Privacy Policy

Last updated: 24 April 2026 · Version 1.0

This Privacy Policy explains how Obvious Bubbles LDA ("we", "us", "our" or the "Controller") collects, uses, stores, and protects your personal data when you visit our website or use the Restore Old Photos App (the "Service"). It is drafted in accordance with Regulation (EU) 2016/679 (the "GDPR"), the Portuguese Data Protection Act (Law 58/2019), and the ePrivacy rules.

Quick summary. We collect only what's needed to run the Service: your email, the photos you choose to restore, account and billing data, and basic technical logs. We process photos with AI partners (Google Gemini and, optionally, infrastructure we operate ourselves). We never sell your data, and we never use your photos to train AI models. You can delete your account and every associated photo at any time from the in‑app account page or by emailing privacy@obviousbubbles.pt.

1. Data Controller

Legal entity: Obvious Bubbles LDA
Portuguese tax number (NIPC): 516 517 350
Registered office: Portugal
General contact: hello@obviousbubbles.pt
Privacy / data subject rights: privacy@obviousbubbles.pt

We have not appointed a Data Protection Officer because our processing does not meet the thresholds of Article 37 GDPR. Privacy enquiries are handled by the company management via the address above.

2. Scope

This Policy applies to all personal data we collect through the Service, including the public website, the web app, any associated email communications, and any mobile application we may publish under the name Restore Old Photos App.

3. Categories of Personal Data We Process

Category	Examples	Source
Account data	Email address, account tier, creation date	You, at sign‑up
Authentication data	One‑time magic‑link tokens, session identifiers stored in an httpOnly cookie	Generated by us
User‑generated content	Photographs you upload for restoration and the corresponding restored outputs	You, by uploading
Billing data	Subscription plan, Stripe customer id, payment status, invoice records	You and Stripe
Technical data	IP address, user‑agent, timestamps, request metadata, crash and error logs	Automatically
Usage data	Actions taken in the Service, number of restorations, feature use	Automatically

Sensitive or "special category" data

Photographs can depict faces. Under Article 9 GDPR, biometric data is a special category of personal data only when processed for the purpose of uniquely identifying a natural person. We do not perform facial recognition or any biometric identification. Your photographs are processed solely to repair, enhance, and return them to you. We treat them as personal data, with the heightened care described below.

4. Purposes and Legal Bases

Purpose	Legal basis (Art. 6 GDPR)
Create and operate your account; deliver restorations; maintain your library	Performance of the contract between you and us (Art. 6(1)(b))
Send sign‑in magic links and transactional emails	Contract performance (Art. 6(1)(b))
Process payments and maintain billing records	Contract performance and legal obligation under Portuguese tax law (Art. 6(1)(b) and (c))
Prevent fraud, abuse, and unlawful uploads (including child sexual abuse material); enforce our Terms	Our legitimate interest in operating a lawful service and legal obligation (Art. 6(1)(c) and (f))
Improve reliability and performance of the Service through aggregate analytics and logs	Legitimate interest, balanced against your rights (Art. 6(1)(f))
Respond to your requests and provide customer support	Contract performance or your consent (Art. 6(1)(b) or (a))
Marketing emails about new features, where you opted in	Your consent (Art. 6(1)(a)) — withdrawable at any time

We never use your photographs to train machine‑learning models, neither ours nor a third party's, beyond the immediate restoration request you submit.

5. Who We Share Data With (Sub‑processors)

We rely on a small number of trusted service providers that process data on our behalf under written data processing agreements and, where relevant, Standard Contractual Clauses. As of the date of this Policy the list is:

Provider	Purpose	Location	Transfer safeguards
Cloudflare, Inc.	Hosting, CDN, DDoS protection, storage of account data and images (D1, R2, Workers)	EU primary region with global edge	EU Standard Contractual Clauses; EU‑US Data Privacy Framework certification
Resend, Inc.	Transactional email delivery (magic‑link sign‑in)	United States	EU Standard Contractual Clauses; EU‑US Data Privacy Framework certification
Google LLC (Gemini API)	AI image restoration when the primary pipeline is unavailable or the output quality check fails	United States, with regional routing available	EU Standard Contractual Clauses; EU‑US Data Privacy Framework certification. No training use per Google's API terms.
Stripe, Inc. / Stripe Payments Europe Ltd.	Payment processing, subscription billing, tax calculation	Ireland (EU) and United States	EU Standard Contractual Clauses; EU‑US Data Privacy Framework certification

An up‑to‑date list is maintained on request at privacy@obviousbubbles.pt. We may also disclose data to competent authorities where required by law.

We do not sell your personal data. We do not share it for third‑party advertising purposes.

6. International Transfers

Because the Service uses providers established outside the European Economic Area, your personal data may be transferred to, and processed in, the United States or other third countries. For every such transfer we rely on:

the European Commission's Standard Contractual Clauses (SCCs, 2021 controller‑to‑processor module) as executed in our data‑processing agreements with each provider;
the EU‑US Data Privacy Framework where the provider is certified under it;
supplementary technical measures including encryption in transit (TLS 1.2+) and encryption at rest for stored images and database contents.

You may request a copy of the safeguards that apply to a specific transfer by writing to privacy@obviousbubbles.pt.

7. Retention

Data	Retention
Uploaded photos and restored outputs	Stored as part of your personal library until you delete them or your account. If a restoration job fails or is abandoned, originals are automatically purged within 30 days.
Account and authentication data	For the life of the account, plus up to 90 days after closure for backup rotation.
Magic‑link tokens	15 minutes (expiry) or at first use.
Invoices and tax records	10 years (Portuguese tax law).
Technical logs	Up to 30 days, after which they are deleted or irreversibly anonymised.
Webhook events from Stripe (event id + type + redacted payload)	2 years, for idempotency and audit.

8. Your Rights

Under the GDPR you have the right to:

Access the personal data we hold about you and obtain a copy (Art. 15).
Rectify inaccurate or incomplete data (Art. 16).
Erase your data — the "right to be forgotten" (Art. 17). You can delete individual photos or your whole account from the in‑app account page, or request deletion by email.
Restrict processing in certain circumstances (Art. 18).
Data portability — receive the personal data you provided in a structured, commonly‑used machine‑readable format (Art. 20).
Object to processing based on legitimate interest (Art. 21).
Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7(3)).
Lodge a complaint with the Portuguese Data Protection Authority, Comissão Nacional de Proteção de Dados (CNPD), Av. D. Carlos I, 134, 1º, 1200‑651 Lisboa, www.cnpd.pt, or with the supervisory authority of your habitual residence or place of work in the EU.

To exercise any right, email privacy@obviousbubbles.pt. We reply within one month (extendable by two further months for complex requests, as permitted by Art. 12(3) GDPR). We may need to verify your identity before acting.

9. Security

We apply technical and organisational measures appropriate to the risks involved, including:

TLS 1.2+ encryption of all data in transit;
encryption at rest for images stored in Cloudflare R2 and for data stored in Cloudflare D1;
httpOnly, Secure, and SameSite session cookies; no passwords stored (we use magic‑link authentication);
least‑privilege access to production systems and audit logs;
rate limits on authentication endpoints and automated abuse detection;
vendor due diligence and contractual data protection obligations with every sub‑processor.

No internet service can be guaranteed 100 % secure. We will notify you and the CNPD of any personal data breach likely to result in a risk to your rights within 72 hours of becoming aware of it, as required by Art. 33–34 GDPR.

10. Cookies and Similar Technologies

The Service uses a single strictly necessary first‑party cookie (rp_session) to keep you signed in. No consent banner is legally required for strictly‑necessary cookies under Art. 5(3) of the ePrivacy Directive. We do not use third‑party tracking cookies, advertising cookies, or cross‑site analytics.

11. Children

The Service is intended for users aged 16 or older, in line with Article 8 GDPR and Portuguese law. If we become aware that a child under 16 has provided personal data without verifiable parental consent, we will delete the data and close the account.

12. Automated Decision‑Making

The AI restoration process is an automated treatment of your photograph, but it does not produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. You can review every restored image before saving it. You can decline the result and redo, discard, or delete it at any time.

13. Changes to this Policy

We may update this Policy to reflect changes in law, technology, or our service. We will post the updated version on this page and, when changes are material, notify signed‑in users by email at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.

14. Contact

General: hello@obviousbubbles.pt
Privacy and data subject requests: privacy@obviousbubbles.pt
Postal: Obvious Bubbles LDA, Portugal (NIPC 516 517 350)