Privacy Policy
1. Who we are
Paper Mache (Toronto, Ontario, Canada) is the controller of the personal data described here — meaning we decide why and how it is processed. This policy covers papermache.io, our iOS app, and everything you do with them.
Questions, or any request about your data: privacy@papermache.io.
2. What we collect
You give us
| Data | When |
|---|---|
| Email address | When you sign in. If you use Google or Apple, we receive your email address and, if you allow it, your name — nothing else from your Google or Apple account. |
| Photos | When you upload them. Includes whatever is visible in the image itself. |
| Poster designs | Titles, layouts, frames, filters, sizes, and where each photo sits on the page. |
| Comments and collaborators | Comment text, and the email addresses of anyone you invite to a poster. |
| Order and shipping details | Name, shipping address, and what you ordered. Card details go directly to Stripe. We never see or store your card number. |
| Support messages | Anything you email us. |
We collect automatically
- Usage and device data via Google Analytics: pages visited, approximate location (city-level, derived from a truncated IP address), device type, browser, referring site, and a randomly generated analytics identifier stored in a cookie. See Cookies.
- Server logs kept by our hosting providers, including IP address and timestamps, used to keep the Service running and to detect abuse.
- Session cookies that keep you signed in. These are strictly necessary and are not used for tracking.
What we deliberately do not collect
- We do not read your device's photo library. You choose which photos to send us.
- We do not collect precise GPS location.
- We do not buy data about you from data brokers.
- We do not track you across other websites, and we do not run advertising.
3. Why we use it, and our legal basis
If you are in the EEA or UK, the GDPR requires us to name a legal basis for each purpose. Here they are.
| Purpose | Legal basis |
|---|---|
| Create your account and sign you in | Performance of a contract |
| Store your photos and posters, and show them back to you | Performance of a contract |
| Print and ship your order, and take payment | Performance of a contract |
| Answer your support emails | Performance of a contract; legitimate interests |
| Keep the Service secure, prevent abuse, enforce quotas | Legitimate interests |
| Analytics, to understand how the product is used and improve it | Consent (in the EEA/UK/Switzerland); legitimate interests elsewhere. You can withdraw consent at any time. |
| Keep records of completed orders | Legal obligation (tax and accounting law) |
We do not use your data for automated decision-making that produces legal or similarly significant effects, and we do not profile you.
4. Your photos, specifically
This is the part most people actually want to know, so we will be exact.
- Where they go. Photos are uploaded to a private storage bucket at Supabase. There is no public URL. Access is enforced by row-level security in the database: a request that is not you, or someone you have explicitly shared with, is rejected by the server, not merely hidden by the interface.
- What we do to them. Before upload, your browser downscales the image and converts it to JPEG. This strips most embedded metadata as a side effect — including, typically, GPS coordinates and camera serial numbers. We do not read, index, or store EXIF data.
- Who can see them. You. Anyone you invite as a collaborator. Anyone holding a share link you created (until you revoke it). Our print partner, but only for a poster you actually ordered, and only the flattened print file. Nobody else.
- Staff access. We do not browse your photos. A named engineer can technically reach stored files, and would only do so if you asked us to investigate a specific problem with your account, or if we were legally compelled to.
- AI training. We do not use your photos, your posters, or your comments to train machine-learning models, and we do not license them to anyone who does.
- Deletion. Remove a photo from a poster and delete it, and the underlying file is deleted from storage. Copies may persist in encrypted backups for up to 30 days before being overwritten.
5. Who we share data with
We do not sell your personal data, and we never have. We share it only with service providers who process it on our behalf, under contract, and only to the extent they need it:
| Processor | What for | Where |
|---|---|---|
| Supabase | Database, file storage, and authentication | United States |
| Vercel | Website hosting and content delivery | United States |
| Google Analytics | Product and traffic analytics | United States |
| Stripe | Payment processing | United States |
| Prodigi | Print production and shipping | United Kingdom / global print network |
Our print partner receives only what is needed to make and deliver your order: the print file, your name, and your shipping address. They do not receive your other posters, your other photos, or your account history.
We will also disclose data if we are legally required to — a valid court order, subpoena, or similar. We will notify you unless we are legally prohibited from doing so. And if we are ever acquired or merged, your data may transfer to the successor, who will be bound by a policy at least as protective as this one; we will tell you before that happens.
6. Cookies and analytics
We use two kinds of cookies: strictly necessary ones that keep you signed in, and analytics cookies set by Google Analytics 4.
In the EEA, UK and Switzerland, analytics cookies are off by default and are only set if you press “Allow” on the banner. We use Google Consent Mode, we have IP anonymisation turned on, and Google Signals and advertising features are disabled — so analytics data is not used to build an advertising profile of you.
Full detail, including how to change your mind: Cookie Notice.
7. How long we keep it
| Data | Retention |
|---|---|
| Photos and posters | Until you delete them, or 30 days after you close your account |
| Account and email address | Until you close your account |
| Order records and invoices | 7 years after the order — required by tax law, and kept even if you close your account |
| Support emails | 2 years |
| Analytics data | 14 months |
| Server logs | Up to 30 days |
| Encrypted backups | Rolling 30 days, then overwritten |
8. Your rights
Wherever you live, you can ask us to do all of the following, and we will do it — we do not gatekeep these rights by geography.
- Access — get a copy of the personal data we hold about you.
- Portability — get your photos and poster data in a machine-readable format.
- Correction — fix anything inaccurate.
- Deletion — delete your account and your content (subject to the order-record retention above).
- Restriction and objection — object to processing based on legitimate interests.
- Withdraw consent — turn analytics off at any time, with no effect on anything else.
Email privacy@papermache.io from the address on your account. We respond within 30 days. We will not charge you, and we will not treat you differently for asking.
If you are in the EEA or UK and think we have got it wrong, you may complain to your national supervisory authority. We would rather you told us first, but it is your right either way.
9. US state privacy rights
If you live in California, Colorado, Connecticut, Virginia, or another state with a comprehensive privacy law, you have the rights listed above, plus the right to opt out of the “sale” or “sharing” of personal information and of targeted advertising.
We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not engage in targeted advertising or cross-context behavioural advertising. There is nothing to opt out of. We honour Global Privacy Control signals regardless.
We do not knowingly collect the personal information of anyone under 16 for sale or sharing — again, because we do not sell or share it at all.
10. International transfers
Our providers are primarily in the United States, and our print partner operates a global print network, so your data will be transferred outside your country — including outside the EEA and UK.
Where that happens, transfers are covered by the European Commission's Standard Contractual Clauses (and the UK Addendum), by an adequacy decision, or by the EU-US Data Privacy Framework where our provider is certified. You can request a copy of the relevant safeguards from privacy@papermache.io.
11. Security
- Everything is encrypted in transit (TLS) and at rest.
- Photo storage is a private bucket. Access is enforced server-side by row-level security, not by hiding buttons in the interface.
- Sign-in is passwordless — there is no password of yours for us to leak.
- Payment card data never touches our servers; it goes straight to Stripe.
- Uploads are limited by type, file size and per-account quota, enforced at the storage layer.
No system is perfectly secure. If we ever suffer a breach affecting your personal data, we will notify you and the relevant regulator without undue delay, and within 72 hours where the GDPR requires it.
12. Children
The Service is not directed at children. You must be 13 or older to use it, and 16 or older in the EEA and UK. We do not knowingly collect personal data from children below those ages. If you believe a child has given us data, email privacy@papermache.io and we will delete it.
Photographs of children uploaded by a parent or guardian are, of course, fine — that is much of what this product is for. Section 3 of the Terms covers your responsibility to have the right to upload images of other people's children.
13. Changes
We will update this policy when what we do changes. If a change is material — a new category of data, a new purpose, a new processor who receives your photos — we will email you at least 30 days before it takes effect. The “last updated” date at the top always reflects the current version.
14. Contact us
Paper Mache
Toronto, Ontario, Canada
Privacy: privacy@papermache.io
Everything else: hello@papermache.io