Privacy Policy
1. Introduction
This Privacy Policy explains how Golden Global Hawks, operating as RetouchFlow ("Company," "we," "us," or "our"), collects, uses, stores, shares, and protects your personal information when you use our website (https://retouchflow.com), API, mobile applications, and related services (collectively, the "Service").
We comply with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as other applicable data protection laws.
2. Information We Collect
2.1 Information You Provide
| Data Type | When Collected | Purpose |
|---|---|---|
| Email address | Account registration | Account identification, communication, password reset |
| Full name | Account registration | Account personalization, invoicing |
| Photos | When you upload for processing | AI enhancement and delivery |
| Payment information | When subscribing to a paid plan | Subscription billing (processed by Stripe) |
| Social media credentials | When connecting Instagram or OnlyFans | Publishing retouched photos to your accounts |
| Support communications | When you contact us | Resolving your inquiries |
2.2 Information Collected Automatically
| Data Type | Method | Purpose |
|---|---|---|
| Page views and usage patterns | Plausible Analytics | Understanding how the Service is used |
| Device type and browser | Plausible Analytics | Service optimization |
| Referring source | Plausible Analytics | Marketing attribution |
Important: We use Plausible Analytics, a privacy-friendly analytics tool that does not use cookies, does not track users across sites, and does not collect personal identifiers. All analytics data is aggregated and anonymous.
2.3 Information We Do NOT Collect
- We do not use tracking cookies or advertising pixels
- We do not collect biometric data or facial recognition identifiers from your photos
- We do not build advertising profiles
- We do not track you across other websites
- We do not store your full credit card number (Stripe handles this)
- We do not access your social media messages or private content
3. How We Use Your Information
- Providing the Service — processing your photos with AI enhancement, delivering results, enabling social publishing
- Account management — creating and maintaining your account, authenticating access
- Billing — processing payments, managing subscriptions, issuing receipts and invoices
- Communication — sending transactional emails (receipts, password resets, processing notifications)
- Service improvement — analyzing aggregated, anonymous usage data to improve features
- Legal compliance — fulfilling legal obligations, responding to lawful requests
- Security — detecting and preventing fraud, abuse, and unauthorized access
We do not use your photos to train AI models. Your photos are processed through pre-trained models hosted by Replicate and are not retained by those services beyond the processing duration.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share data only with the following service providers:
| Provider | Data Shared | Purpose |
|---|---|---|
| Stripe | Email, name, payment method | Payment processing and subscription management |
| Replicate | Photos (during processing) | AI model execution |
| AWS (Amazon S3) | Photos | Temporary cloud storage (us-east-2 region) |
| Plausible Analytics | Anonymous page view data | Privacy-friendly usage analytics |
| Instagram (Meta) | Photos, account tokens | Social publishing (only when you initiate) |
| OnlyFans | Photos, session tokens | Social publishing (only when you initiate) |
5. Data Storage and Security
5.1 Storage Location
- Photos: AWS S3, us-east-2 region (United States)
- Account data: Encrypted database hosted in the United States
- Payment data: Stored and managed by Stripe (PCI-DSS compliant)
5.2 Security Measures
- Encryption in transit (TLS/HTTPS for all connections)
- Encryption at rest for stored data
- Access controls limiting employee access to personal data
- Regular security assessments
- Automated deletion of photos after the retention period
6. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Uploaded photos | 30 days after processing | Automatic deletion from AWS S3 |
| Processed photos | 30 days after processing | Automatic deletion from AWS S3 |
| Account information | Lifetime of account + 30 days | Deleted upon request |
| Payment records | As required by law (typically 7 years) | Deleted after legal requirement expires |
| Support communications | 2 years | Deleted after retention period |
| Analytics data | Aggregated indefinitely (no personal data) | N/A (anonymous) |
You may request early deletion of your photos at any time through your account settings or by contacting [email protected].
7. Cookies and Tracking
RetouchFlow does not use cookies for analytics or advertising.
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Keeping you logged in | Browser session or 30 days |
| CSRF token | Preventing cross-site request forgery | Browser session |
These cookies are strictly necessary for the Service to function and do not require consent under GDPR.
8. Your Rights Under GDPR
If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights:
- Right of Access (Article 15) — Request a copy of the personal data we hold about you
- Right to Rectification (Article 16) — Request correction of inaccurate data
- Right to Erasure (Article 17) — Request deletion of your personal data
- Right to Restrict Processing (Article 18) — Limit how we use your data
- Right to Data Portability (Article 20) — Receive your data in a machine-readable format
- Right to Object (Article 21) — Object to processing based on legitimate interests
- Right to Withdraw Consent — Withdraw consent at any time
- Right to Lodge a Complaint — File a complaint with a supervisory authority
Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service (photo processing) | Performance of contract |
| Account management | Performance of contract |
| Payment processing | Performance of contract |
| Service improvement (anonymous analytics) | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation |
International Data Transfers
Your data may be transferred to and processed in the United States. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Your Rights Under CCPA
If you are a California resident:
- Right to Know — Request disclosure of data we collect and how we use it
- Right to Delete — Request deletion of your personal information
- Right to Opt-Out of Sale — We do not sell your personal information.
- Right to Non-Discrimination — We will not discriminate against you for exercising your rights
Categories Under CCPA
| CCPA Category | Data Collected | Sold? | Business Purpose |
|---|---|---|---|
| Identifiers | Email, name | No | Account management |
| Commercial information | Subscription history | No | Billing |
| Internet activity | Anonymous page views | No | Service improvement |
| Visual information | Photos (user-uploaded) | No | AI photo processing |
California residents may submit requests by emailing [email protected] with the subject line "CCPA Request." We will respond within 45 days.
10. Children's Privacy
RetouchFlow is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that a user is under 18, we will promptly delete their account and associated data.
11. Third-Party Links and Services
This Privacy Policy applies only to RetouchFlow. We encourage you to review the privacy policies of third-party services:
- Stripe Privacy Policy
- Replicate Privacy Policy
- AWS Privacy Policy
- Instagram/Meta Privacy Policy
- OnlyFans Privacy Policy
- Plausible Analytics Data Policy
12. Social Publishing and Third-Party Accounts
When you connect your Instagram or OnlyFans account, we access only the permissions necessary to publish photos on your behalf. We do not access your messages, followers, earnings, or other private data. You may disconnect accounts at any time from your RetouchFlow settings.
Social media access tokens are stored encrypted and are deleted when you disconnect an account or delete your RetouchFlow account.
13. AI Processing and Your Photos
When you upload a photo, it is uploaded to AWS S3 and sent to Replicate's API for AI processing. The enhanced result is stored on S3 and made available for download, and photos are automatically deleted after 30 days.
We do not use your photos to train AI models. We do not extract, store, or create biometric identifiers or facial recognition templates.
14. Data Breach Notification
In the event of a data breach, we will notify affected users within 72 hours, notify relevant supervisory authorities as required by law, describe the nature of the breach and data affected, and provide guidance on steps you can take to protect yourself.
15. Do Not Track
Since we do not track users across websites and use only privacy-friendly analytics (Plausible), our practices already align with DNT principles regardless of your browser setting.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email or a prominent notice on the Service. Continued use after changes take effect constitutes acceptance.
17. Data Protection Officer
For GDPR-related inquiries, contact us at [email protected] with the subject line "Data Protection Inquiry." We will respond within 30 days.
18. Contact Us
RetouchFlow (operated by Golden Global Hawks)
Email: [email protected]
Website: https://retouchflow.com
For CCPA requests: subject line "CCPA Request"
For GDPR requests: subject line "Data Protection Inquiry"
By using RetouchFlow, you acknowledge that you have read and understood this Privacy Policy.