1. Introduction
PhotoRaters ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services.
2. Information We Collect
2.1 Information You Provide
- Account information (name, email address, age, gender)
- Photos you upload for rating
- Ratings and feedback you provide on other users' photos
- Profile information and preferences
2.2 Automatically Collected Information
- Device information (device type, operating system, unique device identifiers)
- Usage data (features used, time spent, interaction patterns)
- Log data (IP address, browser type, timestamps)
- Analytics data (app performance, crash reports)
2.3 Biometric Information and Sensitive Data
Important: Photos you upload may contain biometric identifiers, including facial geometry, which are considered sensitive personal information under GDPR (EU), CCPA (California), BIPA (Illinois), and similar laws.
- We do NOT perform facial recognition or extract biometric templates
- We do NOT use photos to identify individuals
- Photos are processed by AI moderation to detect inappropriate content only
- Photos may inadvertently reveal: race/ethnicity, health information, or sexual orientation
- You should only upload photos you are comfortable sharing publicly for rating purposes
2.4 Cookies and Tracking Technologies
We use the following technologies:
- Essential Cookies: Session management and authentication (Clerk)
- Analytics: Usage patterns and app performance monitoring
- Security: Fraud detection and abuse prevention
You can control cookies through your browser settings. Disabling cookies may limit functionality.
3. How We Use Your Information
We use the collected information to:
- Provide, maintain, and improve our services
- Display your photos to other users for rating purposes
- Calculate rating scores and tier levels
- Detect and prevent fraud, abuse, and suspicious activity
- Send service-related notifications and updates
- Analyze usage patterns to improve user experience
- Comply with legal obligations
3.1 Legal Basis for Processing (GDPR - EU Users)
Under GDPR, we process your personal data based on the following legal grounds:
- Contract (Article 6(1)(b)): Account management, photo rating services, tier calculations
- Consent (Article 6(1)(a)): Marketing communications, optional features, photo uploads containing biometric data
- Legitimate Interest (Article 6(1)(f)): Fraud detection, service improvement, security, analytics
- Legal Obligation (Article 6(1)(c)): Compliance with law enforcement requests, tax obligations
- Explicit Consent for Sensitive Data (Article 9(2)(a)): Processing biometric identifiers in photos
You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
3.2 Automated Decision-Making
We use AI to automatically moderate uploaded photos. The AI analyzes content for appropriateness and may automatically reject photos deemed inappropriate. This is necessary to protect our community.
Your Rights: You can request human review of any AI decision by contacting contact@photoraters.com with "Moderation Appeal" in the subject line. We will provide an explanation of the rejection reason and allow you to appeal the decision.
4. Information Sharing and Disclosure
4.1 With Other Users
Photos you upload are shown to other users for rating. Your name, specific email address, or other identifying information is NOT shared with raters.
4.2 With Third-Party Service Providers
We share data with the following specific providers:
- Clerk (clerk.com/privacy) - Authentication and user management
- Railway (railway.app/legal/privacy) - Cloud hosting and database
- OpenAI (openai.com/privacy) - AI content moderation (photos are analyzed but not stored by OpenAI)
- Email Service Provider - Transactional emails and moderation alerts
All third-party providers are bound by contractual obligations to protect your data and use it only for the purposes we specify. We ensure Standard Contractual Clauses (SCCs) are in place for EU data transfers.
4.3 Legal Requirements
We may disclose information if required by law, court order, or to protect our rights, users, or the public.
5. Data Security
We implement industry-standard security measures including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication via Clerk (OAuth 2.0)
- Regular security audits and updates
- AI-powered content moderation
- Fraud detection systems
- Access controls and principle of least privilege
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
5.1 Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you and relevant authorities within 72 hours (as required by GDPR) or as required by applicable law. The notification will include details of the breach, potential impact, and steps you can take to protect yourself.
6. Your Rights and Choices
6.1 General Rights (All Users)
You have the right to:
- Access: Request copies of your personal data
- Correction: Update or correct inaccurate data
- Deletion: Delete your account and associated data
- Data Portability: Export your data in a machine-readable format
- Opt-Out: Unsubscribe from marketing communications
- Object: Object to certain data processing activities
6.2 Additional Rights for EU Users (GDPR)
- Right to Restriction: Limit how we use your data while disputes are resolved
- Right to Object to Profiling: Object to automated decision-making
- Right to Withdraw Consent: Withdraw consent for biometric data processing
- Right to Lodge a Complaint: File complaints with your national Data Protection Authority
- Right to Data Portability: Receive your data in a structured, commonly used format
EU Data Protection Authority Contact: Find your country's authority at edpb.europa.eu
6.3 California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information (subject to exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do NOT sell or share your personal information
- Right to Limit Sensitive Personal Information: Limit use of biometric data (photos with faces)
- Right to Non-Discrimination: We will not discriminate against you for exercising privacy rights
We Do Not Sell Your Data: PhotoRaters does not sell or share personal information for monetary or other valuable consideration.
Sensitive Personal Information: Photos may contain biometric identifiers (faces), which California law considers sensitive. We use this data solely for photo rating and content moderation purposes.
12-Month Collection Summary: In the past 12 months, we have collected: identifiers (name, email), demographic information (age, gender), photos (may contain biometric data), internet activity (usage patterns), and geolocation data (IP address).
6.4 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: contact@photoraters.com
- Subject Line: "Privacy Request - [Your Jurisdiction]" or "Data Request"
- Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA)
We may require verification of your identity before processing requests to protect your privacy.
7. Data Retention
We retain different types of data for varying periods based on legal requirements and business needs:
- Photos (Biometric Data): Retained until you delete them or close your account, then permanently deleted within 30 days. Maximum retention: 3 years after last account activity.
- Account Information: Retained while account is active, then deleted within 30 days of account closure
- Ratings Data: Anonymized after 2 years (disconnected from user identity) for statistical purposes
- Authentication Logs: 90 days
- Moderation Records: 1 year for compliance and fraud prevention
- Legal Hold Data: Retained as required by law enforcement, tax authorities, or ongoing litigation
When you delete your account, all personal data is permanently deleted within 30 days, except where we are legally required to retain it longer (e.g., tax records, fraud investigations).
8. Children's Privacy
PhotoRaters is not intended for users under 18 years of age. We do not knowingly collect information from children under 18. If you believe we have collected information from a child, please contact us immediately.
9. International Data Transfers
PhotoRaters is operated from France, but your data may be transferred to and processed in other countries, including the United States (for cloud hosting and AI services).
9.1 EU to Third Countries (GDPR Articles 44-50)
For transfers from the EU to countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved contracts with our service providers (Railway, OpenAI)
- Your Explicit Consent: For certain transfers where you explicitly agree
- Contractual Necessity: Where transfers are necessary to provide the service you requested
You may request copies of the Standard Contractual Clauses by contacting contact@photoraters.com.
9.2 Data Transfer Safeguards
All international data transfers are protected by encryption, access controls, and contractual obligations requiring third parties to protect your data at the same level as required by EU law.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or in-app notification. Your continued use of PhotoRaters after changes indicates acceptance of the updated policy.
11. Contact Us
If you have questions about this privacy policy or our data practices, please contact us:
Data Controller:
Clément Baumann (Auto-Entrepreneur)
1 rue Garnier Pagès
94100 Saint-Maur-des-Fossés, France
SIRET: 840 305 866 00021
RCS: Créteil
Contact:
Email: contact@photoraters.com
(For all inquiries: privacy, support, moderation, and general questions)
EU Representative:
As we are based in France (EU), no separate EU representative is required under GDPR Article 27.
Supervisory Authority (France):
Commission Nationale de l'Informatique et des Libertés (CNIL)
www.cnil.fr