Zernike

Privacy Policy

Last updated: May 7, 2026

1. Information We Collect

We collect the following categories of information when you use AzDrop:

Account & Profile Data (registered users)

  • Email address and hashed password
  • Storage quota and current usage
  • Account role (standard or admin)

Media & Gallery Data

  • Uploaded file names, sizes, content types, and image dimensions
  • EXIF metadata embedded in your photos (e.g. camera model, capture date, GPS coordinates if present)
  • Gallery titles, descriptions, and configuration settings (password protection, download permissions, share expiration dates)
  • Collection and collaboration invitation records

Visitor & Client Interaction Data (guests accessing shared galleries)

  • Visitor name and email address (when required by the gallery owner's Visitor Mode setting)
  • Name, email address, and message submitted through client selection forms
  • Photo selections made during the client review workflow
  • Comments submitted on photos, including the commenter's email address
  • Visitor session tokens used to track authenticated access to galleries with Visitor Mode enabled

Automatically Collected Data

  • IP address and approximate country (derived from request headers via Cloudflare)
  • Browser user-agent string and HTTP referrer
  • Action audit logs: events such as gallery views, downloads, uploads, and share link accesses, recorded with timestamps

We do not use any third-party analytics services (such as Google Analytics). All usage data is stored internally in our own database.

2. How We Use Your Information

  • To create and manage your account and authenticate your sessions
  • To store, display, and deliver your photos and galleries to you and the clients you share them with
  • To enforce storage quotas and account restrictions
  • To process client selections and comments submitted through shared gallery links
  • To generate optimized previews and thumbnails of uploaded media
  • To maintain security audit logs for fraud prevention and service integrity
  • To enforce rate limits and prevent abuse

3. Information Sharing & Third-Party Services

We do not sell your personal information. We rely on the following infrastructure providers to operate the service:

  • Supabase — Database (PostgreSQL) and user authentication. Stores account data, gallery metadata, audit logs, client selections, comments, and visitor registration data.
  • IDrive E2 (S3-compatible object storage) — Stores original uploaded photo and video files.
  • Cloudflare — Backend API runtime (Cloudflare Workers), CDN delivery of preview images (Cloudflare R2), video streaming infrastructure (Cloudflare Stream), and bot protection (Turnstile). Cloudflare also provides IP and country headers used in audit logging.
  • Cloudinary — Real-time image transformation and optimization for preview generation and display.
  • Fly.io — Video encoding service for HLS transcoding and delivery.
  • Vercel — Hosts the frontend web application.

Each provider is bound by their own data processing terms. We do not share your data with these providers beyond what is necessary to operate the service.

When you share a gallery with a client via a public share link, the recipient can view, comment on, and download photos per the permissions you configure. You are responsible for ensuring you have the right to share the content and that your clients are aware their submitted selections and comments will be stored.

4. Data Security

We implement the following technical measures to protect your data:

  • All passwords are hashed using bcrypt before storage; we never store plaintext passwords
  • Gallery passwords are separately hashed before storage
  • API authentication uses short-lived JWT tokens issued by Supabase
  • File access uses time-limited presigned URLs (15-minute expiry) — files are not served through our servers
  • Row-Level Security (RLS) policies in the database ensure users can only access their own data
  • HTTPS is enforced for all connections via Cloudflare
  • API endpoints enforce rate limiting to prevent brute-force and abuse

No method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

5. Data Retention

Your account data, galleries, and uploaded media are retained as long as your account is active. If you delete a gallery or photo, it is removed from our storage. Audit logs and client submission records may be retained for a reasonable period for security and operational purposes even after the associated gallery is deleted.

6. Your Rights

As a registered user, you can:

  • Access and manage your galleries, photos, and account settings directly through the platform
  • Delete individual photos or entire galleries at any time
  • Revoke or expire public share links for your galleries
  • Request deletion of your account and associated data by contacting us

Guests who submit selections or comments through a shared gallery link may contact us to request deletion of their submitted data.

7. Children's Privacy

AzDrop is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page when changes are made. Continued use of the service after changes constitutes your acceptance of the revised policy.

9. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at privacy@zernike.com.

Powered by the Zernike Media Group, Version 268151f • Made in the USA • Powered by ZernikeDeployPrivacy PolicyTerms of Use