Privacy Policy. In plain English.

1. Controller (Art. 13(1)(a) GDPR)

A Data Protection Officer is not required under Art. 37 GDPR and Section 38 BDSG. Questions are routed to the contact email above.

2. Overview of data processing

Processing of personal data is limited to what is needed to run the website, provide the app, and respond to you when you write in. We do not sell data. For each activity below we name the purpose, the legal basis, and how long data is kept.

3. The SwipePhotos iOS and Mac apps

Photos never leave your device. The apps use Apple's PhotoKit framework to read the library you grant access to. Burst detection and similarity grouping run with on-device machine learning. Keep and delete decisions are written back to the Apple Photos library, so deletions follow Apple's usual “Recently Deleted” recovery window.

What the app never does: upload your photos, send image pixels to our servers, or share anything with advertisers. We literally could not look at your photos if we wanted to — we have no server that receives them.

Crash and diagnostic data: if you opt in to share diagnostics with app developers in your iOS or macOS privacy settings, Apple may forward anonymised crash reports to us through App Store Connect. We use these only to fix bugs. You can opt out at any time in Settings → Privacy & Security → Analytics & Improvements.

Purchases and subscriptions: billing is handled entirely by Apple through the App Store. We receive anonymised, aggregated reporting (for example “X subscriptions this week”) but no payment information, no Apple ID, and no names. See Apple's privacy policy for details.

Legal basis: Art. 6(1)(b) GDPR (performance of the app contract) for running the app; Art. 6(1)(f) GDPR (legitimate interest in fixing crashes) for diagnostics.

4. Hosting and server log files

This website is hosted by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA). Every request to the site produces a temporary log entry containing:

• IP address (truncated)
• Request date and time
• URL requested and HTTP method
• HTTP status code and response size
• Browser type, version, and operating system
• Referrer URL (if your browser sends one)

Purpose: keeping the site online, preventing abuse, and investigating bugs. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a secure service). Retention: log entries are deleted after 14 days unless we need them to investigate a security incident. Vercel acts as our processor under Art. 28 GDPR.

5. Cookies and local storage

We use exactly one first-party storage entry: cookie-consent. It records whether you accepted or rejected analytics and is strictly necessary to honour the choice you made in the banner. It is exempt from consent under Section 25(2) No. 2 TDDDG.

Analytics cookies (see the next section) are only set after you click “Accept all”. Full details, including how to clear stored choices, are in our Cookie Policy.

6. Analytics (optional, consent-based)

If you opt in, we load Google Analytics 4, provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics collects:

• Pages you visit and actions you take
• Approximate location (derived from a truncated IP)
• Device, browser, and operating system
• Referrer URL and session duration

We have IP anonymisation enabled and a data-processing agreement in place under Art. 28 GDPR. Data retention in Google Analytics is set to 14 months.

Legal basis: Section 25(1) TDDDG and Art. 6(1)(a) GDPR (your consent). You can withdraw consent at any time by clearing the cookie-consent entry in your browser storage, or by using Google's opt-out browser add-on.

Transfer to third countries: transfers to Google LLC in the United States are covered by the EU–US Data Privacy Framework adequacy decision (C(2023) 4745).

7. Contact by email

When you email us at [email protected], we process your email address, your name (if you provide one), and the content of your message to answer you. Legal basis: Art. 6(1)(b) GDPR (pre-contractual or support) or Art. 6(1)(f) GDPR (legitimate interest in responding to correspondence). Retention: we keep the thread until the matter is resolved, then delete it unless we are required by law to retain it (e.g. for accounting).

8. Your rights under the GDPR

You can reach us about any of these rights at [email protected]:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure (Art. 17)
• Right to restriction (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right to withdraw consent (Art. 7(3))

9. Right to lodge a complaint

You may file a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. Our competent authority is:

10. Data security

We use industry-standard measures to protect data: TLS-encrypted connections (HTTPS) for everything in transit, access controls on our infrastructure, and routine security updates. No system is perfectly secure, but we treat your data like it was our own — which is why the app is designed to never send your photos in the first place.

11. Automated decision-making

The apps use on-device machine learning to group similar photos or bursts. These suggestions are not automated decisions in the sense of Art. 22 GDPR — every keep/delete choice is made by you, tapping on your own device.

12. Changes to this policy

We update this policy when the law, our tools, or our practices change. The current version is always available at this URL. Material changes are noted at the top by updating the date.