diagnostic data

If you have analytics consent enabled, our crash-reporting provider (Sentry) may receive technical diagnostic information when the App crashes or hits an unexpected error: the stack trace, App and OS version, device model, and a random installation identifier. Stack traces do not include the contents of your Photos library.

d. Feedback you choose to send

If you tap "Give feedback" in Settings, the App opens our public feedback board (UserJot) in an in-app browser. Anything you choose to post there is processed by UserJot under its own terms and is, by design, publicly visible.

If you tap "Leave a review," the App opens the App Store. Any review you write is processed by Apple under its terms.

We do not see contact information for you unless you choose to email [email protected], in which case we receive the email address you sent from and the contents of your message.

e. Server-side processing (not in this version)

A future version of the App may briefly transmit image embeddings (numeric vectors derived from your photos) to a server we operate for the purpose of computing search results, and discard them immediately after computing the result. This is not active in the current version. When and if this capability ships, this Policy will be updated and you will be informed in-app before the feature is enabled.

4. How we use information

We use the limited information described in Section 3 to:

Operate, maintain, and debug the App.
Understand which features are used and where users encounter problems, so we can prioritize fixes and improvements.
Manage your subscription entitlement and provide support if you ask for it.
Detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms.
Comply with legal obligations and enforce our agreements.

We do not use any of this information to build advertising profiles, sell to data brokers, train third-party machine-learning models, or target ads.

5. How we share information

We share information only as described here:

Service providers we direct. PostHog (product analytics), RevenueCat (subscription management), and Sentry (crash reporting) process the information described above on our behalf, under contractual confidentiality and data-protection obligations. They are not permitted to use it for their own purposes.
Apple. Apple processes purchases, payments, and refunds. Apple's privacy policy governs that activity (https://www.apple.com/legal/privacy/).
Legal and safety. We may disclose information if required by law, valid legal process, or to protect the rights, property, or safety of Boketto, our users, or others.
Business transfers. If Boketto is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. Any successor will be bound by this Policy or a successor policy at least as protective.

We do not sell personal information for money, and we do not "share" personal information for cross-context behavioral advertising as those terms are used under U.S. state privacy laws.

6. Data retention

On-device data (your local index of photos, palettes, hashes, swipes, queries) lives only on your device and is deleted when you uninstall the App.
Analytics events sent to PostHog are retained per PostHog's standard retention; we do not retain raw event data ourselves.
Subscription records held by Apple and RevenueCat are retained as long as required for billing, accounting, and tax purposes.
Crash reports are retained for a rolling diagnostic window (typically 90 days).

7. Your choices

Photos access. You can revoke Photos access at any time in iOS Settings → Boketto → Photos. Without Photos access, the App's core functionality will not work, and an in-app banner will tell you so.
Analytics. Toggle analytics on or off anytime in Settings → About → "Help improve Boketto." Turning the toggle off stops further events from being sent.
Subscription. Manage, cancel, or restore your subscription from Settings → "Manage subscription" (which opens RevenueCat's Customer Center) or from your Apple ID's subscription page in the App Store.
Uninstall. Uninstalling the App deletes the on-device index and removes the local Photos permission.

Rights under U.S. state privacy laws (CCPA / CPRA and similar)

If you are a resident of California or another U.S. state with a comprehensive consumer privacy law, you may have the right to:

Know what personal information we have collected about you.
Request deletion of personal information we hold.
Request correction of inaccurate personal information.
Opt out of the "sale" or "sharing" of personal information (we do neither).
Limit the use of sensitive personal information (we do not use sensitive categories).
Not be discriminated against for exercising any of these rights.

To exercise a right, email [email protected]. Because the App is anonymous, we may have no information that is reasonably linkable to you; in that case we will let you know and, where appropriate, direct you to your device-side controls.

Rights under EU/UK GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights of access, rectification, erasure, restriction, portability, and objection in respect of your personal data, and a right to lodge a complaint with your local supervisory authority. The legal basis for our processing is your consent (for analytics) and our legitimate interests in operating, securing, and improving the App (for crash reporting and subscription management). Contact [email protected] to exercise any of these rights.

8. International transfers

Boketto Studio LLC is based in the United States. Our service providers (PostHog, RevenueCat, Sentry, Apple) may process information in the United States and in other countries. Where applicable, we rely on Standard Contractual Clauses or equivalent mechanisms for cross-border transfers.

9. Security

We use commercially reasonable administrative, technical, and organizational measures to protect information. Most user data simply never leaves your device, which is the strongest protection available. No method of electronic transmission or storage is 100% secure, however, and we cannot guarantee absolute security.

10. Children's privacy

The App is not directed to children under 13, and we do not knowingly collect personal information from children under 13 (or under 16 in the European Economic Area). If you believe a child has provided us with personal information, please contact us and we will delete it.

11. Third-party services

The App integrates the following third-party services. Each is governed by its own privacy practices:

Apple In-App Purchase / StoreKit — https://www.apple.com/legal/privacy/
RevenueCat (subscription management) — https://www.revenuecat.com/privacy/
PostHog (product analytics, consent-gated) — https://posthog.com/privacy
Sentry (crash reporting) — https://sentry.io/privacy/
UserJot (feedback board, opened in an in-app browser only if you choose) — https://userjot.com/privacy

The Firebase SDK is linked into the App to support a future feature but is not initialized in this version; no data is sent to Firebase by the current App.

12. Changes to this Policy

We may update this Policy from time to time. When we do, we will revise the "Last updated" date at the top and, if changes are material, provide a more prominent notice in the App. Continued use of the App after a change takes effect constitutes acceptance of the revised Policy.

13. Contact

Questions, requests, or concerns:

Boketto Studio LLC
Attn: Privacy
c/o Northwest Registered Agent Service, Inc.
2501 Chatham Rd, Suite N
Springfield, IL 62704-4188
United States
[email protected]

This Policy is intended to satisfy disclosure requirements applicable to iOS apps distributed through the Apple App Store, including the App Store Review Guidelines and App Privacy Details. It supplements — and does not replace — the App's App Privacy "nutrition label" in App Store Connect.