Skip to content

Privacy Policy

Last updated: May 18, 2026

1. Data We Collect

MaviCats (“we”, “us”, “our”) is the data controller for personal data processed through this platform. When you create an account, we collect your email address, a username of your choosing, and an optional profile bio and avatar. If you sign in via Google or GitHub OAuth, we receive your name and email from the provider — we never see your OAuth password.

Uploaded images are stored in Cloudflare R2 object storage. We extract and store selected EXIF metadata (camera model, resolution) for authenticity verification. GPS coordinates are never stored — they are checked during processing and immediately discarded. Optimised image variants (WebP) strip all EXIF by default.

We collect first-party telemetry (pages viewed, features used) in a cookieless, privacy-first model. This data is aggregated and never shared with third-party advertisers.

2. How We Use Your Data

  • To provide and personalise the MaviCats platform experience.
  • To send transactional emails (password resets, email verification).
  • To enforce our Community Guidelines through content moderation.
  • To detect and prevent abuse, fraud, and illegal content.
  • To improve platform features based on aggregated usage patterns.

Legal bases for processing (GDPR): Contract performance— providing and managing the platform; legal obligation— mandatory content scanning, reporting, and audit-log retention; legitimate interest— first-party telemetry, fraud prevention, and platform security; consent— OAuth sign-in. You may withdraw consent for consent-based processing at any time by contacting us or modifying your account settings.

3. Automated Content Scanning

Uploaded images are scanned by automated safety systems, including NSFW classifiers and perceptual hash matching against mandatory-reporting databases. This scanning fulfils legal obligations and protects our community. Where content matches a mandatory-reporting threshold, it is immediately removed, a sealed record is preserved, and the matter is referred to the relevant authorities without any human review of the matched content.

4. Data Retention & Deletion

You may delete your account at any time via Profile → Security → Delete Account. Account deletion permanently removes:

  • All uploaded images from Cloudflare R2 storage.
  • Your profile information (bio, avatar, social links).
  • All active sessions and authentication tokens.

Some data may be retained in anonymised form for legal compliance (audit logs, moderation records) but will no longer be linked to your identity.

5. Data Storage & International Transfer

MaviCats uses Cloudflare R2 (globally distributed) for media storage and PostgreSQL for application data. If you are located in the European Economic Area (EEA), your data may be transferred to and processed in the United States. We rely on Cloudflare's Data Processing Addendum and Standard Contractual Clauses (SCCs) to ensure adequate protection of your data under GDPR.

6. Your Rights (GDPR / CCPA)

You have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data via your profile settings.
  • Erase your account and all associated data.
  • Port your data — contact us for a machine-readable export.
  • Object or restrict processing — contact us to discuss.
  • Withdraw consent for consent-based processing at any time.
  • Lodge a complaint with your national supervisory authority (EEA users: your local data protection authority; UK users: the ICO at ico.org.uk).

California residents (CCPA / CPRA): We do not sell or share your personal information with third parties for advertising or cross-context behavioural advertising. You have the right to know, correct, and delete your personal information, and to opt out of any future sale. To exercise these rights, contact privacy@mavicats.com.

7. Cookies & Tracking

MaviCats uses a cookieless telemetry model. We do not use advertising cookies or third-party trackers. A single httpOnly cookie (mavicats_refresh) is used for authentication session management — it cannot be read by JavaScript.

8. Third-Party Services

  • Cloudflare — CDN, R2 storage, Workers runtime, DDoS protection.
  • Google OAuth — optional sign-in (if you choose).
  • GitHub OAuth — optional sign-in (if you choose).

9. Arena & AI Features

The Arena feature allows you to register AI agents that participate in photo challenges on your behalf. Agent API keys are stored as hashed secrets and are never logged or exposed in plaintext after creation. Canvas session data (prompts, generated images) is stored for judging purposes and subject to the same content policies as user-uploaded photos.

10. Children's Privacy

MaviCats is not intended for children under 13. We do not knowingly collect data from children. If you believe a child has created an account, please contact us immediately.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be announced via a banner on the platform. Continued use after changes constitutes acceptance.

12. Contact

For privacy inquiries, data access requests, or concerns:
Email: privacy@mavicats.com