Privacy Policy

Last updated: April 13, 2026

1. Introduction

Free Image Optimiser ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is Free Image Optimiser. For all privacy-related inquiries, please use the contact details in section 12 below.

3. Images & Browser-Based Processing

We do not upload, access, or store any of your images. All image processing is performed entirely in your web browser using the HTML5 Canvas API. Image data never leaves your device.

4. Personal Data We Collect

We collect the minimum data necessary to provide the Service:

4.1 Account Information

  • Email address — for account identification, login, and transactional emails.
  • Name — for display purposes and correspondence.
  • Google profile data — if you sign in via Google OAuth (name, email, avatar URL, Google ID).
  • Password hash — if you register with email (we never store plain-text passwords).

4.2 Usage Data

  • Number of images optimized per day.
  • Approximate size reduction (MB saved).
  • Timestamps of usage sessions.

4.3 Payment Data

Payments are processed by Stripe. We do not store your full credit card number. We store only:

  • Stripe customer ID and payment intent ID.
  • Order amount, currency, and status.
  • Last four digits of the card (for your receipt).

For details on Stripe's data handling, see Stripe's Privacy Policy.

4.4 Technical Data

  • IP address (logged by our web server, not stored in our application database).
  • Browser type and version (via standard HTTP headers).

5. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases under GDPR Article 6:

  • Contract performance (Art. 6(1)(b)) — to provide the Service, manage your account, and process payments.
  • Legitimate interests (Art. 6(1)(f)) — to maintain security, prevent abuse, and improve the Service.
  • Consent (Art. 6(1)(a)) — for optional cookies and marketing communications (if any).
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and legal requirements.

6. Cookies

We use a limited number of cookies. For full details, see our Cookie Policy.

CookiePurposeDuration
PHPSESSIDSession management (login state, CSRF protection)30 days
fio_cookie_consentRemembers your cookie consent choice365 days

7. Data Sharing & Third Parties

We share personal data only with:

  • Stripe — for payment processing (see their privacy policy).
  • Google — for OAuth authentication (see their privacy policy).
  • Email provider — for sending transactional emails (password reset, order confirmation).

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

8. Data Retention

  • Account data: Retained while your account is active. Deleted upon account deletion request.
  • Usage logs: Retained for up to 12 months for analytics, then purged.
  • Payment records: Retained for 7 years to comply with tax and accounting obligations.

9. Your Rights Under GDPR

If you are in the European Economic Area (EEA) or UK, you have the following rights:

  • Right of access — request a copy of your personal data.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure ("right to be forgotten") — request deletion of your data.
  • Right to restrict processing — request limitation of how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, visit your Account page where you can export your data or delete your account. You may also contact us directly.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encrypted connections (HTTPS/TLS) for all data in transit.
  • Bcrypt hashing for passwords.
  • CSRF protection on all state-changing operations.
  • HTTP-only, secure session cookies.
  • Prepared statements for all database queries.

11. International Transfers

If your data is transferred outside the EEA (e.g., to cloud infrastructure or Stripe's US servers), we ensure it is protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) or the service provider's certification under applicable data protection frameworks.

12. Contact & Complaints

For any privacy-related questions or to exercise your data rights, contact us via the Support page or by email at the address listed on our website.

You also have the right to lodge a complaint with your local data protection supervisory authority.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Service. Continued use after changes constitutes acceptance of the revised policy.