Onionix Privacy Policy
Last updated: June 7, 2026
This Privacy Policy explains how HIGGS LLC ("Onionix", "we", "us", or "our") collects, uses, stores, shares, and protects personal information when you use Onionix, including our mobile application, websites, APIs, image-generation features, virtual try-on features, and related services (collectively, the "Service").
Our contact email is higgs.core@gmail.com. Our mailing address is Uzbekistan.
Please read this Privacy Policy carefully. If you do not agree with it, do not use the Service.
1. Summary
Onionix is an AI-powered tattoo concept and virtual try-on service. Depending on how you use it, we may process your sign-in information, subscription status, prompts, tattoo preferences, reference images, body photos, generated images, try-on previews, likes, device/app technical data, and logs.
The most important points are:
- You may upload photos, including body photos, to preview tattoo placement. These photos can be sensitive and may identify you or another person.
- We use third-party providers for authentication, subscriptions, cloud storage, hosting, and artificial intelligence processing. These may include Apple, Google, RevenueCat, OpenAI, Google Gemini, Yandex Cloud Object Storage, and infrastructure providers.
- We do not currently use third-party advertising SDKs or third-party analytics SDKs in the mobile app.
- We do not currently sell personal information.
- The app uses Apple/Google sign-in and backend-issued access/refresh tokens. The backend does not use browser cookies for app authentication.
- You can delete certain generated images and try-on results in the app. You can also permanently delete your account in Settings → Delete Account, which removes your account and associated Service data from our systems as described in this Policy.
2. Scope
This Privacy Policy applies to the Service. It does not apply to third-party websites, app stores, operating systems, identity providers, AI providers, cloud providers, or other services that have their own privacy policies.
If you access Onionix through Apple, Google, RevenueCat, OpenAI, Google Gemini, Yandex Cloud, or another third-party service, that third party may process information under its own terms and privacy policy.
3. Information We Collect
3.1 Account and Authentication Information
When you sign in with Apple or Google, we may receive and store:
- your email address;
- whether your email address is verified;
- your display name, if provided by the sign-in provider;
- your provider account identifier;
- your internal Onionix user identifier;
- sign-in provider type, such as Apple or Google;
- account creation, update, and last login timestamps; and
- access tokens, refresh tokens, token hashes, token expiration data, and session metadata needed to keep you signed in.
We do not store your Apple or Google password.
3.2 Prompts, Preferences, and Creative Inputs
When you use generation or personalization features, we may collect:
- text prompts describing tattoo ideas;
- selected tattoo styles;
- preset prompt identifiers;
- reference image identifiers and upload metadata;
- liked/favorited status;
- generation status and job metadata;
- image quality, size, model, and processing metadata; and
- other information you submit through the app.
Some onboarding or personalization screens may ask about style, mood, body placement, tattoo goals, or similar preferences. Based on the current app implementation, most onboarding answers are stored locally on your device and are not sent to the backend, except that selected tattoo style may be sent with generation requests. If onboarding changes in the future, additional answers may be processed as described in this Policy or in an updated notice.
3.3 Photos, Images, and Visual Content
You may choose to upload or generate visual content, including:
- reference images for tattoo generation;
- body photos for virtual try-on;
- generated tattoo images;
- transparent tattoo assets;
- try-on composites and result images;
- image dimensions and placement metadata, such as position, scale, rotation, and opacity; and
- image hashes or storage keys used for deduplication, retrieval, and processing.
Photos you upload may contain sensitive information, including your face, body, skin, tattoos, scars, health-related visual information, location clues, or other identifying details. Please do not upload photos of another person unless you have their permission.
3.4 Device, App, and Technical Information
We may collect technical information needed to provide, secure, debug, and improve the Service, such as:
- IP address;
- request path, method, status code, timing, and error data;
- authentication state and user identifier associated with requests;
- app version and platform information;
- device and operating system information made available by the app or request environment;
- API response metadata, ETags, and cache metadata;
- logs related to uploads, generations, try-on jobs, authentication, and errors; and
- truncated request or response bodies where access logging is enabled.
We take steps to redact secrets such as authorization headers, cookies, and raw tokens from logs. However, logs may still include prompts, user identifiers, request metadata, image-related metadata, and other information useful for operating and securing the Service.
3.5 Local Device Storage
The app may store information locally on your device, including:
- access and refresh tokens in the iOS Keychain;
- your user ID, email address, display name, and Apple user ID where available;
- onboarding completion status;
- selected tattoo style;
- premium or entitlement flags;
- cached generation options and API ETags;
- generated image metadata and locally cached image files;
- try-on result metadata and locally cached image files; and
- downloaded style icons and other app caches.
When you log out or switch accounts, the app is designed to clear key authentication data and certain local gallery, try-on, and cache data. Some data may remain in device backups, system logs, operating system caches, or other locations outside our direct control.
3.6 Payment and Subscription Information
The Service offers auto-renewable subscription features through Apple in-app purchase. Current subscription options include a Weekly subscription for USD 9.99 per week and a Monthly subscription for USD 29.99 per month, subject to App Store pricing, currency conversion, taxes, territory, promotional offers, and the final price shown before purchase.
Payment information is processed by Apple. We do not receive your full payment card number from Apple.
We use RevenueCat to manage subscriptions, paywall state, entitlement checks, purchase restoration, and subscription syncing between the app and backend. We may receive, process, and store subscription-related information from Apple, RevenueCat, the app, and our backend, such as:
- RevenueCat app user ID, which may be linked to your Onionix user ID;
- entitlement identifier, such as "Onionix Pro";
- whether the entitlement is active;
- product identifier, such as a weekly or monthly subscription product;
- store or platform, such as App Store;
- purchase, renewal, expiration, cancellation, refund, billing issue, transfer, or restoration status;
- subscription expiration date and renewal-related metadata;
- transaction identifiers, original transaction identifiers, receipt/JWS or validation metadata, where provided by Apple or RevenueCat;
- price, currency, country, storefront, offer, or trial metadata, where provided by Apple or RevenueCat; and
- RevenueCat webhook event identifiers, event types, app user IDs, and webhook payloads used to keep entitlements in sync and prevent duplicate processing.
Our backend stores an entitlement cache for your account, including entitlement ID, active status, expiration date, product ID, store, RevenueCat app user ID, and update time. It also stores RevenueCat webhook events for subscription processing and audit purposes.
3.7 Information We Do Not Intentionally Collect
Based on the current implementation, we do not intentionally collect:
- precise GPS location;
- contacts;
- microphone audio;
- HealthKit data;
- phone number;
- postal address, unless you provide it for support or legal requests;
- government ID;
- third-party advertising identifiers; or
- app tracking data for targeted advertising.
The app may request access to your camera or photo library only when you choose to use features that require those permissions.
4. How We Use Information
We use personal information for the following purposes:
- provide, operate, maintain, and secure the Service;
- create and manage user accounts;
- authenticate users and manage sessions;
- process subscriptions, verify purchase status, restore purchases, sync entitlements, and gate premium features;
- upload, store, retrieve, and display images;
- generate tattoo concepts from prompts and reference images;
- create virtual try-on previews from body photos and placement metadata;
- sync galleries, favorites, liked content, and try-on history;
- provide customer support and respond to requests;
- detect, prevent, and investigate abuse, fraud, security incidents, policy violations, and technical issues;
- debug, analyze, and improve performance and reliability;
- enforce our Terms of Service and other policies;
- comply with legal obligations and respond to lawful requests; and
- communicate with you about the Service, including legal or security notices.
We do not use your photos or prompts for third-party advertising. If we introduce advertising or materially different data uses, we will update this Policy and provide notice where required.
5. Artificial Intelligence Processing
Onionix uses artificial intelligence providers to generate tattoo concepts and, where enabled, try-on renderings. Depending on feature configuration, providers may include OpenAI, Google Gemini, or other AI service providers.
When you use AI features, we may send the following to AI providers:
- your text prompt;
- style or prompt-template information;
- reference images;
- body photos or body-photo composites;
- generated intermediate images;
- placement instructions and metadata;
- technical request metadata needed to process the job.
AI providers process this information to return generated images or related outputs. AI services may produce unexpected, inaccurate, offensive, infringing, or unsuitable results. Do not include information in prompts or photos that you do not want processed by AI providers.
Where commercially reasonable, we use provider settings, agreements, and technical controls intended to limit use of your data to providing the Service. However, provider processing is also governed by the provider's own terms, privacy policy, and data-processing commitments.
6. How We Share Information
We may share personal information with:
- Authentication providers, such as Apple and Google, to verify sign-in tokens and manage authentication.
- Cloud storage providers, such as Yandex Cloud Object Storage or S3-compatible storage providers, to store uploaded, generated, and try-on images.
- AI providers, such as OpenAI and Google Gemini, to generate images and process try-on requests.
- Hosting, networking, infrastructure, proxy, and database providers, to run the backend, store data, deliver content, and maintain security.
- App stores, payment processors, and subscription infrastructure providers, such as Apple and RevenueCat, to process purchases, manage subscription status, restore purchases, sync entitlements, handle refunds or billing issues, and prevent purchase abuse.
- Professional advisers, such as lawyers, auditors, insurers, and accountants, where necessary for business, compliance, or legal purposes.
- Law enforcement, courts, regulators, or government authorities, if we believe disclosure is required by law or necessary to protect rights, safety, users, third parties, or the Service.
- Corporate transaction parties, if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, asset sale, or similar transaction, subject to appropriate safeguards where required.
We do not currently sell personal information or share it with third-party advertising networks for cross-context behavioral advertising.
7. Legal Bases for Processing
If laws such as the GDPR or UK GDPR apply, our legal bases may include:
- Contract: to provide the Service you request, including account access, subscriptions, paid features, purchase restoration, entitlement syncing, generation, uploads, storage, and try-on features.
- Consent: where you grant device permissions, upload photos, choose to use AI features, subscribe to communications, or where consent is required by law.
- Legitimate interests: to secure, maintain, debug, improve, and protect the Service; prevent abuse; and understand technical performance, balanced against your rights.
- Legal obligations: to comply with applicable law, legal process, tax, accounting, consumer protection, and safety obligations.
- Vital or public interests: in rare cases where processing is necessary to protect safety or respond to emergencies.
You may withdraw consent where processing is based on consent, but withdrawal will not affect processing that occurred before withdrawal and may limit your ability to use certain features.
8. Retention
We retain personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, maintain your account, comply with legal obligations, resolve disputes, enforce agreements, prevent abuse, and maintain security.
Typical retention considerations include:
- account information is retained while your account is active and for a reasonable period afterward;
- uploaded images, generated images, try-on results, and related metadata may be retained until you delete them, request deletion, or we no longer need them;
- subscription entitlement records and RevenueCat webhook events may be retained for billing, audit, fraud-prevention, customer-support, tax, accounting, platform-compliance, and dispute-resolution purposes;
- refresh token hashes may be retained for session security and audit purposes;
- logs may be retained for security, debugging, fraud prevention, and operational purposes;
- backups may retain copies for a limited period before they are overwritten or deleted; and
- information may be retained longer where required by law, dispute, safety, fraud-prevention, or legitimate business needs.
The current Service provides deletion controls for certain generated images and try-on results. Deleting a generated image or try-on result may not immediately delete every related original upload, body photo, log entry, backup, provider copy, or account record.
If you use Settings → Delete Account, we delete your user account and associated account-linked records from our backend, including authentication records, refresh-token sessions, generation and try-on metadata, subscription entitlement cache, and related cloud-stored images we control (such as uploads, generated outputs, and try-on assets). Deleting your account also signs you out of the app and clears local authentication data on your device. Account deletion does not automatically cancel an Apple App Store subscription; you must cancel auto-renewal separately in your Apple ID subscription settings.
Some information may still remain after account deletion, including server logs, security records, backup copies for a limited period, billing or webhook audit records maintained by us or our providers (such as RevenueCat), and information retained by third-party providers under their own policies. To request data access, correction, export, or help with a request we cannot complete in the app, contact us at higgs.core@gmail.com.
9. Your Choices and Rights
Depending on your location and applicable law, you may have rights to:
- access personal information we hold about you;
- correct inaccurate personal information;
- delete personal information;
- receive a copy of personal information in a portable format;
- object to or restrict certain processing;
- withdraw consent;
- opt out of certain sharing, sales, or targeted advertising where applicable;
- appeal a denied privacy request where required by law; and
- lodge a complaint with a data protection authority.
You can take some actions directly in the app, such as deleting certain generated images or try-on results, logging out, deleting your account in Settings → Delete Account, or clearing local data by deleting the app. For data access, correction, export, or other rights requests that cannot be completed in the app, contact us at higgs.core@gmail.com.
We may need to verify your identity before responding. We will not discriminate against you for exercising privacy rights, but some features may be unavailable if required data is deleted or restricted.
10. Device Permissions
The app may request permissions for:
- Camera: to capture reference photos or body photos for try-on.
- Photo Library access: to select images for generation or try-on.
- Photo Library add access: to save generated images or try-on results to your photo library when you choose to save them.
You can change permissions in your device settings. If you disable permissions, some features may not work.
Based on the current implementation, the app does not request access to precise location, contacts, microphone, HealthKit, or tracking permission for targeted advertising.
11. Cookies and Similar Technologies
The mobile app backend currently uses bearer tokens for authentication and does not rely on browser cookies for app sessions.
If we operate websites, landing pages, documentation pages, or legal pages, those websites may use cookies or similar technologies for basic functionality, security, analytics, or preferences. Any materially different website tracking will be described in an updated notice or cookie notice where required.
12. Security
We use technical and organizational measures designed to protect personal information, such as encrypted transport, token-based authentication, server-side authorization checks, Keychain storage for app tokens, access controls, cloud storage controls, token hashing for refresh-token records, and logging redaction for sensitive headers and token fields.
No method of transmission, processing, or storage is completely secure. You are responsible for protecting access to your device, email account, Apple or Google account, and any credentials or sessions used with the Service.
13. International Transfers
We and our service providers may process personal information in countries other than the country where you live. These countries may have data protection laws that differ from those in your jurisdiction.
Where required, we use appropriate safeguards for international transfers, such as contractual commitments, data-processing agreements, standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms.
14. Children
The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13.
If you are under the age of majority in your jurisdiction, you may use the Service only with permission and supervision from a parent or legal guardian.
If you believe a child has provided personal information to us without appropriate consent, contact us at higgs.core@gmail.com, and we will take appropriate steps to delete or restrict the information as required by law.
15. Region-Specific Notices
15.1 European Economic Area, United Kingdom, and Switzerland
If GDPR, UK GDPR, or Swiss data protection law applies, HIGGS LLC is the controller of personal information processed through the Service, except where we act as a processor on behalf of another controller.
You may have the rights listed in Section 9. You may also contact your local data protection authority. If we appoint an EU or UK representative or Data Protection Officer, their contact details will be listed here:
Not applicable at this time.
15.2 California and Other U.S. State Privacy Laws
Depending on where you live, you may have rights under the California Consumer Privacy Act, as amended by the CPRA, or similar state privacy laws.
Categories of personal information we may collect include:
- identifiers, such as email address, user ID, provider account ID, IP address, and token identifiers;
- internet or electronic network activity information, such as API usage, logs, and request metadata;
- commercial information, such as subscription product, entitlement status, purchase status, renewal or expiration data, store, and related transaction metadata;
- audio, electronic, visual, or similar information, such as photos and generated images;
- inferences and preferences, such as liked content, selected style, and tattoo preferences;
- sensitive personal information, to the extent uploaded photos reveal body, health, biometric-adjacent, or other sensitive details; and
- other information you submit to the Service.
We collect and use these categories for the purposes described in Sections 4 and 6. We do not currently sell personal information or share it for cross-context behavioral advertising. We do not knowingly sell or share personal information of users under 16.
To exercise applicable rights, contact us at higgs.core@gmail.com.
15.3 Russia, CIS, and Other Jurisdictions
If local laws apply to your use of the Service, you may have additional rights or requirements regarding personal data processing, localization, consent, or cross-border transfers. Contact us at higgs.core@gmail.com for requests under applicable local law.
16. Third-Party Links and Services
The Service may link to third-party websites, app stores, identity providers, payment processors, AI providers, support tools, or other services. We are not responsible for the privacy practices of third parties. Review their privacy policies before providing information to them.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide notice by reasonable means, such as in-app notice, website notice, or email where available. The updated Policy will be effective when posted or when otherwise stated.
Your continued use of the Service after the updated Policy becomes effective means you acknowledge the updated Policy.
18. Contact
For questions, requests, or complaints about privacy or personal information, contact:
HIGGS LLC
Uzbekistan
higgs.core@gmail.com
https://onionix.xyz