Data Controller
The data controller for img.pro is:
Moshi Inc.
4023 Kennett Pike #50475
Wilmington, DE 19807
United States
Contact for privacy matters: privacy@img.pro.
Overview
img.pro is an image hosting and CDN service. This policy explains what data we collect, how we use it, the legal bases on which we rely, and your rights regarding your information.
- We collect minimal data necessary to provide the service
- We do not sell or share your personal information for cross-context behavioral advertising
- We do not use your images for advertising
- We do not track visitors to sites using our CDN
Information We Collect
Account Data
- Email address — Account identification, important notifications
- Name — Personalization, team collaboration
- Authentication state — Hashed credentials and session tokens (no plaintext passwords are stored)
- Consent records — Timestamp and country at signup, indicating which optional consents you granted (e.g., marketing email)
Usage Data
- Image upload counts and storage used — Quota tracking
- Session metadata — IP address and user agent at sign-in (kept while the session is active; see Retention below)
- API request logs — Debugging, abuse prevention (retained ~30 days)
What We Don't Collect
- We don't track individual visitors to websites using our CDN
- We don't store visitor IP addresses from CDN requests
- We don't profile or sell information derived from your images
Legal Bases for Processing (GDPR / UK GDPR)
Where the General Data Protection Regulation or the UK GDPR applies, we process personal data under the following bases:
- Performance of a contract (Art. 6(1)(b)) — for account creation, authentication, image hosting and delivery, billing, and customer support.
- Legitimate interests (Art. 6(1)(f)) — for security, abuse prevention, content-safety classification, fraud detection, and aggregated analytics. We balance these against your rights and have measures in place (data minimization, retention limits) to keep the impact proportionate.
- Consent (Art. 6(1)(a)) — for non-essential cookies/trackers and for marketing email. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)) — for tax records, responding to lawful requests, and statutory reporting (including, where applicable, mandatory reporting of CSAM under 18 U.S.C. §2258A).
How We Use Your Information
- Service delivery: Storing and serving your images via our CDN
- Account management: Authentication, team invitations, email verification
- Security: Detecting abuse, preventing fraud, protecting infrastructure
- Content safety: Automated classification of uploaded images to detect violations of our Acceptable Use Policy. Classifications inform whether content is flagged, hidden behind a viewer-side warning, subject to a reduced retention window, or removed from public serving. Operator review of flagged content is logged. See the Retention section for how classifications interact with retention.
- Communications: Transactional notifications (verification, billing, security alerts) sent via Amazon SES; optional product updates sent via Resend only where you have given consent (or, in jurisdictions that permit it, on an opt-out basis).
Data Storage and Security
- Images: Stored on Cloudflare R2 (encrypted at rest)
- Databases: Cloudflare D1 with encryption at rest
- Transit: All connections use TLS/HTTPS encryption
- Authentication secrets: Hashed (never stored in plain text)
Retention
The factors that determine how long we retain a given piece of personal data are: (a) whether the upload was authenticated; (b) your subscription tier; (c) the upload surface (for example, a dashboard upload versus a transient image-processing tool); and (d) the content classification produced by automated and, where applicable, operator review. The blanket retention ceilings below are durable commitments; the operational windows that apply within them are disclosed at the moment of upload by the surface you are using (for example, a tool page indicates the retention window for the outputs of that tool) and may be tuned over time to balance user expectations, storage constraints, and safety.
- Authenticated user uploads: retained until you delete the image or close your account, with two exceptions. Content identified by our classification or review processes as falling within categories prohibited by the Acceptable Use Policy is removed after a limited recovery window, regardless of subscription tier. Content identified as restricted but not prohibited (for example, nudity that does not fall within the prohibited categories) may be subject to a limited retention window on free accounts; paid accounts retain such content until you delete it.
- Anonymous uploads: retained for a limited window that depends on the upload surface and the content classification. The specific window is disclosed by the upload surface at the moment of upload. As a blanket ceiling, we will not retain an anonymous upload for more than two years from the date of upload regardless of any longer window advertised by an upload surface; in practice operational windows are much shorter. To extend retention beyond the operational window, sign in for a free account before uploading.
- Image bytes after deletion or retention expiry: moved to an operator-recovery store and retained there for a limited window to allow recovery from accidental or contested removals, then automatically reaped. The recovery window does not extend the public visibility of the content — content moved to operator-recovery is no longer served from our public-facing CDN.
- Account data: retained while your account is active. You can delete your account at any time from Settings. Deletion is reversible for a grace period via the email link we send at submit; after the grace period, all account data, owned-collection content, API keys, and marketing-list membership are permanently erased on the next sweep run. The full window between submit and erasure is well inside the GDPR Art. 12(3) one-month maximum response window.
- Sessions: a sliding expiry of approximately three months, with a hard maximum of approximately six months. Hard-deleted at submit when you delete your account.
- Worker / API request logs: approximately one month.
- Stripe billing records: retained on Stripe's side for approximately seven years for tax and accounting reasons (legal-obligation exception under GDPR Art. 17(3)(b)). At account deletion we cancel any active subscription immediately and scrub the Stripe Customer record's identifying fields (name, email, phone, address); the historical invoice ledger remains so we and you can still meet tax-authority requests.
- Abuse and DMCA records: retained for the rolling 12-month repeat-infringer policy and any pending counter-notification window. Your email and other identifiers on those records are anonymized at deletion (the records survive for legal-defensibility reasons; your identity in them does not).
Subprocessors and Third-Party Services
To deliver the Service we share limited data with the following processors, each governed by a Data Processing Agreement and their own privacy commitments. The current list is also maintained at /subprocessors.
- Cloudflare — image hosting, CDN, databases, edge compute (R2, D1, Workers, KV).
- Amazon Web Services — transactional email delivery (SES) and automated content-safety classification (Rekognition) on uploaded images. Image data is transmitted only for the duration of the classification request; we do not authorize this processor to retain images for model training.
- Stripe — payment processing for paid subscriptions; collects payment-method data directly from your browser.
- Plausible — privacy-respecting, cookieless analytics. We send aggregate event metadata (no full email addresses or IPs that we control).
- Resend — lifecycle and product-update email (only to recipients who have given the appropriate consent).
- Reddit — server-side conversion measurement for paid acquisition (hashed identifiers only).
We do not sell personal data and we do not authorize subprocessors to use your data for purposes outside the Service.
International Data Transfers
Moshi Inc. is incorporated in the United States and most of our subprocessors are also U.S.-based. Where we transfer personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland to a country outside that region, we rely on one or both of the following safeguards:
- The EU–U.S. Data Privacy Framework (and the UK Extension / Swiss Addendum) where the recipient is certified.
- The European Commission's Standard Contractual Clauses (Module 2 controller-to-processor) supplemented by appropriate technical and organizational measures.
You may request a copy of the transfer mechanism that applies to a specific subprocessor by emailing privacy@img.pro.
Your Rights
Depending on where you live, you may have some or all of the following rights. We will respond to verifiable requests within the time frame required by applicable law (generally 30 days under GDPR; 45 days under CCPA/CPRA).
European rights (GDPR / UK GDPR)
- Access — Receive a copy of your personal data
- Rectification — Correct inaccurate or incomplete data
- Erasure — Delete your account and associated data. Self-serve at Settings → Danger Zone; reversible for 7 days via the email link we send.
- Portability — Export your data in a machine-readable format
- Restriction — Limit how we process your data while a question is being resolved
- Objection — Object to processing based on legitimate interests, including profiling
- Withdraw consent — At any time, without affecting prior processing
- Lodge a complaint — With your local data-protection authority (in the EU, you can find the list at edpb.europa.eu)
California rights (CCPA / CPRA)
- Right to know — Categories and specific pieces of personal information collected, sources, business purposes, and third parties to whom it is disclosed
- Right to delete — Subject to legal retention exceptions
- Right to correct — Inaccurate personal information
- Right to opt out of sale or sharing — We do not sell or share your personal information for cross-context behavioral advertising; we honor the Global Privacy Control signal
- Right to limit use of sensitive personal information — We do not use sensitive personal information beyond what is necessary to provide the Service
- Right to non-discrimination — We will not deny service, charge a different price, or provide a different quality of service for exercising any of these rights
To exercise any of these rights, email privacy@img.pro from the address on file with your account, or use the in-app data-export and account-deletion tools when available. If you are an authorized agent acting on behalf of a California resident, include written authorization with your request.
Children
img.pro is not intended for children under 16 years of age, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact privacy@img.pro and we will delete it.
Changes to this Policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated through in-app notice or email to the address on file.
Contact
For privacy questions, requests, or complaints: privacy@img.pro. Mailing address: Moshi Inc., 4023 Kennett Pike #50475, Wilmington, DE 19807, United States.