Privacy Policy
Last updated: January 2025
Data Controller
The data controller responsible for your personal data is:
- Business Name: ImageMerger.io
- Address: PO BOX 1539, NR13 5US
- Email: privacy@imagemerger.io
We are not required to appoint a Data Protection Officer (DPO) as we are a small organisation and do not process special category data at scale.
This policy explains how we collect, use, and safeguard your information when you use our website and services at imagemerger.io.
1. Information We Collect
Account Information
When you create an account, we collect:
- Email address (via Google or GitHub authentication)
- Name and profile picture (from your authentication provider)
- Account identifiers from authentication providers
Payment Information
Payment processing is handled by Stripe. We do not store your full card details. We receive and store transaction records including purchase amount, date, and a reference to your Stripe customer ID.
Usage Information
We collect information about how you use our service:
- Images you upload for processing (temporarily stored during generation)
- Generated images and associated metadata
- Credit balance and usage history
- Feature usage and interaction data
Technical Information
We automatically collect:
- IP address and approximate location
- Browser type and version
- Device information
- Pages visited and actions taken (via analytics)
2. How We Use Your Information
We use your information to:
- Provide and improve our image generation service
- Process payments and manage your credit balance
- Send service-related communications
- Respond to support requests
- Analyse usage to improve our service
- Prevent fraud and abuse
- Comply with legal obligations
3. Legal Basis for Processing (UK GDPR)
We process your data under the following legal bases:
- Contract: To provide services you've purchased
- Legitimate Interest: To improve our service and prevent fraud
- Consent: For analytics cookies (you can withdraw anytime)
- Legal Obligation: To comply with tax and accounting requirements
4. Data Sharing
We share data with the following third parties:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google (Auth) | Authentication | OAuth tokens |
| GitHub (Auth) | Authentication | OAuth tokens |
| Stripe | Payment processing | Payment details, email |
| Google Analytics | Usage analytics | Anonymised usage data |
| Google reCAPTCHA | Fraud prevention | Interaction data |
We do not sell your personal data to third parties.
5. International Transfers
Some of our service providers are based outside the UK/EEA. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
6. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account deletion request
- Uploaded images: Deleted within 24 hours of processing
- Generated images: Retained until you delete them or close your account
- Payment records: Retained for 7 years for tax compliance
- Analytics data: Aggregated and anonymised after 26 months
7. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Limit how we process your data
- Portability: Receive your data in a portable format
- Object: Object to processing based on legitimate interest
- Withdraw Consent: Withdraw consent for analytics cookies at any time
To exercise these rights, contact us at privacy@imagemerger.io. We will respond within 30 days.
8. Cookies
We use the following cookies:
Essential Cookies
Required for the website to function. Cannot be disabled.
- Session authentication
- Security tokens (CSRF protection)
- Cookie consent preferences
Analytics Cookies (Optional)
Used to understand how visitors use our site. Requires your consent.
- Google Analytics (_ga, _gid)
You can change your cookie preferences at any time using the "Cookie Settings" link in the footer.
9. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS), secure authentication, and access controls.
10. Automated Decision-Making
Our service uses artificial intelligence to generate product images. This processing:
- Does not make decisions that have legal or similarly significant effects on you
- Is used solely to provide the image generation service you requested
- Does not profile you or make automated decisions about your access to services
Fraud prevention via Google reCAPTCHA involves automated risk scoring, but this does not result in decisions with legal effects - it only helps prevent automated abuse of our service.
11. Children
Our service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes by email or by posting a notice on our website.
13. Contact Us
For privacy-related questions or to exercise your rights:
- Email: privacy@imagemerger.io
14. Complaints
If you're not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113