Privacy Policy

Last updated: EFFECTIVE_DATE

This policy explains what data BUSINESS_NAME ("we", "us") collects when you use the Image Analyzer service (the "Service"), why we collect it, who else is involved, and what rights you have over it.

This policy is written to satisfy the requirements of the Australian Privacy Act 1988, the EU/UK General Data Protection Regulation (GDPR), and Singapore's Personal Data Protection Act (PDPA). Where these laws differ in your favour, the stricter standard applies.

What we collect

Data	Why	Legal basis
Email address	Account identification and login	Contract performance
Hashed password (bcrypt)	Authentication	Contract performance
Credit balance	Service delivery, billing	Contract performance
Job history (tier, status, timestamp, result, image-set fingerprint)	Service delivery, result caching, abuse detection	Contract performance + legitimate interest in fraud prevention
Payment records (Stripe session ID, amount, credits granted)	Accounting, refund handling	Contract performance + legal obligation (tax records)
Server logs (IP address, request paths, errors)	Operations, security, abuse detection	Legitimate interest

What we do not collect

• Your images. Photos you submit pass through our system to the analysis server, are processed, and the image data is discarded. We do not save image files anywhere — not on our web server, not in our database, not in any cache.
• Payment card details. Stripe handles all card data directly. We never see card numbers, CVVs, or expiry dates.
• Face/identity embeddings. Our Pro-tier face landmark analysis computes geometric ratios in memory and discards the underlying landmark coordinates when the request finishes. We do not generate, store, or share anything that could be used to identify a person.
• Tracking analytics. We do not use Google Analytics, Facebook Pixel, or similar tracking tools.

How long we keep it

Account data, job history, and payment records are retained for as long as your account is active. Job history (including failed and low-quality results) is kept indefinitely while your account exists, because patterns across that history are how we detect abuse of the Service.

When you delete your account, we delete your email, password hash, credit balance, and personally-identifiable job records within 30 days. We may retain aggregated and anonymised abuse signals (e.g. "an account at this IP attempted N submissions blocked by content moderation") indefinitely for ongoing fraud prevention. Nothing in that aggregate is linkable to you.

Sub-processors

The following third parties process some of your data on our behalf. We have or will have data processing agreements with each.

Provider	Purpose	Data shared	Region
RackNerd (hosting)	Web server, database storage	All account and job data	Singapore
Stripe	Payment processing	Email, amount, session metadata	USA / global
RunPod	GPU inference for paid analysis	Image data (transiently — not retained)	USA / global
Microsoft Azure (Content Safety)	Pre-analysis content moderation check	Image data (transiently — not retained per Microsoft's policy)	Australia East

Your rights

Under the laws listed above, you have the right to:

• Access — request a copy of all data we hold about you.
• Deletion — request that we delete your account and associated data. The "Delete Account" button on your account page does this immediately.
• Correction — update incorrect information (currently the only field is your email — contact us to change it).
• Portability — download your data in a machine-readable format (JSON). Available via the "Export Data" button on your account page.
• Withdraw consent — for any processing based on consent (currently, none of our processing relies on consent — it's all contract or legitimate interest).
• Lodge a complaint — with the relevant supervisory authority (the Office of the Australian Information Commissioner for Australia; your national DPA for the EU; the PDPC for Singapore).

To exercise any of these rights, use the buttons on your account page or email us at CONTACT_EMAIL. We respond within 30 days, usually faster.

Cookies

We use a single session cookie (PHPSESSID) to keep you logged in. This is a strictly-necessary cookie and does not require consent under either GDPR or Australian law. We do not use tracking, advertising, or analytics cookies.

Children

This Service is not directed at children. You must be at least 16 years old to create an account.

Security

Passwords are hashed with bcrypt before storage. All connections to the Service use HTTPS. The database is access-restricted at the host level. In the event of a data breach affecting personal data, we will notify affected users and, where required, the relevant authority within 72 hours of becoming aware.

International transfers

Some sub-processors are located outside Australia, the EU, and Singapore (see the table above). Where required, we rely on Standard Contractual Clauses (for EU transfers) or equivalent legal mechanisms to ensure your data is protected to the same standard.

Changes to this policy

If we make material changes to this policy, we'll notify you by email and update the "Last updated" date at the top. Continued use of the Service after that constitutes acceptance.

Contact

Questions about this policy or your data:
CONTACT_EMAIL
BUSINESS_NAME, BUSINESS_ADDRESS

Terms of Service · Back to analyzer