Privacy Policy
The short version
- Your photographs live in a private session on our EU-West server only while you're comparing them. They are deleted when you close the tab, click "Clear all", or after 30 minutes idle.
- If you sign in we open a small account record (your email, your chosen display name, optional photographer profile). You can delete it at any time from /account/settings.
- Anthropic and AWS analyse photos as our subprocessors under Zero Data Retention — they don't keep your image after the API response.
- Industry-mandatory CSAM classifiers run upstream — we cannot override that, and we disclose it because it's true.
- You must be at least 16 to open an account (GDPR Art. 8). We don't ask anything else about your age.
1. Who we are (Controller)
WinPhoto is operated as a sole-proprietor activity established in the Grand Duchy of Luxembourg, with the intention to incorporate as a Luxembourg société à responsabilité limitée (S.à r.l.) once recurring revenue justifies it. The full operator identity and contact channels are in our Imprint. For any privacy-related question, write to privacy@winphoto.io. No Data Protection Officer is appointed: the Art. 37(1) GDPR triggers are not satisfied (no public-authority status, no large-scale systematic monitoring, no large-scale special-category processing); the reasoning is recorded in our internal DPIA. The lead supervisory authority is the Commission nationale pour la protection des données (CNPD), Luxembourg.
Operator location does not affect data location. Every photograph and every analysis result stays inside the European Economic Area, processed in AWS Bedrock's eu-west-1 (Dublin) region under Zero Data Retention contracts. The technical isolation is what protects your data, not the operator's mailing address.
2. What data we process
2.1 Your photographs (session storage)
Held in a private per-session directory while you compare. Multi-photo analysis is the product, so when you drop photos onto your session they are written to a server-side directory keyed on a random session token. Apprentice (free) tier holds up to 3 photos per session, Studio up to 30, Atelier up to 100.
Three triggers delete the photos:
- You click Clear all or remove photos individually (immediate deletion).
- You close the browser tab — a best-effort beacon clears your session.
- 30 minutes pass without activity (idle cleanup runs probabilistically on each request and as a daily cron pass).
What goes to AWS Bedrock. When you click Find competitions, each photo is sent in turn to AWS Bedrock (eu-west-1, Dublin, Ireland), where Anthropic's Claude vision model classifies it. Both AWS and Anthropic operate under Zero Data Retention for this analysis path — neither retains the image after the API response.
The textual analysis is cached for the session. So that re-running the comparison is free, the structured analysis output (categories, tags, subject description, cultural markers — never the photo bytes) is held in the same session record. It is wiped when the session is wiped, on the same triggers above.
No backups, no cross-session linking. The session directory is not replicated, not backed up, and the random token is never tied to your IP, browser, or any account.
Lawful basis. Performance of the contract you initiate by uploading (Art. 6(1)(b) GDPR) — without the upload the analysis service does not exist. Processing is strictly scoped to the immediate purpose; no further use is made of the image bytes or the analysis output.
2.2 Your account record (signed-in users only)
If you sign in — through the magic-link email flow or "Continue with Google" — we create a small account record on our EU-West server. The record contains:
- Your email address (validated, lowercased). Lawful basis: performance of contract (Art. 6(1)(b) GDPR).
- An opaque internal identifier (random 128-bit hex). Used as the JWT subject claim; never derived from the email.
- Your chosen display name (free-text, max 64 chars), captured at first sign-in for greeting purposes.
- Your tier (apprentice / studio / atelier) and a small history of tier changes for audit.
- Compliance audit fields — timestamp of when you confirmed you were 16+, the version of the Terms you accepted, whether you opted in to marketing email. Lawful basis: GDPR Art. 6(1)(c) (compliance with a legal obligation), specifically Art. 7(1) (demonstrating consent where consent is relied on) and Art. 5(2) (accountability).
- Optional photographer profile (subjects, AI workflow preference, residency country code) — provided voluntarily on /account to personalise competition recommendations. Lawful basis: explicit consent (Art. 6(1)(a) GDPR). You can clear any field by re-submitting the profile form; you can erase the whole record from /account/settings.
- Issued JWT identifiers (last 50) so we can revoke active sign-in tokens when you change tier or sign out from all devices.
We do not store passwords (there are none) and we do not store payment-card details (those live with Polar, our merchant of record). Account deletion is self-serve from /account/settings → Erase your account; the file is removed and a tombstone in the email index ensures the same email cannot resurrect the prior record.
2.3 Sign-in cookies
We use three small cookies for authenticated sessions, all strictly necessary, all HttpOnly, all SameSite=Lax:
- wpc_sid — anonymous session token, lifetime 4 hours since last interaction. Issued for every visitor, used to key your private photo session. Not tied to any account or IP.
- wpc_ent — entitlement JWT (signed with HMAC, 7-day expiry). Carries your account identifier and current tier; refreshed each time you sign in.
- wpc_id — short account-id cookie (7-day expiry, mirrors wpc_ent) used to render the nav greeting without parsing the JWT on every request.
None of these are used for analytics or advertising. We do not currently run any third-party analytics, tracking, or advertising cookie. If we ever add analytics it will be behind a granular consent banner — this paragraph will update at the same time.
2.3a Saved verdicts ("the wall")
If you click Save this verdict on a judging surface, we keep a small JPEG thumbnail (256-pixel max dimension) of your photograph plus the verdict text and the competition the verdict was issued against. The original full-resolution photograph is not persisted — it remains in session storage and is deleted on the same triggers as Section 2.1. Free tier holds up to 3 saved verdicts; Studio and Atelier are unlimited. Lawful basis: legitimate interest (Art. 6(1)(f) GDPR) — providing the persistent reference the operator explicitly requested. You can delete any saved verdict at any time from /account; the delete is immediate (atomic tombstone in the per-account JSONL). Account deletion wipes the entire wall.
2.4 Free-tier session quota tracking
To enforce the 5-sessions-per-month free quota, we track an IP-hashed identifier that rotates every 30 days. The hash is one-way (SHA-256 with a salted prefix) and is not reversible. The salt rotates monthly, so the same IP produces a different hash next month, making cross-month linking impossible. The IP itself is truncated to /24 (IPv4) or /48 (IPv6) before hashing — we hash a network block, not an individual address.
2.5 Deep-judge per-session quota counter
Free-tier accounts get up to 3 deep-judge runs per session. The counter lives inside your session record (the same record described in 2.1), is wiped on session deletion, and never leaves our server.
2.6 Checkout consent log
If you confirm consent on the checkout page (paid plans), we append a single line to a private JSONL file recording: a random intent ID, the tier you chose, the consent boxes you ticked, your withdrawal-rights choice, your email, your truncated IP and a hash of your User-Agent header, and the moment of recording. This is the evidence trail required by the Consumer Rights Directive 2011/83/EU (Art. 6) and the Omnibus Directive 2019/2161 (transparency-of-consent obligations). It is retained for 6 years — chosen as a conservative ceiling that exceeds the consumer-claims limitation period under every likely jurisdiction of our EU customers — and then purged. Lawful basis: GDPR Art. 6(1)(c) (compliance with a legal obligation) read with Art. 5(2) (accountability) and Art. 7(1) (demonstrating consent where consent is the lawful basis).
2.7 Server logs
Standard HTTP server logs (request URL, HTTP status, timestamp, generic User-Agent) are retained for 14 days for operational diagnostics, then automatically purged. We do not log full IP addresses; logged IPs are truncated to /24 (IPv4) or /48 (IPv6) at write time. Lawful basis: legitimate interest (Art. 6(1)(f) GDPR — service security and abuse mitigation).
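The IP-handling scheme described in Sections 2.4 and 2.7 (truncate the address to its /24 or /48 network block, then, for the quota identifier, run it through a one-way SHA-256 hash keyed with a salt that rotates monthly) is illustrated below with an added Python example. It is not WinPhoto's code; the function and class names (truncate_ip, SaltStore, quota_identifier, write_log_line) and the sample addresses and log fields are constructed for this illustration. It shows the two properties the policy claims: two addresses in the same block collapse to one identifier, and the same address produces an unrelated identifier once the salt rotates.

```python
import hashlib
import ipaddress
import secrets
from datetime import date

# Hypothetical privacy-engineering helpers (not the operator's code), written to
# match the description in Sections 2.4 and 2.7 of the policy.


def truncate_ip(ip_str: str) -> str:
    """Reduce an address to its network block: /24 for IPv4, /48 for IPv6.

    The host bits are zeroed, so the individual address is not recoverable
    from the result. Raises ValueError on input that is not an IP address.
    """
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 48
    # strict=False lets ip_network zero the host bits instead of rejecting them.
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class SaltStore:
    """Holds one random 256-bit salt for the current calendar month.

    When a new month is first seen, the previous month's salt is discarded,
    so identifiers from earlier months can no longer be recomputed or linked.
    (In-memory here for the example; a real deployment would persist the
    current salt somewhere the application can read it.)
    """

    def __init__(self) -> None:
        self._month: str | None = None
        self._salt: bytes = b""

    def salt_for(self, day: date) -> bytes:
        key = day.strftime("%Y-%m")
        if key != self._month:
            self._month = key
            self._salt = secrets.token_bytes(32)  # rotation: old salt is gone
        return self._salt


def quota_identifier(ip_str: str, day: date, store: SaltStore) -> str:
    """One-way, salted identifier for a network block, valid for one month.

    SHA-256 over (monthly salt || truncated block). Because the salt is
    secret and random, the block cannot be brute-forced from the digest
    without it, and cross-month identifiers do not match.
    """
    block = truncate_ip(ip_str).encode("ascii")
    return hashlib.sha256(store.salt_for(day) + block).hexdigest()


def write_log_line(client_ip: str, method: str, path: str, status: int,
                   user_agent: str, when: str) -> str:
    """Render a server-log line with the client address truncated at write time.

    The full address never reaches the log file, which is the guarantee
    Section 2.7 makes. Field layout is constructed for this example.
    """
    return (f'{truncate_ip(client_ip)} [{when}] "{method} {path}" '
            f'{status} "{user_agent}"')


if __name__ == "__main__":
    store = SaltStore()
    jan = date(2024, 1, 15)
    feb = date(2024, 2, 1)
    # Constructed sample addresses (RFC 5737 / RFC 3849 documentation ranges).
    a = quota_identifier("203.0.113.57", jan, store)
    b = quota_identifier("203.0.113.200", jan, store)   # same /24, same month
    c = quota_identifier("203.0.113.57", feb, store)    # same host, next month
    print("same block, same month  ->", a == b)   # True
    print("same host, next month   ->", a == c)   # False
    print(write_log_line("2001:db8:abcd:1234:5678::1", "GET", "/compare",
                         200, "Mozilla/5.0", "2024-01-15T10:00:00Z"))
```

Running the block prints the two linkability checks and one scrubbed IPv6 log line whose address field reads 2001:db8:abcd::/48. The monthly rotation is the part worth noticing: a per-request identifier that is merely hashed without a rotating salt would still be a stable pseudonym, which is why the policy's 30-day rotation matters for the "cross-month linking impossible" claim.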
2.8 Email transport (Resend)
Sign-in links, payment receipts, deadline alerts, and (if you opted in) the weekly Letter from the Critic are sent via Resend. The email payload contains your address and the message body only — no analysis content, no photographs, no profile data. Resend operates from the United States under Standard Contractual Clauses for the EU→US transfer and acts as our processor under a written DPA.
2.9 What we don't process
- We do not perform face recognition or any biometric identification on your photographs.
- We do not use your photographs to train AI models — ours or anyone else's.
- We never compare your photos to other users' work; comparisons are strictly within your own session.
- We do not enrich your account with data from third parties (no email-to-profile lookups, no IP-to-location enrichment beyond the city-level inference Bedrock makes for routing).
- We do not process special-category data (Art. 9 GDPR). The optional residency country is a 2-character code; we collect no health, religious, political, or biometric data.
3. Subprocessors
The following service providers process data on our behalf, under written contract. Sub-processor changes are notified at least 30 days in advance via this page (anyone) and via email (paid tiers).
| Provider | Purpose | Region | Terms |
|---|---|---|---|
| Anthropic, PBC | Vision-model classification (Claude) | EU-West (Ireland) via Bedrock | Zero Data Retention |
| Amazon Web Services EMEA SARL | Compute, network, Bedrock gateway | eu-west-1 (Dublin) | GDPR DPA, ZDR for Bedrock |
| Polar Software, Inc. | Payment processing, billing, invoicing (merchant of record) | United States (SCCs for EU→US transfer) | Independent controller for payment data |
| Resend Inc. | Transactional email delivery (sign-in links, receipts, deadline alerts, opted-in newsletters) | United States (SCCs for EU→US transfer) | Processor; payload limited to recipient address and message body |
| Google LLC (Google OAuth) | "Continue with Google" sign-in. We receive your email address, name, and Google account ID; nothing is written back to Google. | United States (SCCs for EU→US transfer) | Independent controller for the Google-side auth flow; processor for the email attestation we receive |
| Fly.io, Inc. | Container hosting (the application itself) | EU-West region (Frankfurt / Paris) | DPA on file with SCCs; data lives in EU regions only |
| Google LLC (Google Fonts) | Web-font delivery (Inter, JetBrains Mono). Your browser fetches font files directly from Google's CDN; the bytes do not pass through our server. | Google's global CDN (request resolves to the nearest edge) | Public CDN — no DPA available; we are evaluating self-hosting the fonts to remove the transfer |
| Cloudflare, Inc. (unpkg.com) | Delivery of one JavaScript file (htmx 1.9.12). Your browser fetches it directly from Cloudflare's CDN. | Cloudflare's global CDN (nearest edge) | Public CDN — no DPA available; we are evaluating bundling htmx locally to remove the transfer |
Photographs never leave the European Economic Area. Your photograph stays in Dublin from the moment it leaves your browser to the moment it is released from memory. Photographs are not included in any backup. Payment metadata (your email, billing country, the amount charged) is processed by Polar in the United States under Standard Contractual Clauses; we never send Polar your photographs or analysis results.
Browser-side CDN disclosure. When your browser loads a WinPhoto page, it fetches typography from Google Fonts (fonts.googleapis.com, fonts.gstatic.com) and one JavaScript file from unpkg.com (Cloudflare). For the duration of those requests, your IP address and User-Agent string are visible to Google and Cloudflare. Neither sets a cookie on those domains. We are listed as the controller for these transfers because we caused them by including the <link> and <script> references; the legal basis is our legitimate interest in delivering typography and interaction without bundling fees, paired with this disclosure. Self-hosting both is on the post-launch roadmap.
4. CSAM classifiers — honest disclosure
Industry standards require any commercial vision-model service to run CSAM-detection classifiers upstream of analysis. Anthropic and AWS do this, and we cannot opt out — and we wouldn't if we could. If a false positive flags your photograph, the upstream provider may retain it for review independently of us. This is described in their respective privacy policies. We disclose this here because we believe you deserve to know.
5. Automated decision-making (GDPR Art. 22 + AI Act Art. 50)
Our service is an AI critique tool. Verdicts ("Strong submit", "Submit", "Maybe", "Skip"), per-category rankings, and shortlists are generated by an AI vision model, with no human in the loop on the per-photograph judgment.
You retain the curatorial decision. WinPhoto outputs are advisory; the choice to enter a competition, with which photograph, in which category, is yours alone. The decision is therefore not "based solely on automated processing producing legal effects" within the meaning of Art. 22(1) GDPR.
AI Act Art. 50 disclosure. Every analysis output, every verdict, and every email derived from those outputs carries a clear "AI-generated" label. The first time you use the service in a session, you must acknowledge an AI-disclosure modal. The compliance band on every tier card on /pricing repeats this disclosure pre-contractually.
6. Retention
| Data | Retention |
|---|---|
| Photographs (session storage) | Deleted on tab close, "Clear all" click, or 30 minutes idle |
| Cached analysis text (session storage) | Same as photographs |
| Account record | Until you delete it from /account/settings, or 24 months after the last sign-in (whichever is sooner) |
| Saved verdicts (the wall, with thumbnails) | Until you delete the verdict, or until account deletion. Originals never persisted. |
| Sign-in cookies | 4 hours (sid) / 7 days (ent + id), HttpOnly, SameSite=Lax |
| Checkout consent log | 6 years (conservative ceiling exceeding the consumer-claims limitation period under every likely EU member-state jurisdiction of our customers), then purged |
| Server logs | 14 days, then purged |
| Email index (lookup record) | While the account is live; after self-serve erasure, a minimal tombstone line (email address + deletion timestamp, no other fields) is retained for up to 6 years — aligned with the checkout consent-log limitation period — so we can demonstrate erasure on audit and prevent the same email resurrecting a deleted account. Lawful basis: Art. 17(3)(b) GDPR (compliance with a legal obligation) read with Art. 5(2) (accountability). If you want the tombstone itself purged before that horizon, write to privacy@winphoto.io from the address that owned the account — we will assess the request and confirm in writing. |
| IP-hashed quota identifier | 30 days; salt rotates monthly |
7. International transfers
Photographs and analysis results are processed only in the EEA (Ireland). Where a sub-processor is in a third country (United States — Polar, Resend, Google), we rely on the European Commission's Standard Contractual Clauses (modules appropriate to the relationship) plus supplementary measures: encryption in transit (TLS 1.3), pseudonymisation where the data permits it, and data-minimisation in the payload. We do not rely on the EU–US Data Privacy Framework adequacy decision alone.
Off-site backups. We do not currently maintain off-site backups of personal data. The Fly volume that holds operational data (account index, audit logs, checkout consent log) is replicated within the EU region by Fly itself. If we add a third-party off-site backup provider in the future, this section will update with the provider, region, and safeguards before any data flows.
8. Your GDPR rights
You have the right to:
- Access the data we hold about you (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten", Art. 17) — self-serve from /account/settings or by email; we delete within 30 days, typically same-day
- Restriction of processing (Art. 18)
- Portability of your data in a machine-readable format (Art. 20) — email privacy@winphoto.io; we deliver a JSON export within 30 days
- Object to processing (Art. 21)
- Withdraw consent for marketing email at any time (Art. 7(3)) — one click from the unsubscribe link in any email, or from /account/settings
- Lodge a complaint with your local data protection authority (a list is at edpb.europa.eu)
Most of these rights are trivially satisfied because we hold very little about you. To exercise any right, email privacy@winphoto.io from the address you signed up with. Our standard response window is 30 days (Art. 12(3)); we typically respond within 5 business days.
9. Children (GDPR Art. 8)
WinPhoto is not directed at children. You must be at least 16 to open an account; this is the strictest member-state floor under Art. 8 and we apply it across the EU rather than branch by country. We capture a 16+ confirmation at first sign-in and at checkout, recorded with an ISO timestamp on your account record.
If you believe a child under 16 has opened an account, please email privacy@winphoto.io and we will erase it within 7 days.
10. Changes to this policy
Material changes will be reflected on this page with an updated "Last updated" date. For paid-tier users, material changes that affect your rights or the processing scope are also notified by email at least 30 days before they take effect. Continued use after the effective date constitutes acceptance; if you object, you may delete your account at no cost.