Privacy Policy
Last updated: May 28, 2026
One Punch Technology, Inc. ("Company," "we," "our," or "us") operates Tinify.ai ("Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information and uploaded images when you use our AI-powered image optimization service.
1. Information We Collect
Registration Information
When you create an account, we collect the following information:
- Email address: Used for account identification, authentication, and communication
- Password: Stored as a secure hash (never in plain text) and managed by our authentication provider, Supabase
- Account metadata: Creation date, subscription tier, and usage statistics
Payment Information
When you subscribe to a paid plan, payment processing is handled entirely by Stripe, a PCI-compliant payment processor. We do not store, process, or have access to:
- Credit or debit card numbers
- CVV/security codes
- Full card expiration dates
- Bank account details
We only receive from Stripe: a unique customer ID, subscription status, last four digits of your card (for display purposes), and billing history.
Image Data
When you upload images for processing, we temporarily store:
- Original uploaded images
- Processed/optimized versions of your images
- Image metadata (filename, size, format, dimensions)
Your uploaded images and their processed versions are stored temporarily on Google Cloud Storage. Both the original upload and the optimized output are deleted automatically once your tier's retention period expires. Deletion runs on a periodic schedule; actual removal occurs within a few hours of expiry. In all cases, images are fully removed within the outer bounds shown in the Data Retention table below.
Usage Information
We automatically collect information about your interaction with our Service:
- Log data (IP address, browser type, device information)
- Usage patterns and feature interactions
- Performance metrics and error reports
- Number of images processed and credits used
2. Cookies and Tracking Technologies
We use the following types of cookies:
Essential Cookies
- Session cookies: Required for authentication and maintaining your logged-in state
- Security cookies: Help protect against cross-site request forgery and other security threats
Analytics Cookies
- Usage analytics: Help us understand how users interact with our Service to improve functionality
- Performance monitoring: Track page load times and error rates to ensure service reliability
You can control cookie preferences through your browser settings. Disabling essential cookies may affect Service functionality. We also honor the Global Privacy Control (GPC) signal — if your browser sends Sec-GPC: 1, analytics tracking is automatically disabled for your session.
3. How We Use Your Information
We use collected information for:
- Processing and optimizing your uploaded images using AI technology
- Providing AI upscaling, compression, and SEO metadata generation
- User authentication and account management
- Processing payments and managing subscriptions
- Customer support and communication
- Service improvement and analytics (using anonymized data)
- Legal compliance and security
- Marketing communications (with your consent)
4. Third-Party Services
We use third-party service providers to operate our platform. We require these providers to handle your data only for the purpose of delivering their services to us, and not for their own independent purposes. Each category of provider and the data they handle is described below.
Payment Processing
Payment transactions are handled by a PCI-DSS Level 1 certified payment processor. We do not receive or store your card details.
- Data processed: Payment card details, billing address, transaction history
Authentication and Database
User authentication, secure password hashing, and session management are handled by a third-party authentication and database provider.
- Data processed: Email, password hash, session tokens, account data
Cloud Infrastructure (Storage, Processing, and AI Services)
We use Google Cloud Platform for image storage, application infrastructure, and AI-powered services including SEO metadata generation.
- Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice
- Data processed: Uploaded images, processed images, application logs, image content for AI metadata generation
- Data location: US-based data centers
Image Compression Service Providers
We use specialist third-party image compression services to reduce file sizes. Your uploaded images are transmitted to these services for processing and are not retained by them beyond the immediate processing operation.
- Data processed: Uploaded image files
AI Upscaling Service Providers
AI upscaling (resolution enhancement) is performed using third-party AI model inference services. Images are transmitted to these services solely to produce the upscaled output.
- Data processed: Uploaded image files
Analytics Service Providers
We use a third-party analytics platform to understand how our Service is used and to improve functionality. Analytics data is collected only for registered users and is associated with your account.
- Data processed: Usage events, session identifiers, feature interactions
5. Image Data Handling
Your uploaded images are handled with the following safeguards:
- Encryption: All images are encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access control: Images are accessible only via unique, time-limited signed URLs
- Isolation: Each user's images are stored in isolated storage paths
- Automatic deletion: Images are automatically and permanently deleted according to your tier's retention period
6. Data Retention
We retain different types of data for different periods:
Image Retention by Tier
| User Tier | Download Link Expires | Image Deleted Within |
|---|---|---|
| Unregistered (Guest) | 1 hour | 24 hours |
| Free | 24 hours | 48 hours |
| Starter | 7 days | 8 days |
| Pro | 7 days | 8 days |
| Max | 14 days | 15 days |
“Download link expires” is when your image becomes inaccessible. “Image deleted within” is the guaranteed outer bound for permanent removal from our servers, including both your original upload and the optimized version.
You may request deletion of your images at any time by emailing privacy@tinify.ai with your account email and the subject “Image Deletion Request.” We will process deletion requests within 48 hours.
Account Data Retention
- Active accounts: Data retained while account is active
- Deleted accounts: Personal data deleted within 30 days of account deletion request
- Transaction records: Retained for 7 years for legal and tax compliance
- Anonymized analytics: May be retained indefinitely
7. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
Right to Access
You can request a summary of the personal data we hold about you by emailing privacy@tinify.ai. We will respond within 45 days.
Right to Deletion
You can request deletion of your account and associated data by emailing privacy@tinify.ai. Upon a verified request, we will:
- Delete stored images (subject to your tier's retention schedule)
- Delete account data within 45 days
- Cancel any active subscriptions
- Anonymize usage logs
Right to Data Portability
You can request a copy of your personal data by emailing privacy@tinify.ai. We will provide the following within 45 days:
- Account information
- Processing history (last 90 days)
- Subscription and billing history
Additional Rights
- Correction: Request correction of inaccurate data
- Objection: Object to processing for marketing purposes
- Restriction: Request restriction of processing
- Withdrawal: Withdraw consent where processing is based on consent
Right to Limit Use of Sensitive Personal Information
Under the California Privacy Rights Act (CPRA), certain categories of personal information are classified as “Sensitive Personal Information” (SPI) and carry additional protections. Tinify.ai collects the following SPI:
- IP address (as geolocation indicator) — collected when you use the service as a guest; only a one-way hash is stored, never the raw address.
- Cryptocurrency wallet address — collected only if you make a payment using the x402 crypto payment protocol. Your wallet address is stored solely as a transaction record (similar to storing a billing address). Tinify.ai cannot initiate transactions, request funds, or access your wallet in any way — every payment requires your explicit authorization through your own wallet software.
You have the right to request that we limit our use of your sensitive personal information to what is necessary to provide the service. To exercise this right, email privacy@tinify.ai.
To exercise any of these rights, contact us at privacy@tinify.ai with your account email and a description of the right you wish to exercise. We will respond to all legitimate requests within 45 days.
8. Data Security
We implement comprehensive security measures to protect your data:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for all data at rest
- Secure password hashing using industry-standard algorithms
- Regular security audits and penetration testing
- Access controls and audit logging
- DDoS protection and rate limiting
Both your original uploaded images and their processed versions are deleted according to your subscription tier. Neither copy is retained after your retention period expires.
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security of your data.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own, primarily the United States where our infrastructure is located. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses where required.
10. Children's Privacy
Our Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will promptly delete it.
11. California Privacy Rights (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA, in force January 2023):
- Right to know what personal information is collected
- Right to know whether personal information is sold or disclosed
- Right to opt out of the sale of personal information
- Right to delete personal information
- Right to correct inaccurate personal information (CPRA)
- Right to limit use of sensitive personal information (CPRA)
- Right to non-discrimination for exercising these rights
We do not sell your personal information. We also honor the Global Privacy Control (GPC) signal — browsers that send Sec-GPC: 1 are automatically opted out of analytics tracking. To exercise any California privacy right, contact us at privacy@tinify.ai. See Section 7 for full details on how to submit a request.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and sending an email notification to registered users.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
One Punch Technology, Inc.
Email: privacy@tinify.ai
Subject: Privacy Policy Inquiry
For data access, deletion, or portability requests, please include:
- Your account email address
- The specific right you wish to exercise
- Any relevant details to help us locate your data
We will respond to all legitimate requests within 30 days.