Phototology Privacy Policy
Effective Date: April 13, 2026
Last Updated: April 13, 2026
Summary
This is a plain-language summary of our full privacy policy. It covers the key points but is not a substitute for the complete policy below.
What we do: Phototology is an AI-powered image analysis platform. You upload photos, select analysis lenses, and receive structured metadata about your images.
What data we collect: Your account information (email, name), uploaded images, AI analysis results, billing history, and standard web analytics (IP addresses, session data, cookies).
How photos are analyzed: Your photos are transmitted to AI providers (Google Gemini, OpenAI, or Anthropic Claude) for analysis. These providers process your photos in US data centers and do not retain your data for AI training on their paid API tiers.
People lens: The People lens counts people and describes clothing at a general level. It does not extract eye color, hair details, or other physical features, does not perform facial recognition, does not create face embeddings, and does not track people across photos. No biometric or biometric-adjacent information is collected.
How long we keep data: Free tier: images for 30 days, analysis results for 1 year. Paid tier: 5 years. You can delete your data at any time.
Your rights: You can access, correct, delete, or export your data. Non-users depicted in photos can request deletion at [email protected].
Important exception: Content reported to the National Center for Missing & Exploited Children (NCMEC) is preserved for 1 year as required by US law, even if you request deletion.
Table of Contents
- Who We Are
- What Data We Collect
- How We Use Your Data
- People Lens
- AI Provider Data Flows
- Data Retention
- Content Moderation and CSAM Reporting
- Children's Privacy
- Cross-Border Data Transfers
- Rights of Non-Users Depicted in Photos
- Your Privacy Rights
- Cookies and Tracking Technologies
- Data Security
- Anonymized Analytics
- Changes to This Policy
- Contact Us
- Jurisdiction-Specific Disclosures
1. Who We Are
Phototology is operated by Foreverized, LLC ("we," "us," "our"). We are the data controller responsible for your personal data under the UK GDPR, EU GDPR, and applicable data protection laws.
Contact:
- Email: [email protected]
- Safety and rights requests: [email protected]
- Website: phototology.com
We have not appointed a Data Protection Officer because we are not required to under GDPR Article 37. If this changes, we will update this policy with the DPO's contact details.
2. What Data We Collect
Data you provide directly
| Data Category | Examples | Purpose |
|---|---|---|
| Account information | Email address, name, password (hashed) | Account creation, authentication, communication |
| OAuth identifiers | GitHub or Google account ID (if you sign in with OAuth) | Authentication |
| Uploaded photographs | Image files you upload for analysis | Providing the analysis service |
| Lens selections | Which analysis lenses you choose | Processing your analysis request |
| Payment information | Credit pack purchases via Stripe (we never see or store your card number — Stripe handles all card data) | Billing |
Data generated by the service
| Data Category | Examples | Purpose |
|---|---|---|
| Analysis results | Structured JSON metadata: date estimates, location estimates, people descriptions, condition assessments, atmosphere analysis, moderation flags | Delivering analysis results to you |
| Enriched images | Your original photo with IPTC/XMP metadata embedded from the analysis | Delivering enriched images to you |
| Credit transactions | Credits purchased, credits consumed per analysis, running balance | Billing and usage tracking |
Data collected automatically
| Data Category | Examples | Purpose |
|---|---|---|
| IP address | Your IP address at time of upload and account actions | Security, abuse prevention, legal compliance |
| Session data | Authentication session tokens, session duration | Maintaining your login state |
| Device information | Browser type, operating system (from standard HTTP headers) | Service compatibility |
Data we do NOT collect
- We do not collect your geographic location from your device (GPS)
- We do not access your camera or microphone
- We do not scan files on your device beyond the photos you explicitly upload
- We do not build advertising profiles or sell your data
3. How We Use Your Data
| Purpose | Lawful Basis (GDPR) | Data Used |
|---|---|---|
| Provide AI photo analysis | Contract performance (Art. 6(1)(b)) — you request analysis by uploading and selecting lenses | Uploaded photos, lens selections |
| Manage your account | Contract performance (Art. 6(1)(b)) | Account information |
| Process payments | Contract performance (Art. 6(1)(b)) | Stripe customer ID, credit transactions |
| Content moderation and CSAM detection | Legal obligation (Art. 6(1)(c)) — 18 U.S.C. 2258A, REPORT Act (2024) | All uploaded images |
| CSAM evidence preservation | Legal obligation (Art. 6(1)(c)) | Flagged images, uploader information |
| Abuse prevention and security | Legitimate interest (Art. 6(1)(f)) | IP addresses, usage patterns, session data |
| Anonymized analytics | Legitimate interest (Art. 6(1)(f)) — after full anonymization, GDPR no longer applies | Aggregated, de-identified analysis patterns |
4. People Lens
The People lens operates at a single tier that extracts only non-biometric descriptors from photographs. It provides:
- People count: How many people appear in the photo
- General demographics: Broad age group (child, adult, elderly) and clothing descriptions
- Independent per-photo analysis: Each photo is analyzed on its own
What the People lens does NOT do
- Does not extract physical features such as eye color, hair details, height estimates, or distinguishing features
- Does not perform facial recognition (no face geometry templates, no face embeddings)
- Does not identify or name individuals
- Does not track people across multiple photos
- Does not match faces against any database
- Does not create, store, or process a biometric identifier or biometric information within the meaning of the Illinois Biometric Information Privacy Act (740 ILCS 14), the EU AI Act (Regulation (EU) 2024/1689), or comparable laws
Future work
If we ever introduce a lens that extracts biometric or biometric-adjacent data, we will update this policy, conduct or refresh the Data Protection Impact Assessment, obtain separate written consent on a standalone screen, publish the retention and destruction policy required by applicable biometric law, and give you at least 30 days' notice before activation.
5. AI Provider Data Flows
When you upload a photo for analysis, it is transmitted to one of our AI providers for processing. This is how the core service works — AI analysis cannot be performed locally at comparable quality.
Our AI providers (sub-processors)
| Provider | Service | Data Center Location | Data Retention | Training Use |
|---|---|---|---|---|
| Google (Gemini) | Primary analysis provider | United States | Limited period, abuse monitoring only | No — paid API tier, data not used for training |
| OpenAI (GPT-4o) | Fallback provider | United States | 30 days for abuse monitoring | No — API data not used for training by default |
| Anthropic (Claude) | Fallback provider | United States | 7 days for abuse monitoring | No — API data never used for training |
Key commitments from all providers:
- Your photos are processed via paid API tiers where data is not retained for AI model training
- Photos are transmitted over encrypted connections (TLS)
- Each provider maintains SOC 2 Type II and ISO 27001 certifications
- Data Processing Agreements under GDPR Article 28 (or each provider's equivalent standard DPA) govern our use of their APIs
How provider selection works: Google Gemini is our primary provider. If Gemini is unavailable, the system falls back to OpenAI or Anthropic automatically. You cannot select which provider processes your photos. In practice, the vast majority of your photos will be processed by Google Gemini.
Other sub-processors
| Provider | Service | Data Processed |
|---|---|---|
| Cloudflare | CDN, R2 object storage, Workers | Uploaded images, enriched images, web traffic |
| Turso | Database (account data, credit ledger, analysis metadata) | Account information, analysis results JSON, billing records |
| Stripe | Payment processing | Payment card data (handled entirely by Stripe — we never see card numbers) |
| Railway | Application hosting | Application logs, request metadata |
6. Data Retention
Retention periods
| Data | Free Tier | Paid Tier | Notes |
|---|---|---|---|
| Enriched images | 30 days after processing | 5 years | Original uploaded image is deleted after enrichment — only the enriched version is kept |
| Analysis results (JSON) | 1 year | 5 years | Lightweight structured data |
| Account data | Duration of account + 30 days after deletion | Same | 30-day soft-delete window allows recovery |
| Credit and billing records | 7 years | 7 years | Financial record-keeping obligations |
| CSAM evidence | 1 year from CyberTipline report | 1 year from report | Legal obligation — see Section 7 |
| Audit logs | 3 years minimum | 3 years minimum | Security and compliance |
| Anonymized analytics | Indefinite | Indefinite | No longer personal data after anonymization |
User-initiated deletion
Deleting a photo: When you delete a photo, its enriched image, analysis results, and all linked metadata are deleted within 30 days.
Deleting your account: Your account enters a 30-day soft-delete period during which you can recover it. After 30 days, all your images, analysis results, account data, and linked records are permanently deleted within an additional 30 days.
Exception — CSAM evidence: Content that has been flagged and reported to NCMEC CyberTipline is preserved for 1 year from the report date regardless of deletion requests. This is required by US federal law (18 U.S.C. 2258A / REPORT Act 2024). The legal basis under GDPR for overriding your erasure right is Article 17(3)(b) — compliance with a legal obligation. See Section 7 for details.
7. Content Moderation and CSAM Reporting
Our legal obligation
As an electronic service provider, we are required by US federal law (18 U.S.C. 2258A, as amended by the REPORT Act of 2024) to report apparent child sexual abuse material (CSAM) to the National Center for Missing & Exploited Children (NCMEC) CyberTipline.
How we detect prohibited content
We use a three-layer detection architecture:
- Hash matching (planned): Comparing image fingerprints against databases of known CSAM maintained by NCMEC and law enforcement. This catches known illegal content before any AI analysis occurs.
- AI moderation screening: Every uploaded image passes through a dedicated moderation screening call before any other analysis. This screening can detect novel content that has never been catalogued.
- CDN edge scanning: Cloudflare's built-in CSAM scanning tool checks images as they flow through our content delivery network.
What happens when content is flagged
If any detection layer flags an image:
- The image is immediately blocked from further processing
- You see a generic message: "This image could not be processed." We do not disclose what was detected or why.
- The flagged image and all associated metadata (your account information, IP address, upload timestamps, screening results) are preserved as evidence
- A report is submitted to NCMEC CyberTipline
- Your account may be immediately terminated
Evidence preservation
Flagged content and associated metadata are preserved for 1 year from the date of the CyberTipline report. This period may be extended if law enforcement issues a preservation request. This evidence is stored in isolated, encrypted storage accessible only by the reporting workflow — not by you, not by our support team, and not by our analysis pipeline.
This overrides your right to deletion. Under GDPR Article 17(3)(b), we are not required to erase personal data when retention is necessary for compliance with a legal obligation.
NIST compliance
Evidence storage follows the NIST Cybersecurity Framework: encryption at rest, encryption in transit, access controls with principle of least privilege, and comprehensive audit logging.
8. Children's Privacy
Our platform is not directed at children
Phototology is a professional image analysis tool designed for adults. We do not knowingly allow children under 13 to create accounts. Our Terms of Service require users to be at least 18 years old (or the age of majority in their jurisdiction).
Photos containing children
We recognize that users routinely upload photos containing children — family photos, historical archives, and genealogical collections. When our People lens detects an individual with an estimated age below 13:
- General demographics are reported (child/adult/elderly). No detailed physical descriptions are extracted at any tier.
COPPA compliance
Under the Children's Online Privacy Protection Act (COPPA), platforms that obtain actual knowledge they have collected personal information from children under 13 must comply with parental consent requirements. Our approach:
- Our apparentAge detection triggers protective measures automatically
- Age estimation is probabilistic — we err on the side of protection (estimates near the threshold trigger suppression)
- We do not condition service access on a child providing more personal information than is reasonably necessary
If you believe we have processed a child's data inappropriately
Contact us at [email protected]. We will investigate and, if warranted, delete the relevant data within 30 days.
9. Cross-Border Data Transfers
Where your data is processed
All data processing occurs in the United States. This includes our AI providers (Google, OpenAI, Anthropic), our object storage (Cloudflare R2), our database (Turso), and our application servers (Railway).
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data transfer restrictions, your data is transferred to the United States for processing.
Legal mechanisms for transfer
We rely on the following mechanisms to ensure your data is protected during cross-border transfers:
EU-US Data Privacy Framework (DPF): Our primary AI providers (Google, OpenAI, Anthropic) are certified under the EU-US Data Privacy Framework, which has been recognized as providing adequate protection by the European Commission (July 2023) and upheld by the EU General Court (September 2025).
Standard Contractual Clauses (SCCs): As a supplementary safeguard, we execute the EU Standard Contractual Clauses (2021 version, Module 2: Controller-to-Processor) with our sub-processors. If the DPF is invalidated, SCCs serve as our fallback transfer mechanism.
UK International Data Transfer Addendum: For UK personal data, we append the UK International Data Transfer Addendum to our SCCs, as required by UK data protection law.
If the transfer framework changes
If the EU-US Data Privacy Framework is invalidated (as Safe Harbor and Privacy Shield were previously), we will rely on Standard Contractual Clauses and evaluate supplementary measures, including encryption before transmission and potential migration to EU-based AI providers.
10. Rights of Non-Users Depicted in Photos
People who appear in photographs uploaded to Phototology may not be Phototology users and may not know their image has been processed. We take this seriously.
Your rights as a depicted non-user
If you believe your image has been processed by Phototology without your knowledge or consent, you may:
- Request erasure: Email [email protected] with enough information for us to identify the relevant data (the name of the person who uploaded the photo, approximate date, a description of the photo, or any other identifying details)
- Request information: Ask what data, if any, we hold that relates to you
We will process erasure requests within 30 days per GDPR Article 17.
Limitations
- We cannot guarantee we can locate all instances of your data if you cannot provide sufficient identifying information
- If the content has been reported to NCMEC, it is subject to the 1-year evidence preservation requirement and cannot be deleted during that period
- We cannot prevent the uploader from re-uploading the same photo
Uploader responsibility
Our Terms of Service require uploaders to represent that they have the right to upload and process the photos they submit. Uploaders are responsible for ensuring they have appropriate authorization to process photos of others.
11. Your Privacy Rights
Depending on your location, you may have some or all of the following rights:
Rights under GDPR (EU/EEA and UK)
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your personal data | Email [email protected] |
| Rectification (Art. 16) | Correct inaccurate personal data | Email [email protected] |
| Erasure (Art. 17) | Request deletion of your personal data | Delete in-app, or email [email protected] |
| Restriction (Art. 18) | Request we limit processing of your data | Email [email protected] |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format | Export JSON/CSV from your account, or email [email protected] |
| Object (Art. 21) | Object to processing based on legitimate interest | Email [email protected] |
| Withdraw consent (Art. 7(3)) | Withdraw any consent given to optional processing | Email [email protected] or update account settings |
We will respond to your request within 30 days. If your request is complex, we may extend this by up to 60 days with notice.
You have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, the CNIL in France, the BfDI in Germany).
Rights under CCPA/CPRA (California)
| Right | Description |
|---|---|
| Right to know | Request disclosure of personal information collected, used, and shared |
| Right to delete | Request deletion of your personal information |
| Right to correct | Request correction of inaccurate personal information |
| Right to opt-out of sale/sharing | We do not sell or share your personal information for cross-context behavioral advertising |
| Right to limit use of sensitive personal information | We do not process sensitive personal information beyond what is strictly necessary to provide the Service you requested |
| Non-discrimination | We will not discriminate against you for exercising your rights |
We will acknowledge your request within 10 business days and respond substantively within 45 calendar days (extendable by 45 days with notice).
How to verify your identity
To protect your data, we need to verify your identity before fulfilling access or deletion requests. We will ask you to confirm your identity through your registered email address. We will not ask for more information than necessary to verify your identity.
12. Cookies and Tracking Technologies
Cookies we use
| Cookie | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| Session cookie | Better Auth | Maintains your login state. Set with Domain=.phototology.com to work across phototology.com and analyze.phototology.com. | Session / configurable expiry | Strictly necessary |
| Cloudflare Turnstile | Cloudflare | Bot protection on signup and sensitive actions. Does not track you across sites. | Session | Strictly necessary |
| Stripe checkout | Stripe | Fraud prevention during credit pack purchases. Set only during checkout flow. | Session | Strictly necessary |
What we do NOT use
- No advertising cookies or tracking pixels
- No third-party analytics cookies (Google Analytics, etc.)
- No cross-site tracking
- No fingerprinting
All cookies we use are strictly necessary for the operation of the service. Under GDPR, strictly necessary cookies do not require consent.
13. Data Security
We implement the following technical and organizational measures to protect your data:
- Encryption at rest: All stored data (Cloudflare R2, Turso database) is encrypted at rest
- Encryption in transit: All data transmission uses TLS (HTTPS)
- Access controls: Users can only access their own photos and results. API keys are scoped per project.
- Presigned URLs: Stored images are accessed via time-limited presigned URLs, not persistent public links
- Password hashing: Passwords are hashed using industry-standard algorithms (never stored in plaintext)
- Rate limiting: Request rate limits prevent abuse at both the application and infrastructure level
- Bot protection: Cloudflare Turnstile on account creation
- Evidence isolation: CSAM evidence is stored in a separate, access-restricted prefix with scoped credentials and audit logging
14. Anonymized Analytics
We may retain analysis results that have been stripped of all personally identifiable information (userId, image URLs, account references, and any data that could identify individuals) for the following purposes:
- Improving the accuracy and quality of our AI analysis lenses
- Aggregate analytics on lens usage patterns and platform performance
- Pricing calibration
Anonymized data is no longer personal data under GDPR and is not subject to data subject rights requests.
15. Changes to This Policy
We will update this privacy policy when our data practices change. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy
- Notify you via email or an in-app notification at least 30 days before the changes take effect
- Where legally required, request your renewed consent
Your continued use of the service after the effective date constitutes acceptance of the updated policy.
16. Contact Us
| Purpose | Contact |
|---|---|
| General privacy questions | [email protected] |
| Data subject rights requests | [email protected] |
| Safety, CSAM, or non-user erasure requests | [email protected] |
| Security vulnerabilities | [email protected] |
17. Jurisdiction-Specific Disclosures
European Economic Area (EEA) and United Kingdom
- Data controller: Foreverized, LLC, operating as Phototology
- Lawful bases: Detailed in Section 3
- DPIA: A Data Protection Impact Assessment has been undertaken for our processing activities. The current version is available upon request to supervisory authorities.
- International transfers: See Section 9
- Supervisory authority: You may lodge a complaint with your local data protection authority
California (CCPA/CPRA)
- Categories of personal information collected: Identifiers (email, name, IP address), internet activity (usage data), commercial information (purchase history), sensory data (uploaded photographs)
- Sale of personal information: We do not sell your personal information
- Sharing for cross-context behavioral advertising: We do not share your personal information for advertising
- Sensitive personal information: We do not process sensitive personal information as defined by the CPRA, except as strictly necessary to provide the Service you requested.
- Retention: See Section 6
- Financial incentives: 1,000 free credits on signup are provided equally to all users regardless of data sharing choices and do not constitute a financial incentive for data collection
Illinois (BIPA) and other biometric privacy jurisdictions
Phototology does not collect, capture, purchase, receive through trade, or otherwise obtain biometric identifiers or biometric information within the meaning of the Illinois Biometric Information Privacy Act (740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code §503.001), Washington HB 1493, or comparable state laws. We do not perform facial recognition, create face geometry templates, create face or voice embeddings, or identify individuals by name. The People lens extracts only non-biometric descriptors (count, general demographics, clothing) and analyzes each photo independently.
If we introduce a lens that would meet the statutory definition of biometric collection in any jurisdiction, we will update this policy, publish any retention and destruction schedule required by law, obtain separate written consent on a standalone screen, and give you at least 30 days' notice before activation.
This privacy policy is informed by the ICO DPIA template, GDPR Articles 13-14, CCPA/CPRA requirements, the COPPA Rule (as amended 2025), BIPA (740 ILCS 14), the REPORT Act (2024), and 18 U.S.C. 2258A.