Privacy Policy
Pyrography Patterns, LLC · Effective Date: May 20, 2026
Pyrography Patterns, LLC, an Indiana limited liability company ("Pyrography Patterns," "we," "our," or "us"), provides a digital library and generator of woodburning (pyrography) patterns through our website at https://www.pyrographypatterns.com (the "Site"), our iOS and Android applications (the "Apps"), and our progressive web app (the "PWA") (collectively, the "Service").
This Privacy Policy explains what information we collect, how we use and share it, how long we keep it, and the rights you have. By using the Service, you acknowledge this Policy. If you do not agree, please discontinue use of the Service.
1. The Short Version
The Service is designed to collect as little personal data as possible:
- No mandatory accounts. You are identified by a random, anonymous User ID stored on your device by default. You may optionally create a web account with your email address for web-based sign-in; see Section 2.10.
- Analytics. The Pyrography Patterns website (pyrographypatterns.com) uses Google Analytics to understand how visitors find and use the site (page views, traffic sources, general usage patterns). Google Analytics may set cookies and collect standard web analytics data subject to Google's Privacy Policy. The in-app experience (iOS and Android apps and the PWA) does not use Plausible, Mixpanel, Amplitude, or similar tools. Usage counters used for paywall enforcement are kept on your device.
- No advertising. We do not show ads and do not sell or share data for cross-context behavioral advertising.
- Subscriptions are processed by Apple and Google. We never receive your payment card details.
- AI features send your prompts and (for AI photo edit) the photo you choose to OpenAI. OpenAI acts as our subprocessor. See Section 4.
The remainder of this Policy explains the details.
2. Information We Collect
2.1 Device Identifier (anonymous User ID)
On first launch, the Service generates a random User ID and stores it in localStorage (web/PWA) or local app storage (Apps). It is not derived from your name, email, phone number, or any other personal identifier. The User ID is sent to:
- our Cloudflare backend (via the
X-Pattern-Userheader) to associate your saved patterns and generation history with your device; - OpenAI as the
userparameter (sanitized) for abuse monitoring; and - RevenueCat as the
appUserID, so your Premium entitlement can follow your store account across devices.
If you reinstall the Apps or wipe local storage, your User ID is regenerated and your locally saved data is lost. Your Premium subscription can be restored via the "Restore Purchases" function (which queries Apple/Google and RevenueCat).
2.2 Subscription and Purchase Information
We do not receive or store your full payment-card details. When you subscribe through the Apple App Store or Google Play, those platforms process your payment under their own terms. Through RevenueCat, we receive:
- a transaction or subscriber identifier,
- subscription status, plan, renewal/expiration date, and entitlement information ("Premium"),
- the store of purchase (Apple or Google), and
- general purchase metadata such as country/currency.
Purpose: to grant and verify access to Premium features and manage renewals.
2.3 Prompts and Other Generation Inputs
When you generate or edit a pattern, we collect and transmit to OpenAI:
- the text prompt you entered (and any project-pattern parameters such as shape, dimensions, and style options);
- for AI photo edit only, the photo you upload to be edited; and
- the anonymous User ID described in Section 2.1.
For prompt-text moderation, the prompt is also sent to OpenAI's moderation endpoint (omni-moderation-latest).
Purpose: to produce the AI image you requested and to enforce content policies.
2.4 Generated Images and Pattern Metadata
Generated images (and their associated metadata — prompt, style, size, output format, skill level, theme tags, project geometry, panel layout, etc.) are stored in Cloudflare R2 and indexed in Cloudflare KV.
- Patterns you save locally are indexed under your anonymous User ID.
- Patterns published to the in-app public gallery are indexed globally and visible to other users of the Service (see Section 2.6).
Purpose: to deliver and persist the images you generate, and to operate the public gallery.
2.5 Locally Uploaded Photos
If you upload a photo for the local (canvas-based) pattern conversion, the photo stays on your device unless you separately invoke the AI photo-edit feature. AI photo edits transmit the photo to OpenAI; the edited result (not the source) is stored in Cloudflare R2. If you save a project-pattern that includes a source image, that source image is also stored in Cloudflare R2.
2.6 Public Gallery Submissions
The Service includes an in-app public gallery. Two flows interact with it:
- "Create Patterns → Pattern Description" generations are not published by default (opt-in toggle, with a first-time confirmation modal).
- "Pattern Ideas" generations are published by default to the "Curated from Pattern Ideas" section (opt-out toggle, presented in-flow).
When a pattern is published, the image and its prompt/metadata become visible to other users of the Service. For non-Premium users, prompt text is masked; Premium users see the full prompt.
2.7 Network and Device Metadata
Like nearly every internet service, our Cloudflare edge automatically receives request metadata for each request (IP address, user agent, country, CF-Ray ID, accept-language, referer). We do not persistently log this metadata for analytics. We do retain it in two limited circumstances:
- Content reports (see Section 2.9): network/device metadata is included in the report email so we can investigate.
- Security investigations and abuse mitigation (short-term Cloudflare edge logs; see Section 7).
2.8 On-Device Usage Counters
The Service keeps simple counters on your device (e.g., number of generations attempted, number of successful generations, session count, paywall triggers). These are stored in localStorage / app storage only and are used to enforce the free-generation limit. They are not transmitted to our servers and are not transmitted to any analytics provider.
2.9 Content Reports
If you tap "Report" on a pattern in the gallery, the following is sent to our support email via Resend (a transactional email provider):
- the reported image URL,
- the prompt text and any "revised prompt" returned by the AI,
- pattern source labels and panel layout,
- your IP address (
cf-connecting-ip), user agent, accept-language, country, andCF-RayID, - your anonymous User ID,
- the page URL and app version.
Purpose: to investigate the report and remove inappropriate content. Resend's only role in the Service is to deliver these report emails to our support team. We do not use Resend (or any other service) to send marketing emails.
2.10 Web Account Data (If You Create a Web Account)
Creating a web account is entirely optional. If you choose to create one, we collect:
- your email address, used solely to send magic-link sign-in emails;
- session tokens, which keep you signed in on the web (each session token expires and is invalidated after 30 days of inactivity); and
- optionally, a RevenueCat user identifier if you link your app subscription to your web account (used only to verify your Premium subscription status on the web).
Purpose: web authentication only. We do not use your email address for marketing or any other purpose. Magic-link authentication tokens expire after 15 minutes.
If you have not created a web account, no email address is collected. The anonymous User ID system (Section 2.1) and the web account system coexist: if you create a web account, your app continues to use the anonymous User ID for its local and API functions, while your web account is identified by your email address.
2.11 What We Do Not Collect
- No name, phone number, postal address, profile photo, bio, or password is required to use the Service. An email address is collected only if you voluntarily create a web account (see Section 2.10).
- No third-party tracking SDKs are present in the apps or PWA (no no Sentry, no PostHog, no Plausible, no Crashlytics, no Mixpanel, no Amplitude).
- No advertising identifiers are collected by us. (Apple's
IDFAand Google's advertising ID are not used.) - No social-login data. The Service does not currently use Sign in with Apple, Sign in with Google, or similar.
- No location data beyond the coarse country derived from your IP address by Cloudflare for routing and abuse-mitigation purposes.
3. How We Use Your Information
We use the information described in Section 2 to:
- Provide the Service: generate, edit, save, and display patterns; operate the public gallery; deliver Premium features.
- Process subscriptions: verify entitlements via RevenueCat, the Apple App Store, and Google Play.
- Maintain safety and integrity: screen prompts via OpenAI moderation; investigate content reports; detect and mitigate abuse, fraud, and security incidents.
- Improve the Service: debug issues and improve features based on on-device counters and content reports.
- Comply with law: meet legal, regulatory, tax, and accounting obligations and respond to lawful requests.
Legal bases (EEA / UK / Switzerland users)
We rely on the following legal bases under the GDPR:
- Contract — to provide the Service and process Subscriptions you have purchased.
- Legitimate interests — to operate, secure, and improve the Service, prevent fraud and abuse, and respond to content reports.
- Consent — for push notifications (if/when we add them) and any other opt-in features where consent is required. You may withdraw consent at any time.
- Legal obligation — to meet legal, regulatory, and tax requirements.
4. Subprocessors and Third Parties
We do not sell your personal information for money. We share personal information only with the providers below, each of which acts on our behalf or processes payments for our products.
| Provider | Role | Data Categories Involved |
|---|---|---|
| OpenAI, L.L.C. | AI image generation (gpt-image-1.5), image edits, prompt optimization (gpt-5-mini), and content moderation (omni-moderation-latest). |
Prompt text, uploaded photos (AI edit only), anonymous User ID. |
| Cloudflare, Inc. | Hosting (Cloudflare Pages), serverless backend (Workers / Pages Functions), object storage (R2, for generated images), key-value storage (KV, for indexes), CDN, DDoS protection, edge security. | All HTTP traffic; request metadata (IP, UA, country, CF-Ray); generated images; pattern metadata; anonymous User ID. |
| RevenueCat, Inc. | Subscription receipt validation and cross-platform Premium entitlement sync. | Anonymous app user ID; store receipt and entitlement data; optionally, a RevenueCat user identifier stored alongside a web account email address to verify subscription status for web access. |
| Apple Inc. | In-app purchases via the App Store; App Store distribution; App Store–side purchase analytics. | Purchase / receipt data (handled by Apple under its own terms). |
| Google LLC | In-app purchases via Google Play Billing; Google Play distribution; Play Console–side purchase analytics. | Purchase / receipt data (handled by Google under its own terms). |
| Resend (Resend.com, Inc.) | Transactional email for magic-link authentication (web account users) and user-submitted content reports. | Email address (for magic-link delivery to web account users); report payload described in Section 2.9 (image URL, prompt, IP, UA, country, CF-Ray, User ID, etc.). |
| OneSignal (planned) | Push notification delivery, if and when we enable push notifications. | Device push token and notification preferences (only if you opt in). |
| jsDelivr / Google Fonts | CDN-hosted libraries and web fonts loaded by the Site and PWA. | IP and user agent of the browser fetching the asset (handled by the CDN). |
We may add, remove, or replace providers over time. Material updates will be reflected in this Policy.
4.1 Legal and safety
We may disclose information when we believe it is necessary to (a) comply with applicable law, legal process, or lawful government requests; (b) enforce our Terms of Service and other agreements; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Pyrography Patterns, our users, or others.
4.2 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality protections.
4.3 With your direction
When you publish a pattern to the public gallery (either by opting in for prompt-description generations, or by not opting out for Pattern Ideas generations), the image and its metadata become visible to other users of the Service.
5. International Data Transfers
Pyrography Patterns is based in the United States. Our subprocessors process data in the United States and other countries (including, for OpenAI and Cloudflare, multiple regions). If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. and other countries that may have different data-protection laws than your own. Where required, we rely on the European Commission's Standard Contractual Clauses (and the UK addendum / Swiss equivalents, as applicable) and other appropriate safeguards to protect personal data transferred outside the EEA, UK, or Switzerland.
EU Representative. We have not yet appointed an EU representative under Article 27 of the GDPR. We will designate one as required by our level of EU-resident activity. In the meantime, EEA/UK residents may contact us directly using the information in Section 13.
6. Data Retention
We keep information only as long as needed for the purposes described in this Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Typical retention windows:
- Locally saved patterns and favorites (indexed under your anonymous User ID in Cloudflare KV): retained until you delete the pattern or we delete it administratively. If your User ID is reset (e.g., reinstall, cleared storage), the index becomes orphaned and is subject to administrative cleanup.
- Generated images in Cloudflare R2: stored with immutable cache headers. We retain generated images until the user (or we, administratively) deletes them; we may run periodic cleanup of orphaned objects.
- Public gallery patterns: gallery-shared images are permanent platform content and are not removed on user request (see Terms of Use §5.3); they may be removed for policy violations or administratively.
- Web account email addresses: retained until account deletion.
- Web account session tokens: expire and are invalidated after 30 days of inactivity; deleted upon account deletion.
- Magic-link authentication tokens: expire 15 minutes after issuance and are discarded thereafter.
- Subscription/billing records (via RevenueCat / app stores): retained for the period required by applicable tax and accounting law (typically up to 7 years).
- Content reports (Resend inbox + our support records): typically 24 months after resolution, longer if needed for ongoing abuse mitigation.
- Cloudflare edge logs / security logs: typically hours to 30 days, longer where retained for active security investigations.
- Aggregated or de-identified data: may be retained indefinitely.
OpenAI does not use API data submitted through the Service to train its models by default, per OpenAI's API data-handling policies. Prompts and any uploaded photo passed to OpenAI for AI photo edit may be retained briefly by OpenAI for abuse-monitoring purposes, per OpenAI's then-current data policy.
7. Data Security
We use commercially reasonable administrative, technical, and physical safeguards to protect the information we handle — including HTTPS in transit, scoped API keys, access controls, and reputable infrastructure providers. No system is 100% secure, however, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal information, we will notify affected users and applicable regulators where and as required by law.
8. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information through the Service, contact support@pyrographypatterns.com and we will delete it.
For users in the EEA, UK, and other jurisdictions where the digital-services age of consent is higher than 13, the applicable minimum age is the higher local age (e.g., 16 in some EU member states). Where the user is under the local minimum, a parent or guardian must consent on their behalf.
Subscription purchases require the user to be at least 18 years old (or the local age of majority, if higher).
9. Your Privacy Rights
Because the Service does not collect names, emails, or other identifying account information, our ability to find personal information specifically tied to "you" is limited. To exercise the rights below, please contact support@pyrographypatterns.com and include your anonymous User ID (available in the App's debug or help screens) so we can locate any data linked to your device.
9.1 All users
You can:
- delete locally saved patterns from within the App;
- delete your web account (email address and associated session tokens) by visiting the account deletion page or contacting support@pyrographypatterns.com — deletion removes your email and session data; anonymized usage data such as gallery images you have shared may be retained per our Terms of Use;
- contact us to request access to, correction of, or deletion of information we hold linked to your User ID; and
- cancel a Subscription at any time via the Apple App Store or Google Play (see Terms of Use §3.4).
9.2 EEA, UK, and Swiss residents (GDPR)
You have the right to:
- Access the personal data we hold about you;
- request rectification of inaccurate or incomplete data;
- request erasure ("right to be forgotten");
- restrict or object to processing in certain circumstances;
- request data portability for data you provided to us;
- withdraw consent at any time where processing is based on consent (without affecting prior lawful processing); and
- lodge a complaint with your local data-protection authority.
9.3 California residents (CCPA / CPRA)
California residents have additional rights with respect to personal information we collected in the preceding 12 months.
Categories collected and disclosed for a business purpose: identifiers (anonymous User ID, device identifiers, IP address, and email address for users who create a web account); commercial information (Subscription status and history obtained via RevenueCat / app stores); internet/network activity (request metadata, on-device usage counters used for paywall gating); geolocation (coarse country derived from IP); and User Content (prompts and uploaded photos for AI edit). These categories are disclosed to the service providers listed in Section 4.
Sale / sharing of personal information: We do not sell personal information for monetary value, and we do not "share" personal information for cross-context behavioral advertising under the CPRA. We do not engage in targeted advertising.
Sensitive personal information: We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA without offering a right to limit.
You have the right to:
- Know the categories and specific pieces of personal information we have collected and disclosed;
- Delete personal information we have collected (subject to legal exceptions);
- Correct inaccurate personal information;
- Limit the use of sensitive personal information (where applicable);
- Opt out of sale or sharing (not applicable in our case, but if this ever changes we will provide an opt-out); and
- be free from discrimination for exercising these rights.
To exercise a right, email support@pyrographypatterns.com with the subject line "California Privacy Request" and include your User ID. We may need to take additional steps to verify your relationship to the device. Authorized agents may submit requests on your behalf with written permission.
9.4 Other U.S. state privacy laws
If you reside in a U.S. state with a comprehensive privacy law (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with similar laws), you may have rights similar to those described above (access, correction, deletion, portability, opt-out of targeted advertising or sale, and appeal of a denial). We do not engage in targeted advertising or sales of personal information. Submit requests to support@pyrographypatterns.com with your User ID.
10. Marketing and Push Notifications
We do not send marketing emails. Resend, the only transactional email provider we use, sends two types of emails: magic-link authentication emails to users who create a web account, and user-submitted content reports to our support team. We do not send newsletters, promotional emails, or other marketing communications.
The Service does not currently send push notifications. If we enable push notifications in a future release (anticipated provider: OneSignal), they will be opt-in, and you can disable them in your device settings at any time. We will update this Policy before enabling push notifications.
11. Cookies and Similar Technologies
The Apps do not use browser cookies; they use comparable on-device storage (localStorage, app-managed storage) for preferences and the anonymous User ID. The Site and PWA may set cookies set by Cloudflare for anti-abuse / bot-detection purposes (e.g., __cf_bm). We do not use cookies for analytics, advertising, or cross-site tracking.
Where required by law, we will request consent before setting non-essential cookies and provide a way to withdraw consent.
12. Changes to This Policy
We may update this Policy from time to time. The "Effective Date" at the top will reflect the most recent update. If a change is material, we will provide reasonable additional notice (e.g., in-app or on the Site). Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
13. Contact Us
For privacy questions, complaints, or to exercise any of your rights, contact us at:
Pyrography Patterns, LLC
PO Box 113
Lewisville, IN 47352
Email: support@pyrographypatterns.com
If you are in the EEA, UK, or Switzerland and have an unresolved concern, you also have the right to lodge a complaint with your local data-protection authority.