Privacy Policy
سياسة الخصوصية
Last updated: 1 June 2026
UK GDPR & Data Protection Act 2018 Compliant | ICO Registered
1. Who We Are
PicGlobe is operated by a company registered in England and Wales. We are registered with the Information Commissioner's Office (ICO) as a data controller.
2. Data We Collect
Guest users (no account required):
- IP address (retained max 30 days per UK GDPR)
- Upload timestamp and date
- File metadata (name, size, MIME type, dimensions)
- Expiry preference selected
- User-Agent for analytics and security
Registered users (Free & Premium):
- Email address (required for authentication)
- Name (optional)
- Password (hashed with PBKDF2 — never stored in plain text)
- Account creation date, upload history, preferences
- OAuth provider info (Google) if used
Premium subscribers (payment):
- Billing info (processed by Stripe — we never store full card details)
- Subscription status and history
- Payment receipts (kept 7 years per UK law)
3. How We Use Your Data
- Provide, maintain, and improve the image hosting service
- Prevent abuse, spam, and illegal content (zero tolerance for CSAM)
- Process subscription payments via Stripe
- Comply with UK legal obligations (ICO requirements)
- Send service-related communications (no marketing without consent)
- Analyse usage patterns using anonymised data only
- Respond to support, DMCA, and legal enquiries
4. Legal Basis for Processing
- Contract (Art. 6(1)(b)): Processing to provide the requested service
- Legitimate Interests (Art. 6(1)(f)): Security monitoring and abuse prevention
- Legal Obligation (Art. 6(1)(c)): Compliance with UK law and court orders
- Consent (Art. 6(1)(a)): Marketing communications where applicable
5. Data Retention
- IP addresses (guest): Max 30 days
- Anonymous upload metadata: 90 days
- Registered account data: Account duration + 30 days after deletion
- Payment records: 7 years (UK legal requirement)
- Images: Per expiry setting chosen at upload
- Audit logs: 30 days
- Email verification codes: 10 minutes
- Refresh tokens: 7 days
6. Your Rights Under UK GDPR
- Access (Art. 15): Request a copy of your data Free
- Erasure (Art. 17): Request deletion ("right to be forgotten")
- Rectification (Art. 16): Correct inaccurate data
- Portability (Art. 20): Receive your data in machine-readable format
- Object (Art. 21): Object to processing based on legitimate interests
- Restrict (Art. 18): Limit how we use your data
7. Cookies
We use essential cookies only — session management, language preferences, and CSRF tokens. No tracking or advertising cookies without your explicit consent.
8. Third-Party Services
- Cloudflare (R2, CDN): Image storage and delivery — Privacy Policy
- Cloudflare D1: Database storage (EU)
- Stripe: Payment processing — Privacy Policy
- Resend: Email delivery (verification, notifications)
- Google OAuth: Social login (optional) — Privacy Policy
All processors are bound by Standard Contractual Clauses (SCCs) approved by the ICO.
9. International Data Transfers
Data may be processed on servers outside the UK. We ensure appropriate safeguards including SCCs, DPAs, and the UK Extension to the EU-US Data Privacy Framework.
10. Data Security
- AES-256 encryption at rest
- TLS 1.3 for all data in transit
- PBKDF2 with 100,000 iterations for password hashing
- Rate limiting against brute force and DDoS attacks
- Full audit logging and security monitoring
11. Children's Privacy
PicGlobe is not intended for children under 13. If you believe a child has provided data, contact us immediately at ···.
12. Complaints
You may lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk | Helpline: 0303 123 1113
We'd appreciate the chance to resolve your concerns first — please contact ···.
13. Changes to This Policy
- Email notification to registered users (30 days in advance)
- Notice banner on our website
- Updated "Last updated" date at the top of this page
Related legal pages