AI Processing Details — Puppet Pals 1
A hop-by-hop description of what happens when an AI feature in Puppet Pals 1 is used. This page exists because the standard privacy policy can't reasonably hold this much detail. Schools and privacy-conscious parents asked for it; here it is.
Current chain — subject to change
This page documents the AI processing chain as it stands today. The chain may change over time — for example, when we adopt new models, manage cost, respond to subscriber abuse, or react to provider availability. We update this page when the chain changes, but we do not commit to specific advance notice. See "Changes to the AI Processing Chain" in our Privacy Policy for the full statement.
We may also route different requests to different models — for instance, a subscriber who has hit usage limits may be routed to a different (often cheaper) model than the default. The iOS client cannot pick alternatives; routing is decided at our API.
When does this apply?
Only when an active subscriber uses an AI feature inside Puppet Pals 1. The two AI features are:
- Stylize a photo into a puppet — the user picks a photo from their device or takes one with the camera, and the app turns it into a stylized character (cartoon, Pixar 3D, watercolor, etc.).
- Generate a character or background from text — the user types a description ("a friendly red dragon") and the app draws it.
Neither feature works for free users, non-subscribers, or the School Edition — for the School Edition this is enforced at our API, not in the app, so there is no way to turn it on.
The chain
iPad / iPhone (your device)
│ photo or text prompt
▼
Polished Play API (Vercel, US)
│ strip EXIF/GPS, base64-encode
▼
fal.ai (US-based, our AI gateway)
│ forward to Google
▼
Google Gemini (paid API tier)
│
▼ generated image
fal.ai CDN (60-second public URL)
│ downloaded once by our API
▼
Polished Play API (no image bytes stored)
│
▼
iPad / iPhone (final image saved on device)
The same chain is used for both photo stylization and text-to-image generation. The only differences are which AI inputs are sent (photo + prompt vs. just prompt) and which Gemini endpoint fal.ai routes to.
Hop by hop
1. iPad/iPhone → Polished Play API
What is sent: the photo (if photo flow) or text prompt, the user's active subscription identifier, and the source identifier (which app + edition is calling).
What is retained: nothing on our side at this point — the request is just authenticated and forwarded.
How it's protected: TLS 1.2+ encrypted in transit. Subscription state is checked against our database; requests from the School Edition source ID are rejected here.
2. Polished Play API → fal.ai
What is sent: the prompt, and (if photo flow) an EXIF-stripped re-encoded copy of the photo.
What we strip first: all EXIF metadata, including GPS coordinates, camera identifiers, capture timestamps, and any embedded thumbnails. We use sharp to decode and re-encode the image — that re-encoding drops metadata as a side effect. The model sees pixels only.
What is retained on Polished Play servers: the request metadata only — timestamp, model used, success/failure, latency, cost estimate. No image bytes, no full prompts. We use this for billing, reliability monitoring, and abuse detection.
How it's protected: TLS to fal.ai.
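As an added example (not Polished Play's code), here is a check that the JPEG coming out of the sharp re-encode step really carries no EXIF, XMP, ICC or IPTC segment before it is forwarded to fal.ai. The marker-segment walker and the constructed sample buffers are the example's own; the one fact it relies on is sharp's documented default of dropping metadata unless `.withMetadata()` is called.

```javascript
// Added example, not Polished Play's code: assert that the JPEG sharp produced
// carries no metadata before it is forwarded (sharp strips metadata unless
// .withMetadata() is called; this turns that side effect into an explicit check).
const SOI = 0xd8, SOS = 0xda, EOI = 0xd9;
// APP1 carries EXIF (GPS, timestamps, thumbnails) or XMP; APP2 ICC; APP13 IPTC.
const METADATA_APPS = { 0xe1: 'APP1', 0xe2: 'APP2', 0xed: 'APP13' };
// Walk the marker segments before the first scan (SOS), where APPn must live.
function listJpegSegments(buf) {
  if (buf.length < 2 || buf[0] !== 0xff || buf[1] !== SOI) throw new Error('not a JPEG');
  const segments = [];
  let off = 2;
  while (off + 2 <= buf.length) {
    if (buf[off] !== 0xff) throw new Error(`expected marker at offset ${off}`);
    const marker = buf[off + 1];
    if (marker === 0xff) { off += 1; continue; }              // fill byte
    if (marker === SOS || marker === EOI) break;
    if (off + 4 > buf.length) throw new Error(`truncated segment at ${off}`);
    const len = buf.readUInt16BE(off + 2);                     // counts its own 2 bytes
    if (len < 2 || off + 2 + len > buf.length) throw new Error(`bad length at ${off}`);
    segments.push({ marker, payload: buf.subarray(off + 4, off + 2 + len) });
    off += 2 + len;
  }
  return segments;
}
// Metadata kinds still present, e.g. ['EXIF'] or [].
function findMetadata(buf) {
  return listJpegSegments(buf)
    .filter(({ marker }) => marker in METADATA_APPS)
    .map(({ marker, payload }) => {
      if (marker === 0xe1 && payload.subarray(0, 6).equals(Buffer.from('Exif\0\0'))) return 'EXIF';
      if (marker === 0xe1 && payload.indexOf('http://ns.adobe.com/xap/1.0/') === 0) return 'XMP';
      return METADATA_APPS[marker];
    });
}
// Gate to run on sharp's output before the fal.ai request is built.
function assertNoMetadata(buf) {
  const found = findMetadata(buf);
  if (found.length) throw new Error(`metadata still present: ${found.join(', ')}`);
  return true;
}
// Constructed samples: marker skeletons only, not decodable images.
function segment(marker, payload) {
  const hdr = Buffer.from([0xff, marker, 0, 0]); hdr.writeUInt16BE(payload.length + 2, 2);
  return Buffer.concat([hdr, payload]);
}
const SAMPLE_WITH_EXIF = Buffer.concat([Buffer.from([0xff, SOI]),
  segment(0xe1, Buffer.from('Exif\0\0MM\0*')), segment(0xdb, Buffer.alloc(65)), Buffer.from([0xff, SOS])]);
const SAMPLE_STRIPPED = Buffer.concat([Buffer.from([0xff, SOI]),
  segment(0xe0, Buffer.from('JFIF\0')), segment(0xdb, Buffer.alloc(65)), Buffer.from([0xff, SOS])]);
```

In practice `assertNoMetadata(await sharp(input).jpeg().toBuffer())` would sit between the re-encode and the fal.ai call, so a future change that re-enables metadata fails loudly instead of silently forwarding GPS data.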
3. fal.ai → Google Gemini image model
What is sent: the prompt and (if photo flow) the image bytes.
What is retained: Google's paid-tier Gemini API terms explicitly state that customer prompts and inputs are not used to train Google's models. Google logs prompts and responses for a "limited period" for abuse detection only.
Important caveat: Google's no-training contract is between Google and fal.ai (their paid customer), not between Google and Polished Play directly. We rely on fal.ai's contractual posture to extend that protection downstream to us. Google's Zero Data Retention (ZDR) option exists but is opt-in per project and we do not control whether fal.ai has applied for it.
What we did to constrain this hop: we control which upstream model fal.ai routes to — the iOS client cannot pick alternatives. Today the default upstream is Google's Gemini image model. Specific requests may be routed to a different model (for example, subscribers who have exceeded usage limits may be routed to a cheaper model). If we change the default upstream model, this page is updated when the chain changes; we do not commit to advance notice.
4. fal.ai CDN → Polished Play API → device
What is sent back: a public URL on fal.ai's CDN pointing at the generated image.
How long the URL is alive: 60 seconds. fal.ai's default is 7 days, but we set the expiresIn parameter explicitly on every request. Our server downloads the image into memory within milliseconds, so 60 seconds is a generous margin while keeping the public-URL exposure window short.
What is retained on Polished Play servers: still nothing. We never write the image bytes to disk or database. The image is held in memory for the duration of the response and then released.
5. Device storage
The final generated image is saved on the user's device in the app's sandbox. From this point on it is treated like any other on-device asset: it is not uploaded to our servers and is included in the device's normal iCloud backup (if the user has that enabled in iOS Settings).
Mitigations we've put in place
- EXIF/GPS metadata is stripped server-side before forwarding, so location and device identifiers never reach fal.ai or Google.
- fal.ai CDN retention is shortened to 60 seconds per request, vs. the 7-day default.
- Image bytes are not persisted on Polished Play servers — only request metadata is logged.
- Production AI traffic is routed only through fal.ai. Other AI providers supported in the codebase (Replicate, OpenAI direct) are not reachable from consumer app traffic. This is enforced at our API, not the iOS client.
- The current upstream model (Google Gemini, paid tier) contractually prohibits training on customer inputs. This is a property of the current model — not a forward commitment about every future model. Future models may have different terms; see "What we cannot promise" below.
- The School Edition is sealed off from AI at the API layer.
What we cannot promise
Honesty about what an AI processing chain actually looks like is more useful than reassurance. Here are the things we cannot control, do not guarantee, or have explicitly chosen not to commit to:
- We do not commit to advance notice of model changes. If we change the upstream model — whether for cost, abuse mitigation, availability, or any other reason — we update this page when the change happens, not necessarily before. There is no in-app banner, email notification, or advance-warning mechanism for model changes.
- We do not commit that every future model will contractually prohibit training on customer inputs. Today's upstream model (Google Gemini paid tier) does. Future models we route to may not. Parents should check the "Current chain" callout at the top of this page if this matters to them.
- We may route different requests to different models. For example, a subscriber who has exceeded usage limits may be routed to a cheaper model with different terms. The model used for any specific request is not disclosed to the user.
- fal.ai standard tier does not contractually bar training on customer data. fal.ai offers an enterprise tier that includes that guarantee; we are on the standard tier today. The no-training protection in today's chain comes from the upstream Google contract (which fal.ai inherits as Google's paid customer), not from fal.ai itself.
- We are not a party to the fal.ai ↔ Google contract. Google's no-training commitment is made to fal.ai, and we benefit indirectly. If Google or fal.ai materially change their terms, we may not learn about it immediately.
- Abuse-detection logging exists at multiple hops. Google logs prompts/responses for a "limited period" for abuse detection; fal.ai retains some request-level information for the same purpose. We do not have visibility into the exact retention windows at those hops.
- Generated images are not perfect. Image models can produce unexpected output. Users should review generated images before using them in a finished puppet show.
If any of these are unacceptable for your use case — particularly classroom or institutional use — please use the School Edition, which has no AI features at all.
Things we are evaluating
Improvements we are actively considering, listed here so this page is honest about where we are vs. where we want to be:
- Upgrading to fal.ai's enterprise tier for the explicit no-training contractual guarantee.
- Pursuing Google Gemini Zero Data Retention (ZDR) — though this requires fal.ai cooperation since fal.ai is the API key holder.
- Replacing the simplest stylization paths with on-device models (Apple CoreML / Foundation Models), eliminating the AI hop entirely for those flows.
Contact
If anything on this page is unclear, or you would like more detail on a specific hop, please reach out at privacy@polishedplay.com.
Effective: July 1, 2026