Last updated: 19 June 2026
This Privacy Policy explains how Exportlab collects, uses, stores, shares, and protects personal data when you use Exportlab or when personal data is processed through Exportlab on behalf of an Exportlab customer.
This Policy applies to the Exportlab web app, websites, public pages, client portals, guest upload features, asset collection forms, status pages, model release workflows, team collaboration features, APIs, plugins, integrations, AI features, face recognition features, billing features, support interactions, and related services (together, the "Service").
1. Controller information
For personal data that Exportlab processes for its own purposes, the controller is:
Exportlab
Adelgundenstrasse 1
80538 Munich
Germany
Email: hey@exportlab.io
2. Our role as controller and processor
Exportlab processes personal data in different roles.
Exportlab acts as controller where we determine the purposes and means of processing, including account registration, authentication, billing, customer support, security, abuse prevention, service communications, product operations, legal compliance, and our own business administration.
Exportlab usually acts as processor where customers use the Service to upload, collect, manage, share, review, publish, or deliver personal data of other people. This may include personal data in photos, videos, files, galleries, guest uploads, asset collection forms, client portals, public profiles, status pages, review comments, team messages, model releases, signature workflows, group shoot workflows, API workflows, and integrations.
If you are a client, guest, model, signer, participant, employee, contractor, visitor, gallery viewer, public page visitor, or other end user interacting with an Exportlab workspace controlled by an Exportlab customer, the customer is usually the controller of your personal data. In that case, privacy requests should generally be directed to that customer. Exportlab will support the customer as required by law and contract.
Where required, Exportlab makes a Data Processing Addendum ("DPA") available to business customers.
3. Personal data we process
Depending on how the Service is used, we may process the following categories of personal data.
Account and workspace data
Name, email address, company or organization name, workspace or tenant identifier, role, permissions, onboarding information, plan information, profile information, and account settings.
Authentication and security data
Login information, authentication provider identifiers, Google or Apple sign-in data if you use those providers, session data, MFA or 2FA data where enabled, security events, access logs, IP addresses, user agents, device information, timestamps, and abuse prevention signals.
Profile, branding, and configuration data
Branding assets, public profile settings, portfolio information, pricing information, references, testimonials, social links, domain settings, gallery settings, workflow settings, integration identifiers, analytics identifiers, and other configuration data.
Media, content, and project data
Photos, videos, files, thumbnails, previews, transcodes, HLS assets, ZIP files, galleries, folders, titles, descriptions, tags, technical metadata such as EXIF, IPTC, or XMP data, comments, annotations, review decisions, approvals, versions, delivery history, download events, and project information.
AI-related data
Content, metadata, prompts, generated captions, keywords, classifications, categories, summaries, scene descriptions, assistant interactions, and AI-generated metadata where you enable or use AI features.
Biometric data
Face embeddings, biometric templates, or similar identifiers generated when optional face recognition is activated.
Client portal data
Client names, email addresses, login details, access permissions, shared content, project history, portal activity, and related communication or access logs.
Guest upload and asset collection data
Guest email addresses where collected, submitted files, submitted media, form answers, messages, upload logs, verification events, confirmation events, and event-related metadata.
Public profile and lead data
Contact requests, form submissions, names, email addresses, messages, timestamps, browser and device data, referrers, profile interactions, and associations with projects, contracts, or customer relationships.
Status page data
Status page subscriptions, subscriber email addresses, project references, notification preferences, notification delivery events, and related timestamps.
Model release and signature data
Names, contact details, role information, release scope, permitted usage, territory, duration, guardian or legal representative details where relevant, signature images, timestamps, IP addresses, device information, document versions, audit trail events, and related attachments.
Group shoot and check-in data
Participant data, guest or employee identifiers, form fields, check-in status, package or favorite information, shooting day information, statistics, API references, and associations with galleries or projects.
Integration, plugin, API, and webhook data
API keys or references, access scopes, webhook events, plugin versions, integration settings, connected account identifiers, upload status, delivery status, error logs, compatibility information, request metadata, and data exchanged with connected third-party services where an integration is activated.
Usage, device, and operational data
IP address, browser type, device type, operating system, pages visited, actions taken, timestamps, referrer, approximate location derived from technical data, storage usage, bandwidth usage, processing logs, WebSocket connection data, audit logs, and system events.
Communications and support data
Support requests, emails, chat messages with support, feedback, attachments, bug reports, abuse reports, and other communications with Exportlab.
Billing data
Billing name, billing address, tax information, plan, subscription status, invoice information, payment status, Stripe customer ID, and limited payment method references such as the last four digits of a card where provided by the payment processor. Full payment details are processed by Stripe or the relevant payment provider.
4. Special categories of personal data
Exportlab does not intentionally collect special categories of personal data for its own purposes unless this is necessary for a feature you activate or content you upload.
Special categories of personal data may be included in customer content, such as photos, videos, forms, model releases, or biometric features. Where Exportlab processes such data as processor, the customer is responsible for ensuring that a valid legal basis exists.
Biometric data used for unique identification is subject to special legal requirements. You must only enable face recognition where all required notices, consents, and legal bases have been obtained.
5. Purposes of processing
We process personal data to:
- provide, operate, maintain, and secure the Service;
- create and manage accounts, workspaces, plans, roles, and permissions;
- authenticate users and protect accounts;
- upload, store, process, transcode, preview, organize, share, review, and deliver media and files;
- operate galleries, client portals, guest uploads, asset collection forms, public profiles, status pages, model releases, team collaboration, group shoots, check-ins, and project workflows;
- provide AI features where enabled or requested;
- provide face recognition where enabled or requested;
- process payments, subscriptions, invoices, taxes, renewals, cancellations, credits, and add-ons;
- provide customer support and respond to inquiries;
- send transactional emails, invitations, confirmations, service notices, billing notices, status updates, and security alerts;
- operate APIs, plugins, webhooks, and integrations;
- monitor usage limits, storage limits, token balances, and fair use;
- detect, prevent, and investigate fraud, abuse, spam, security incidents, illegal content, and rights violations;
- troubleshoot errors, maintain logs, improve reliability, and develop the Service;
- comply with legal obligations and enforce legal rights.
6. Legal bases where Exportlab is controller
Where GDPR applies and Exportlab acts as controller, we rely on the following legal bases.
Contract performance
We process data where necessary to create accounts, provide the Service, manage subscriptions, deliver features, provide support, and perform our agreement with you.
Consent
We rely on consent where required, including for certain optional analytics, certain marketing communications, certain integrations, and certain AI or biometric processing contexts where Exportlab acts as controller and consent is required.
You may withdraw consent at any time with future effect.
Legitimate interests
We process data based on legitimate interests where appropriate, including service security, abuse prevention, fraud prevention, audit logging, troubleshooting, product improvement, legal defense, platform integrity, email deliverability, and business administration.
You may object to processing based on legitimate interests where the legal requirements are met.
Legal obligations
We process data where necessary to comply with legal, tax, accounting, regulatory, data protection, and law enforcement obligations.
7. Where Exportlab is processor
Where Exportlab acts as processor, we process personal data on behalf of and under the documented instructions of the customer. The customer is responsible for determining the purposes and legal basis of processing, providing required privacy notices, obtaining required consents, configuring access, responding to data subject requests, and deciding when data should be deleted.
Exportlab supports customers with these obligations as required by law and contract.
8. AI processing
AI features are optional and user-enabled or user-initiated.
When AI indexing or AI assistance is enabled, relevant content and metadata may be sent to third-party AI providers, including OpenAI and AWS, to generate captions, tags, keywords, classifications, summaries, descriptions, recommendations, assistant responses, or similar outputs.
AI-generated metadata may be stored in Exportlab to support search, filtering, discovery, organization, and workflow automation.
If AI features are not enabled or requested, we do not intentionally send your media to AI providers for those AI features.
AI outputs may be inaccurate or incomplete. Users are responsible for reviewing outputs before relying on them.
9. Face recognition and biometric data
Face recognition is optional.
If enabled, AWS Rekognition or a similar provider may process photos to generate face embeddings or comparable biometric templates. These are used to match faces across photos or projects.
Customers are responsible for obtaining all required notices, consents, and legal bases from individuals depicted in the content before enabling face recognition.
Biometric data is retained until the customer deletes it, disables the relevant feature, deletes the related content, or closes the account, unless a longer retention period is required or permitted by law.
Exportlab does not sell biometric data.
10. Public pages, visitors, and analytics
Customers may create public or semi-public Exportlab pages, including public profiles, galleries, status pages, delivery links, review links, guest upload links, asset collection links, or client portal resources.
When visitors interact with these pages, Exportlab may process technical data, access logs, form submissions, contact requests, download events, status subscriptions, and other interaction data.
Where those pages are operated by a customer for the customer's own purposes, the customer is usually the controller and Exportlab acts as processor. Exportlab may separately process technical, security, and operational data as controller where necessary to operate and protect the Service.
Public pages and public content may be indexed or cached by search engines or other third parties if made publicly available.
If customers activate analytics services, such as Google Analytics, additional data may be processed by that provider. Customers are responsible for configuring analytics lawfully and obtaining any required consent.
11. Model releases and signature workflows
Where customers use model release, document, form, or signature workflows, Exportlab may process the data entered into the document or generated by the workflow, including names, contact details, release scope, guardian details, signature images, timestamps, IP addresses, device information, document versions, and audit trail events.
This data is processed to generate, execute, document, store, retrieve, and manage the relevant workflow.
Exportlab does not provide legal advice and does not determine whether a specific document or signature is legally sufficient for a customer's intended use.
12. Group shoots, check-ins, forms, and asset collection
Where customers use group shoot, check-in, form, or asset collection features, Exportlab may process participant data, check-in information, form answers, uploaded content, accompanying messages, favorites, statistics, API references, HR import references, and project or gallery assignments.
This processing is used to technically provide, document, manage, and administer the relevant workflow. The customer is usually responsible for the purpose, lawfulness, necessity, and retention of that data.
13. Integrations, plugins, APIs, and webhooks
If you activate integrations, plugins, APIs, or webhooks, Exportlab may exchange data with the connected third-party service to provide the requested functionality.
This may include account identifiers, project identifiers, event data, upload status, comments, files, metadata, error logs, API request data, authentication data, and configuration information.
Third-party integrations may include creative software providers, automation platforms, messaging tools, analytics providers, authentication providers, payment providers, signature providers, or other services selected by you.
Third-party providers process data under their own terms and privacy policies where they act independently.
14. Cookies, local storage, and similar technologies
Exportlab may use cookies, localStorage, sessionStorage, in-memory storage, device storage, and similar technologies to provide authentication, session continuity, security, preferences, tenant routing, UI settings, uploads, real-time features, and other Service functionality.
Some storage or access may be strictly necessary to provide the Service requested by the user. Optional analytics, tracking, or marketing technologies are used only where enabled and where legally required consent has been obtained.
A separate Cookie Policy or consent interface may provide more detail about specific technologies, purposes, providers, and choices.
15. Service providers and recipients
We do not sell or rent personal data.
We may share personal data with trusted service providers and recipients where necessary to provide, secure, operate, support, or improve the Service, including:
- AWS, including services such as hosting, storage, databases, queues, content delivery, operational infrastructure, AWS Cognito, AWS SES, and AWS Rekognition where enabled;
- OpenAI and other AI providers where AI features are enabled;
- Stripe or other payment providers for billing and payment processing;
- Google and Apple for optional sign-in;
- Google Analytics or similar analytics providers where enabled;
- Slack, Microsoft Teams, Make, Zapier, or similar integration providers where enabled;
- email delivery, logging, monitoring, security, support, analytics, signature, or infrastructure providers;
- legal, tax, accounting, compliance, and professional advisors where necessary;
- authorities, courts, regulators, or law enforcement where required by law or necessary to protect rights, safety, and security.
16. International data transfers
Exportlab is based in the European Union and aims to store and process data primarily within the EU or EEA where reasonably possible.
Some providers or integrations may process data outside the European Economic Area, including in the United States. Where international transfers occur, we use lawful transfer mechanisms such as adequacy decisions, Standard Contractual Clauses, or other valid safeguards where required.
17. Data retention
We retain personal data only as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.
Typical retention periods include:
- Account and workspace data: retained while the account is active and for a limited period after closure where required for legal, billing, support, security, or dispute purposes.
- Uploaded content and metadata: retained until deleted by the customer, deleted through the Service, or the account is closed, subject to backup cycles and legal requirements.
- Client portal, guest upload, asset collection, public profile, status page, review, and group shoot data: retained until deleted by the customer, the relevant project ends, or the account is closed, subject to legal requirements.
- Model release and signature data: retained until deleted by the customer or until account closure, unless longer retention is required for legal, contractual, or defense purposes.
- Biometric data: retained until deleted, the feature is disabled, related content is deleted, or the account is closed, unless longer retention is required or permitted by law.
- AI assistant sessions: typically retained for up to 30 days for operational purposes unless otherwise stated.
- WebSocket and real-time connection data: typically retained temporarily, for example up to 24 hours, where needed for operation, security, or troubleshooting.
- Audit logs: typically retained for up to 365 days unless a longer period is required for security, compliance, or legal reasons.
- Billing and invoice records: retained for legally required periods, commonly 7 to 10 years depending on applicable law.
- Email suppression lists and abuse records: retained as long as necessary to maintain deliverability, prevent abuse, comply with legal obligations, or protect the Service.
Deleted data may remain in backups for a limited period until backup rotation or purge is completed.
18. Security
Exportlab uses technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure.
These measures may include TLS/HTTPS encryption in transit, encryption at rest through infrastructure providers, access controls, role-based permissions, tenant separation, signed URLs, secret management, audit logging, monitoring, vulnerability management, backups, incident response procedures, and need-to-know access for authorized personnel.
No system can be guaranteed to be fully secure. Users are responsible for securing their accounts, using strong authentication, managing team permissions, protecting API keys, and notifying Exportlab of suspected compromise.
19. Your rights
Where Exportlab acts as controller and the legal requirements are met, you may have the following rights:
- access to your personal data;
- correction of inaccurate personal data;
- deletion of personal data;
- restriction of processing;
- data portability;
- objection to processing based on legitimate interests;
- withdrawal of consent with future effect;
- complaint to a supervisory authority.
You can exercise these rights by contacting hey@exportlab.io.
We respond without undue delay and generally within one month after receiving your request. This period may be extended where legally permitted, depending on complexity and number of requests.
Where Exportlab acts as processor for a customer, please direct your request to the customer who controls the relevant workspace or page. Exportlab will assist the customer where required.
20. Email communications and suppression list
Exportlab sends transactional emails such as account emails, login emails, invitations, upload confirmations, client portal notifications, status notifications, billing notices, security alerts, and service communications.
To maintain deliverability and prevent abuse, Exportlab may maintain suppression lists for email addresses that hard-bounce, repeatedly soft-bounce, unsubscribe where applicable, or generate spam complaints. Suppressed addresses may no longer receive certain emails.
You may contact hey@exportlab.io if you believe an address has been suppressed incorrectly.
21. Automated decision-making
Exportlab does not use automated decision-making that produces legal or similarly significant effects within the meaning of GDPR Article 22.
Certain service restrictions may be applied automatically based on objective criteria such as plan limits, storage limits, token balance, failed payment status, trial status, abuse signals, or security rules. You may contact support if you believe an automated restriction is incorrect.
22. Children and minors
Exportlab accounts are not intended to be created or administered by minors.
Minors may appear in customer-uploaded content or customer workflows, such as photos, videos, guest uploads, group shoots, model releases, or guardian-related forms. In those cases, the customer is responsible for obtaining all required consents, guardian approvals, notices, and legal bases.
If you believe a minor's personal data has been processed unlawfully through Exportlab, contact the relevant customer or contact us at hey@exportlab.io so we can assist where appropriate.
23. Data portability and deletion requests
Customers may download media files and export certain data through available Service functionality. Additional assistance may be requested at hey@exportlab.io.
Some data, such as face embeddings, operational logs, security records, or derived system data, may not be portable in a commonly usable format.
Deletion requests are handled according to applicable law, customer instructions, backup cycles, legal retention requirements, billing retention requirements, and security obligations.
24. Changes to this Policy
We may update this Privacy Policy to reflect changes in the Service, technology, providers, legal requirements, or business operations.
When changes are material, we will provide appropriate notice, such as through email, in-app notice, or a prominent website notice where required.
The "Last updated" date shows when this Policy was last revised.
25. Contact and complaints
For questions, concerns, or requests relating to this Privacy Policy or personal data, contact:
Exportlab
Attn: Privacy
Adelgundenstrasse 1
80538 Munich
Germany
Email: hey@exportlab.io
You may also lodge a complaint with a competent data protection supervisory authority, including the authority in your place of residence, place of work, or place of the alleged infringement. For Bavaria, this may include the Bavarian Data Protection Authority (BayLDA).