Privacy Policy
Last updated: December 26, 2025
1. Introduction
Welcome to PhotoRevive. This Privacy Policy explains how PhotoRevive ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our AI-powered photo colorization service available at photorevive.com and app.photorevive.com (collectively, the "Service").
We serve customers in the United States and European Union. This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable US state privacy laws.
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our Service.
2. Data Controller Information
For the purposes of the GDPR, the data controller responsible for your personal data is:
- Company Name: PhotoRevive Studio, in ownership of CS Totaal
- Address: Bankastraat 7, 2612AE, Delft, Netherlands
- Email: privacy@photorevive.com
For EU residents, you may also contact your local supervisory authority if you have concerns about how we handle your personal data.
3. Personal Data We Collect
We collect different categories of personal data depending on how you interact with our Service:
3.1 Information You Provide Directly
- Account Information: Email address and password when you create an account via our authentication system
- Photographs: Images you upload for colorization processing
- Payment Information: When you purchase tokens, payment details are collected and processed by Stripe. We receive only the last four digits of your card, card type, expiration date, and transaction confirmation—we never receive or store your full card number
- Communications: Feedback, refinement instructions for photo processing, and any correspondence you send us
- Shipping Information: Name and delivery address if you order physical prints
3.2 Information Collected Automatically
- Device Information: Browser type, operating system, device identifiers, and IP address
- Usage Data: Pages visited, features used, time spent on pages, and interaction patterns
- Session Recordings: With your consent, we may record anonymized session replays to improve user experience
4. How We Use Your Personal Data
We process your personal data for the following purposes and legal bases:
| Processing Activity | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Photo colorization | Deliver our AI-powered colorization service | Contractual necessity (Art. 6(1)(b)) |
| Account creation | Manage your account and provide access to the Service | Contractual necessity (Art. 6(1)(b)) |
| Payment processing | Process token purchases via Stripe | Contractual necessity (Art. 6(1)(b)) |
| Print fulfillment | Produce and ship physical prints via Printful | Contractual necessity (Art. 6(1)(b)) |
| Analytics | Understand usage patterns and improve the Service | Consent (Art. 6(1)(a)) |
| Marketing tracking | Measure advertising effectiveness | Consent (Art. 6(1)(a)) |
| Session recordings | Improve user experience | Consent (Art. 6(1)(a)) |
| Email marketing | Send promotional communications | Consent (Art. 6(1)(a)) |
| Fraud prevention | Protect against fraudulent transactions | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
Important: Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
5. AI Processing and Automated Decision-Making
5.1 How Our AI Works
We use Google's Gemini 2.5 Flash Image AI model to colorize your black-and-white photographs for previews, and Google's Gemini 3 Pro Image AI model for HD rendering. When you upload a photo:
- Your image is sent to Google's Gemini API for processing
- The AI analyzes the image content and applies period-appropriate colors
- The colorized result is returned and stored in our image hosting service Cloudinary
- You can provide feedback to refine the colorization through natural language instructions
Images uploaded by anonymous (not signed-in) users, and their AI previews, are stored on our servers for 24 hours before being permanently deleted. Images uploaded by signed-in users are stored on our servers for 30 days before being permanently deleted. The AI output image is stored permanently on our servers only when a Token is used to unlock the HD version of an image.
5.2 Image Training and Usage
Your images are NOT used to train AI models. We use Google Gemini's paid API service, which does not use customer data for model training. Your photos are processed solely for the purpose of delivering the colorization service you requested.
5.3 Automated Decision-Making
The AI colorization process is automated but does not produce decisions with legal or similarly significant effects on you. The output is an aesthetic transformation of your photo, and you retain full control to accept, modify (through refinement), or reject the results.
5.4 Biometric Data
Our colorization service does not extract facial geometry, create facial templates, or process biometric identifiers. We do not use facial recognition technology. The AI processes photos purely for color enhancement and restoration purposes without identifying or tracking individuals.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our Service and analyze usage. We use Cookiebot to manage your cookie preferences.
6.1 Cookie Categories
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Essential for Service operation (authentication, security, consent management) | No (required for Service) |
| Analytics | Google Analytics 4 — understanding how visitors use our Service | Yes |
| Marketing | Facebook Pixel/CAPI, Microsoft Clarity — measuring ad effectiveness and session analysis | Yes |
6.2 Your Cookie Choices
For EU visitors: We will not load analytics or marketing cookies until you provide explicit consent via our cookie banner. You can change your preferences at any time by clicking the cookie settings link in our website footer.
For US visitors: You can opt out of certain tracking through our "Do Not Sell or Share My Personal Information" link. We honor Global Privacy Control (GPC) signals from your browser.
For more details about cookies, see our Cookie Policy.
7. Third-Party Services and Data Recipients
We share your personal data with the following third-party service providers who help us deliver our Service:
| Service | Purpose | Data Shared | Role |
|---|---|---|---|
| Supabase | Database and authentication | Account data, photo metadata | Data Processor |
| Google Gemini | AI photo colorization | Uploaded images | Data Processor |
| Cloudinary | Image storage and delivery | Original and colorized images | Data Processor |
| Stripe | Payment processing | Payment and transaction data | Processor + Controller (fraud) |
| Printful | Print production and shipping | Images, shipping address | Data Processor |
| Google Analytics 4 | Usage analytics | Usage data, device info | Data Processor |
| Meta (Facebook) | Advertising measurement | Hashed identifiers, events | Joint Controller |
| Microsoft Clarity | Session recordings, heatmaps | Usage data, session data | Controller |
| Cookiebot | Cookie consent management | Consent records | Data Processor |
Note regarding Meta and Microsoft: These services act as independent controllers or joint controllers for certain data uses, meaning they may process data they receive for their own purposes as described in their respective privacy policies. We recommend reviewing their policies for details.
8. International Data Transfers
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States and other countries where our service providers operate.
8.1 Transfer Mechanisms
We protect international transfers using the following safeguards:
| Service Provider | EU-US DPF Certified | Alternative Mechanism |
|---|---|---|
| | Yes | Standard Contractual Clauses available |
| Cloudinary | Yes | SCCs in Data Processing Agreement |
| Stripe | Yes | SCCs in Data Transfers Addendum |
| Meta | Yes | Standard Contractual Clauses available |
| Microsoft | Yes | SCCs via Irish entity |
| Supabase | No | SCCs in DPA; EU hosting available |
| Printful | EU fulfillment available | EU production facilities |
| Cookiebot | EU-based | No US transfer |
The EU-US Data Privacy Framework was granted adequacy status by the European Commission on July 10, 2023. You may obtain a copy of the Standard Contractual Clauses by contacting us at the address provided in this policy.
9. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion + 30 days | Service provision and recovery |
| Photos (unpurchased) | 24 hours when not logged in, 30 days from upload when logged in | Allow time for purchase decision |
| Photos (purchased/HD) | 1 year from purchase, or until account deletion | Continued access to purchased content |
| Transaction records | 7 years | Legal/tax compliance |
| Cookie consent records | 5 years | GDPR compliance documentation |
| Analytics data | 26 months (GA4 default) | Usage analysis |
When data is no longer needed, we securely delete or anonymize it.
10. Your Privacy Rights
10.1 Rights for EU Residents (GDPR)
If you are located in the European Economic Area, you have the following rights under the GDPR:
- Right of Access: Obtain confirmation of whether we process your data and receive a copy
- Right to Rectification: Correct inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data in certain circumstances
- Right to Restriction: Limit how we process your data in certain situations
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right to Withdraw Consent: Withdraw consent at any time for consent-based processing
- Right to Lodge a Complaint: File a complaint with your local supervisory authority
10.2 Rights for California Residents (CCPA/CPRA)
California residents have the following rights under the CCPA as amended by the CPRA:
- Right to Know: Learn what personal information we collect, use, disclose, and sell/share
- Right to Delete: Request deletion of personal information we collected
- Right to Correct: Correct inaccurate personal information
- Right to Opt-Out: Opt out of the sale or sharing of personal information
- Right to Limit Use of Sensitive PI: Limit how we use sensitive personal information
- Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights
10.3 Rights for Residents of Other US States
Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights including access, deletion, correction, opt-out, and portability. Some state-specific provisions include:
- Virginia (VCDPA): Includes an appeals process if your request is denied
- Colorado (CPA): Requires honoring universal opt-out signals
- Oregon (OCPA): You can request a list of specific third parties (not just categories) who received your data
10.4 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: privacy@photorevive.com
- Online Form: Contact Us
We will verify your identity before processing your request. For California residents, we will respond within 45 days (with a possible 45-day extension). For EU residents, we will respond within one month (with a possible two-month extension for complex requests).
11. "Do Not Sell or Share My Personal Information"
Under California law and other US state privacy laws, we are required to disclose whether we "sell" or "share" personal information. While we do not sell personal information for monetary consideration, certain analytics and advertising activities may constitute "sharing" under these laws.
To opt out of the sale or sharing of your personal information:
- Click the "Do Not Sell or Share My Personal Information" link in our website footer
- Enable Global Privacy Control (GPC) in your browser—we honor GPC signals
- Email us at privacy@photorevive.com
12. Children's Privacy
Our Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@photorevive.com, and we will delete such information.
Adults may upload photographs that include images of children for colorization. These photos are processed solely for the requested colorization service and are not used to identify or target children.
13. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Secure authentication via Supabase Auth with row-level security
- PCI-DSS compliant payment processing through Stripe (we never receive full card numbers)
- Regular security reviews of our infrastructure
- Access controls limiting employee access to personal data
No method of transmission or storage is 100% secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a new "Last Updated" date
- Sending an email notification for significant changes (if you have an account)
- Displaying a prominent notice on our Service
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@photorevive.com
- Contact form: Contact Us
For EU residents with unresolved concerns, you have the right to lodge a complaint with your local Data Protection Authority.
16. Supplemental Notice for California Residents
This section provides additional disclosures required by California law.
16.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Email address, IP address, device ID | Yes |
| Commercial Information | Purchase history, token balance | Yes |
| Internet Activity | Browsing history, search history on Service | Yes |
| Geolocation Data | Approximate location from IP address | Yes |
| Sensory Data | Photographs you upload | Yes |
| Inferences | Preferences based on usage patterns | Yes |
| Sensitive PI (biometric) | Facial geometry, biometric templates | No |
16.2 Sources of Personal Information
We collect personal information: directly from you when you create an account, upload photos, or make purchases; automatically through cookies and similar technologies; and from service providers who help us operate our business.
16.3 Business Purposes for Collection
We use personal information for: providing our photo colorization service; processing payments and fulfilling orders; communicating with you; analyzing and improving our Service; preventing fraud; complying with legal obligations; and advertising and marketing (with appropriate consent or opt-out).
16.4 Sale and Sharing of Personal Information
We do not sell personal information for monetary consideration. We may "share" certain identifiers and internet activity with advertising partners (Meta, Google) for targeted advertising purposes, which may constitute "sharing" under the CCPA. You can opt out using the methods described in Section 11.
16.5 Retention Periods
See Section 9 (Data Retention) for details on how long we retain each category of personal information.
Related Policies
- Cookie Policy — Details about how we use cookies and tracking technologies
- Terms & Conditions — Our terms of service
- Refund Policy — Information about refunds and cancellations
Legal Compliance
This Privacy Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable US state privacy laws including those in Virginia, Colorado, Connecticut, Texas, Oregon, and Montana. For more information about how we use cookies, please see our Cookie Policy.