PicGlobe

1. Who We Are

PicGlobe is operated by WEBXO TECH LTD, a company registered in England and Wales (Company Number: 17178615). Our registered address is 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK.

We are registered with the Information Commissioner's Office (ICO) as a data controller (Registration Number: ZB123456).

2. Data We Collect

When you upload images (no account required - Guest users):

• IP address (retained for a maximum of 30 days per UK GDPR requirements)
• Upload timestamp and date
• File metadata (original name, size, MIME type, dimensions when available)
• Expiry preference selected (1 hour, 1 day, 1 week, 1 month, 1 year, or forever)
• User-Agent (browser/device information for analytics and security)

When you create an account (Registered users - Free and Premium):

• Email address (required for authentication and notifications)
• Name (optional, for personalisation)
• Password (hashed using PBKDF2 with 100,000 iterations — we never store plain text)
• Account creation timestamp
• Upload history and account preferences
• OAuth provider information if signing in with Google (provider ID, email)

When you subscribe to Premium (Payment processing):

• Billing information (processed securely by Stripe — we do not store full card details)
• Subscription status and history
• Payment receipts (retained for 7 years as required by UK law)

3. How We Use Your Data

• To provide, maintain, and improve the image hosting service
• To prevent abuse, spam, illegal content, and CSAM (zero tolerance policy)
• To process subscription payments (Premium users via Stripe)
• To comply with legal obligations under UK law (including ICO requirements)
• To send service-related communications (no marketing without explicit consent)
• To analyse usage patterns and improve performance (anonymised data only)
• To respond to support requests and legal enquiries (DMCA, abuse reports)

4. Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following lawful bases:

• Contract (Article 6(1)(b)): Processing necessary to provide the service you requested, including image uploads and account management
• Legitimate Interests (Article 6(1)(f)): Security monitoring, abuse prevention, fraud detection, and service improvement
• Legal Obligation (Article 6(1)(c)): Compliance with UK law, ICO requirements, and court orders
• Consent (Article 6(1)(a)): Marketing communications and optional data collection (where applicable)

5. Data Retention Periods

• IP addresses (guest uploads): Maximum 30 days (required for security and abuse prevention)
• Anonymous upload metadata: 90 days (for analytics and trend analysis)
• Registered user account data: Duration of account + 30 days after deletion request
• Payment records: 7 years (UK legal requirement for financial records)
• Images: Per expiry setting chosen at upload (or indefinitely if "Forever")
• Audit logs: 30 days (for security incident investigation)
• Email verification codes: 10 minutes (automatically deleted after expiry)
• Refresh tokens: 7 days (automatically revoked after expiry or logout)

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data under Articles 15-22 of the UK GDPR:

• Right of Access (Article 15): Request a copy of your data (Subject Access Request - SAR) Free of charge
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
• Right to Rectification (Article 16): Correct inaccurate or incomplete data
• Right to Portability (Article 20): Receive your data in a machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests
• Right to Restrict Processing (Article 18): Limit how we use your data
• Rights related to automated decision-making (Article 22): We do not use automated decision-making that significantly affects you

7. Cookies and Tracking Technologies

We use essential cookies only to maintain your session and preferences. We do not use tracking or advertising cookies without your explicit consent. Types of cookies we use:

• Session cookies: Maintain your login state (deleted when you close your browser)
• Preference cookies: Remember language and UI preferences (persistent, up to 1 year)
• Security cookies: CSRF protection tokens (session-based)

You can manage cookies in your browser settings. Disabling essential cookies may affect service functionality.

8. Third-Party Services and Data Processors

We use the following third-party services (Data Processors), all of which comply with UK GDPR through Data Processing Agreements (DPAs):

• Cloudflare (R2, CDN, DDoS Protection): Image storage, content delivery, and security — Privacy Policy Located: Global (EU/US)
• Cloudflare D1: Database storage for user accounts and metadata Located: EU
• Stripe: Payment processing (Premium subscriptions) — Privacy Policy Located: EU (Ireland)
• Vercel: Website hosting and frontend delivery — Privacy Policy Located: Global (EU/US)
• Resend: Email delivery service (verification codes, notifications) — Privacy Policy Located: EU
• Google OAuth: Social login (optional) — Privacy Policy Located: Global

All processors are bound by Standard Contractual Clauses (SCCs) approved by the ICO for international data transfers.

9. International Data Transfers

Your data may be processed on servers located outside the United Kingdom, including the European Union and the United States. When this occurs, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) as approved by the ICO
• Data Processing Agreements (DPAs) with all third-party processors
• UK Extension to the EU-US Data Privacy Framework where applicable

10. Data Security

We implement industry-standard security measures to protect your data:

• Encryption at rest: All data stored in D1 and R2 is encrypted using AES-256
• Encryption in transit: TLS 1.3 for all data transmission
• Password hashing: PBKDF2 with 100,000 iterations and SHA-512
• Rate limiting: Protection against brute force and DDoS attacks
• Audit logging: All security events are logged and monitored
• Regular security reviews: Code audits and penetration testing
• Bug Bounty Program: Security researchers can report vulnerabilities to security@webxo.tech

11. Children's Privacy

PicGlobe is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us immediately at privacy@webxo.tech.

12. Making a Complaint

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:

We would appreciate the opportunity to address your concerns before you contact the ICO. Please contact us first at privacy@webxo.tech.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via:

• Email notification to registered users (30 days in advance where possible)
• Notice on our website (banner or popup)
• Updated "Last updated" date at the top of this page

Continued use of PicGlobe after changes constitutes acceptance of the updated policy.

14. Contact Us