Privacy Policy

Last updated: December 5, 2025

1. Introduction

Welcome to imgflow.io ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and protect your information when you use our image processing services, and informs you about your privacy rights under the General Data Protection Regulation (GDPR) and other applicable laws.

2. Data Controller

For the purposes of GDPR, the data controller is:

imgflow.io

Email: privacy@imgflow.io

Support: support@imgflow.io

3. Information We Collect

We collect and process the following categories of personal data:

3.1 Account Information

  • Identity Data: First name, last name, username
  • Contact Data: Email address
  • Authentication Data: OAuth tokens from Google (we do not store your password)

3.2 Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Device information
  • Time zone and location settings

3.3 Usage Data

  • Pipeline configurations (stored locally in your browser)
  • User preferences and settings

3.4 Image Data

Important: Most image processing occurs entirely in your browser (client-side). Your images are NOT uploaded to our servers for operations like resize, compress, rotate, flip, convert, crop, and watermark addition.

Exception: The automatic watermark removal feature temporarily uploads images to our server for processing using AI/ML models. These images are immediately deleted after processing and are never stored permanently.

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

  • Consent: You have given clear consent for us to process your personal data for specific purposes (e.g., cookie usage, account creation)
  • Contract: Processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract
  • Legitimate Interests: Processing is necessary for our legitimate interests (e.g., improving our services, security) and does not override your rights
  • Legal Obligation: Processing is necessary to comply with legal obligations

5. How We Use Your Information

We use your personal data for the following purposes:

  • To create and manage your account
  • To authenticate your identity and provide access to our services
  • To provide and improve our image processing tools
  • To communicate with you about service updates or support requests
  • To ensure security and prevent fraud
  • To comply with legal obligations
  • To analyze usage patterns and improve user experience (anonymized data only)

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

  • Account Data: Retained while your account is active and for 30 days after account deletion
  • Authentication Tokens: Retained until you log out or tokens expire
  • Pipeline Configurations: Stored locally in your browser indefinitely (you can clear them at any time)
  • Uploaded Images (Watermark Removal): Deleted immediately after processing (within seconds)
  • Technical Logs: Retained for up to 90 days for security and debugging purposes

After the retention period, we will securely delete or anonymize your personal data.

7. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

7.1 Right to Access (Article 15)

You have the right to request a copy of the personal data we hold about you.

7.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data.

7.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when there is no compelling reason for its continued processing.

7.4 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing of your personal data in certain circumstances.

7.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

7.6 Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests.

7.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing. We do not use automated decision-making or profiling.

How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@imgflow.io. We will respond to your request within 30 days as required by GDPR.

8. Third-Party Services

8.1 Supabase (Authentication & Database)

We use Supabase for authentication and database services. Supabase is GDPR compliant and stores data in secure data centers. When you sign in with Google, we use Google's OAuth service to authenticate your identity. We do not store your Google password.

8.2 Google OAuth

We use Google OAuth for authentication. Google's privacy policy applies to data collected during the authentication process. View Google's privacy policy at https://policies.google.com/privacy

8.3 PostHog (Product Analytics)

We use PostHog to understand how our Service is used. PostHog collects usage data to help us improve user experience. PostHog is GDPR compliant and allows us to analyze user behavior without compromising privacy. View PostHog's privacy policy at https://posthog.com/privacy

9. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). Supabase stores data in secure, GDPR-compliant data centers. We ensure that all international data transfers comply with GDPR requirements through appropriate safeguards such as Standard Contractual Clauses (SCCs).

10. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our services. For detailed information about the cookies we use, please see our Cookie Policy.

Types of Cookies We Use:

  • Essential Cookies: Required for authentication and core functionality
  • Functional Cookies: Store your preferences and pipeline configurations (using localStorage)
  • Preference Cookies: Remember your cookie consent choices

11. Data Security

We implement appropriate technical and organizational security measures to protect your personal data:

  • Encryption of data in transit using HTTPS/TLS
  • Encryption of data at rest in our databases
  • Access controls limiting data access to authorized personnel only
  • Regular security audits and updates
  • Secure authentication using industry-standard OAuth 2.0
  • Immediate deletion of temporarily uploaded images

While we strive to protect your personal data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.

12. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@imgflow.io, and we will delete such information.

13. Your Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority (Data Protection Authority). However, we encourage you to contact us first at privacy@imgflow.io so we can address your concerns.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your data, please contact us:

Privacy Inquiries:

Email: privacy@imgflow.io

General Support:

Email: support@imgflow.io

We will respond to all requests within 30 days as required by GDPR.