Helluin Labs, LLC ("we," "us," "our," or the "Company") operates the Exposera platform (the "Service"), a premium photography hosting and sharing service. This Privacy Policy describes our practices regarding the collection, processing, storage, use, disclosure, and protection of personal information in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other relevant privacy legislation.
We are committed to protecting your privacy and handling your personal information with transparency and in accordance with all applicable laws. This Privacy Policy is designed to provide you with comprehensive information about our data practices and your rights concerning your personal information.
We collect and process the following categories of personal information. The specific data elements, legal basis for processing, and retention periods are detailed below for transparency and compliance with applicable data protection laws.
Data Collected: Email address (required), username, display name, password (stored as a cryptographic hash using Argon2id), date of birth (optional, for age verification), account plan type (free or pro), account creation timestamp.
Legal Basis: Contract performance, consent, and legitimate interest in providing and securing the Service.
Retention: Retained for the duration of your account. Deleted upon account deletion request, subject to legal retention requirements.
Data Collected: Session identifiers, session creation and expiration timestamps, authentication tokens (email verification, magic links, password reset tokens), WebAuthn passkey credentials (public keys, credential IDs, sign counts, transport methods), TOTP multi-factor authentication device secrets (encrypted).
Legal Basis: Contract performance, security of the Service, and legitimate interest in protecting user accounts.
Retention: Sessions retained until expiration or logout (typically 24 hours). Authentication tokens retained until consumed or expired (24-48 hours). Passkeys and MFA devices retained until revoked by user.
Data Collected: Biography, avatar image, social media profile links, website links, content filtering preferences (NSFW visibility, AI-generated content visibility), download permissions, like visibility settings.
Legal Basis: Consent and contract performance.
Retention: Retained until updated or account deletion.
Data Collected: Image files, original filenames, file sizes, MIME types, image dimensions, checksums, upload timestamps, user-provided titles, captions, tags, category classifications, NSFW flags, AI-generated flags, license information, visibility settings, album associations.
Legal Basis: Contract performance and consent.
Retention: Retained until content deletion by user or account deletion.
Data Collected: Camera make and model, lens model, camera settings (aperture, shutter speed, ISO, focal length), image orientation, date and time the photograph was taken, GPS coordinates (latitude, longitude, altitude) if present in uploaded images, software information.
Privacy Controls: GPS coordinates are extracted from uploaded images but are NOT made publicly available by default. Users control location display through privacy settings: (1) exact location, (2) approximate location (rounded to ~10km radius), or (3) hidden (no location data shared). We do not expose GPS coordinates beyond the user's chosen privacy level.
Legal Basis: Consent and contract performance.
Retention: Retained with photograph until deletion. Location data subject to user privacy controls at all times.
Data Collected: Stripe Customer ID, Stripe Subscription ID, subscription status, subscription period end date. Payment card information is collected and stored exclusively by Stripe, Inc., our PCI DSS Level 1 certified payment processor. We do not store full credit card numbers or payment card details on our systems.
Legal Basis: Contract performance and legitimate interest in subscription management.
Retention: Subscription identifiers retained for account duration. Full payment records retained by Stripe per their retention policies.
Data Collected: Page views, photograph views (aggregated counts), user interactions (likes, comments), feature usage, session duration, referral sources, device type, browser type, operating system, IP address, geographic location (country/city level only).
Legal Basis: Legitimate interest in improving the Service, analytics, and security.
Retention: Aggregated analytics retained indefinitely. Individual session data retained per third-party analytics provider policies (typically 30-90 days for detailed logs).
Data Collected: Support requests, feedback, correspondence with our team, email addresses for transactional communications.
Legal Basis: Contract performance, consent, and legitimate interest in customer support.
Retention: Retained for reasonable period to resolve inquiries and for legal compliance.
Data Collected: Image content hash (SHA-256), AI-generated label suggestions (text strings), provider name (e.g., "google_vision"), provider raw response metadata (for debugging), timestamp of suggestion generation.
Third-Party Service: When you opt to use the AI Label Suggestions feature (Pro users only), your uploaded image is sent to Google Cloud Vision API for label detection. Google processes the image and returns label descriptions. Only normalized label text is stored locally; no image content is retained in our suggestion cache.
Purpose: Provide AI-assisted tagging to reduce manual tagging effort, improve photo discoverability, and enhance user experience for Pro users.
Privacy Controls: This feature is completely opt-in. Images are sent to Google Cloud Vision only when you explicitly click the "Get AI Suggested Tags" button. You can decline to use suggested labels, and labels can be removed after adding. The feature is only available to Pro plan users.
Legal Basis: Consent (opt-in feature) and contract performance (Pro plan service).
Retention: Label suggestions cached indefinitely by image content hash to avoid duplicate API calls and minimize costs. No personal identification information or image content stored in suggestion cache. May be purged if storage constraints arise.
Data Sharing: Image content temporarily shared with Google Cloud Vision API when you request suggestions. See Section 3.2.5 for details about Google Cloud Vision data sharing.
Data Collected: Session cookies (HttpOnly, Secure), authentication cookies, theme preference (stored in browser localStorage), analytics cookies (via Google Analytics).
Purpose: Authentication, user preferences, analytics, security.
Legal Basis: Consent (for non-essential cookies) and legitimate interest (for essential cookies).
Control: You may control cookies through browser settings. Essential cookies are required for Service functionality.
We process your personal information for the following purposes, in accordance with applicable law and based on the legal grounds described in Section 1. Our processing is limited to what is necessary and proportionate to achieve these purposes.
You may withdraw consent for marketing communications at any time through account settings or by following unsubscribe instructions in emails. Transactional communications necessary for Service operation cannot be opted out of while maintaining an account.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share personal information only in the limited circumstances described below, and only to the extent necessary to provide and improve the Service, comply with legal obligations, and protect rights.
We share information that you explicitly choose to make public or share with others:
We engage third-party service providers who process personal information on our behalf to support Service operations. These providers are contractually obligated to use your information only as necessary to provide services to us and to maintain appropriate security measures.
Services: Hosting (Cloudflare Pages), serverless compute (Cloudflare Workers), database (Cloudflare D1), object storage (Cloudflare R2), image optimization (Cloudflare Images), content delivery network (CDN), DDoS protection, SSL/TLS encryption.
Data Shared: All application data as our primary infrastructure provider, including user accounts, photographs, metadata, HTTP requests and responses, IP addresses.
Purpose: Infrastructure, hosting, security, performance optimization, and content delivery.
Data Processing Agreement: Cloudflare acts as a data processor under appropriate data processing agreements.
Privacy Policy: https://www.cloudflare.com/privacypolicy/
Services: Payment processing, subscription management, customer portal, billing.
Data Shared: Email address, name (if provided), subscription plan selection, user ID (as metadata).
Data Received: Stripe Customer ID, Stripe Subscription ID, payment status, subscription status.
Purpose: Processing subscription payments, managing Pro plan access, billing operations.
Security: Stripe is PCI DSS Level 1 certified. Payment card information is collected and stored exclusively by Stripe. We do not access or store full credit card numbers.
Privacy Policy: https://stripe.com/privacy
Services: Google Analytics 4 (GA4) for website analytics.
Data Shared: Page views, user sessions, engagement metrics, device and browser information, geographic location (country/city level only), referral sources, anonymized IP addresses.
Data NOT Shared: Personally identifiable information (PII), user IDs, email addresses, authentication tokens, photograph content.
Purpose: Website usage analytics, user behavior analysis, traffic source tracking, performance monitoring, feature usage optimization.
User Controls: Users may opt out using browser extensions (e.g., Google Analytics Opt-out Browser Add-on) or by enabling Do Not Track browser settings.
Privacy Policy: https://policies.google.com/privacy
Services: Transactional email delivery.
Data Shared: Email addresses (recipients), email content (transactional messages including account verification, magic links, password resets, notifications).
Purpose: Delivering transactional emails necessary for Service operation and account security.
Privacy Policy: https://www.mailgun.com/privacy-policy/
Services: Google Cloud Vision API for AI-powered label detection (Pro feature only).
Data Shared: Image content (uploaded photos) when Pro users explicitly click the "Get AI Suggested Tags" button.
Data Received: Label descriptions (text), confidence scores, API response metadata.
Purpose: AI-assisted photo tagging, improved photo discoverability, reduced manual tagging effort for Pro users.
Usage Pattern: Completely opt-in. Images sent to Google Cloud Vision only when Pro users explicitly request label suggestions. No automatic processing. Results cached by image content hash to minimize API calls and costs.
Data Retention (by Google): Google processes images and returns labels immediately. Google's data retention follows their Cloud Vision API policies. We store only normalized label text (not image content) in our local cache.
Security: API calls made server-side only. Credentials not exposed to client. Images sent over HTTPS.
User Control: Feature is completely optional. Users initiate each analysis by clicking the button. Users can decline suggested labels and remove labels after adding.
Privacy Policy: https://cloud.google.com/vision/docs/data-usage
We may disclose personal information if required to do so by law or in the good faith belief that such action is necessary to:
In the event of a merger, acquisition, reorganization, sale of assets, bankruptcy, or similar corporate transaction, your personal information may be transferred or disclosed as part of that transaction. We will provide notice of any such change in ownership or control of your personal information through email or a prominent notice on our Service. Any acquiring entity will be required to continue to protect your personal information in accordance with this Privacy Policy or obtain your consent for any material changes.
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. Such information is not considered personal information and may be used and shared without restriction for analytics, research, marketing, and other purposes.
We implement and maintain appropriate technical and organizational security measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.
All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security) via HTTPS protocol.
Data stored in Cloudflare R2 object storage is encrypted at rest. Database encryption is managed by Cloudflare D1.
Passwords are hashed using Argon2id, a modern, secure password hashing algorithm with appropriate salt and iteration parameters. We never store passwords in plain text.
Session cookies use HttpOnly and Secure flags to prevent client-side script access and ensure transmission only over HTTPS.
Cloudflare's DDoS protection and Web Application Firewall (WAF) protect against distributed denial-of-service attacks and common web vulnerabilities.
Implementation of security headers including Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, and X-Content-Type-Options.
In the event of a data breach affecting your personal information, we will notify affected users and relevant supervisory authorities in accordance with applicable law, including GDPR requirements (72 hours for authority notification) and CCPA requirements. We will provide information about the nature of the breach, affected data, potential consequences, and mitigation measures.
You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. Please notify us immediately of any unauthorized access or use of your account.
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, enforce agreements, and protect our legitimate interests. The specific retention periods vary based on the category of information and applicable legal requirements.
Retained for the duration of your account. Deleted upon account deletion request, subject to legal retention requirements.
Retained until you delete the content or your account. Soft deletion with potential recovery period may apply.
Retained until session expiration (typically 24 hours) or user logout.
Email verification, magic link, and password reset tokens expire and are deleted after 24-48 hours or upon consumption.
Stripe Customer and Subscription IDs retained for account duration. Full payment records retained by Stripe per their retention policies.
Aggregated analytics retained indefinitely. Detailed logs retained per third-party provider policies (typically 30-90 days).
Retained for 30-90 days per Cloudflare's policies, then automatically rotated or aggregated.
Retained indefinitely for compliance, safety, and appeals purposes.
Retained for a reasonable period to resolve inquiries and for legal compliance (typically 3-5 years).
Label suggestions cached indefinitely by image content hash to avoid duplicate API calls and minimize costs. No personal identification information or image content stored in cache. May be purged if storage constraints arise.
When you delete your account, we will delete your personal information and content, except where retention is required by law, necessary to resolve disputes, enforce agreements, or protect legitimate interests. Certain information may be retained in aggregated or anonymized form that cannot be used to identify you. Backup copies may persist in our systems for a limited period during normal backup retention cycles.
We may retain certain information for longer periods when required by law, including but not limited to tax records, payment transaction records, and records related to legal proceedings or investigations. Such retention will comply with applicable legal requirements and will be limited to what is necessary for the specific legal purpose.
Depending on your location, you may have certain rights regarding your personal information. We respect these rights and provide mechanisms for you to exercise them as described below.
You may access your personal information through your account settings at any time.
You may update or correct your personal information through your account settings.
You may delete your account and associated personal information through account settings or by contacting us.
You may control the visibility of your content, location data privacy levels, and other sharing preferences.
You may unsubscribe from marketing communications at any time via account settings or email unsubscribe links.
If you are located in the European Union, United Kingdom, or European Economic Area, you have the following additional rights under the General Data Protection Regulation (GDPR) and UK GDPR:
You have the right to obtain confirmation whether we process your personal data and to access such data, along with information about the processing.
You have the right to obtain rectification of inaccurate personal data and to have incomplete personal data completed.
You have the right to obtain erasure of your personal data under certain conditions, including where data is no longer necessary or consent is withdrawn.
You have the right to restrict processing of your personal data under certain conditions, such as when you contest accuracy or object to processing.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.
Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of alleged infringement.
Legal Basis for Processing: We process your personal data based on: (1) Performance of a contract (providing the Service), (2) Compliance with legal obligations, (3) Legitimate interests (service improvement, security, fraud prevention), and (4) Consent (for non-essential processing).
International Data Transfers: Your data may be transferred to and processed in countries outside the EU/EEA. We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) with our service providers and compliance with the EU-U.S. Data Privacy Framework where applicable.
Data Protection Officer: For GDPR-related inquiries, contact our Data Protection Officer at dpo@helluinlabs.com.
Supervisory Authority: You may contact your local data protection authority with complaints or concerns.
Note: Helluin Labs, LLC is a United States company and does not have an establishment, legal entity, or employees in the European Union or United Kingdom. We comply with GDPR for EU/UK data subjects but do not have a physical presence in these jurisdictions.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
You have the right to request disclosure of: (1) categories of personal information collected, (2) categories of sources, (3) business or commercial purpose for collection, (4) categories of third parties with whom we share personal information, and (5) specific pieces of personal information collected about you.
You have the right to request deletion of your personal information, subject to certain exceptions under law.
You have the right to opt out of the sale of your personal information. We do not sell personal information and have not sold personal information in the preceding 12 months.
You have the right to opt out of sharing personal information for cross-context behavioral advertising. We do not engage in such sharing.
You have the right to request correction of inaccurate personal information.
You have the right to limit the use and disclosure of sensitive personal information. We use sensitive information only as necessary for Service provision.
You have the right not to receive discriminatory treatment for exercising your CCPA rights.
Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We will require proof of authorization.
Verification: To protect your privacy, we will verify your identity before fulfilling requests using information you have previously provided to us.
Response Time: We will respond to verifiable requests within 45 days, with a possible 45-day extension if reasonably necessary. We will inform you of any extension and the reason.
California Shine the Light Law: California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
CCPA Reporting Threshold: As a small business, we do not meet the CCPA's threshold for annual privacy reports (e.g., metrics reporting). We provide this information for transparency and compliance with user rights under CCPA.
Residents of other U.S. states with comprehensive privacy laws (e.g., Virginia, Colorado, Connecticut, Utah) may have similar rights. We will honor comparable rights under applicable state laws. Please contact us at privacy@helluinlabs.com to exercise such rights.
To exercise any of the rights described above, you may:
We will respond to your request within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA). We may request additional information to verify your identity before processing requests.
We use cookies and similar tracking technologies to enhance your experience, provide functionality, and analyze usage of our Service. This section describes the types of cookies we use and how you can control them.
Required for core platform functionality, authentication, session management, and security. These cookies cannot be disabled without severely impacting Service functionality. Includes session authentication cookies (HttpOnly, Secure flags enabled).
Remember your preferences and settings, such as theme selection (dark/light mode), language preferences, and content display preferences. Stored in browser localStorage.
Help us analyze platform usage, understand user behavior, and identify areas for improvement. Includes Google Analytics cookies (GA4) that collect anonymized usage data, page views, session information, and aggregated engagement metrics.
What We Do NOT Use:
You can control cookie preferences through your browser settings. Most browsers allow you to:
For Google Analytics, you may opt out using the Google Analytics Opt-out Browser Add-on. You may also enable Do Not Track (DNT) in your browser settings.
Note: Disabling essential cookies will prevent you from logging in and using core Service features.
Our Service uses Google Analytics, which may set third-party cookies on your device. These cookies are governed by Google's privacy policy. We have configured Google Analytics to anonymize IP addresses and do not send personally identifiable information to Google.
Our Service is hosted on Cloudflare's global network, which means your personal information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States and other countries where Cloudflare operates data centers. These countries may have data protection laws that differ from the laws of your jurisdiction.
When we transfer personal information from the European Union, United Kingdom, or other jurisdictions with comprehensive data protection laws to countries that do not provide an adequate level of data protection, we implement appropriate safeguards, including:
We rely on Standard Contractual Clauses approved by the European Commission and UK Information Commissioner's Office for transfers from the EU/EEA and UK to third countries.
Where applicable, we rely on adequacy decisions and compliance with the EU-U.S. Data Privacy Framework for transfers to the United States.
We maintain data processing agreements with our service providers (including Cloudflare, Stripe) that include appropriate data protection obligations.
Helluin Labs, LLC is a limited liability company organized under the laws of the United States. We do not have a legal entity, establishment, branch, subsidiary, or employees in the European Union, United Kingdom, or European Economic Area. However, we are committed to complying with GDPR and UK GDPR requirements for data subjects in those jurisdictions.
Data is stored and processed on Cloudflare's global network, which includes data centers in multiple countries worldwide. Cloudflare may store and process your data in the United States, Europe, Asia-Pacific, and other regions to provide optimal performance and reliability. Data residency is managed by Cloudflare according to their infrastructure and routing policies.
Our Service is not intended for, nor directed to, children under the age of 13 years (or the equivalent minimum age in your jurisdiction). We do not knowingly collect, use, or disclose personal information from children under 13 without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA) and similar laws.
If we become aware that we have collected personal information from a child under 13 without proper parental consent, we will take steps to delete such information as quickly as possible. If you believe that we may have collected information from a child under 13, please contact us immediately at privacy@helluinlabs.com so we can take appropriate action.
Age Verification: We may implement age verification mechanisms to restrict access to age-appropriate content. Users may be required to provide their date of birth for this purpose. Date of birth information is used solely for age verification and content filtering purposes.
Parental Rights: Parents and legal guardians have the right to review, request deletion of, and refuse further collection of their child's personal information. To exercise these rights, please contact us at privacy@helluinlabs.com.
Our Service may contain links to third-party websites, services, or resources that are not owned or controlled by Helluin Labs, LLC. This Privacy Policy applies only to our Service. When you access third-party websites or services, you are subject to the privacy policies of those third parties.
We are not responsible for the privacy practices, content, or security of third-party websites or services. We encourage you to review the privacy policies of any third-party sites or services you visit or use.
Social Media Integration: If you choose to link your social media profiles to your account, those platforms may collect information about your use of our Service according to their own privacy policies. We do not control the data collection practices of social media platforms.
Some web browsers have a "Do Not Track" (DNT) feature that signals websites that you do not want to have your online activities tracked. Our Service currently does not respond to DNT signals or similar mechanisms due to the lack of industry standards regarding how to interpret and honor DNT signals.
However, you may control tracking through other means, including browser cookie settings, Google Analytics opt-out tools, and privacy-focused browser extensions. We will update this policy if we implement DNT signal processing in the future.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this Privacy Policy, we will notify you through one or more of the following methods:
Effective Date: Changes to this Privacy Policy will become effective when posted unless otherwise specified. The "Last updated" date at the top of this Privacy Policy indicates when it was most recently revised.
Your Acceptance: Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with any changes, you must discontinue using the Service and may delete your account.
Material Changes: For material changes that significantly affect your rights or how we process your personal information, we will provide at least 30 days' advance notice and, where required by law, obtain your consent before the changes take effect.
We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your personal information and your privacy rights.
This Privacy Policy and our processing of your personal information are governed by the laws of the United States and the state in which Helluin Labs, LLC is organized, except to the extent that applicable data protection laws (such as GDPR or CCPA) provide additional mandatory protections.
We comply with applicable data protection and privacy laws, including but not limited to:
Any disputes arising from or relating to this Privacy Policy will be resolved in accordance with the dispute resolution procedures set forth in our Terms of Service. For GDPR-related disputes, you have the right to lodge a complaint with a supervisory authority in your jurisdiction.
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us using the information below. We will respond to your inquiry in accordance with applicable law.
Email: privacy@helluinlabs.com
Company: Helluin Labs, LLC
Website: https://helluinlabs.com
For inquiries related to GDPR, UK GDPR, or other European data protection matters:
Email: dpo@helluinlabs.com
California residents may contact us regarding CCPA rights at:
Email: privacy@helluinlabs.com
Subject Line: "California Privacy Rights Request"
We will respond within 30 days (may be extended by an additional 60 days in complex cases).
We will respond within 45 days (may be extended by an additional 45 days if reasonably necessary).
We strive to respond to all privacy inquiries within a reasonable timeframe.
Verification: For your security, we may request additional information to verify your identity before responding to privacy rights requests.