Legal

Privacy Policy

Effective date: April 11, 2026 · Last updated: April 11, 2026

1. Who We Are

StrongLight (“StrongLight”, “we”, “us”, or “our”) is an AI-powered photo lighting application designed for fitness creators, operated by an individual developer based in India. The app is available on iOS through the Apple App Store.

StrongLight is the data controller — and the Data Fiduciary under India’s Digital Personal Data Protection Act, 2023 — responsible for your personal data.

We are not established in the European Economic Area (EEA) or the United Kingdom. Given the limited nature and scale of the personal data we process — no special category data, no large-scale profiling — we believe we qualify for the exemption from appointing an EU representative under Article 27(2) of the GDPR. EEA and UK residents can contact us directly with any data-related requests.

Questions about this policy or requests relating to your personal data should be directed to: privacy@stronglight.app

2. Information We Collect

Account information. When you sign in using our supported sign-in method (currently Sign in with Apple), we receive a unique user identifier and — only on your first sign-in, and only if you choose to share them — your name and email address. Sharing your name and email is optional; the app functions without them.

Purchase and credit information. When you purchase credit packs or a monthly subscription via the Apple App Store, we store your credit balance, transaction identifiers issued by Apple, the product purchased, the type of transaction (one-time purchase, subscription renewal, refund, or promotional credit grant), and the timestamp. We do not receive or store your payment card details; all payment processing is handled exclusively by Apple.

Promo code usage. If you redeem a promo code, we record that a redemption occurred, the credits or access level granted, and the timestamp. This is stored as a transaction record alongside your other purchase history.

Photos you submit for enhancement. When you submit a photo, it is transmitted securely to our server solely for the purpose of applying the lighting style you selected. Photos are processed in memory and never written to disk or stored in any database by us. Once the enhanced image is returned to your device, we retain no copy of the original or the result.

Waitlist email (website only). If you enter your email address on the StrongLight website to join the early-access waitlist, that email address is stored for the sole purpose of notifying you when the app becomes available. This data is held separately from in-app account data.

Technical session data. We issue a time-limited authentication token when you sign in. This token is stored securely in your device’s iOS Keychain and is used to authenticate requests you make to our servers. We do not use cookies, device fingerprinting, or third-party tracking or analytics SDKs in the app or on our website. Our website may load fonts or assets from third-party CDN services, which may receive your IP address when the page loads; these services are governed by their own privacy policies.

3. How We Use Your Information

  • To authenticate your account and maintain a secure session.
  • To track your credit balance and process credit deductions when you enhance a photo.
  • To verify in-app purchases with Apple and apply the corresponding credits to your account.
  • To send you transactional emails — such as a welcome message, confirmation of credits added, refund notifications, a low-balance alert, lifetime access confirmation, or subscription renewal notifications — where you have provided an email address.
  • To process promo code redemptions and apply any associated credits or access grants.
  • To notify waitlist subscribers when early access becomes available.

We do not sell your personal data, use it for advertising, or share it with third parties for their own marketing purposes.

4. Legal Basis for Processing

Where the GDPR or UK GDPR applies, we are required to identify a legal basis for each type of processing. The table below sets out the basis we rely on for each activity.

| Processing activity | Legal basis | Explanation and GDPR provision |
| --- | --- | --- |
| Creating and authenticating your account | Contract | Necessary to provide the service you signed up for — Art. 6(1)(b) |
| Tracking your credit balance and processing purchases | Contract | Necessary to deliver the pay-per-use and subscription service — Art. 6(1)(b) |
| Processing promo code redemptions | Contract | Necessary to honour a promotional offer — Art. 6(1)(b) |
| Processing your photo for lighting enhancement | Contract | Necessary to perform the enhancement you requested. Processed in memory only — never stored — Art. 6(1)(b) |
| Sending transactional emails | Legitimate interests | Keeping you informed about your account activity (welcome, credits, refunds, low balance, renewals). You may opt out at any time — Art. 6(1)(f) |
| Storing your waitlist email address | Consent | You voluntarily provide your email to join the waitlist. You can withdraw at any time — Art. 6(1)(a) |
| Retaining transaction records after account deletion | Legal obligation | Required under applicable tax and accounting law — Art. 6(1)(c) |
| Notifying you and authorities in the event of a data breach | Legal obligation | Required under GDPR Art. 33/34 and applicable law — Art. 6(1)(c) |

Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms given the limited and non-sensitive nature of the data involved. You have the right to object to processing based on legitimate interests at any time by contacting us at privacy@stronglight.app.

5. AI Image Processing

Applying a lighting style to your photo involves AI processing — which may be performed by our own systems, third-party services, or a combination of both. We want to be transparent about how that works:

  • Your photo is first transmitted over an encrypted connection (HTTPS/TLS) from your device to our server. Our server then forwards the image, also over an encrypted connection, for AI processing. At no point is the photo written to disk.
  • We do not store your photo at any point — it is held in memory only for the duration of the processing request and immediately discarded once the enhanced result is returned to you.
  • We do not use your photos to train, fine-tune, or evaluate AI models. Any service providers involved in processing are contractually restricted from using submitted images for model training purposes.
  • Your photos are not processed for the purpose of identifying you, measuring your body, or extracting any biometric or health-related data. The AI processing analyses the image solely to apply lighting adjustments. We do not perform facial recognition, body measurement, or any form of biometric processing.
  • The AI processing behind every enhancement is explicitly constrained to prohibit any alteration to body shape, size, proportions, or muscle structure. Only lighting, contrast, shadow, and colour are modified.
  • We do not enumerate every system or provider involved in processing in this policy. Any such providers operate under binding contractual terms that restrict their use of submitted images. If this changes materially, we will update this policy.

6. Email Communications

Transactional emails. If you have provided an email address, we may send you transactional messages related to your account activity (e.g., credits purchased, low balance, refund notifications, subscription status). These are not marketing emails and are sent via a third-party email delivery provider acting on our behalf.

Waitlist emails. If you signed up on the website, your email address is managed through a separate email marketing provider. You may unsubscribe at any time using the link in any email we send, or by contacting us directly.

We do not send unsolicited commercial email. We do not share your email address with third parties for their own marketing use.

7. In-App Purchases and Apple

All purchases are processed by Apple through the App Store. We verify the validity of transactions using Apple’s App Store Server API, which provides us with transaction identifiers and product information — not your payment details.

Apple’s handling of your payment data is governed by Apple’s Privacy Policy.

8. Data Storage and Security

Account data — including your Apple User ID, optional name and email, and credit balance — is stored in a database hosted on a cloud infrastructure provider that supports encryption at rest and in transit. All data in transit between your device, our servers, and third-party services is encrypted using TLS.

Authentication tokens are stored locally in your device’s iOS Keychain, which Apple isolates from other applications using hardware-level security.

Photos are never written to disk on our servers. They exist only in memory during the processing window and are not recoverable after the response is returned.

No security system is infallible. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority as required by law.

9. International Data Transfers

StrongLight is operated from India. Your personal data may be stored and processed in countries outside your country of residence — including the United States and the European Union — by our cloud infrastructure, AI processing, and email service providers.

This means your personal data may be transferred to countries that do not have the same level of data protection as your home country. Where we transfer personal data from the EEA or the UK, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, which are incorporated into our agreements with cloud infrastructure, AI processing, and email service providers.
  • Contractual commitments from our service providers to protect your data in accordance with applicable law.

Under India’s Digital Personal Data Protection Act, 2023, the Central Government may restrict transfers of personal data to certain countries. We will comply with any such restrictions as they come into effect.

If you have questions about international data transfers or wish to obtain a copy of the applicable safeguards, contact us at privacy@stronglight.app.

10. Data Retention

We retain your account data for as long as your account is active. If you request deletion of your account, we will delete your personal data within 30 days, except where we are required to retain certain records for legal or accounting compliance (for example, transaction records, which may be retained for up to seven years depending on applicable law).

Waitlist email addresses are deleted once the waitlist programme ends or upon request.

Photos submitted for enhancement are never retained; there is nothing to delete.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Ask us to correct inaccurate or incomplete data.
  • Deletion. Request that we delete your personal data (“right to be forgotten”).
  • Portability. Receive your data in a structured, machine-readable format.
  • Objection / restriction. Object to or restrict certain types of processing, including processing based on legitimate interests.
  • Withdraw consent. Where processing is based on consent (e.g., waitlist signup), withdraw it at any time without affecting prior processing.

EEA and UK residents have these rights under the General Data Protection Regulation (GDPR) and UK GDPR respectively. You also have the right to lodge a complaint with your local data protection supervisory authority.

California residents may have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know, the right to delete, and the right to opt out of the “sale” of personal information. We do not sell personal information. Note that the CCPA applies to for-profit businesses meeting certain revenue and data-volume thresholds; as a sole-operator indie app, StrongLight may fall below those thresholds, but we honour these rights regardless.

Indian residents have rights under the Digital Personal Data Protection Act, 2023 (DPDPA), including the right to access your personal data, the right to correction and erasure, the right to grievance redressal, and the right to nominate another person to exercise your rights on your behalf. These rights are subject to the rules notified by the Central Government.

To exercise any of these rights, contact us at privacy@stronglight.app. We will respond without undue delay and within the timeframe required by applicable law (generally within one calendar month).

12. Children’s Privacy

StrongLight is not directed at children under the age of 13 (or 16 in the EEA where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. If the changes are material, we will make reasonable efforts to notify you — for example, by sending an email if you have provided one, or by displaying a notice in the app.

We encourage you to review this policy periodically. If we make changes that materially affect how we process your personal data, we will notify you before those changes take effect and, where required by law, seek your consent. If you do not agree with a material change, you may stop using StrongLight and request deletion of your account.

14. Contact & Grievance Officer

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

Email: privacy@stronglight.app
Website: https://stronglight.app
Country of operation: India

For the purposes of the Digital Personal Data Protection Act, 2023 (India), the designated Grievance Officer is the operator of StrongLight, reachable at privacy@stronglight.app. If you are not satisfied with our response to a grievance, you may escalate your complaint to the Data Protection Board of India once it is constituted.

EEA and UK residents who are not satisfied with our response may also lodge a complaint with their local data protection supervisory authority (e.g., the ICO in the UK, or the relevant national DPA in their EEA member state).