Privacy

Privacy policy

Last updated: 2026-05-24

The 5-bullet version

  • ✅ Your file is processed entirely in your browser. We never see, store, or transmit its contents.
  • ✅ Anti-abuse uses an HMAC-hashed browser fingerprint — never your raw IP, never personally identifiable.
  • ✅ Account data (email, billing) is the bare minimum needed to run the service. Stored in Supabase + Stripe.
  • ✅ Full GDPR / UK GDPR / CCPA rights. Email privacy@exifsweep.com — we respond within 7 days.
  • ✅ No advertising, no behavioural analytics, no third-party trackers.

1. Who we are

ExifSweep is operated by the ExifSweep project ("we", "us"). The service lets you view, remove, and add metadata to image, video, PDF, and archive files. The website + app live at https://exifsweep.com.

For any privacy-related question or to exercise a data right, email privacy@exifsweep.com.

2. What we don't collect

This is the single most important commitment in this policy. We never collect, store, log, or transmit:

  • File contents (image, video, PDF, archive bytes)
  • Extracted EXIF / XMP / IPTC / container metadata values
  • Your raw IP address (only a hashed /24 prefix for IPv4 or /64 prefix for IPv6)
  • Your raw browser fingerprint (only an HMAC hash of it)
  • Cross-site tracking cookies, advertising IDs, or fingerprint persistence beyond 30 days
  • Behavioural analytics that could re-identify you (no Mixpanel, no Segment, no Hotjar)

This is enforced by architecture, not by promise: the file-processing code path runs in your browser and has no network access. See our format guides for details.

3. What we do collect, and why

Data                                                  | Lawful basis (GDPR Art. 6)                     | Retention
------------------------------------------------------+------------------------------------------------+----------------------------------------
Email (when you sign up)                              | 6(1)(b) Contract                               | Active account + 30 days after deletion
Stripe customer ID + last-4 + billing country         | 6(1)(b) Contract; 6(1)(c) Tax obligation       | 6–7 years (invoicing)
Subscription tier + status                            | 6(1)(b) Contract                               | Active subscription + 30 days
API key prefix + SHA-256 hash + name                  | 6(1)(b) Contract                               | Until revoked or account deleted
Hashed browser fingerprint + reputation score (0–100) | 6(1)(f) Legitimate interest (fraud prevention) | 30 days from last activity
Hashed IP prefix (/24 or /64)                         | 6(1)(f) Legitimate interest (fraud prevention) | 30 days
Daily cleanup count per account / per fingerprint     | 6(1)(b) Contract (free-tier quota)             | 90 days
Audit events (event type + timestamp, no content)     | 6(1)(f) Legitimate interest (security)         | 90 days

A DPIA (Data Protection Impact Assessment) covering the fingerprint + reputation system is on file and available on request. The balancing test concluded the legitimate-interest basis is proportional given (a) we hash before storage, (b) we decay scores after 30 days, (c) we offer soft challenges before hard blocks, and (d) the alternative (account-required) would exclude the anonymous flow that drives our funnel.

4. Sub-processors

We use these services to operate ExifSweep. Each one is bound by a Data Processing Agreement (DPA) and, where data leaves the EU, by Standard Contractual Clauses (SCC).

  • Vercel — hosting + edge delivery. Functions run in Frankfurt (fra1) by default. (Vercel privacy policy)
  • Supabase — authentication, Postgres database, file processing webhooks. EU-hosted instance. (Supabase privacy policy)
  • Stripe — payments. EU subsidiary. (Stripe privacy policy)
  • Upstash — Redis cache for rate-limiting + ephemeral nonce store. EU region. (Upstash privacy policy)
  • Cloudflare — DNS, WAF, DDoS shield. Network-layer only; no application data. (Cloudflare privacy policy)

We do NOT use third-party analytics, advertising networks, A/B testing platforms, session replay tools, or chat-widgets that could exfiltrate user data. Vercel Analytics (anonymous, first-party) may be enabled for performance monitoring.

5. Your rights

Under the EU/UK GDPR you have the right to:

  • Access — request a copy of all data tied to your account (JSON dump)
  • Rectification — correct anything inaccurate (mostly Supabase Auth profile fields)
  • Erasure — delete your account + all related rows (Stripe customer marked for tax retention only)
  • Restriction — pause processing while a dispute is open
  • Portability — receive your data in a structured, machine-readable format
  • Objection — opt out of fingerprint-based reputation tracking (you fall back to email-only quota)

California residents have equivalent rights under CCPA + CPRA. UK residents under UK GDPR. We treat all requests under the strictest applicable standard.

To exercise any right, file a request at /data-requests or email privacy@exifsweep.com. We respond within 7 days and resolve within 30. GDPR Art. 12(3) allows one month, extendable by a further two months for complex or numerous requests; we don't extend.

6. Cookies + tracking

We use the bare minimum:

  • sb-* — Supabase auth session cookie (HttpOnly, SameSite=Lax, Secure)
  • anti-abuse nonce — single-use cleanup token (HttpOnly, SameSite=Strict, Secure, 15-min TTL)

Neither tracks you across sites. No analytics cookies. No advertising cookies. No fingerprint persistence cookies.

Browser fingerprinting (Canvas, WebGL, audio, screen, timezone) is computed in memory in your browser for the anti-abuse layer. Only the resulting hash ever reaches our server, never the underlying signals.

7. Children

ExifSweep is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you're a parent or guardian and believe a child has provided data, email privacy@exifsweep.com and we will delete the account.

8. International transfers

Our processing is EU-centred (Frankfurt). When we use US-based sub-processors (Stripe US for global card processing, Cloudflare global edge), transfers rely on Standard Contractual Clauses (SCC) + supplementary measures per the Schrems II ruling.

9. Security incidents

If we discover a breach involving your data, we notify our supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33), notify you by email within the same 72-hour window (stricter than the "without undue delay" standard of Art. 34), and post a public security notice at /security-notice/<date>. Our incident-response runbook is documented in our internal security model.

10. Changes to this policy

Material changes will be announced via email to active accounts and via a banner on the homepage 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

Historical versions of this policy are kept in git history at github.com/exifsweep/exifsweep (link added after public launch).

11. Contact + DPO

Privacy questions, complaints, or data requests: privacy@exifsweep.com.

Our Data Protection Officer is reachable at the same address. If you believe we've mishandled your data, you have the right to lodge a complaint with your local supervisory authority — for EU residents that's the Data Protection Authority in your country of residence.