Back

Privacy Policy

Last updated: 7 June 2026

1. Introduction

TechRadar LTD (Company Number: 16446173) ("we", "our", "us") operates PhotoLabs. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy in accordance with the UK GDPR and EU GDPR.

2. Information We Collect

2.1 Personal Information

  • Email address (for account creation and communication)
  • Name (optional, for personalisation)
  • Payment information (processed securely by Stripe — we never see your full card number)
  • IP address (hashed with a server-side pepper for anonymous rate limiting; raw IPs are not stored)

2.2 Usage Data

  • Images you upload for processing (sent to Replicate for background removal; see Section 5 for retention)
  • Service usage statistics (images processed, subscription tier, features accessed)
  • Browser type, operating system, and access times (collected by Vercel Analytics)

2.3 Cookies and Tracking

We use essential cookies for authentication via Supabase. We use Vercel Analytics for anonymous, aggregated usage metrics. We do not use third-party advertising trackers. For anonymous users, we store a hashed version of your IP address for rate limiting purposes, which is automatically deleted after 7 days.

3. How We Use Your Information

  • To provide the Service, including sending your images to Replicate for background removal
  • To manage your account and subscription
  • To process payments via Stripe and prevent fraud
  • To enforce usage limits (50 images/month free, 10,000 images/month pro)
  • To send service-related communications
  • To improve the Service using aggregated, anonymised analytics
  • To comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

  • Contract Performance: To provide the image processing service you have subscribed to, including sending images to third-party providers for processing
  • Legitimate Interests: To prevent abuse via rate limiting (IP hashing), improve the Service, and prevent fraud
  • Legal Obligation: To comply with tax and financial regulations
  • Consent: For non-essential cookies and marketing communications (where applicable)

5. Data Retention

  • Uploaded Images: Sent to Replicate for processing and automatically deleted within 1 hour per Replicate's API retention policy. We do not store your images beyond the time needed to deliver results.
  • Export ZIPs: Stored temporarily with a 1-hour signed URL. Automatically deleted after expiry.
  • Anonymous Rate Limit Data: Hashed IP records deleted after 7 days
  • Account Data: Retained while your account is active. Deleted upon account deletion request.
  • Billing Records: Retained for 7 years for tax compliance (held by Stripe)
  • Usage Logs: Monthly usage counts retained for the current billing period

6. Data Sharing and Third Parties

We share data only with the following service providers:

  • Stripe: Payment processing (PCI-DSS compliant). Stripe processes your payment details directly; we never handle your full card information.
  • Supabase: Database, authentication, and file storage. Data stored on EU/UK servers.
  • Replicate: Image processing (background removal). Your images are sent to Replicate's API and deleted within 1 hour of processing.
  • Vercel: Application hosting and anonymous analytics.
  • Legal Authorities: When required by law

We do not sell your personal data to third parties.

7. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Limit how we process your data
  • Portability: Receive your data in a machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent for data processing at any time

To exercise these rights, contact us at admin@photolabs.app or through the Settings page in your dashboard.

8. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS/SSL)
  • Secure authentication via Supabase
  • Server-side IP hashing with a secret pepper (raw IPs never stored)
  • Webhook signature verification for payment and processing callbacks
  • Automatic data deletion after retention periods

9. International Data Transfers

Your account data is stored on Supabase servers in the EU/UK. Images are processed by Replicate, whose servers may be located in the United States. When data is transferred outside the EEA, we rely on Standard Contractual Clauses or equivalent mechanisms as required by GDPR.

10. Children's Privacy

Our Service is not intended for users under 16 years of age. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or through the Service. Your continued use after changes constitutes acceptance.

12. Contact Us

For privacy-related questions or to exercise your GDPR rights, contact us at admin@photolabs.app.

TechRadar LTD

Company Number: 16446173

Registered in England and Wales

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated.