AI Processing Details — Puppet Pals 1

A hop-by-hop description of what happens when an AI feature in Puppet Pals 1 is used. This page exists because the standard privacy policy can't reasonably hold this much detail. Schools and privacy-conscious parents asked for it; here it is.

When does this apply?

Only when an active subscriber uses an AI feature inside Puppet Pals 1. The two AI features are:

  • Stylize a photo into a puppet — the user picks a photo from their device or takes one with the camera, and the app turns it into a stylized character (cartoon, Pixar 3D, watercolor, etc.).
  • Generate a character or background from text — the user types a description ("a friendly red dragon") and the app draws it.

Neither feature works for free users, non-subscribers, or the School Edition — for the School Edition this is enforced at our API, not in the app, so there is no way to turn it on.

The chain

  iPad / iPhone (your device)
       │   photo or text prompt
       ▼
  Polished Play API  (Vercel, US)
       │   strip EXIF/GPS, base64-encode
       ▼
  fal.ai             (US-based, our AI gateway)
       │   forward to Google
       ▼
  Google Gemini      (paid API tier)
       │
       ▼ generated image
  fal.ai CDN         (60-second public URL)
       │   downloaded once by our API
       ▼
  Polished Play API  (no image bytes stored)
       │
       ▼
  iPad / iPhone      (final image saved on device)

The same chain is used for both photo stylization and text-to-image generation. The only differences are which AI inputs are sent (photo + prompt vs. just prompt) and which Gemini endpoint fal.ai routes to.

Hop by hop

1. iPad/iPhone → Polished Play API

What is sent: the photo (if photo flow) or text prompt, the user's active subscription identifier, and the source identifier (which app + edition is calling).

What is retained: nothing on our side at this point — the request is just authenticated and forwarded.

How it's protected: TLS 1.2+ encrypted in transit. Subscription state is checked against our database; requests from the School Edition source ID are rejected here.

2. Polished Play API → fal.ai

What is sent: the prompt, and (if photo flow) an EXIF-stripped re-encoded copy of the photo.

What we strip first: all EXIF metadata, including GPS coordinates, camera identifiers, capture timestamps, and any embedded thumbnails. We use sharp to decode and re-encode the image — that re-encoding drops metadata as a side effect. The model sees pixels only.
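As an added example (not Polished Play's code), this is the kind of pre-forwarding check a server can run on the sharp output to confirm that the re-encode really dropped metadata: it walks the JPEG marker segments and refuses to forward a file that still carries an APP1 Exif segment. The `readyToForward` gate and the constructed sample headers are assumptions for illustration.

```javascript
// Added example: verify that a JPEG about to be forwarded carries no EXIF (APP1) segment.
// This is a check on the output of the sharp re-encode, not a replacement for it.
const SOI = 0xd8, EOI = 0xd9, SOS = 0xda, APP1 = 0xe1;

// Walk the marker segments that precede the entropy-coded scan data.
// All metadata (APPn, COM) lives in this header region.
function listJpegSegments(buf) {
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== SOI) {
    throw new Error('not a JPEG: missing SOI marker');
  }
  const segments = [];
  let pos = 2;
  while (pos + 4 <= buf.length) {
    if (buf[pos] !== 0xff) throw new Error(`marker expected at offset ${pos}`);
    const marker = buf[pos + 1];
    if (marker === SOS || marker === EOI) break;   // scan data starts; stop walking
    const len = buf.readUInt16BE(pos + 2);         // length field counts its own 2 bytes
    if (len < 2 || pos + 2 + len > buf.length) throw new Error(`truncated segment at offset ${pos}`);
    segments.push({ marker, payload: buf.subarray(pos + 4, pos + 2 + len) });
    pos += 2 + len;
  }
  return segments;
}

// EXIF is an APP1 segment whose payload begins with the "Exif\0\0" identifier.
function hasExif(buf) {
  const exifId = Buffer.from('Exif\0\0', 'latin1');
  return listJpegSegments(buf).some(
    (s) => s.marker === APP1 && s.payload.subarray(0, 6).equals(exifId)
  );
}

// Hypothetical gate applied before the bytes leave our servers for fal.ai.
function readyToForward(buf) {
  return !hasExif(buf);
}

// Constructed sample headers (not decodable images): SOI + APP0 JFIF, then SOS,
// with and without an APP1 Exif segment in between.
function segment(marker, payload) {
  const len = Buffer.alloc(2);
  len.writeUInt16BE(payload.length + 2);
  return Buffer.concat([Buffer.from([0xff, marker]), len, payload]);
}
const jfif = segment(0xe0, Buffer.from('JFIF\0\x01\x01\0\0\x01\0\x01\0\0', 'latin1'));
const exif = segment(APP1, Buffer.from('Exif\0\0MM\0\x2a\0\0\0\x08', 'latin1'));
const sos = Buffer.from([0xff, SOS, 0x00, 0x02]);
const WITH_EXIF = Buffer.concat([Buffer.from([0xff, SOI]), jfif, exif, sos]);
const WITHOUT_EXIF = Buffer.concat([Buffer.from([0xff, SOI]), jfif, sos]);
```

The check covers JPEG output only; a pipeline that emits PNG or HEIC would need the equivalent walk over that container's metadata chunks.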

What is retained on Polished Play servers: the request metadata only — timestamp, model used, success/failure, latency, cost estimate. No image bytes, no full prompts. We use this for billing, reliability monitoring, and abuse detection.

How it's protected: TLS to fal.ai.

3. fal.ai → Google Gemini image model

What is sent: the prompt and (if photo flow) the image bytes.

What is retained: Google's paid-tier Gemini API terms explicitly state that customer prompts and inputs are not used to train Google's models. Google logs prompts and responses for a "limited period" for abuse detection only.

Important caveat: Google's no-training contract is between Google and fal.ai (their paid customer), not between Google and Polished Play directly. We rely on fal.ai's contractual posture to extend that protection downstream to us. Google's Zero Data Retention (ZDR) option exists but is opt-in per project and we do not control whether fal.ai has applied for it.

What we did to constrain this hop: we restrict fal.ai to routing only to Google's Gemini image model for Puppet Pals 1 traffic. Other models available on fal.ai (Black Forest Labs Flux, OpenAI, Replicate-hosted models) are not used by the consumer app — this restriction is enforced at our API, not the iOS client.

4. fal.ai CDN → Polished Play API → device

What is sent back: a public URL on fal.ai's CDN pointing at the generated image.

How long the URL is alive: 60 seconds. fal.ai's default is 7 days, but we set the expiresIn parameter explicitly on every request. Our server downloads the image into memory within milliseconds, so 60 seconds is a generous margin and minimizes the public-URL exposure.

What is retained on Polished Play servers: still nothing. We never write the image bytes to disk or database. The image is held in memory for the duration of the response and then released.

5. Device storage

The final generated image is saved on the user's device in the app's sandbox. From this point on it is treated like any other on-device asset: it is not uploaded to our servers and is included in the device's normal iCloud backup (if the user has that enabled in iOS Settings).

Mitigations we've put in place

  • EXIF/GPS metadata is stripped server-side before forwarding, so location and device identifiers are never passed on to fal.ai or Google.
  • fal.ai CDN retention is shortened to 60 seconds per request, vs. the 7-day default.
  • The upstream model is restricted to Google Gemini (paid tier, contractual no-training) for all consumer subscriber traffic.
  • Image bytes are not persisted on Polished Play servers — only request metadata is logged.
  • Production AI traffic is restricted to two providers (fal.ai and Google). The other providers supported in the codebase (Replicate, OpenAI) are not reachable from consumer app traffic.
  • The School Edition is sealed off from AI at the API layer.

What we cannot promise

Honesty about what an AI processing chain actually looks like is more useful than reassurance. Here are the things we cannot control or fully guarantee:

  • fal.ai standard tier does not contractually bar training on customer data. fal.ai offers an enterprise tier that includes that guarantee; we are on the standard tier today. We rely on the upstream Google contract (which fal.ai inherits as Google's paid customer) to provide the no-training protection.
  • We are not a party to the fal.ai ↔ Google contract. Google's no-training commitment is made to fal.ai, and we benefit indirectly. If Google or fal.ai materially change their terms, we will update this page and notify subscribers.
  • Abuse-detection logging exists at multiple hops. Google logs prompts/responses for a "limited period" for abuse detection; fal.ai retains some request-level information for the same purpose. We do not have visibility into the exact retention windows at those hops.
  • Generated images are not perfect. Image models can produce unexpected output. Users should review generated images before using them in a finished puppet show.

Things we are evaluating

Improvements we are actively considering, listed here so this page is honest about where we are vs. where we want to be:

  • Upgrading to fal.ai's enterprise tier for the explicit no-training contractual guarantee.
  • Pursuing Google Gemini Zero Data Retention (ZDR) — though this requires fal.ai cooperation since fal.ai is the API key holder.
  • Replacing the simplest stylization paths with on-device models (Apple CoreML / Foundation Models), eliminating the AI hop entirely for those flows.

Contact

If anything on this page is unclear, or you would like more detail on a specific hop, please reach out at privacy@polishedplay.com.

Effective: July 1, 2026