Privacy Policy

Last Updated: December 29, 2025

This Privacy Policy describes how ColorYourPast ("Company", "we", "us", or "our") collects, uses, and shares your personal information when you use our website and services (the "Service").

By using ColorYourPast, you consent to the data practices described in this policy. If you do not agree with this Privacy Policy, please do not use our Service.

1. Data Collection

We collect various types of information to provide and improve our Service. Below are the categories of data we collect:

Account Data

When you create an account, we collect:

  • Email address
  • Name (as provided through Google OAuth or manually entered)
  • Profile picture (if using Google OAuth)
  • OAuth tokens (encrypted and used solely for authentication)

Session Data

We maintain database-persisted sessions to keep you logged in. Session data includes:

  • Session identifiers
  • Login timestamps
  • Session expiration (30-day lifetime)
  • Device information (browser type, operating system)

Photos and Images

When you use our colorization service, we collect:

  • Original black-and-white photos you upload
  • Colorized versions of your photos
  • Image metadata (file size, dimensions, format)
  • Upload timestamps

Transaction History

We maintain records of your purchases and usage:

  • Credit purchase history
  • Credit usage records (colorizations performed)
  • Payment method identifiers (processed securely by Stripe)
  • Transaction timestamps

Print Orders

If you order physical prints, we collect:

  • Shipping address
  • Recipient name
  • Phone number (if provided for delivery)
  • Order details (print size, quantity, framing options)
  • Order status and tracking information

2. Third-Party Services

We use third-party services to operate ColorYourPast. Each service has its own privacy policy governing how they handle your data:

ServicePurposeData Shared
Google OAuthAuthenticationEmail, name, profile picture (from your Google account)
ResendMagic link emailsEmail address
OpenAI APIPhoto colorizationUploaded images (processed per OpenAI API Data Usage Policy)
StripePayment processingPayment information (handled entirely by Stripe; we do not store card details)
AWS S3Photo storageOriginal and colorized photos (encrypted at rest)
AWS SQSProcessing queueJob metadata (photo IDs, processing status)
Prodigi Print APIPrint fulfillmentShipping address, order details, photos for printing
Vercel PostgresDatabaseAll user data, sessions, transactions (encrypted)

OpenAI Data Processing

When you colorize a photo, the image is sent to OpenAI's API for processing. OpenAI's API Data Usage Policy governs how they handle this data. As of our knowledge, OpenAI does not use API inputs to train their models, but we encourage you to review their current policies.

3. Data Retention

Your data is retained indefinitely until you explicitly request deletion.

Specifically:

  • Account data: Retained until you delete your account
  • Photos: Stored until you delete them or request account deletion
  • Transaction history: Retained for accounting and legal compliance purposes
  • Session data: Automatically expires after 30 days of inactivity
  • Print order data: Retained for order fulfillment and customer support

We may retain certain data longer if required by law or for legitimate business purposes (e.g., fraud prevention, legal disputes).

4. Your Rights

Depending on your location, you may have specific rights regarding your personal data. We honor requests from users worldwide, regardless of which framework applies to you.

GDPR Rights (European Union)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Request limitation of how we process your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

United Kingdom GDPR Rights

If you are located in the United Kingdom, you have equivalent rights under the UK General Data Protection Regulation (UK GDPR), including:

  • Right to access, rectification, and erasure
  • Right to restrict processing and data portability
  • Right to object and withdraw consent

The UK Information Commissioner's Office (ICO) is the supervisory authority for data protection in the UK.

CCPA Rights (California, USA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of what personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (Note: We do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

Categories of Personal Information Collected: As described in Section 1, we collect identifiers, commercial information, internet activity, and visual information.

PIPEDA Rights (Canada)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

  • Right to access your personal information
  • Right to challenge the accuracy of your information
  • Right to withdraw consent (subject to legal or contractual restrictions)
  • Right to file a complaint with the Office of the Privacy Commissioner of Canada

5. How to Exercise Your Rights

To exercise any of your data protection rights, please contact us at:

Email: privacy@coloryourpast.com

We will respond to your request within:

  • GDPR/UK GDPR: 30 days (extendable by 60 days for complex requests)
  • CCPA: 45 days (extendable by 45 days)
  • PIPEDA: 30 days

To verify your identity, we may ask you to confirm your email address or provide additional information.

6. Right to Lodge Complaints

If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with a supervisory authority:

  • EU: Contact your local Data Protection Authority (DPA)
  • UK: Information Commissioner's Office (ICO) - ico.org.uk
  • California: California Attorney General - oag.ca.gov/privacy
  • Canada: Office of the Privacy Commissioner - priv.gc.ca

7. Cookie Policy

ColorYourPast uses cookies and similar technologies to enhance your experience. Cookies are small text files stored on your device that help us remember your preferences and understand how you use our Service.

Cookie Categories

Necessary Cookies

These cookies are essential for the Service to function properly. They enable core features like:

  • User authentication and session management
  • Security features
  • Remembering your cookie consent preferences

These cookies cannot be disabled as they are required for the Service to work.

Functional Cookies

These cookies enhance your experience by remembering your preferences:

  • Language preferences
  • Display settings
  • Previously viewed content

Analytics Cookies

These cookies help us understand how visitors interact with our Service:

  • Pages visited and time spent
  • Features used
  • Error encounters

Analytics data is aggregated and does not personally identify you. We use this information to improve our Service.

Managing Cookies

When you first visit ColorYourPast, you will be presented with a cookie consent banner where you can accept all cookies or manage your preferences. You can change your preferences at any time by clearing your browser cookies.

Most web browsers also allow you to control cookies through their settings. Note that disabling certain cookies may affect the functionality of our Service.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for stored data
  • Regular security assessments
  • Access controls and authentication
  • Secure cloud infrastructure (AWS, Vercel)

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own, including the United States where our service providers are located. When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with our service providers
  • Privacy Shield certifications where applicable (for historical transfers)

10. Children's Privacy

ColorYourPast is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@coloryourpast.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

12. Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

ColorYourPast
Data Protection Inquiries: privacy@coloryourpast.com
General Support: support@coloryourpast.com