Privacy Policy

Effective March 11, 2026

At CoreHue, your privacy is fundamental to how we build and operate our platform. This Privacy Policy explains how CoreHue ("Company," "we," "us," or "our") collects, uses, stores, shares, and protects your information when you use our platform, website, and related services (the "Service"). We are committed to transparency about our data practices and giving you meaningful control over your personal information.

1. Information We Collect

Information you provide directly

  • Account information — name, email address, username, password, business name, creative type, specializations, profile photo, and business logo
  • Creative content — photographs, videos, documents, contracts, invoices, and website content you upload or create through the Service
  • Client data — information about your clients that you enter into the Service (names, email addresses, phone numbers, booking details, notes)
  • Booking information — service details, pricing, availability, scheduling preferences, and lead enquiries
  • Payment information — billing details processed by our third-party payment providers (Stripe); we do not store full credit card numbers on our servers
  • Communications — messages you send to us for support or feedback

Information collected automatically

  • Device and browser data — device type, browser type, operating system, and screen resolution
  • Network data — IP address and approximate geographic location (country-level, derived from IP at registration)
  • Usage data — pages visited, features used, interactions, access times, and referring URLs
  • Gallery analytics — visitor views, downloads, and collection activity on your published galleries (used to provide you with activity tracking and insights)

Information from third parties

If you sign up using Google OAuth, we receive your name, email address, and profile photo from Google. We do not receive or store your Google password.

2. How We Use Your Information

  • Provide the Service — store and process your content, manage your galleries, process bookings, generate invoices, and host your website
  • Process payments — handle subscription billing and transaction processing through our payment providers
  • Communicate with you — send transactional emails (verification, password reset, booking notifications, download links), technical notices, and product updates
  • Provide analytics — generate gallery activity insights (views, downloads, visitor tracking) to help you understand how clients interact with your work
  • Improve the Service — analyze usage patterns to identify bugs, improve features, and develop new functionality
  • Ensure security — detect, investigate, and prevent fraud, abuse, and unauthorized access through rate limiting, input validation, and monitoring
  • Comply with law — fulfill legal obligations, respond to lawful requests, and enforce our Terms of Service

3. Your Creative Content

We understand that your creative work is your livelihood. We treat your uploaded content with the utmost care:

  • Your photos, videos, contracts, invoices, and documents are stored securely using Cloudflare R2 cloud storage with encryption
  • Image transformations (thumbnails, resized versions) are generated on-the-fly for display and download purposes only
  • GPS metadata is stripped from images during bulk download processing to protect location privacy
  • We will never access, view, analyze, train AI models on, or use your creative content for any purpose other than providing the Service to you
  • Your content is only accessible to you, your designated clients and visitors (based on your gallery access settings), and authorized CoreHue personnel for support purposes when explicitly requested

4. Gallery Visitors & Client Data

When visitors interact with your published galleries and booking pages, we collect:

  • Anonymous visitor identifiers (via cookies) for view and download tracking
  • Email addresses and names when voluntarily provided through email registration, collection submission, or booking enquiries
  • Device type, browser, and referrer information for analytics provided to the gallery owner

This data is provided to you (the photographer/creative) as gallery activity insights. As a photographer using CoreHue, you act as the data controller for your clients' personal data and are responsible for complying with applicable privacy laws regarding your clients' information.

5. Information Sharing

We do not sell, rent, or trade your personal information. We share information only in the following circumstances:

  • Infrastructure providers — Cloudflare (hosting, CDN, file storage, image processing), Neon (database hosting), and Resend (transactional email delivery)
  • Payment processors — Stripe for payment processing, subject to their respective privacy policies
  • Authentication providers — Google (only if you choose to sign in with Google OAuth)
  • Error monitoring — Sentry for application error tracking, with sensitive data (passwords, tokens, secrets) automatically scrubbed before transmission
  • Legal requirements — when required by law, court order, subpoena, or to protect our rights, property, or the safety of our users
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with continued protection of your data under equivalent privacy commitments

All third-party providers are bound by data processing agreements and are only permitted to process your data as necessary to provide their respective services.

6. Data Security

We implement comprehensive security measures to protect your data:

  • All data transmitted between your browser and our servers is encrypted via TLS
  • File storage is encrypted at rest on Cloudflare R2
  • Account passwords are hashed using bcrypt with appropriate work factors
  • Gallery and client passwords are encrypted at rest using AES-256-GCM with dedicated encryption keys
  • Password reset and email verification tokens are cryptographically hashed before database storage
  • Rate limiting is enforced on authentication endpoints and all public-facing APIs to prevent abuse
  • Security headers (HSTS, CSP, X-Frame-Options, etc.) are applied to all responses
  • File uploads are validated by both file extension and magic byte verification to prevent malicious uploads
  • Independent security audits have been conducted and all identified issues have been remediated

While no system is 100% secure, we are committed to following industry best practices and promptly addressing any security concerns. If you discover a security vulnerability, please report it to hello@corehue.co.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request that inaccurate or incomplete data be corrected
  • Deletion — request deletion of your personal data and uploaded content
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — request that we restrict processing of your data in certain circumstances
  • Objection — object to processing of your data for certain purposes

To exercise any of these rights, contact us at hello@corehue.co. We will respond within 30 days. We may ask for identity verification before processing your request.

California residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at the email above.

8. Cookies & Tracking

We use the following types of cookies:

  • Essential cookies — required for authentication, session management, and security. These cookies are httpOnly and cannot be accessed by client-side scripts.
  • Visitor tracking cookies — anonymous UUID identifiers used on public galleries to provide gallery owners with view and download analytics. These cookies do not track you across websites.

We do not use advertising cookies, retargeting pixels, or share cookie data with advertisers. You can manage cookies through your browser settings, though disabling essential cookies may prevent you from using the Service.

9. Data Retention

We retain your data as follows:

  • Active account data — retained for as long as your account is active
  • Deleted files — soft-deleted initially, then permanently removed from storage after a retention period via automated cleanup
  • Account deletion — upon account termination, personal data and uploaded content are permanently deleted within 30 days
  • Bulk downloads — generated zip files expire and are automatically cleaned up after 3 days
  • Legal obligations — certain data (such as financial transaction records) may be retained longer where required by applicable tax, accounting, or other legal requirements

10. International Data Transfers

CoreHue operates globally and your information may be processed and stored in the United States and other countries where our infrastructure providers operate (including Cloudflare's global network). When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses where applicable. By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions outside your country of residence, which may have different data protection laws.

11. Children's Privacy

CoreHue is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to promptly delete that information from our systems. If you believe a child has provided us with personal data, please contact us at hello@corehue.co.

12. Third-Party Links & Integrations

The Service may contain links to third-party websites or integrate with third-party services (such as Google Calendar or social media platforms). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through or in connection with CoreHue.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated via email or a prominent notice within the Service at least 14 days before they take effect. We encourage you to review this policy periodically. The "Effective" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at hello@corehue.co.