PhotoCull Logo

Privacy Policy

Last updated: July 26, 2025

Your Privacy Matters to Us

PhotoCull respects your privacy and is committed to processing your personal data in a transparent and secure manner. This Privacy Policy explains what information we collect, how we use it, and what rights you have.

1. Data Controller

The data controller for data processing is:

PhotoCull

Email: privacy@photocull.com

Website: https://photocull.com

2. What Data Do We Collect?

Account Data

  • • Email address (via Google OAuth)
  • • Name and profile picture (if provided by Google)
  • • Unique user ID and session identifiers
  • • Login time and last activity
  • • Device information and browser type
  • • Plan type and subscription status

Image Data

  • • Uploaded images (stored locally in your browser for free users)
  • • Cloud storage for paid users (Supabase Storage, EU servers)
  • • Filename, size and technical metadata
  • • Tags and ratings added by you
  • • Automatically generated AI analysis results
  • • Duplicate detection data and image quality scores
  • • Search history and filter preferences (cached locally)

Usage Data

  • • Upload counts and download usage statistics
  • • Smart insights usage and storage quotas
  • • Search queries and filter settings
  • • User interface interactions and preferences
  • • Error messages and technical logs
  • • Cookie preferences and consent history
  • • Performance monitoring data (only with consent)
  • • GDPR compliance audit logs

Payment Data

  • • Stripe customer ID (no credit card data is stored by us)
  • • Subscription status and payment history
  • • Billing address (if provided)
  • • Usage quotas and limits stored in payment metadata
  • • Subscription period and renewal dates

3. Special Protections for Minors

Age Verification: PhotoCull is designed for users 18 years and older. We do not knowingly collect personal information from children under 18.

Parental Consent: If you are under 18, you may only use PhotoCull with active parental or guardian supervision and consent. The parent/guardian assumes full responsibility for the minor's use of the service.

Data Minimization for Minors: When minors use the service under parental supervision, we:

  • • Limit data collection to essential service functionality only
  • • Disable optional analytics and marketing cookies by default
  • • Provide enhanced privacy controls to parents/guardians
  • • Automatically delete data when the user reaches age of majority unless explicitly retained

Removal Process: If we learn that we have collected information from a child under 18 without parental consent, we will delete such information immediately. Parents can contact us to request deletion of their child's data.

4. How Do We Use Your Data?

Service Provision

Legal basis: Contract performance (Art. 6 para. 1 lit. b GDPR)

  • • User account management and authentication
  • • Storage and organization of your images
  • • Providing search and filter functions
  • • Subscription management and billing

AI-Powered Features

Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)

  • • Automatic image analysis and tag generation
  • • Intelligent search functions
  • • Duplicate detection
  • • Image quality assessment

Service Improvement

Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR)

  • • Bug fixing and technical improvements
  • • Analysis of service usage (anonymized)
  • • Security monitoring

5. Where Is Your Data Stored?

Local Storage (Free Users)

Free users have their images and processing data stored locally in their browser:

  • • Images stored in IndexedDB (1GB limit)
  • • Search history and user preferences in localStorage
  • • Data stays on your device and doesn't leave your computer
  • • Exception: AI features send image data to Azure Vision API with consent

Cloud Storage (Paid Users)

Paid users benefit from hybrid cloud storage:

  • • Images stored in Supabase Storage (EU servers)
  • • 5GB storage for Basic plan, 10GB for Pro plan
  • • Automatic sync between devices
  • • Secure backup and redundancy

Server Storage (All Users)

The following data is stored on secure servers in the EU:

  • • User account information (Supabase, EU region)
  • • Subscription data (Stripe, global with EU adequacy)
  • • Usage quotas and limits
  • • GDPR compliance logs
  • • Session and authentication data

6. Cookies and Tracking

What Are Cookies?

Cookies are small text files that are stored on your device when you visit our website. They help us provide you with a better experience and understand how our service is used.

Cookie Categories

Necessary Cookies

These cookies are essential for the website to function properly and cannot be disabled.

Purpose: Authentication, security, basic functionality
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention: Session duration

Functional Cookies

These cookies enable enhanced functionality such as AI image analysis and intelligent search.

Purpose: Enhanced user experience and AI-powered features
Legal basis: Consent (Art. 6(1)(a) GDPR)
Retention: 12 months

Analytics Cookies

These cookies help us understand how the website is used to improve our services.

Purpose: Service improvement and performance optimization
Legal basis: Consent (Art. 6(1)(a) GDPR)
Retention: 12 months

Marketing Cookies

These cookies are used for advertising purposes and personalized content.

Purpose: Personalized marketing and advertising
Legal basis: Consent (Art. 6(1)(a) GDPR)
Retention: 6 months

Managing Your Cookie Preferences

You can manage your cookie preferences at any time through:

  • Cookie banner: Click "Settings" in the cookie banner at the bottom of the page
  • Account settings: Go to Privacy & Data settings in your account
  • Browser settings: Configure cookie settings in your browser preferences

Note: Disabling certain cookies may affect the functionality of our service.

7. Third-Party Services

Authentication & Backend

Google OAuth: For user login and account creation

Data shared: Email, name, profile picture
Privacy policy:Google Privacy Policy

Supabase: For user authentication, database, and cloud storage

Data shared: Account data, session info, images (paid users)
Location: EU region
Privacy policy:Supabase Privacy Policy

Payment Processing

Stripe: For secure payment processing and subscription management

Data shared: Email, usage quotas, subscription data
Location: Global with EU adequacy decision
Privacy policy:Stripe Privacy Policy

AI Analysis (optional)

Azure Computer Vision: For advanced image analysis (only with your consent)

Data shared: Image data for analysis only
Retention: Microsoft processes and deletes immediately
Privacy policy:Microsoft Privacy Statement

Performance Monitoring (optional)

Vercel Analytics: For performance monitoring (only with your consent)

Data shared: Performance metrics, anonymized usage data
Location: Global
Privacy policy:Vercel Privacy Policy

8. Data Retention

Retention Periods

Account Data

Until account deletion

Image Data

Until manual deletion or account deletion

Usage Statistics

36 months (for quota management)

Payment Data

7 years (tax law requirements)

Guest Data

24 hours (automatic cleanup)

GDPR Logs

7 years (compliance requirements)

Automatic Cleanup

We automatically delete data according to our retention policies:

  • • Guest sessions are cleaned up after 24 hours
  • • Temporary cache data is cleaned up after 30 days
  • • Expired session data is removed after 90 days
  • • Data exports are deleted after 7 days
  • • Anonymized analytics data is retained for 36 months

9. Your Rights

Right to Access

You have the right to know what data we have stored about you.

Rectification

You can have incorrect data corrected or updated.

Deletion

You can request the deletion of your personal data.

Data Portability

You can export your data in a structured format.

How to Exercise Your Rights

To exercise your rights, contact us at privacy@photocull.com or use the following features in the app:

  • Data export: Full export available in account settings (JSON and ZIP formats)
  • Account deletion: Comprehensive 6-step deletion process in account settings
  • Cookie settings: Available in account settings and cookie banner
  • Consent management: Withdraw consent for AI features and analytics
  • Data access: View your data through export or contact us for detailed report

Note: Some rights may be limited for technical reasons. For example, we cannot modify data that has been processed by third-party AI services.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • • HTTPS encryption for all data transmissions
  • • Local data storage for maximum privacy (free users)
  • • Encrypted cloud storage for paid users
  • • Access controls and permission management
  • • Secure deletion procedures (6-step process)
  • • Content Security Policy (CSP) headers
  • • API rate limiting and abuse prevention
  • • Regular security monitoring and updates

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you through the app and ask for renewed consent if required.

12. Contact

If you have questions about this Privacy Policy or the processing of your personal data, you can contact us:

Email: privacy@photocull.com

Subject: Privacy Inquiry

This Privacy Policy is effective as of 7/26/2025and complies with GDPR requirements.