Privacy Policy
Last updated: 19 March 2026. This Policy describes how Exportlab collects, uses, and protects your information.
Introduction
Exportlab ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use our Service.
Controller Information: Exportlab, Munich, Germany, is the data controller for information we collect directly. When customers upload personal data about others (for example, clients or individuals depicted in photos), the customer is the controller and Exportlab acts as a data processor under the customer's instructions.
By using Exportlab, you agree to the practices described here. If you do not agree, please do not use the Service. We may update this Policy periodically; the date above reflects the latest revision.
1. Categories of Personal Data We Collect
We collect the following categories of personal data to provide and improve the Service:
- Account and Registration Data: Name, email address, tenant identifier, organization details, and onboarding preferences you provide.
- Authentication Data: Login credentials and security data managed by AWS Cognito, plus identity provider data (Google or Apple) when you choose those methods.
- Profile and Settings: Optional profile details, branding assets, configuration settings, and integration identifiers such as Google Analytics tracking IDs.
- Content and Uploads: Photos, videos, and other media you upload, together with metadata such as titles, descriptions, tags, technical specs, and AI-generated metadata where you enable AI features.
- Third-Party Personal Data in Content: Personal data of individuals depicted in your content (for example, clients, models, guests, or employees).
- Client Portal Data: Client names, email addresses, and access credentials for client users invited by account holders.
- Guest Uploader Data: Guest email addresses (when verification is enabled) and guest-uploaded content submitted via public upload forms.
- Biometric Data (Optional): Face embeddings generated by AWS Rekognition when you activate face recognition.
- Usage and Device Data: Log data such as IP address, browser type, device identifiers, timestamps, pages visited, and actions taken.
- Communications and Support: Support requests, feedback, and communications with Exportlab, including any attachments you send.
- Billing Data: Billing name, billing address where required, and payment method details processed by Stripe. We receive limited references such as the last four digits and your Stripe customer ID.
We do not intentionally collect special categories of personal data unless you or your users upload it as part of your content or explicitly enable biometric features.
2. Biometric Data and Face Recognition
Face recognition is an optional feature. If enabled, AWS Rekognition creates biometric identifiers (face embeddings) from photos you upload.
Biometric data is processed only with explicit consent and retained until you delete it or close your account.
You are responsible for obtaining all required consents and notices from individuals depicted in your photos, including compliance with applicable biometric laws (for example, GDPR Article 9 and similar laws).
We do not sell biometric data. You may request deletion of biometric data by contacting hey@exportlab.io or by deactivating face recognition within the Service.
3. AI Processing
AI features are user-initiated. When you enable AI indexing, the Service sends image content and related metadata to third-party AI providers (including OpenAI and AWS) to generate captions, keywords, categories, and other metadata.
AI-generated metadata is stored in the Service to support search and organization. You can delete AI-derived metadata by deleting the related gallery or requesting deletion.
Exportlab may provide an AI assistant for trial or plan recommendations. Conversations are stored temporarily (up to 30 days) for operational purposes.
If you do not enable AI features, your content will not be sent to these AI providers.
4. How We Use Personal Data
We use personal data to:
- Provide and maintain the Service, including processing uploads, enabling collaboration, and delivering media.
- Operate AI features, face recognition (when enabled), and related search and organization tools.
- Manage accounts, authenticate users, and enforce subscription limits and usage policies.
- Process payments and subscriptions, send invoices, and manage renewals.
- Provide support, respond to inquiries, and communicate about the Service.
- Secure and improve the Service, including audit logging, fraud prevention, and troubleshooting.
- Comply with applicable laws and respond to lawful requests.
5. Legal Bases for Processing (GDPR)
Where GDPR applies, we process personal data on the following legal bases:
- Contract Performance: Providing the Service, managing accounts, delivering content, and processing payments.
- Consent: AI indexing, face recognition (biometric data), marketing communications, and optional analytics or integrations where required.
- Legitimate Interests: Service security, audit logging, fraud prevention, product improvement, and maintaining email deliverability. You may object to this processing as described below.
- Legal Obligation: Compliance with legal, tax, and regulatory requirements.
6. Sharing and Service Providers
We do not sell or rent personal data. We share data only with trusted service providers and as required to operate the Service:
- AWS (eu-central-1, Frankfurt): Hosting, storage, databases, content delivery (CloudFront), WebSocket connectivity, queues, and operational services.
- AWS Rekognition: Optional face recognition and image analysis (biometric data) when you enable those features.
- AWS Cognito: Authentication and identity management, including password and MFA handling.
- OpenAI: Optional AI processing for image indexing and AI assistant conversations.
- Stripe: Payment processing, billing, and subscription management.
- AWS SES: Transactional email delivery for invitations, confirmations, and service notices.
- Google Analytics: Only when you enable analytics for your gallery; not enabled by default on the main app.
- OAuth Providers: Google and Apple for optional single sign-on.
Where required for international transfers, we rely on appropriate safeguards such as Standard Contractual Clauses.
7. International Data Transfers
Exportlab is based in the European Union and stores data primarily in the EU. Some service providers may process data outside the EU (for example, in the United States).
When data is transferred internationally, we use lawful transfer mechanisms such as Standard Contractual Clauses or other valid safeguards, and we monitor legal developments to maintain compliance.
8. Cookies and Local Storage
Exportlab does not store authentication tokens in cookies. Authentication tokens are stored in localStorage to avoid cookie size limitations.
We use short-term in-memory session caches and localStorage entries to keep you signed in and preserve settings.
If you enable Google Analytics on your gallery, standard analytics cookies may be set by Google on that gallery domain.
9. Personal Data of Third Parties in Uploaded Content
When you upload content that includes images of other people, you act as the data controller for that personal data and Exportlab acts as your processor.
You are responsible for obtaining all required consents and providing any required notices to those individuals, especially when enabling AI indexing or face recognition.
Exportlab does not use personal data in uploaded content for its own purposes beyond providing the Service.
10. Guest Uploaders
Guest upload events may collect guest email addresses for verification and confirmation.
Guest emails are used only for transactional communications and are processed on behalf of the account holder.
Guests may request deletion of their email address by contacting hey@exportlab.io.
11. Client Portal Users
Client Portal users are registered by account holders. Exportlab processes client data as a processor on behalf of the account holder.
Clients should direct privacy requests to the account holder. Exportlab will assist where required or directed by the account holder.
12. Team Collaboration and Messaging
Team messages and collaboration data are stored on Exportlab servers and may be accessible by team administrators.
Messages are retained until deleted or the account is closed. We do not provide end-to-end encryption for team messages.
13. Audit Logging
Exportlab maintains audit logs for security, compliance, and troubleshooting. Logs may contain user identifiers, email addresses, actions performed, and timestamps.
Audit logs are retained for up to 365 days and are accessible by authorized tenant administrators and Exportlab support for troubleshooting.
14. Email Suppression List
To maintain deliverability and prevent abuse, Exportlab maintains an email suppression list for addresses that hard-bounce, repeatedly soft-bounce, or generate spam complaints.
Suppressed addresses will not receive further emails. Users may request removal by contacting hey@exportlab.io.
15. Automated Decision-Making
Exportlab does not perform automated decision-making that produces legal or similarly significant effects. Trial and plan enforcement may be automated based on objective criteria such as time elapsed or usage limits.
You may contact support to dispute or request review of automated trial or plan restrictions.
16. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy or to comply with legal obligations.
- Account Data: Retained while your account is active and for a limited period after deletion for legal or billing purposes.
- Uploaded Content: Stored until you delete it or close your account. Deleted content is removed from active systems and later purged from backups.
- Biometric Data: Retained until you delete it or deactivate face recognition.
- AI Assistant Sessions: Stored temporarily (up to 30 days).
- WebSocket Connection Data: Stored temporarily (up to 24 hours).
- Audit Logs: Retained for up to 365 days for security and compliance.
- Billing Records: Retained for legally required periods (typically 7 to 10 years).
17. Data Security
We implement technical and organizational measures to safeguard your data:
- Encryption: TLS/HTTPS protects data in transit, and AWS encryption protects data at rest.
- Access Controls: Only authorized personnel can access production systems, following need-to-know principles with logging and key management.
- Secure Development: We review code, patch dependencies, and store secrets securely outside of source code.
- Monitoring and Incident Response: We monitor for vulnerabilities and maintain procedures to investigate and notify you of incidents when legally required.
- User Responsibilities: You must maintain the confidentiality of your credentials, enable strong authentication, and notify us of suspected compromise.
18. Your Rights and Choices
Depending on your jurisdiction, you may have rights such as access, portability, correction, deletion, restriction, objection, and withdrawal of consent.
For GDPR requests, you may contact hey@exportlab.io. We will respond within 30 days unless a longer period is permitted by law.
Where processing is based on legitimate interests, you have the right to object. We will assess your objection and cease processing unless we demonstrate compelling legitimate grounds.
Data portability requests include account profile data, billing history, and metadata associated with your content. Media files can be downloaded directly from the Service. Some data (for example, face embeddings) may not be portable in a commonly usable format.
19. Children's Privacy
The Service is not intended for children under 13 (or under 16 where applicable). We do not knowingly collect data from children without verifiable parental consent.
Account holders are responsible for ensuring they do not invite or upload content involving minors in violation of applicable laws.
20. Changes to this Privacy Policy
We may update this Policy periodically to reflect changes in practices, technologies, or legal requirements. When we do, we will revise the 'Last updated' date and, if changes are material, provide prominent notice via email or within the Service.
21. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or your personal data, contact Exportlab - Privacy Office at hey@exportlab.io, Exportlab, Attn: Privacy, Adelgundenstrasse 1, 80538 Munich, Germany. EU and UK users may also lodge a complaint with their local supervisory authority (for example, BayLDA in Bavaria) if concerns remain unresolved.