1. Who we are
This Privacy Policy describes how Imazho (“Imazho,” “we,” “us,” or “our”) processes personal information in connection with the imazho.com website and the Imazho applications and services (together, the “Service”). For the purposes of the EU and UK General Data Protection Regulation (“GDPR”), Imazho is the data controller of the limited personal data described below.
[Before launch, insert your registered legal entity name, company number, and registered address here.]
2. The short version
- Your photos, videos, albums, and captions are encrypted end-to-end. We can’t see them.
- We collect the minimum needed to run your account, billing, and the website.
- We do not sell or “share” your personal information, and we do not show ads.
- We use a small number of trusted processors (hosting, payments, email) under contract.
- You can access, export, correct, or delete your data at any time.
3. Information we process
3.1 Information you provide
- Account data: name (optional), email address, and authentication credentials (password hashes, passkeys, or third-party sign-in identifiers).
- Encrypted content: your photos, videos, albums, captions, tags, and metadata — all encrypted on your device. We store only ciphertext and cannot read it.
- Payment data: processed by our payment provider (e.g., Stripe). We receive billing status, plan, country, and the last four digits/expiry of your card — never full card numbers.
- Support communications: messages you send us and their contents.
3.2 Information collected automatically
- Device & usage data: IP address, device/browser type, operating system, app version, timestamps, and basic feature/usage events used to operate and secure the Service.
- Storage metadata: file sizes, counts, and encrypted-object identifiers needed to manage your quota and sync.
- Cookies / local storage: see Section 5.
3.3 Information we do NOT have
Because of end-to-end encryption, we do not have access to the visual contents of your photos/videos, your encryption keys, or your passphrase. AI features (search, tagging) run on-device or on data you explicitly choose to process; see Section 10. If you lose your passphrase and recovery key, we cannot recover your content.
4. How we use information & legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Provide, maintain, and secure your account and the Service | Performance of a contract |
| Process payments and manage subscriptions/trials | Performance of a contract; legal obligation (tax/accounting) |
| Prevent fraud, abuse, and ensure security (incl. CAPTCHA) | Legitimate interests |
| Respond to support requests | Performance of a contract; legitimate interests |
| Product analytics & improvement (privacy-preserving) | Legitimate interests; consent where required |
| Send service/transactional emails | Performance of a contract |
| Send marketing emails (if any) | Consent (withdraw anytime) |
| Comply with law and enforce our Terms | Legal obligation; legitimate interests |
5. Cookies & similar technologies
We use strictly necessary cookies/local storage to keep you signed in and to secure the Service. Where required by law (e.g., EU/UK ePrivacy, California), we request consent before setting any non-essential (analytics) cookies and provide controls to change your choices. We honor Global Privacy Control (GPC) signals where applicable.
6. How we share information
We do not sell your personal information. We share limited data only with:
- Service providers / sub-processors who process data on our behalf under contract, including cloud hosting & encrypted object storage, our payments provider, transactional email, and bot/abuse protection.
- Legal & safety: when required by valid legal process, or to protect rights, safety, and security. Because content is encrypted, we can only ever produce the limited account/metadata we hold.
- Business transfers: in connection with a merger, acquisition, or asset sale, subject to this policy.
[Maintain a current sub-processor list and link it here / in your DPA.]
7. International data transfers
We may process information in countries other than your own. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum) or an adequacy decision.
8. Data retention
We keep account and billing data for as long as your account is active and as needed to comply with legal, tax, and accounting obligations. When you delete your account, we delete or irreversibly anonymize your data within a commercially reasonable period (typically within 30 days), except where retention is legally required. Encrypted content is deleted from active systems and purged from backups on a rolling schedule.
9. Security
We protect your data with end-to-end encryption, encryption in transit (TLS) and at rest, access controls, and the principle of least privilege. No method of transmission or storage is 100% secure, but our zero-knowledge architecture means that even in the event of a server compromise, your content remains encrypted and unreadable without your key. Report vulnerabilities to support@imazho.com.
10. AI & automated processing
Imazho offers optional AI features (e.g., search, tagging). These run on your device or on data you explicitly choose to process, and are opt-in where they would involve server-side processing of decrypted content. We do not use your private content to train third-party models. We do not make legal or similarly significant decisions about you solely by automated means.
11. Your privacy rights
11.1 EEA, UK & Switzerland (GDPR)
You have the right to access, rectify, erase, restrict, and port your data, to object to processing, and to withdraw consent. You may lodge a complaint with your local supervisory authority. To exercise rights, contact privacy@imazho.com.
11.2 California (CCPA/CPRA)
California residents have the right to know, access, delete, and correct personal information, and to opt out of “sale” or “sharing” and limit use of sensitive personal information. We do not sell or share personal information as those terms are defined under the CPRA, and we do not knowingly process the sensitive personal information of consumers for purposes requiring an opt-out. We will not discriminate against you for exercising your rights.
11.3 Other regions
We honor data-protection rights under other applicable laws, including Canada (PIPEDA), Brazil (LGPD), Australia (Privacy Act / APPs), and other U.S. state privacy laws (e.g., Virginia, Colorado, Connecticut, Utah, Texas). Contact us to exercise any rights available to you.
We respond to verifiable requests within the timeframes required by applicable law (generally 30–45 days).
12. Children
The Service is not directed to children under 16 (or the minimum age in your jurisdiction), and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.
13. Contact us & representatives
Privacy questions or requests: privacy@imazho.com. General support: support@imazho.com.
[Appoint and list your Data Protection Officer (if required) and your EU and UK Article 27 representatives, with addresses, before launch.]
14. Changes to this policy
We may update this policy from time to time. We will post the new version here with an updated date and, for material changes, provide additional notice (e.g., by email or in-app).