>_image.sh

Data processing

Last updated: June 2026

This page describes how image.sh processes personal data. It is intended as a supplement to the Privacy Policy.

Operator

image.sh is operated from Queensland, Australia. For data queries, contact: hello@image.sh

Categories of data processed

  • Identity data: Google account identifier, email address, display name, profile picture URL.
  • Content data: images and associated metadata (filename, file size, dimensions, upload timestamp, view count, hidden flag).
  • Technical data: IP address, user agent, request URL, response status, request timestamp.
  • Session data: opaque session identifier stored in a cookie, mapped to a user record in our database with an expiry timestamp.
  • Invitation data: where an admin issues an invitation by email, the invited email address and an expiry are stored until the invitation is used or revoked.

Lawful basis (where applicable)

Where the GDPR or similar regulation applies to your data, we process it on the following bases:

  • Performance of a contract: authenticating you, storing your content, generating the links you ask us to generate.
  • Legitimate interests: maintaining server logs for security, diagnostics, and abuse prevention.
  • Legal obligation: where required by law to retain or disclose information.
  • Consent: where applicable, by your continued use of the service after being informed.

Sub-processors

We use the following sub-processors:

  • Google LLC (United States): authentication. When you sign in, your Google ID token is transmitted to Google's public verification endpoint for cryptographic validation. We do not send any other personal data to Google in the course of normal operation.

Hosting and storage of all account data and uploaded images is performed on the operator's own servers. We do not use a third-party object store or content delivery network.

Data location

All account data and uploaded content are stored on servers located in Australia. Some technical metadata may transit international networks during normal Internet operation.

Retention

  • Account data: retained while your account is active. Deleted on account deletion, typically within seven (7) days of a deletion request.
  • Uploaded content: deleted immediately when you delete an image; deleted along with your account on account deletion.
  • Session records: deleted on logout, on session expiry (30 days), or by an hourly background sweep, whichever comes first.
  • Invitation records: pending invitations expire by their nominated date and are purged thirty (30) days after expiry.
  • Access logs: rotated and discarded within ninety (90) days.

Security measures

We protect personal data using TLS (HTTPS) in transit, HTTP-only Secure cookies for sessions, server-side cryptographic verification of authentication credentials, parameterised database queries, role-based access controls, magic-byte validation of uploads, and standard operating-system hardening. We do not warrant that these measures are sufficient against every possible threat.

Breach notification

If we become aware of a personal data breach likely to result in serious harm to affected individuals, we will notify those individuals and, where required, the Office of the Australian Information Commissioner, in accordance with the Notifiable Data Breaches scheme. Where the GDPR or UK GDPR applies, we will notify the relevant supervisory authority within seventy-two (72) hours where required.

Data subject requests

You may request access to, correction of, export of, or deletion of your personal data by contacting the operator at the address above. We will respond within thirty (30) days. We may need to verify your identity before acting on a request.

Changes

We may update this page as our processing practices change. Material changes will be communicated through the service.

image.sh — self-hosted image sharing