Privacy Policy

Last updated: April 2026

1. What We Collect

When you use Metadata Fix, we collect:

• Account information: Email address and hashed password used for login.
• Image files: Photos you upload for processing. These are held temporarily and deleted automatically within hours.
• Usage data: Number of images processed per month to enforce plan limits.
• Login metadata: IP address and approximate location for security monitoring (account-sharing detection).
• Payment data: Handled entirely by Stripe. We receive only a confirmation and the Stripe customer ID — no card numbers or payment details.

2. How We Use Your Data

• To process your uploaded images and return corrected files to you.
• To enforce usage limits and manage your account.
• To send transactional emails (account creation confirmation, purchase receipts).
• To detect and prevent unauthorized account sharing.

We do not use your data for advertising, AI training, or analytics profiling.

3. Image Storage and Deletion

Uploaded images are stored temporarily in encrypted AWS S3 storage during processing. They are automatically deleted within hours of processing. No images are retained, shared, or used beyond the immediate processing task.

4. Data Sharing

We do not sell or share your personal data with third parties, except:

• AWS: Cloud infrastructure for processing and storage (Canada, ca-central-1).
• Stripe: Payment processing. Subject to Stripe's Privacy Policy.
• AWS SES: Transactional email delivery.

5. Cookies and Tracking

We use only a session token (stored in your browser's localStorage) to keep you logged in. No advertising cookies, tracking pixels, or third-party analytics scripts are used.

6. Data Retention

• Account data is retained while your account is active.
• Login history (IP/location) is retained for up to 90 days for security purposes.
• Purchase history is retained for legal and accounting compliance.
• Uploaded images: deleted within hours of processing.

7. Your Rights

You may request deletion of your account and associated data at any time by emailing info@tagthatphoto.com. We will delete your account and all personal data within 30 days, excluding data we are required to retain for legal compliance.

8. Security

All data transfers use HTTPS/TLS encryption. Passwords are stored using bcrypt hashing. AWS S3 storage uses AES-256 server-side encryption. Access keys are stored in AWS Secrets Manager in production.

9. Contact

For privacy questions or data requests, contact us at: info@tagthatphoto.com