Privacy Policy
Last updated: 20 April 2026
1. Data Controller
This website is operated by Kadár Mózes Persoană Fizică Autorizată (PFA), registered in Romania.
We act as the data controller for personal data processed through this website, in accordance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679).
2. What Data We Collect
2.1 Images You Upload
- We temporarily store the images you upload solely to process (compress/convert) them.
- Images are automatically and permanently deleted from our servers immediately after you download the processed files, or within 2 hours of upload — whichever comes first.
- We do not view, analyze, copy, share, or use your images for any purpose other than the requested processing.
- We do not train any AI or machine learning models on your images.
2.2 Payment Data
- Payments are processed entirely by Stripe, Inc. (our third-party payment processor).
- We never receive, store, or have access to your full credit card number, CVV, or banking details.
- Stripe may share with us: your email address, the last 4 digits of your card, payment amount, and transaction status.
- Stripe's own privacy policy applies to data they collect: stripe.com/privacy.
2.3 Technical / Server Data
- IP address — used for security, abuse prevention, and to enforce the daily free-tier usage limit (max 5 free images per IP per day). IP-based usage counts are stored in server memory only (not on disk) and reset automatically every 24 hours and whenever the server restarts.
- Browser user agent, referrer — standard HTTP request headers, recorded in server access logs.
- Server logs are retained for a maximum of 30 days and then automatically deleted.
2.4 Browser Fingerprint
- To prevent abuse of the free tier, we generate a browser fingerprint — a short hash derived from publicly available browser properties: user agent string, screen resolution, colour depth, timezone offset, hardware concurrency, maximum touch points, and a canvas rendering test.
- The resulting hash is a short, non-reversible identifier (e.g.,
fp_a1b2c3). It cannot be used to reconstruct the original browser properties or identify you personally.
- The fingerprint is sent to our server solely to track daily free-tier usage alongside your IP address. It is stored in server memory only (never written to disk), is associated with no personal data, and is automatically purged every 24 hours and on every server restart.
- We do not use this fingerprint for advertising, cross-site tracking, profiling, or any purpose other than enforcing the daily free-image limit.
- Legal basis: Legitimate interest (GDPR Art. 6(1)(f)) — preventing abuse and ensuring fair use of the free tier.
2.5 Analytics
- We use Plausible Analytics, a privacy-focused, EU-hosted analytics service.
- Plausible does not use cookies, does not collect personal data, and does not track users across websites.
- Plausible collects only aggregate, anonymous data: page views, referrer sources, country (from IP, which is immediately discarded), browser type, and device type. No individual user profiles are created.
- Plausible is compliant with GDPR, CCPA, and PECR without requiring cookie consent. See Plausible's data policy.
2.6 Cookies
We use no tracking cookies, no analytics cookies, and no advertising cookies. See our Cookie Policy for details.
3. Legal Basis for Processing (GDPR Art. 6)
| Data | Legal Basis |
|---|
| Uploaded images | Contract performance (Art. 6(1)(b)) — necessary to provide the service you requested. |
| Payment data (via Stripe) | Contract performance (Art. 6(1)(b)) — necessary to process your purchase. |
| Server logs / IP address | Legitimate interest (Art. 6(1)(f)) — security, abuse prevention, and maintaining service availability. |
| IP address for free-tier limit | Legitimate interest (Art. 6(1)(f)) — preventing abuse and ensuring fair access to the free tier. |
| Browser fingerprint hash | Legitimate interest (Art. 6(1)(f)) — preventing circumvention of the daily free-image limit. |
| Plausible Analytics (aggregate) | Legitimate interest (Art. 6(1)(f)) — understanding site usage to improve the service. No personal data is collected. |
4. Data Retention
- Uploaded/processed images: Deleted immediately after download or within 2 hours — whichever is sooner.
- IP-based usage counts: In-memory only. Reset every 24 hours and on server restart. Never stored on disk.
- Browser fingerprint hashes: In-memory only. Reset every 24 hours and on server restart. Never stored on disk.
- Server logs: Maximum 30 days.
- Plausible Analytics data: Retained by Plausible under their data retention policy. We have no access to individual-level data.
- Payment records: Retained as required by Romanian fiscal law (typically 10 years for accounting records).
5. Data Sharing
We do not sell, rent, or share your personal data with any third party, except:
- Stripe, Inc. — for payment processing (data processor, under GDPR requirements).
- Plausible Analytics — for anonymous, aggregate website analytics. Plausible is an EU-based company and does not receive any personal data. See Plausible's data policy.
- Hosting provider — our servers are hosted in the EU. The provider acts as a data processor under a Data Processing Agreement (DPA).
- Legal obligations — if required by Romanian or EU law, court order, or regulatory authority.
6. International Transfers
Stripe is a US-based company. Data transfers to the US are covered by Stripe's compliance with the EU-US Data Privacy Framework. No other international transfers occur.
7. Your Rights (GDPR)
As an EU resident, you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Restriction — restrict processing in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interest.
- Complaint — file a complaint with the Romanian data protection authority (ANSPDCP) at www.dataprotection.ro.
To exercise any of these rights, contact us at contact@imgsqueeze.com.
8. Security
- All data is transmitted over HTTPS (TLS encryption).
- Uploaded files are stored in isolated session directories with randomized (UUID) names.
- Files are deleted immediately after download or within 2 hours.
- Our server runs with minimal privileges (non-root user in a containerized environment).
9. Children
This service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact us for immediate deletion.
10. Changes to This Policy
We may update this policy from time to time. The "last updated" date at the top will reflect changes. Continued use of the service after changes constitutes acceptance.
11. Contact
For any privacy-related questions or requests: