Privacy Policy

Version v0.2 (draft) · Effective date: to be announced · Data controller: MiniPic (minipic.ai)

This is a draft and must be reviewed by counsel before going live; the published version prevails. This Privacy Policy explains how MiniPic (“we”, “us”, the “data controller”) collects, uses, stores and protects your personal data, and your rights under the EU General Data Protection Regulation (GDPR) and comparable laws. Please read it carefully, in particular the bold sections. If you do not agree, do not use the Service.

1. Who we are

MiniPic operates the online image compression service at minipic.ai. For the purposes of the GDPR, we are the controller of the personal data described in this policy. You can reach us about any privacy matter at [email protected].

2. What data we collect

We practise data minimisation and collect only what is necessary to provide and protect the Service:

Anonymous use (no sign-up): to prevent abuse and keep the Service available, we process a device fingerprint (an identifier derived from browser and device characteristics) and your IP address. This is used only for anti-abuse and rate limiting, not to identify you personally.
Account data: when you create an account we collect your email address, used to create the account, verify sign-in (one-time codes) and send essential service messages.
Images you upload: to perform the compression you request, we temporarily receive and store your image files (see section 3).
Usage and metering data: task metadata (such as file format, original and compressed size, savings ratio, processing time) and API metering data, used to show your results and to meter and bill usage. This metadata does not contain the visual content of your images.
Logs: for security and compliance we keep access, operation and content-screening logs. We retain behavioural logs and screening labels, not the visual content of your images.

3. How we handle your images

Your uploaded images are used only for the compression you request and for automated safety screening. They are encrypted in transit and at rest, results are returned over a private link only you can access, and images are permanently deleted within 24 hours after processing. We never use your images for model training, analytics, sharing with third parties, or any other purpose.

To meet our legal obligations we run automated safety screening on uploads. Content detected as unlawful is blocked and deleted immediately; the related screening record (not the image content itself) may be retained as required by law.

4. Why we process your data (lawful bases)

Under Article 6 GDPR we rely on the following lawful bases:

Performance of a contract (Art. 6(1)(b)) — to provide compression, deliver results, manage your account and meter usage;
Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent abuse and apply rate limits, balanced against your rights;
Legal obligation (Art. 6(1)(c)) — to run safety screening and retain certain records where required by law;
Consent (Art. 6(1)(a)) — for any non-essential cookies and for any use beyond the purposes above, which you may withdraw at any time.

5. Service providers and sharing

We use carefully selected processors to deliver parts of the Service, acting on our instructions under a data processing agreement that requires them to process data only for the agreed purpose and to keep it secure. These include:

Cloud hosting and storage providers — temporary image storage and result delivery;
Content-safety providers — automated screening of uploaded images;
Email providers — sending sign-in codes and essential service messages;
Payment providers — processing transactions and invoicing when you purchase a paid plan.

We do not sell your personal data, and we do not share it with other third parties except as required by law or with your consent.

6. International transfers

We host the international service on infrastructure that may be located outside your country. Where personal data is transferred outside the European Economic Area, we rely on an adequacy decision or appropriate safeguards such as the European Commission’s Standard Contractual Clauses, and apply additional measures where needed. You may contact us for more information about the safeguards in place.

7. Data retention

Uploaded images: permanently deleted within 24 hours after processing;
Security and screening logs: retained only as long as necessary, and as required by applicable law;
Account data: kept while you use the Service, then handled as described in “Your rights” below;
Other data: kept for the shortest period necessary to achieve the purpose, unless a longer period is required by law.

We use cookies and browser local storage that are strictly necessary to keep you signed in, remember your preferences (such as theme and output format) and protect security. We do not use cookies for cross-site advertising tracking. You can manage or clear this data through your browser settings, though some features may then stop working.

9. Your rights

Subject to applicable law, you have the following rights over your personal data:

Access: obtain confirmation of processing and a copy of your data;
Rectification: correct inaccurate, or complete incomplete, data;
Erasure: request deletion of your data (“right to be forgotten”) where the legal conditions are met;
Restriction and objection: restrict, or object to, processing in certain circumstances;
Data portability: receive your data in a structured, commonly used, machine-readable format;
Withdraw consent: withdraw any consent at any time, without affecting prior processing;
Close your account: request account closure from your account settings or by contacting us; we will then delete or anonymise your personal data, except where the law requires us to retain it.

To exercise these rights, use your account settings or email [email protected]; we will respond within the period required by law. You also have the right to lodge a complaint with your local data protection supervisory authority.

10. Security and breach response

We maintain technical and organisational measures — including encryption in transit and at rest, access controls and least-privilege access — together with an incident response plan. In the event of a personal data breach, we will notify the competent supervisory authority and, where required, affected individuals, in line with Articles 33 and 34 GDPR.

11. Children

The Service is intended for adults and is not directed at children. We do not knowingly collect personal data from children below the age of digital consent. If we learn that we have collected such data without the required consent, we will delete it promptly.

12. Changes to this policy

We may update this policy from time to time. We will notify you through an on-site notice or other appropriate means and update the version number and effective date at the top of this page. For changes that materially affect your rights, we will give more prominent notice. Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

13. Contact us

For any question, request or complaint about this policy or our handling of your personal data, email us at [email protected]. We will respond as soon as possible.