Privacy Policy

Last updated: February 18, 2026

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (stored as a cryptographic hash). If you enable two-factor authentication, we store your TOTP secret and recovery codes in encrypted form.

Social Authentication

If you sign in with Google or GitHub, we receive your name, email address, and profile photo URL from the provider. If your social login email matches an existing Upscale Media account, we automatically link the accounts. We do not access your contacts, calendars, repositories, or any other data from these providers.

Payment Information

Payment details are collected and processed securely by Stripe. We do not store your full credit card number, CVV, or billing address on our servers. Stripe provides us with a token, the last four digits of your card, and your card brand for display purposes. Please refer to Stripe's Privacy Policy for details on how they handle your payment data.

Images

We store the images you upload and their upscaled outputs. Image metadata we record includes: original filename, file size, dimensions, file type, processing status, and scale factor. We do not use your images for AI model training or share them with third parties.

Usage Data

We track your usage of the Service for billing and quota enforcement, including the number of images uploaded, API calls made, and storage consumed. This data is recorded in usage logs associated with your account.

Trial Upscaler Data

If you use our trial upscaler without an account, we collect your IP address, user agent (browser and device information), the file hash (SHA-256) of your uploaded image, and the original filename. This data is used for rate limiting (10 uploads per hour per IP) and abuse prevention, and is automatically deleted along with the trial images after 24 hours.

Technical Data

We automatically collect IP addresses, browser type, device information, and referring URLs when you access the Service. This data is used for security, rate limiting, and abuse prevention. IP addresses are used as rate-limiting keys for both the trial upscaler and authenticated API requests.

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve our image upscaling service
  • Process your payments and manage your subscription through Stripe
  • Enforce usage quotas and rate limits based on your plan
  • Send you transactional emails (see Section 6 below)
  • Prevent abuse, fraud, and unauthorized access
  • Comply with legal obligations

We do not use your information for targeted advertising, and we do not sell your personal data to third parties.

3. Image Storage, Processing, and Retention

Images you upload are stored in encrypted, private cloud storage (Amazon S3) and are only accessible through your authenticated account. Images are processed by our AI upscaling service running on dedicated GPU infrastructure within the same cloud network.

Images are automatically deleted after the retention period for your plan:

Plan | Retention Period
Trial (no account) | 24 hours
Free | 7 days
Starter | 30 days
Professional | 90 days
Enterprise | 180 days

If you cancel a paid subscription, a 30-day grace period applies during which your images are preserved regardless of your plan's normal retention period. After this grace period, standard retention rules for the Free plan (7 days) apply. You can delete your images manually at any time from your dashboard.

4. Third-Party Services

We share data with the following third-party services, solely to operate the Service:

Service | Purpose | Data Shared
Stripe | Payment processing | Name, email, payment method
Email delivery provider | Email delivery | Email address, notification content
Amazon Web Services (AWS) | Infrastructure hosting, image storage (S3), job queuing (SQS) | All data stored and processed by the Service
Google | Social authentication (optional) | OAuth tokens during sign-in only
GitHub | Social authentication (optional) | OAuth tokens during sign-in only
Google Analytics | Website analytics (with your consent) | Page views, anonymized usage patterns, device/browser type

We use Google Analytics 4 to understand how visitors use our website, subject to your consent (see Section 7). We do not use any advertising or behavioral tracking services. All application data is hosted in the AWS US East (N. Virginia) region.

5. Data Security

We implement the following security measures:

  • Encryption in transit: All connections use TLS/HTTPS. Internal traffic between services is within a private network.
  • Encryption at rest: Images in S3 are encrypted using AWS server-side encryption. The database (RDS) uses encryption at rest.
  • Authentication: API access uses Sanctum tokens. Web sessions use CSRF protection and secure, HTTP-only cookies.
  • Access control: Image storage is not publicly accessible. Images can only be retrieved through authenticated requests.
  • Password security: Passwords are hashed using bcrypt. We never store plaintext passwords.
  • Two-factor authentication: Optional TOTP-based 2FA is available for additional account security.

6. Emails We Send

We may send the following types of emails:

  • Email verification: When you register, to confirm your email address
  • Welcome email: After email verification, with onboarding information
  • Password reset: When you request a password reset
  • API key notification: When a new API token is generated for your account
  • Subscription events: When your subscription is created, renewed, or cancelled
  • Usage warnings: When your monthly usage reaches 80% and 90% of your plan limit
  • Usage exceeded: When you have reached your monthly limit

7. Cookies

Essential Cookies

We use essential cookies required for the Service to function:

  • Session cookie: Maintains your authenticated session
  • XSRF-TOKEN: Protects against cross-site request forgery attacks
  • Remember me: Optional persistent login cookie if you choose "remember me" at sign-in

Analytics Cookies (Consent Required)

With your consent, we use Google Analytics 4, which sets the following cookies:

  • _ga: Distinguishes unique visitors (expires after 2 years)
  • _ga_<ID>: Maintains session state (expires after 2 years)

These cookies are not set until you explicitly grant consent via our cookie banner. You can withdraw your consent at any time using the cookie preferences link in our footer, which will prevent future analytics data collection. We do not use advertising cookies or any other third-party cookies.

8. Your Rights

You have the right to:

  • Access your data: View your personal information, images, and usage data through your dashboard and API
  • Correct your data: Update your name, email, and password from your profile settings
  • Delete your account: Permanently delete your account and all associated data (images, usage logs, API tokens) from your profile settings. Deletion is immediate and irreversible.
  • Delete individual images: Remove specific images from your dashboard at any time
  • Data portability: Download your upscaled images from the dashboard or via the API before they expire. If you need a full export of your personal data, contact us via our contact page and we will provide it within 30 days.

9. International Data Transfers

All data is stored and processed in the United States (AWS US East region). If you are accessing the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

10. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know: You may request details about the personal information we collect about you and how it is used.
  • Right to delete: You may request deletion of your personal information (available through your profile settings or by contacting us).
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
  • No sale of data: We do not sell personal information to third parties.

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA) or the United Kingdom, we process your data under the following legal bases:

  • Contract performance: Processing necessary to provide you the Service (image uploads, account management, billing)
  • Legitimate interest: Security, abuse prevention, and service improvement
  • Consent: Optional features like social login and two-factor authentication

In addition to the rights listed in Section 8, you also have the right to:

  • Restrict or object to processing of your personal data
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, contact us via our contact page.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. The "Last updated" date at the top reflects when this policy was most recently revised.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us via our contact page.