PhotoBuns
Pro
CompressConvertResizeUpscaleRemove BGSocial Export

Privacy Policy

Last updated: March 16, 2026 (v1.1)

Data Controller

PhotoBuns is operated by Gary Hua. For questions about this policy or your data, contact hello@photobuns.com.

Your Images Stay Private

PhotoBuns processes all images entirely in your browser. Your images are never uploaded to our servers, stored, or transmitted. All compression, conversion, resizing, upscaling, background removal, and social export processing happens client-side using your device's hardware.

What We Collect & Legal Basis

  • Authentication data: If you sign in with Google, we receive your name, email address, and profile picture from Google OAuth. This is used solely to identify your account and manage your subscription.
    Legal basis: Contract performance (providing the service you signed up for).
  • Payment data: Payments are processed by Stripe. We do not store credit card numbers. Stripe may collect data as described in their privacy policy.
    Legal basis: Contract performance (processing your purchase).
  • Usage counts: We track the number of images processed per day in your browser's localStorage to enforce the free tier limit. This data never leaves your device.
    Legal basis: Not applicable — data stays on your device and is never transmitted to us.

What We Do NOT Collect

  • Your images or image content
  • Image metadata (EXIF data, location, etc.)
  • Browsing history or tracking cookies
  • Device fingerprints
  • Analytics or behavioral data

We do not sell, share, or rent your personal information to anyone.

Cookies & Browser Storage

  • Session cookie: Auth.js sets a secure, HTTP-only session cookie (__Secure-next-auth.session-token) when you sign in. This is essential for authentication and cannot be disabled while logged in.
  • localStorage: Used to store your daily usage count and subscription status. This data never leaves your browser.

We do not use any analytics, advertising, or tracking cookies.

Third-Party Services

Data Retention

We retain your Google OAuth account data (name, email, profile picture) for as long as your account exists. Payment records are retained by Stripe per their policies and applicable financial regulations. If you delete your account, we will remove your authentication data within 30 days.

Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your account and associated data.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing of your data.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

CCPA (California): We do not sell or share your personal information. You have the right to know what data we collect, request deletion, and opt out of any sale (though we do not sell data). We honor Global Privacy Control (GPC) signals.

GDPR (EU/EEA): You have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, email hello@photobuns.com.

International Data Transfers

PhotoBuns is hosted on Vercel, which may process data in the United States. If you are accessing our service from outside the US, your authentication data may be transferred to and processed in the US. Your images are never transferred — they remain on your device.

Children's Privacy

PhotoBuns is not directed at children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Changes to This Policy

We may update this policy from time to time. Material changes will be posted on this page with an updated date and version number. Continued use of PhotoBuns after changes constitutes acceptance of the revised policy.

Contact

Questions about this policy? Email us at hello@photobuns.com.