Privacy Policy

Last updated: April 15, 2026

Short version: Equipora analyzes your photos to produce sorted albums and cleanup suggestions. Preview-sized copies are sent to our servers and temporarily stored so AI models can analyze them. Your original photos stay on your device. You can delete your account and all associated data at any time.

1. Controller

The data controller under GDPR is the operator named in the Imprint. Privacy contact: [email protected].

2. What we process

2.1 Account data

email address
optional display name
hashed password (never plaintext) or Google account ID if you use "Sign in with Google"
registration timestamp, last sign-in, session tokens
email verification codes

Legal basis: Art. 6(1)(b) GDPR (contract performance).

2.2 Photos and derived data

When you sort photos with Equipora we transmit preview-sized copies (max. 2048 px long edge) to our servers. On those previews we run:

AI analysis of content, quality, composition (e.g. "beach", "blurry", "screenshot")
perceptual hashing for near-duplicate detection
optionally: face embeddings to cluster recurring people (clustering only, no identification)

We store: the preview (temporarily, see retention), file hashes, analysis results (tags, categories, quality scores), derived album and cleanup suggestions.

Your original photos stay on your device. Equipora never writes photos to external services unless you explicitly authorize it per sort run.

Legal basis: Art. 6(1)(b) GDPR.

2.3 Technical data

For operations and debugging the server logs:

IP address (truncated after 7 days)
timestamp, HTTP method, path, status code
user agent (app version, Android version)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation).

3. Third-party recipients (processors)

Recipient	Purpose	Location	Basis
OpenAI, LLC (USA)	AI image analysis (GPT Vision)	USA (SCCs)	Art. 6(1)(b), 46 GDPR
Google LLC (USA)	AI image analysis (Gemini), Google Sign-In	USA / EU (SCCs)	Art. 6(1)(b), 46 GDPR
Hetzner Online GmbH	Server hosting, database, preview storage	Germany	Art. 6(1)(f), 28 GDPR
Brevo (Sendinblue)	Transactional email	Germany / France	Art. 6(1)(b) GDPR
Google Play (on purchase)	Subscription and one-time purchase billing	USA / EU	Art. 6(1)(b) GDPR

4. Retention

Data	Retention
Account data	until account deletion
Uploaded previews	max. 30 days after last scan, then auto-purge
Analysis results	until account deletion or manual reset
Face embeddings	until account deletion or feature disable
IP addresses	7 days (truncated), then anonymized
Billing records	10 years (German tax law)

5. App permissions

Read photos & videos (READ_MEDIA_IMAGES, READ_MEDIA_VIDEO) – to analyze your library; only preview copies leave the device
Post notifications (POST_NOTIFICATIONS) – inform you when a scan finishes
Foreground service (data sync) – finish scans while the screen is off; defaults to Wi-Fi only
Internet – upload previews, receive results

6. Your rights

Right of access (Art. 15)
Right to rectification (Art. 16)
Right to erasure (Art. 17) – in-app via Settings → Delete account, or by email
Right to restriction (Art. 18)
Right to data portability (Art. 20)
Right to object (Art. 21)
Right to lodge a complaint with a supervisory authority (Art. 77)

Privacy contact: [email protected]

7. Security

All client–server traffic runs over TLS (HTTPS) only.
Passwords are hashed with bcrypt/PBKDF2, never stored in plaintext.
API keys, OAuth secrets, and service account credentials are AES-256-GCM encrypted at rest.

8. Cookies

The website equipora.de does not use tracking cookies. Technical session cookies are only set for the admin panel.

9. Changes

We update this policy when features or processors change. Material changes are announced in the app. The current version is always available at equipora.de/privacy.

10. Contact

Privacy: [email protected]
Support: [email protected]