Paper Mache

Privacy Policy

What we collect, and what we don't · Effective July 14, 2026 · Last updated July 14, 2026

The short version. We collect your email address, the photos you upload, the posters you build, and — if you order a print — your shipping address. We use Google Analytics to see how the site is used. We do not sell your data. We do not run ads. We do not use your photos to train AI models. Your photos are stored privately and are only ever shown to you, to people you explicitly share with, and to the printer when you place an order.

1. Who we are

Paper Mache (Toronto, Ontario, Canada) is the controller of the personal data described here — meaning we decide why and how it is processed. This policy covers papermache.io, our iOS app, and everything you do with them.

Questions, or any request about your data: privacy@papermache.io.

2. What we collect

You give us

DataWhen
Email addressWhen you sign in. If you use Google or Apple, we receive your email address and, if you allow it, your name — nothing else from your Google or Apple account.
PhotosWhen you upload them. Includes whatever is visible in the image itself.
Poster designsTitles, layouts, frames, filters, sizes, and where each photo sits on the page.
Comments and collaboratorsComment text, and the email addresses of anyone you invite to a poster.
Order and shipping detailsName, shipping address, and what you ordered. Card details go directly to Stripe. We never see or store your card number.
Support messagesAnything you email us.

We collect automatically

What we deliberately do not collect

3. Why we use it, and our legal basis

If you are in the EEA or UK, the GDPR requires us to name a legal basis for each purpose. Here they are.

PurposeLegal basis
Create your account and sign you inPerformance of a contract
Store your photos and posters, and show them back to youPerformance of a contract
Print and ship your order, and take paymentPerformance of a contract
Answer your support emailsPerformance of a contract; legitimate interests
Keep the Service secure, prevent abuse, enforce quotasLegitimate interests
Analytics, to understand how the product is used and improve itConsent (in the EEA/UK/Switzerland); legitimate interests elsewhere. You can withdraw consent at any time.
Keep records of completed ordersLegal obligation (tax and accounting law)

We do not use your data for automated decision-making that produces legal or similarly significant effects, and we do not profile you.

4. Your photos, specifically

This is the part most people actually want to know, so we will be exact.

5. Who we share data with

We do not sell your personal data, and we never have. We share it only with service providers who process it on our behalf, under contract, and only to the extent they need it:

ProcessorWhat forWhere
SupabaseDatabase, file storage, and authenticationUnited States
VercelWebsite hosting and content deliveryUnited States
Google AnalyticsProduct and traffic analyticsUnited States
StripePayment processingUnited States
ProdigiPrint production and shippingUnited Kingdom / global print network

Our print partner receives only what is needed to make and deliver your order: the print file, your name, and your shipping address. They do not receive your other posters, your other photos, or your account history.

We will also disclose data if we are legally required to — a valid court order, subpoena, or similar. We will notify you unless we are legally prohibited from doing so. And if we are ever acquired or merged, your data may transfer to the successor, who will be bound by a policy at least as protective as this one; we will tell you before that happens.

6. Cookies and analytics

We use two kinds of cookies: strictly necessary ones that keep you signed in, and analytics cookies set by Google Analytics 4.

In the EEA, UK and Switzerland, analytics cookies are off by default and are only set if you press “Allow” on the banner. We use Google Consent Mode, we have IP anonymisation turned on, and Google Signals and advertising features are disabled — so analytics data is not used to build an advertising profile of you.

Full detail, including how to change your mind: Cookie Notice.

7. How long we keep it

DataRetention
Photos and postersUntil you delete them, or 30 days after you close your account
Account and email addressUntil you close your account
Order records and invoices7 years after the order — required by tax law, and kept even if you close your account
Support emails2 years
Analytics data14 months
Server logsUp to 30 days
Encrypted backupsRolling 30 days, then overwritten

8. Your rights

Wherever you live, you can ask us to do all of the following, and we will do it — we do not gatekeep these rights by geography.

Email privacy@papermache.io from the address on your account. We respond within 30 days. We will not charge you, and we will not treat you differently for asking.

If you are in the EEA or UK and think we have got it wrong, you may complain to your national supervisory authority. We would rather you told us first, but it is your right either way.

9. US state privacy rights

If you live in California, Colorado, Connecticut, Virginia, or another state with a comprehensive privacy law, you have the rights listed above, plus the right to opt out of the “sale” or “sharing” of personal information and of targeted advertising.

We do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not engage in targeted advertising or cross-context behavioural advertising. There is nothing to opt out of. We honour Global Privacy Control signals regardless.

We do not knowingly collect the personal information of anyone under 16 for sale or sharing — again, because we do not sell or share it at all.

10. International transfers

Our providers are primarily in the United States, and our print partner operates a global print network, so your data will be transferred outside your country — including outside the EEA and UK.

Where that happens, transfers are covered by the European Commission's Standard Contractual Clauses (and the UK Addendum), by an adequacy decision, or by the EU-US Data Privacy Framework where our provider is certified. You can request a copy of the relevant safeguards from privacy@papermache.io.

11. Security

No system is perfectly secure. If we ever suffer a breach affecting your personal data, we will notify you and the relevant regulator without undue delay, and within 72 hours where the GDPR requires it.

12. Children

The Service is not directed at children. You must be 13 or older to use it, and 16 or older in the EEA and UK. We do not knowingly collect personal data from children below those ages. If you believe a child has given us data, email privacy@papermache.io and we will delete it.

Photographs of children uploaded by a parent or guardian are, of course, fine — that is much of what this product is for. Section 3 of the Terms covers your responsibility to have the right to upload images of other people's children.

13. Changes

We will update this policy when what we do changes. If a change is material — a new category of data, a new purpose, a new processor who receives your photos — we will email you at least 30 days before it takes effect. The “last updated” date at the top always reflects the current version.

14. Contact us

Paper Mache
Toronto, Ontario, Canada
Privacy: privacy@papermache.io
Everything else: hello@papermache.io