1. Data We Collect
We collect your email address and password (stored as a salted hash) when you register. We collect the photos you upload, along with metadata such as file size, upload date, and EXIF data (if present — including GPS coordinates if your device embeds them). We collect usage data (storage used, retrieval requests) to operate the service. We collect payment information via Stripe — we never store your card details directly. If you choose to enable face recognition (see section 3), we additionally collect facial embeddings (mathematical vectors derived from faces in your photos) solely to power that feature.
2. Content Moderation
Every uploaded photo is automatically scanned for child sexual abuse material (CSAM) using AWS Rekognition (machine-learning detection). When illegal content is detected, the content is quarantined, the account is flagged, and a report is submitted to the National Center for Missing & Exploited Children (NCMEC) as required by law. At share-link creation time, we additionally check content against StopNCII's non-consensual intimate imagery (NCII) hash database. All moderation is automated — no human reviews your photos unless an abuse report triggers a manual review. Moderation results are stored securely and not used for advertising.
3. Face Recognition and Biometric Data
Face recognition is an entirely optional, opt-in feature that groups your photos by the people in them. It is disabled by default and must be explicitly enabled in Account Settings. When enabled, facial embeddings — numerical vectors representing facial geometry, not your photos themselves — are extracted from your uploaded images and transmitted to AWS Rekognition for secure storage and similarity matching. This data constitutes biometric data as defined by GDPR Article 4(14) and is treated as special category personal data under GDPR Article 9.

Legal basis: We process your biometric data solely on the basis of your explicit consent (GDPR Article 9(2)(a)), given at the point of opt-in. You may withdraw consent at any time by disabling Face Recognition in Account Settings — upon withdrawal, all face embeddings are permanently and immediately deleted from AWS Rekognition and we retain no copy.

Sub-processor: Facial embeddings are processed by AWS Rekognition (Amazon Web Services EMEA SARL for EU/EEA users; Amazon Web Services, Inc. for all others). AWS acts as a data processor and may not use the embeddings for any purpose other than providing the matching service.

Retention: Biometric data is retained only while face recognition is enabled. Disabling the feature or deleting your account both trigger immediate permanent deletion of all face data.

Illinois BIPA notice: If you are an Illinois resident, by enabling face recognition you acknowledge that you have read and agree to our collection, storage, use, and destruction of biometric data as described in this section.
4. Encryption
Photos are encrypted in transit using TLS/HTTPS for every upload, download, and API call. Photos at rest are protected by infrastructure-provider encryption on hot storage (Backblaze B2) and additionally encrypted at the application layer with AES-256-GCM in cold storage (the Archive), using a per-user encryption key. These keys are wrapped with a master key under our control, which means we can decrypt content when needed for restore operations and for the legally required CSAM scanning. We never decrypt your content for profiling, advertising, AI training, or any purpose other than serving the product to you and meeting our legal obligations.
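The per-user key wrapped under a master key that this section describes is envelope encryption. The Go program below is an added illustration and is not Preserve Forever's code: it generates a per-user data key, wraps it with AES-256-GCM under a master key (constructed from a fixed string here purely for the example; the policy places the real key in AWS KMS), and then uses the unwrapped key to encrypt and restore a photo. The function names, the user and photo identifiers bound as associated data, and the in-code master key are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// masterKey is a constructed 32-byte key-encryption key for this example only.
// A real deployment keeps it in a KMS/HSM, never derived from a string in code.
var masterKey = sha256.Sum256([]byte("constructed-example-master-key"))

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext with AES-256-GCM under key, authenticates aad, and
// returns nonce || ciphertext || tag as one blob.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal. Any change to nonce, ciphertext, tag or aad fails
// the tag check, and no plaintext is returned.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewWrappedUserKey creates a random per-user data key and returns it wrapped
// under the master key. The user ID is bound as associated data, so a wrapped
// key copied into another user's record will not unwrap. The plaintext data
// key never leaves this function.
func NewWrappedUserKey(userID string) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	return gcmSeal(masterKey[:], dek, []byte("user-key:"+userID))
}

// UnwrapUserKey is the only step that needs the master key; it is what lets the
// operator restore content or run the scanning the policy describes.
func UnwrapUserKey(userID string, wrapped []byte) ([]byte, error) {
	return gcmOpen(masterKey[:], wrapped, []byte("user-key:"+userID))
}

// EncryptPhoto encrypts one photo under the user's key, binding the photo ID so
// archive objects cannot be swapped for one another.
func EncryptPhoto(userID string, wrapped []byte, photoID string, photo []byte) ([]byte, error) {
	dek, err := UnwrapUserKey(userID, wrapped)
	if err != nil {
		return nil, err
	}
	return gcmSeal(dek, photo, []byte("photo:"+photoID))
}

// DecryptPhoto is the restore path: unwrap the user key, then open the photo.
func DecryptPhoto(userID string, wrapped []byte, photoID string, sealed []byte) ([]byte, error) {
	dek, err := UnwrapUserKey(userID, wrapped)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, sealed, []byte("photo:"+photoID))
}

func main() {
	wrapped, err := NewWrappedUserKey("user-42")
	if err != nil {
		panic(err)
	}
	photo := []byte("constructed photo bytes") // stands in for a real JPEG
	sealed, err := EncryptPhoto("user-42", wrapped, "photo-1", photo)
	if err != nil {
		panic(err)
	}
	restored, err := DecryptPhoto("user-42", wrapped, "photo-1", sealed)
	fmt.Printf("wrapped key %d bytes, archive object %d bytes, restored %q, err=%v\n",
		len(wrapped), len(sealed), restored, err)
}
```

Two properties of this layout matter for the retention section: a user's archived ciphertext is readable only through that user's wrapped key, so deleting the wrapped key renders every copy of the ciphertext unrecoverable, including copies still waiting to age out of backups; and because GCM authenticates the data, a corrupted or tampered archive object fails to decrypt outright instead of being restored as damaged pixels.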
5. How We Use Your Data
Your photos are stored to provide the service. We do not scan them for advertising purposes, use them to train AI models, sell them to third parties, or allow employees to view them (except in response to a valid law enforcement request or a manual abuse-report review). When you have opted in to face recognition, facial embeddings derived from your photos are used solely to group your library by person and are not used for advertising, profiling, or any other purpose.
6. EXIF Data and Shared Photos
When you upload a photo, any EXIF metadata embedded by your camera or phone (including GPS coordinates, camera model, and timestamp) is stored alongside your photo and used to organise your library — for example, to determine the date a photo was taken. When you share a photo via a share link, the original file including its EXIF data is served to recipients. If you do not want GPS or camera information to be visible to people you share with, please strip EXIF from your photos before uploading, using your phone's native tools or a third-party app.
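Stripping EXIF before upload, as this section advises, means removing the APP1 segment that carries the Exif/TIFF block from the JPEG container while leaving the image data untouched. The Go program below is an added example, not a tool the service provides: it walks the JPEG marker segments, drops every APP1 segment whose payload begins with "Exif\0\0", and copies everything else through verbatim. The sample file is constructed in code (a JFIF APP0 header, a minimal Exif header, a zeroed quantisation table and a tiny scan), and the function names are this example's own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// segment builds one JPEG marker segment: 0xFF, marker, 2-byte big-endian length
// (which counts the length field itself), then the payload.
func segment(marker byte, payload []byte) []byte {
	n := len(payload) + 2
	return append([]byte{0xFF, marker, byte(n >> 8), byte(n)}, payload...)
}

// SampleJPEG is a constructed stand-in for a camera file. The Exif APP1 holds
// only a TIFF header; a real one would carry the IFDs with GPS and camera tags.
func SampleJPEG() []byte {
	exif := append([]byte("Exif\x00\x00"), "MM\x00*\x00\x00\x00\x08"...)
	var b []byte
	b = append(b, 0xFF, 0xD8)                                                   // SOI
	b = append(b, segment(0xE0, []byte("JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"))...)
	b = append(b, segment(0xE1, exif)...)                                       // the segment to remove
	b = append(b, segment(0xDB, make([]byte, 65))...)                           // DQT
	b = append(b, segment(0xDA, []byte{0x01, 0x01, 0x00, 0x00, 0x3F, 0x00})...) // SOS header
	b = append(b, 0x12, 0x34, 0xFF, 0x00, 0x56)                                 // entropy-coded data
	return append(b, 0xFF, 0xD9)                                                // EOI
}

// StripExif returns a copy of jpg with every APP1 Exif segment removed, plus the
// number of segments removed. The scan data after SOS is copied unchanged.
func StripExif(jpg []byte) ([]byte, int, error) {
	if len(jpg) < 4 || jpg[0] != 0xFF || jpg[1] != 0xD8 {
		return nil, 0, errors.New("not a JPEG: missing SOI marker")
	}
	out := []byte{0xFF, 0xD8}
	removed := 0
	i := 2
	for i < len(jpg) {
		if jpg[i] != 0xFF {
			return nil, 0, fmt.Errorf("expected marker at offset %d", i)
		}
		for i < len(jpg) && jpg[i] == 0xFF { // fill bytes before a marker are legal
			i++
		}
		if i >= len(jpg) {
			return nil, 0, errors.New("truncated marker")
		}
		marker := jpg[i]
		i++
		if marker == 0xD9 { // EOI reached without a scan: nothing more to copy
			return append(out, 0xFF, 0xD9), removed, nil
		}
		if marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7) { // standalone markers carry no length
			out = append(out, 0xFF, marker)
			continue
		}
		if i+2 > len(jpg) {
			return nil, 0, errors.New("truncated segment length")
		}
		segLen := int(jpg[i])<<8 | int(jpg[i+1])
		if segLen < 2 || i+segLen > len(jpg) {
			return nil, 0, fmt.Errorf("bad segment length at offset %d", i)
		}
		payload := jpg[i+2 : i+segLen]
		if marker == 0xE1 && bytes.HasPrefix(payload, []byte("Exif\x00\x00")) {
			removed++ // drop marker, length and payload together
		} else {
			out = append(out, 0xFF, marker)
			out = append(out, jpg[i:i+segLen]...)
		}
		i += segLen
		if marker == 0xDA { // SOS: entropy-coded data runs through EOI; copy it verbatim
			return append(out, jpg[i:]...), removed, nil
		}
	}
	return nil, 0, errors.New("no SOS or EOI marker found")
}

func main() {
	src := SampleJPEG()
	out, removed, err := StripExif(src)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes -> %d bytes, %d Exif segment(s) removed\n", len(src), len(out), removed)
}
```

The output stays a valid JPEG because every segment length is self-describing and the scan is copied as-is. Location can also travel in an APP1 XMP packet or other application segments, so a stripper meant for real files should treat those the same way; matching on the Exif prefix is the minimum that addresses the GPS warning in this section.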
7. Cookies
We use only essential cookies necessary to operate the service: a session authentication cookie, a terms-acceptance state cookie, and a short-lived invitation token cookie. We do not use advertising cookies, analytics trackers, or third-party tracking pixels. For the full list of cookies and their purposes, see our Cookie Policy at preserveforever.photos/cookies.
8. Data Retention
Your photos are retained as long as your account is active. If you delete your account, your photos are permanently deleted from our systems within 30 days. Archive (cold storage) photos may take up to 90 days to be fully purged from all backups. Face recognition data (biometric embeddings) is an exception: it is deleted immediately and permanently when you disable face recognition or delete your account — no grace period applies.
9. Your Rights (GDPR / UK GDPR)
If you are in the EU, EEA, or United Kingdom, you have the following rights: (a) Right of access — request a copy of the personal data we hold about you; (b) Right to rectification — ask us to correct inaccurate data; (c) Right to erasure — delete your account and all associated data at any time via Account Settings → Delete Account; (d) Right to data portability — download a structured JSON export of your profile, photo metadata, and sharing history via Account Settings → Export Data, or by requesting it at privacy@preserveforever.photos; (e) Right to object — object to processing where we rely on legitimate interest; (f) Right to withdraw consent — where processing is based on consent (including biometric data under Article 9), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawing consent for face recognition (by disabling it in Account Settings) triggers immediate permanent deletion of all biometric data. We will respond to all data subject access requests (DSARs) within 30 days of receipt. To exercise any of these rights, email privacy@preserveforever.photos.
10. Incident Response and Breach Notification
In the event of a personal data breach, Preserve Forever Ltd will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where it is likely to result in a risk to the rights and freedoms of individuals, as required by UK GDPR Article 33. Where a breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay. To report a suspected security incident, email security@preserveforever.photos.
11. Third-Party Services
We use the following third-party services: AWS (S3 Glacier Deep Archive for cold storage; Rekognition for mandatory content moderation and, for opted-in users only, face recognition; KMS for encryption key management); StopNCII for NCII hash matching at share time; NCMEC CyberTipline for mandatory CSAM reporting; Backblaze B2 for hot photo storage; Supabase for authentication and database; Stripe for payments; and Resend/SMTP for transactional emails. Each of these services has its own privacy policy. Image hashes (not image content) are transmitted to StopNCII solely for child safety purposes. Facial embeddings are transmitted to AWS Rekognition only for accounts that have opted in to face recognition.
12. Contact and Data Controller
The data controller is Preserve Forever Ltd, Company No. 17198569, 124–128 City Road, London, United Kingdom EC1V 2NX. For privacy questions, data requests, or to exercise your rights, email: privacy@preserveforever.photos. For security concerns, email: security@preserveforever.photos.