PhotoCull — Privacy Policy

Last updated: August 11, 2025

Your privacy matters to us. PhotoCull (the "Service") is provided by Novasas ("Novasas", "we", "us", or "our"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, where it is stored, how long we retain it, and your rights regarding your personal data.

1. Data Controller / Contact

Data controller: Novasas

Company address: [insert full company address here]

Company registration number: [insert registration number]

Email (privacy & data requests): privacy@novasas.ch

If you have questions about this Privacy Policy or want to exercise your data protection rights, contact us at privacy@novasas.ch.

2. Scope & Applicability

This Privacy Policy applies to personal data processed in connection with your use of PhotoCull (web, desktop, or mobile apps) and related support or sales interactions. By using the Service, you accept the terms of this Privacy Policy and consent to the processing described herein where consent is required.

3. Legal Bases for Processing

We process personal data only where we have a valid legal basis under applicable law (including the EU GDPR). Typical legal bases we rely on include:

  • Performance of a contract (Art. 6(1)(b) GDPR) — e.g., account management, providing the Service, billing.
  • Consent (Art. 6(1)(a) GDPR) — e.g., optional analytics, cookies, and Smart Insights (AI image analysis).
  • Legitimate interests (Art. 6(1)(f) GDPR) — e.g., fraud prevention, service improvement, security (we balance these interests against your rights).
  • Legal compliance (Art. 6(1)(c) GDPR) — e.g., tax, accounting, and lawful requests.

4. What Data We Collect

Account & Identity Data

  • Email address (Google OAuth or other login providers)
  • Display name and profile picture (if provided by login provider)
  • Unique user ID, session identifiers, login timestamps, last activity

Image & Content Data

  • Photos/images you upload
  • Filenames, file size, technical metadata (EXIF), format
  • Tags, ratings, captions, and labels you add
  • AI analysis results and derived metadata (only if you opt in to Smart Insights)
  • Duplicate-detection and quality-assessment data

Usage & Technical Data

  • Upload/download counts, storage usage, quotas
  • Search queries, filter preferences, UI interactions
  • Device information, browser type, IP address (as required for security), error logs
  • Cookie and consent preferences
  • Performance telemetry (only with your consent)

Payment & Billing Data

  • Stripe customer ID and billing status (we do not store raw card numbers)
  • Billing address and invoicing metadata when provided
  • Subscription plan and renewal history

Other

  • Support correspondence, feedback, and any information you provide in communications with us

5. Special Protections for Minors

PhotoCull is intended for users at least 16 years old (or the minimum age required in your jurisdiction). If local law sets a higher minimum age, you must be at least that age. We do not knowingly collect personal data from children below the minimum permitted age.

If a person under the applicable minimum age wishes to use PhotoCull, a parent or legal guardian must register and consent on their behalf. Parents/guardians are responsible for supervising the child's account. If we learn we have collected personal data from a child without required consent, we will promptly delete it.

6. How We Use Your Data (Purposes)

  • To provide the Service (account management, storage, synchronization, search, duplicate detection). Legal basis: contract.
  • For subscription management and billing (via Stripe). Legal basis: contract / legal compliance.
  • To enable optional AI features (Smart Insights): AI analysis only if you explicitly opt in. Legal basis: consent.
  • To improve and secure the Service (bug fixes, analytics, fraud prevention). Legal basis: legitimate interests (or consent for analytics where required).
  • To respond to legal requests and enforce our Terms. Legal basis: legal obligation and legitimate interests.

7. Smart Insights — AI Image Analysis (Explicit Opt-In)

Smart Insights is an optional feature. If you enable it:

  • Selected images and derived metadata will be transmitted securely to third-party AI providers (e.g., Microsoft Azure Computer Vision) for analysis (object recognition, OCR, tagging, scene detection).
  • Transmissions are encrypted in transit (TLS). Novasas' contracts with AI providers require appropriate data protection measures; however, the exact handling and retention of data by those providers are controlled by their policies. We recommend reviewing providers' privacy notices.
  • You can revoke consent at any time; revocation prevents future transfers but does not necessarily delete analysis results already created (see Data Retention).
  • We will provide a clear, affirmative opt-in flow in the UI and a "Learn more" link explaining Data Processing Addendum / Sub-processor details.

8. Third Parties & Sub-Processors

We use subprocessors to deliver parts of the Service. Typical subprocessors include:

  • Microsoft Azure — AI processing and compute (only for Smart Insights when you opt in)
  • Supabase — storage and database (EU region for EU customers where possible)
  • Stripe — payment processing
  • Vercel / Sentry / analytics providers — performance and optional monitoring

We maintain a current Sub-Processor list on our website and update it when we add or change subprocessors. Where required (e.g., for EU controllers), we will enter into DPAs and flow down obligations to subprocessors.

9. Cross-Border Transfers

Some processing may occur outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we rely on appropriate safeguards (e.g., the EU Standard Contractual Clauses (SCCs)), adequacy decisions, or explicit user consent, as applicable. Contact privacy@novasas.ch for details or to request a copy of applicable transfer safeguards.

10. Cookies & Tracking

We use cookies and similar technologies. Categories:

  • Strictly necessary — required for core site functionality (no opt-out). Legal basis: legitimate interests / contract.
  • Functional — enhance user experience (may require consent). Legal basis: consent.
  • Analytics — anonymized or pseudonymized usage data. Legal basis: consent.
  • Marketing — personalized advertising. Legal basis: consent.

You can manage cookie preferences via the cookie banner or your browser settings. Disabling certain cookies may reduce functionality.

11. Data Retention

We retain personal data for as long as necessary to provide the Service and meet legitimate business needs or legal obligations.

Typical retention periods:

  • Account data: until account deletion plus up to 90 days in backups, unless legal obligations require longer.
  • Image data: until you delete it or delete your account. Backups may persist for a reasonable recovery period (e.g., up to 90 days).
  • Usage statistics and anonymized analytics: up to 36 months.
  • Payment and invoicing data: 7 years (tax/accounting requirements).
  • Guest data: 24 hours (automatic cleanup).
  • GDPR logs and audit records: 7 years.

We will delete or anonymize data when no longer needed, subject to backups and legal obligations. For exact retention schedules, see our retention page or contact privacy@novasas.ch.

12. Your Rights (under GDPR and similar laws)

Where applicable, you have the right to:

  • Access the personal data we hold about you.
  • Request rectification of inaccurate data.
  • Request deletion ("right to be forgotten") subject to legal limits.
  • Request restriction of processing.
  • Object to certain processing (e.g., direct marketing).
  • Request portability of data you provided in a structured, machine-readable format.
  • Withdraw consent (where processing is based on consent) — withdrawal does not affect processing prior to withdrawal.
  • Lodge a complaint with a supervisory authority (for EU/EEA residents).

To exercise your rights, contact privacy@novasas.ch. We may require identity verification before responding.

13. Data Security

We implement reasonable technical and organizational measures appropriate to the risk, including:

  • TLS encryption in transit
  • Encryption at rest for cloud storage where supported
  • Role-based access controls and logging
  • Regular security updates and vulnerability management
  • Access restrictions for Novasas personnel (least privilege)
  • Incident response procedures

No system is perfectly secure — we encourage you to keep local backups of important Content.

14. Data Breaches

If a personal data breach occurs that poses a risk to your rights and freedoms, Novasas will notify the relevant supervisory authority and affected data subjects as required by law (e.g., GDPR: without undue delay, and where feasible within 72 hours). Report suspected incidents to privacy@novasas.ch.

15. Sharing & Disclosure

We do not sell your personal data. We may share data with:

  • Subprocessors (as described above) under contract and only to provide the Service
  • Law enforcement or regulators when required by law or court order
  • Third parties in connection with a corporate transaction (sale, merger, reorganization) — in which case we will require the recipient to respect this Privacy Policy

16. International Users & Transfers

If you are located outside the EU/EEA, your data may be transferred to, stored, and processed in countries with different data protection laws. We will ensure transfers are lawful (SCCs, adequacy decisions, or other mechanisms) and documented.

17. Third-Party Links & Embedded Content

The Service may contain links to third-party sites. This Privacy Policy does not apply to third-party websites; we are not responsible for their privacy practices. Please review third-party privacy policies before providing personal data.

18. Marketing Communications

With your consent, we may send promotional emails. You can opt out at any time via unsubscribe links or by contacting privacy@novasas.ch.

19. Changes to This Policy

We may update this Privacy Policy. For material changes, we will notify you in-app or by email and obtain renewed consent if required. The "Last updated" date at the top indicates when the policy was last revised.

20. Contact & Complaints

For privacy inquiries, data subject requests, or complaints: privacy@novasas.ch. You may also contact your local data protection authority if you believe your rights have been violated.

21. Additional Information for EU/EEA Residents

  • Data Protection Officer (DPO): [if applicable, insert contact]
  • Legal basis summary: see Section 3.
  • Transfers: we use SCCs or equivalent safeguards for transfers outside the EEA — contact privacy@novasas.ch for copies.

This Privacy Policy is effective as of August 11, 2025 and has been created in accordance with GDPR and EU law.
