Privacy Policy

Your privacy matters. We're transparent about what we collect and why.

Last Updated: October 23, 2025

Effective Date: October 23, 2025

Introduction

Welcome to PicForge ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered image transformation platform at picforge.com.

PicForge is operated by Derek Bobola, owner of Bobola's Restaurant in Nashua, NH. We built PicForge to make AI image editing accessible, fun, and powerful for everyone.

If you do not agree with this policy, please do not use our services.

Data We Collect

1. Information You Provide Directly

  • Account Information: Email address (for magic link authentication via InstantDB), optional name
  • Payment Information: Credit card details processed securely through Stripe (we never store full card numbers)
  • Images: Photos you upload for transformation (stored temporarily, see retention policy)
  • Prompts: AI transformation instructions you provide
  • Showcase Submissions: Titles, descriptions, and images you submit to our public gallery
  • Feedback: Messages, support requests, or feature suggestions you send us

2. Information Collected Automatically

  • Usage Data: Image generation count, daily limits, feature usage patterns (tracked via InstantDB)
  • Device Information: IP address, browser type, operating system, device identifiers
  • Analytics Data: Page views, session duration, referral sources (via Google Analytics)
  • Cookies & Tracking: Session cookies, analytics cookies, preference cookies (see Cookies section)
  • API Usage: Request timestamps, processing times, error logs

3. Information from Third Parties

  • Payment Processor (Stripe): Payment status, subscription details, billing information
  • AI Providers: Processing metadata from Google Gemini and Replicate APIs (no personal data shared)

How We Use Your Data

We use your personal information for the following purposes:

Service Delivery

  • Process and transform your images using AI models
  • Manage your account and authentication
  • Enforce daily usage limits (20 images/day for free tier)
  • Enable features like Lock Composition, favorites, and image history

Billing & Payments

  • Process subscription payments (Free, Pro, Unlimited tiers)
  • Handle promo code redemptions
  • Send payment receipts and billing notifications

Communication

  • Send magic link authentication emails
  • Notify you about daily limit warnings (if opted in)
  • Send product updates, new features, and tips (if opted in)
  • Respond to support requests

Analytics & Improvement

  • Analyze feature usage and user behavior patterns
  • Monitor API performance and error rates
  • Improve AI transformation quality
  • Develop new features based on usage data

Legal & Security

  • Prevent fraud, abuse, and unauthorized access
  • Enforce our Terms of Service
  • Comply with legal obligations and law enforcement requests
  • Protect intellectual property rights

Legal Basis (GDPR): We process your data based on (1) your consent, (2) contractual necessity to provide services, (3) our legitimate interests in improving the platform, and (4) legal compliance requirements.

Third-Party Services

We use the following third-party services that may collect your data:

InstantDB

Purpose: User authentication (magic links) and database storage

Data Shared: Email address, user ID, images, favorites, usage stats

Privacy Policy: instantdb.com/privacy

Stripe

Purpose: Payment processing for Pro subscriptions

Data Shared: Payment information, billing address, email

Compliance: PCI DSS Level 1 certified

Privacy Policy: stripe.com/privacy

Google Gemini API

Purpose: AI image transformation and processing

Data Shared: Uploaded images, transformation prompts

Privacy Policy: policies.google.com/privacy

Google Analytics

Purpose: Website traffic analysis and user behavior tracking

Data Shared: IP address, page views, session data, device information

Privacy Policy: policies.google.com/privacy

Resend

Purpose: Transactional email delivery

Data Shared: Email address, email content

Privacy Policy: resend.com/privacy

Vercel (Hosting & KV Storage)

Purpose: Website hosting and analytics tracking

Data Shared: Visitor counts, share tracking, template usage

Privacy Policy: vercel.com/legal/privacy-policy

Note: We do not control these third-party services and are not responsible for their privacy practices. Please review their privacy policies directly.

Your Privacy Rights

Depending on your location, you have the following rights regarding your personal data:

GDPR Rights (EU/EEA Residents)

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data
  • Right to Data Portability: Receive your data in a machine-readable format (JSON export)
  • Right to Object: Object to processing for direct marketing or legitimate interests
  • Right to Restriction: Limit how we use your data
  • Right to Withdraw Consent: Withdraw consent at any time (doesn't affect prior processing)
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

CCPA Rights (California Residents)

  • Right to Know: Request details about data collected in the past 12 months
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the "sale" of personal information (we do not sell data)
  • Right to Non-Discrimination: Equal service regardless of exercising privacy rights

How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: derek.bobola@gmail.com

Subject: "Privacy Rights Request - PicForge"

Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA).

Identity Verification: We may request additional information to verify your identity before processing requests.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and analyze usage patterns.

Types of Cookies We Use

Essential Cookies (Required)

Session authentication, user preferences, account security. Cannot be disabled.

Analytics Cookies (Optional)

Google Analytics tracking for feature usage, page views, and performance monitoring.

LocalStorage

Favorites, image history, UI preferences stored in your browser (not sent to servers).

Managing Cookies

You can control cookies through:

Data Security

We implement industry-standard security measures to protect your data:

Encryption

TLS/SSL encryption for all data in transit. Database encryption at rest via InstantDB.

Access Controls

Role-based access, admin-only promo code generation (derek.bobola@gmail.com).

Payment Security

Stripe handles all payment processing (PCI DSS Level 1). We never store card details.

Monitoring

Automated error logging, rate limiting (500 requests/day/IP), abuse detection.

Important: No security system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. Use strong passwords and enable two-factor authentication when available.

Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you within 72 hours (GDPR requirement) via email and provide details about the breach, affected data, and steps we're taking to resolve it.

Data Retention

We retain your data for as long as necessary to provide services and comply with legal obligations:

  • Account Data (email, name): Until account deletion
  • Uploaded Images: 30 days after upload
  • Transformed Images: 90 days or account deletion
  • Showcase Submissions: Indefinitely (public gallery)
  • Usage Statistics: 2 years (anonymized after 1 year)
  • Payment Records: 7 years (tax/legal compliance)
  • Email Logs: 90 days
  • Error Logs: 30 days

Automatic Deletion: Uploaded images are automatically deleted after 30 days. Transformed images in your account are deleted after 90 days or upon account deletion.

Children's Privacy

PicForge is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13.

If you believe we have inadvertently collected data from a child under 13, please contact us immediately at derek.bobola@gmail.com and we will delete it.

International Data Transfers

Your data may be transferred to and processed in the United States and other countries where our service providers operate.

EU/EEA Users: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers outside the EEA. Our service providers (InstantDB, Stripe, Vercel) have implemented appropriate safeguards to protect your data.

By using PicForge, you consent to the transfer of your data to countries with different data protection laws than your country of residence.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification: Material changes will be communicated via:

  • Email notification (for registered users)
  • Prominent notice on our website
  • Updated "Last Updated" date at the top of this policy

Continued use of PicForge after changes constitutes acceptance of the updated policy.

Contact Us

For privacy-related questions, requests, or concerns, please contact:

Data Protection Contact

Name: Derek Bobola

Company: Bobola's Restaurant / PicForge

Email: derek@pic-forge.com

Subject Line: "Privacy Request - PicForge"

Location: Nashua, NH, United States

Response Time: We aim to respond to all privacy inquiries within 2-3 business days, with formal requests processed within 30 days (GDPR) or 45 days (CCPA).

EU Representative

If you are located in the EU/EEA and need to contact a representative, please email derek@pic-forge.com with subject "EU Data Protection Inquiry".

Filing a Complaint

If you are not satisfied with how we handle your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

  • EU/EEA: Contact your national data protection authority (list available at edpb.europa.eu)
  • UK: Information Commissioner's Office (ICO) - ico.org.uk
  • California: California Attorney General's Office - oag.ca.gov/privacy

PicForge is a project by Derek Bobola, owner of Bobola's Restaurant, Nashua NH