Privacy Policy
Last updated: January 2, 2026
One Punch Technology, Inc. ("Company," "we," "our," or "us") operates Tinify.ai ("Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information and uploaded images when you use our AI-powered image optimization service.
1. Information We Collect
Registration Information
When you create an account, we collect the following information:
- Email address: Used for account identification, authentication, and communication
- Password: Stored as a secure hash (never in plain text) and managed by our authentication provider, Supabase
- Account metadata: Creation date, subscription tier, and usage statistics
Payment Information
When you subscribe to a paid plan, payment processing is handled entirely by Stripe, a PCI-compliant payment processor. We do not store, process, or have access to:
- Credit or debit card numbers
- CVV/security codes
- Full card expiration dates
- Bank account details
We only receive from Stripe: a unique customer ID, subscription status, last four digits of your card (for display purposes), and billing history.
Image Data
When you upload images for processing, we temporarily store:
- Original uploaded images
- Processed/optimized versions of your images
- Image metadata (filename, size, format, dimensions)
Images are stored temporarily on Google Cloud Storage and are automatically deleted according to your subscription tier (see the Data Retention section below).
Usage Information
We automatically collect information about your interaction with our Service:
- Log data (IP address, browser type, device information)
- Usage patterns and feature interactions
- Performance metrics and error reports
- Number of images processed and credits used
2. Cookies and Tracking Technologies
We use the following types of cookies:
Essential Cookies
- Session cookies: Required for authentication and maintaining your logged-in state
- Security cookies: Help protect against cross-site request forgery and other security threats
Analytics Cookies
- Usage analytics: Help us understand how users interact with our Service to improve functionality
- Performance monitoring: Track page load times and error rates to ensure service reliability
You can control cookie preferences through your browser settings. Disabling essential cookies may affect Service functionality.
3. How We Use Your Information
We use collected information for:
- Processing and optimizing your uploaded images using AI technology
- Providing AI upscaling, compression, and SEO metadata generation
- User authentication and account management
- Processing payments and managing subscriptions
- Customer support and communication
- Service improvement and analytics (using anonymized data)
- Legal compliance and security
- Marketing communications (with your consent)
4. Third-Party Services
We use the following third-party services to operate our platform. Each service has its own privacy policy governing how it handles your data:
Stripe (Payment Processing)
Stripe processes all payment transactions. They are PCI-DSS Level 1 certified, the highest level of certification in the payments industry.
- Privacy Policy: https://stripe.com/privacy
- Data processed: Payment card details, billing address, transaction history
Supabase (Authentication and Database)
Supabase provides our authentication system and database infrastructure. They handle secure password hashing and session management.
- Privacy Policy: https://supabase.com/privacy
- Data processed: Email, password hash, session tokens, account data
Google Cloud Platform (Storage and Processing)
Google Cloud provides our cloud infrastructure for image storage and processing services.
- Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice
- Data processed: Uploaded images, processed images, application logs
- Data location: Images are stored in US-based data centers
5. Image Data Handling
Your uploaded images are handled with the following safeguards:
- Encryption: All images are encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access control: Images are accessible only via unique, time-limited signed URLs
- Isolation: Each user's images are stored in isolated storage paths
- No training: Your images are never used to train AI models
- Automatic deletion: Images are automatically and permanently deleted according to your tier's retention period
6. Data Retention
We retain different types of data for different periods:
Image Retention by Tier
| User Tier | Retention Period |
|---|---|
| Unregistered (Guest) | 1 hour |
| Free | 24 hours |
| Pro | 7 days |
| Max | 14 days |
You may request immediate deletion of your images at any time through your account settings or by contacting support.
Account Data Retention
- Active accounts: Data retained while account is active
- Deleted accounts: Personal data deleted within 30 days of account deletion request
- Transaction records: Retained for 7 years for legal and tax compliance
- Anonymized analytics: May be retained indefinitely
7. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
Right to Access
You can request a copy of all personal data we hold about you. We will provide this within 30 days in a machine-readable format (JSON or CSV).
Right to Deletion
You can request deletion of your account and associated data. Upon request, we will:
- Immediately delete all stored images
- Delete account data within 30 days
- Cancel any active subscriptions
- Anonymize usage logs
Right to Data Portability
You can export your data at any time, including:
- Account information
- Currently stored images (within retention period)
- Processing history
- Subscription and billing history
Additional Rights
- Correction: Request correction of inaccurate data
- Objection: Object to processing for marketing purposes
- Restriction: Request restriction of processing
- Withdrawal: Withdraw consent where processing is based on consent
To exercise any of these rights, contact us at privacy@tinify.ai or use the account settings in your dashboard.
8. Data Security
We implement comprehensive security measures to protect your data:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for all data at rest
- Secure password hashing using industry-standard algorithms
- Regular security audits and penetration testing
- Access controls and audit logging
- DDoS protection and rate limiting
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own, primarily the United States, where our infrastructure is located. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses where required.
10. Children's Privacy
Our Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will promptly delete it.
11. California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know whether personal information is sold or disclosed
- Right to opt out of the sale of personal information
- Right to delete personal information
- Right to non-discrimination for exercising CCPA rights
We do not sell your personal information. To exercise your CCPA rights, contact us at privacy@tinify.ai.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and sending an email notification to registered users.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
One Punch Technology, Inc.
Email: privacy@tinify.ai
Subject: Privacy Policy Inquiry
For data access, deletion, or portability requests, please include:
- Your account email address
- The specific right you wish to exercise
- Any relevant details to help us locate your data
We will respond to all legitimate requests within 30 days.