NIRO Privacy Policy
This is the master privacy policy for NIRO Corp and every app we ship — PicPlots, AICheck, SkyWrite, and DeNiro Card. Each app has a short companion page that lists the specific data that app collects; everything else on this page applies to all of them.
Effective date: May 3, 2026 · Last updated: May 3, 2026
The short version
We try to collect as little as we can get away with and still ship a working product. We do not sell your personal information. We do not share your data with third-party advertisers. We do use a small number of vendors (Stripe for payments, Apple and Google for in-app purchases, Supabase and Vercel for infrastructure) to actually run the apps — those are listed below by name.
If you want your account or your data deleted, email jesse@niroaerial.com from the address on the account, and we will do it within 30 days.
Who this policy is from
This policy is published by NIRO Corp, a Georgia corporation (GA SOS Control # 21232709), EIN 36-4996890, with an address at 3372 Peachtree Road NE, Unit #2607, Atlanta, GA 30326, USA. When this policy says "we," "us," or "NIRO," it means NIRO Corp. When it says "you," it means you — the person using one of our apps or our website.
This policy covers:
- niroaerial.com and its subpages.
- PicPlots (iOS + Android) — collaborative photo wall.
- AICheck (iOS + Android) — on-device checks for AI-generated content.
- SkyWrite (iOS + Android, where applicable) — drone-skywriting booking and flight scheduling.
- DeNiro Card (iOS + Android) — card-style mobile game.
Each app has a per-app addendum that lists the specific data that app collects: PicPlots · AICheck · SkyWrite · DeNiro Card.
What data we collect
We group the data we collect into six categories. Not every app collects every category — see each app's addendum for the specifics.
1. Account data
If an app lets you create an account, we collect what you give us during sign-up: typically an email address, a password hash (we never store the plaintext password), and any handle or display name you choose. If you sign in with Apple or Google, we receive the basic profile info those providers hand us — usually a stable user ID and an email (which Apple may relay through a private-relay address).
2. Payment data
We do not store full credit-card numbers. Card details go directly to Stripe (stripe.com/privacy) for web purchases, or to Apple and Google for in-app purchases. We receive a transaction ID, the last four digits of the card or wallet identifier, the amount, and the status (paid, refunded, failed). That is enough to fulfill the purchase, validate the receipt, and reconcile a refund.
3. Device and usage data
When you use one of our apps, our servers automatically log: IP address, device model and OS version, app build number, language and locale, crash reports, and a session timestamp. We use this for debugging, fraud and abuse prevention, and figuring out what to fix next. We do not maintain advertising profiles.
4. Location data
Some apps (notably SkyWrite, which has to know where to fly) collect coarse or precise location — but only when you explicitly grant the permission and only while you are using the relevant feature. We do not run location collection in the background unless an app's per-app addendum specifically says so and your OS shows the persistent indicator.
5. Content data
Some apps let you upload content — photos in PicPlots, selected media in AICheck, message text in SkyWrite booking notes. The exact handling depends on the app; the per-app addenda are explicit about what leaves the device and what doesn't. AICheck checks selected files for Content Credentials and asks permission before sending a selected image to a third-party AI detector.
6. Subscription and entitlement data
For paid features, we keep a record of which subscription is active, when it renews, and when it was cancelled. Apple and Google share this with us through their server-to-server notifications and receipt-validation APIs.
Why we collect it
Under GDPR language, our legal bases are: contract (we have to process your account and payments to give you the service you signed up for), legitimate interest (running the service, preventing abuse, debugging crashes), and consent (anything optional, like location or push notifications, where the OS asks before we collect).
Concretely:
- Service delivery — to actually run the app: log you in, charge your card, deliver the photo, schedule the flight.
- Payment processing — to take your money and not get charged back fraudulently.
- Security and abuse prevention — to detect bots, account takeovers, payment fraud, and CSAM uploads.
- Compliance — App Store and Play Store reviews, tax reporting, subpoenas, DMCA takedowns.
- Product improvement — fixing crashes, finding what features are unused, prioritizing what to build next.
Who we share it with
We share data with the following processors, and only the data they need to do the job we hired them for. We do not share data with advertising networks or data brokers.
| Processor | What they get | What for |
|---|---|---|
| Stripe, Inc. | Card and ACH payment data; billing email | Card processing for web checkout (where applicable). PCI-DSS compliant. |
| Apple Inc. | In-app purchase receipts; Sign-in-with-Apple identifier | iOS purchases, subscription management, Apple ID auth. |
| Google LLC | Play Billing receipts; Google Sign-In identifier | Android purchases, subscription management, Google account auth. |
| Supabase, Inc. | Account records, content metadata, server logs | Hosted Postgres + Auth + Storage backend. SOC 2 Type II. |
| Vercel, Inc. | Web traffic, edge logs | Hosting niroaerial.com and the marketing surfaces. |
| Amazon Web Services | Backups, object storage where used | Storage for backups and large media (where applicable). |
| Apple App Store / Google Play | Aggregated install / crash data | Required to ship on the platforms. |
We will share data with law enforcement when we get a valid legal request — subpoena, court order, or warrant — that we are legally required to comply with. We will push back on overbroad requests where we can. If we receive a national security letter or other gag-ordered request, we are not always allowed to tell you.
How long we keep it
- Account data — for as long as your account exists, plus 30 days after a deletion request, after which we delete or anonymize it. Some records (e.g., a hashed user ID linked to a refund) may persist longer in financial logs.
- Payment records — Stripe and Apple/Google retain transaction records on their own schedules (typically 7 years for financial compliance). We keep our own copy of receipts for as long as the subscription is active plus 7 years for tax purposes.
- Server logs — typically 90 days, then rolled off.
- Crash reports — typically 180 days.
- Content you upload (PicPlots photos, etc.) — until you delete it or your account is deleted. We may keep moderation records (a hash + the moderation decision) longer to enforce our rules against re-uploaded prohibited content.
Your rights
Depending on where you live, you have some or all of the following rights. You can exercise any of these by emailing us at jesse@niroaerial.com from the email address on the account, with a clear description of what you want.
Under California law (CCPA / CPRA)
- Right to know what personal information we have about you.
- Right to delete personal information we have collected.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing." We do not sell your personal information as that term is defined under California law, and we do not "share" it for cross-context behavioral advertising.
- Right to non-discrimination — we will not punish you for exercising any of these rights.
Under EU and UK law (GDPR / UK GDPR)
- Right of access — get a copy of your data.
- Right to rectification — fix what's wrong.
- Right to erasure ("right to be forgotten").
- Right to restrict or object to certain processing.
- Right to data portability — get your data in a machine-readable format.
- Right to withdraw consent at any time, where we relied on consent.
- Right to lodge a complaint with your local supervisory authority (e.g., the Irish DPC, the UK ICO).
Children
Our apps are rated 17+ on the App Store and the equivalent on Google Play. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and you believe your child under 13 has given us personal information, email jesse@niroaerial.com and we will delete the account and any associated data. We comply with the U.S. Children's Online Privacy Protection Act (COPPA).
PicPlots additionally enforces a hard age-gate on first launch: users below 13 are locked out, and users below 18 cannot make in-app purchases.
How we secure your data
We use TLS in transit, encryption at rest on Supabase and AWS, hashed passwords (never plaintext), server-side receipt validation for in-app purchases, and short-lived auth tokens. No system is perfectly secure. If we ever discover a breach affecting your data, we will notify affected users and the relevant regulators within the timelines required by law (typically 72 hours under GDPR for high-risk breaches).
International transfers
Our servers are in the United States. If you are using our apps from outside the U.S., your data will be transferred to and processed in the U.S. For users in the EU/UK, we rely on the Standard Contractual Clauses (and, where applicable, the EU-U.S. Data Privacy Framework) for these transfers. You can ask for a copy of the relevant SCCs by emailing us.
Cookies and similar technologies
The marketing site at niroaerial.com uses essential cookies only — we do not use advertising or analytics cookies on the marketing site. Inside the apps, we use the platform's native auth tokens (not browser cookies) to keep you logged in.
Do Not Track
We do not currently respond to "Do Not Track" browser signals because there is still no consistent industry standard for what they mean. We honor the California Global Privacy Control (GPC) signal where it applies.
Changes to this policy
We will update this page when our practices change. For material changes, we will give you 30 days' notice through an in-app banner and, if you have an account, an email to the address on file before the change takes effect. The "Effective date" at the top of this page tells you when the current version went into force; we keep an archive of prior versions on request.
Contact
For privacy questions, deletion requests, data access requests, or anything else covered by this policy, email jesse@niroaerial.com. We are setting up privacy@niroaerial.com and abuse@niroaerial.com aliases — until those are live, the founder address above is the right one to use.
Postal mail:
NIRO Corp
Attn: Privacy
3372 Peachtree Road NE, Unit #2607
Atlanta, GA 30326
USA
Per-app addenda
Each of our apps has a short page listing the specific data that app collects. You should read those alongside this master policy:
- PicPlots privacy addendum
- AICheck privacy addendum
- SkyWrite privacy addendum
- DeNiro Card privacy addendum
See also: Terms of Service.