How we handle your data.
Last updated: April 10, 2026
imageupload.io ("we", "us") is an image-hosting service. We believe your data belongs to you. This page explains, in plain language, what we collect, why, the legal basis for processing, who we share it with, and what you can do about it.
1. What we collect
Images you upload. We store the image file, its dimensions, file size, MIME type, and the expiration rule you chose. Before storing, we strip EXIF metadata (including GPS coordinates and camera fingerprints).
Account data (registered users only). Your email address, username, optional display name, a securely hashed version of your password (one-way, per-user salt), and - if you create one - your MCP API key. If you sign in via Google, we also store your Google account identifier.
Request metadata (all visitors). When you upload an image, we record your IP address, user-agent string, and a hashed fingerprint derived from those plus your Accept-Language header. This is used to block abuse and is never sold or shared.
View logs. For each view of an uploaded image we store the timestamp, IP, user-agent and referer header. These logs are deleted after 90 days.
Cookies. We use one essential session cookie (sid) to keep you logged in, a consent cookie to remember your banner choice, and per-image cookies to remember that you unlocked a password-protected image. If you accept analytics, we load Google Analytics which sets its own cookies. We do not use advertising or cross-site tracking cookies.
2. Why we collect it and the legal basis
Under GDPR Article 6, every processing activity requires a legal basis. Here are ours:
- To deliver the service (storing and serving your images) - legal basis: performance of a contract (Art. 6(1)(b)).
- To authenticate you (sessions, password reset, MCP API, Google sign-in) - legal basis: performance of a contract (Art. 6(1)(b)).
- To prevent abuse (fingerprint-based rate limiting, blocking, Cloudflare Turnstile) - legal basis: legitimate interest (Art. 6(1)(f)).
- To enforce expiration (we scan every 60 seconds and delete expired, delete-after-view, and view-limited images) - legal basis: performance of a contract (Art. 6(1)(b)).
- To process payments (via our Merchant of Record, Paddle) - legal basis: performance of a contract (Art. 6(1)(b)).
- Analytics (Google Analytics, loaded only if you accept the cookie banner) - legal basis: consent (Art. 6(1)(a)). You can withdraw consent at any time by clearing your browser storage.
3. How long we keep it
- Anonymous uploads: deleted when their expiration rule fires (1 day, 1 week, 1 month, N views, or delete-after-view).
- Registered accounts: kept until you delete your account. All your images are deleted automatically with the account.
- Request logs: 90 days, then permanently deleted.
- Expired sessions and password-reset tokens: purged every 10 minutes.
- Payment records: kept for 7 years as required by tax and accounting regulations.
4. Where it's stored and who processes it
We use the following third-party services that may process your data. Each acts as a data processor under GDPR:
- Cloudflare (USA/global) - CDN, DDoS protection, image storage (R2), bot protection (Turnstile). Cloudflare processes request metadata (IP, headers) for every page load. Image files may be cached at Cloudflare edge locations worldwide.
- Paddle (UK/USA) - payment processing as our Merchant of Record. Paddle processes your email, name, payment details, and billing address when you subscribe to Pro.
- Resend (USA) - transactional email delivery (password resets, welcome messages). Processes your email address.
- Google (USA) - optional: Google sign-in (OAuth) processes your name, email, and profile picture. Google Analytics (if you accept the cookie banner) processes anonymized page-view data.
Data may be transferred to the United States under the EU-US Data Privacy Framework and/or Standard Contractual Clauses. Nothing is sold to third parties or fed to advertising networks. This specifically includes data received via Google APIs, which is used solely for authentication and never for marketing or advertising.
5. Google API Services User Data Policy
imageupload.io's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- We access your Google name, email address, and profile picture solely to authenticate you via Google Sign-In and create your account.
- We do not sell, rent, or trade your Google data.
- We do not use Google data for advertising, marketing, or profiling.
- We do not transfer Google data to third parties except as necessary to provide the service (e.g. storing your email in our database for account management).
- To revoke Google access: visit Google Account → Security → Third-party connections, find imageupload.io, and click Remove Access. Your account will remain functional but you will need to use email/password to sign in.
6. Your rights (GDPR / UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- Access a copy of the personal data we hold about you.
- Rectify inaccurate data - edit your profile any time from your dashboard.
- Erase your account and all associated data - one click from /dashboard/profile.
- Restrict or object to processing.
- Data portability - email us to request an export.
- Withdraw consent for analytics at any time by clearing your browser storage or clicking "Essential" on the cookie banner.
- Lodge a complaint with your local data protection supervisory authority (e.g. the ICO in the UK, CNIL in France, BfDI in Germany).
To exercise any right, email [email protected]. We will respond within 30 days.
7. Security
Passwords are hashed using scrypt with a unique per-user salt (one-way; we cannot reverse them). Sessions are signed, HTTP-only, same-site cookies. We strip EXIF metadata on every upload so that GPS coordinates and camera serial numbers never reach storage. We use HTTPS for all traffic. Uploaded images are served with Content-Type pinning and X-Content-Type-Options: nosniff. Login and registration are protected by Cloudflare Turnstile to prevent automated attacks.
8. Data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33). Where the breach is likely to result in a high risk to you, we will notify you without undue delay (GDPR Article 34).
9. Children
imageupload.io is not intended for users under 13 (or 16 in the EEA). We do not knowingly collect data from children. If we discover that a user is under the applicable minimum age, we will promptly delete their account and all associated data.
10. Changes to this policy
If we make material changes we will post a notice on the site and update the date at the top of this page. Continued use of the service after changes constitutes acceptance.
11. Contact
Questions, GDPR requests, or data protection inquiries: [email protected].