Privacy Policy

Privacy Policy of Made By Photos

Last Updated: January 1, 2024

1. Introduction; Binding Agreement; U.S.–Only Service

Made By Photos (“Made By Photos,” “we,” “us,” or “our”) provides websites, mobile and web applications, mail-in digitization services, cloud storage, and related offerings (collectively, the “Services”). This Privacy Policy explains how we collect, use, disclose, retain, secure, and otherwise process information, including personal information, in the United States.

U.S.–Only Service. The Services are offered to U.S. residents with a U.S. shipping/billing address. We do not market or intend the Services for individuals outside the United States. If you are not a U.S. resident, you must not use the Services. The Services are not intended to comply with non-U.S. laws (e.g., GDPR) except to the extent U.S. law incorporates them.

By accessing or using the Services, you acknowledge you have read and understood this Privacy Policy and agree to be bound by it. If you do not agree, do not use the Services. This Privacy Policy is incorporated by reference into our Terms of Service (“Terms”).

Age. The Services are not directed to children under 13. Individuals under 18 may use the Services only with the involvement of a parent or legal guardian and subject to applicable law.

2. Definitions

  • Personal Information means information identifying, relating to, describing, reasonably capable of being associated with, or reasonably linkable to a particular consumer or household, as broadly construed under applicable U.S. law.
  • Sensitive Personal Information includes, where permitted and applicable, government-ID images for identity verification, precise geolocation, and limited face-feature vectors used to power account-local grouping or search (see §8).
  • User Content means photos, film, tapes, audio, documents, associated metadata (e.g., EXIF), scans, derivatives, and any media/materials you send, upload, store, share, or otherwise submit.
  • Sell and Share have the meanings in California law (sale for monetary or other valuable consideration; sharing for cross-context behavioral advertising).

3. Scope and Role

We act as a business (controller) for Personal Information we determine the purposes and means of processing, and as a service provider/processor to enterprise or integrated partners where we process on their behalf.

4. Categories of Information We Collect

We may collect the following categories directly from you, automatically, and from third parties:

  1. Identifiers & Contact: name, alias, postal address, email, phone, account IDs, login credentials, authentication tokens.
  2. Commercial & Subscription: orders, kit activations, plan tier, promotions, redemptions, cart activity, customer service history.
  3. Payment: tokenized card/ACH data via processors (we do not store full PANs).
  4. Internet/Network: IP address, device/browser details, app logs, pages viewed, referrers, approximate and precise geolocation (if enabled), cookie/SDK identifiers, push tokens.
  5. Inferences & Profile: preferences, interests, predicted affinities, product usage patterns.
  6. User Content & Metadata: digitized media, thumbnails, low-res/working copies, transformations, quality metrics, capture time, EXIF, scene labels.
  7. Sensitive Personal Information (if provided): government-ID images for verification; precise geolocation (if enabled); limited face-feature vectors for account-local grouping (see §8).
  8. Communications: emails, chats, calls/SMS and recordings/transcripts where permitted, support tickets.
  9. Third-Party Integration Data: single-sign-on, social or storage integrations you authorize.

5. Sources of Information

  • You: forms, uploads, mail-in kits, account registration, communications.
  • Automated Means: cookies, pixels, SDKs, beacons, local storage, session replay/telemetry, A/B testing tools, crash logs.
  • Service Providers/Partners: payment processors, shipping carriers, identity verification vendors, analytics/ad partners, data brokers, cloud/CDN providers.

6. Purposes for Processing

We may use information for any lawful business purpose, including to:

  • Provide, operate, and administer the Services; digitize, restore, store, stream, transcode, deliver, and enable sharing/re-ordering; operate tracking and logistics.
  • Authenticate & secure accounts; detect, prevent, and respond to fraud, abuse, and security incidents; debug and repair errors.
  • Run content features (including ML-powered tools such as deduplication, search, scene or face grouping within your account, enhancement, denoising, color correction, upscaling, rotation, de-skewing, and restoration).
  • Improve and develop Services and new features; conduct analytics, research, quality assurance, benchmarking, and testing (including with de-identified, aggregated, or low-res derivatives).
  • Personalize experiences, interfaces, and recommendations.
  • Marketing/Advertising (including cross-context behavioral advertising); measurement and attribution; segmentation and lookalike modeling; offers and promotions (subject to opt-out choices).
  • Compliance with law; respond to lawful requests; enforce the Terms and this Policy; protect rights, property, safety.

7. Cookies, Online Tracking, Session Replay

We and partners use cookies, pixels, SDKs, local storage, session-replay/telemetry (e.g., capturing clicks, scrolls, device/browser diagnostics—not payment fields or passwords), heatmaps, and A/B testing to operate, secure, personalize, measure, and improve the Services. Where required, we obtain consent. See Your Privacy Choices (§15) for “Do Not Sell/Share” and targeted advertising choices and our handling of Global Privacy Control (GPC).

8. User Content; Derivatives; Face Grouping

You represent you have all rights and consents to submit User Content, including for people depicted.

License for Operation and Improvement. To the maximum extent permitted by law, you grant Made By Photos a worldwide, non-exclusive, transferable, sublicensable, royalty-free license to host, reproduce, transcode, adapt, modify, create derivative works from, analyze, and otherwise process User Content and associated metadata for: (a) providing and supporting the Services; (b) quality control, safety, and integrity; (c) research, development, testing, and improvement of current and future products (including model training and evaluation); (d) usage analytics and benchmarking; and (e) producing de-identified or aggregated datasets, thumbnails, and low-resolution derivatives for internal demonstrations and documentation. We will not publicly display your identifiable User Content for marketing without your express consent or as otherwise permitted by law.

Face Grouping (Account-Local). To power account-local grouping/search, we may generate non-identifying numerical feature vectors from faces present in your User Content. These vectors are used within your account and are not used to identify individuals outside your account without your explicit consent or as required by law. We do not sell or share these vectors for third-party advertising.

Prohibited Content & Legal Compliance. We may (manually and/or automatically) scan for, preserve, and disclose content we reasonably believe violates law (e.g., CSAM, threats, unlawful recordings, infringing materials), and we may suspend or terminate access and report to authorities.

9. Disclosures of Information

We may disclose information to:

  • Service Providers/Processors (e.g., scanning facilities, logistics/shipping, payment processing, cloud hosting/backup, CDN, analytics, fraud prevention, customer support, marketing). Contracted providers may use information only under our instructions.
  • Affiliates & Corporate Transactions (e.g., mergers, acquisitions, financing, restructuring, asset transfers).
  • Authorized Third Parties you choose to connect or share with; their use is governed by their policies.
  • Advertising & Analytics Partners to measure, personalize, attribute, and deliver ads; to the extent this is deemed a “sale” or “sharing” under state law, you may opt out (§15).
  • Lawful Requests & Safety: courts, regulators, and law enforcement; to protect rights, property, safety, and integrity.

We are not responsible for third-party practices under their own policies.

10. Sale/Sharing; Targeted Advertising (U.S. State Laws)

Our use of advertising and analytics technologies may constitute a “sale” and/or “sharing” of personal information or “targeted advertising” under certain U.S. state privacy laws. See Your Privacy Choices (§15) for opt-out mechanisms, including recognition of GPC signals for browser-based activity where required.

11. Sensitive Personal Information

We do not use or disclose Sensitive Personal Information for purposes that require a right to limit use under California law beyond what is necessary to operate the Services (e.g., identity verification, security). We do not sell or share Sensitive Personal Information for cross-context behavioral advertising.

12. Children’s Privacy

We do not knowingly collect personal information from children under 13. If we learn we collected such information without verifiable parental consent, we will delete it as required.

13. U.S.-Specific Notices of Rights

Depending on your state, you may have the right to know/access, delete, correct, opt-out of sale/sharing/targeted advertising, portability, limit certain uses of sensitive data, and appeal a decision. We will verify requests (which may include email confirmation, multifactor prompts, and, for sensitive requests, government-ID checks). Authorized agents must provide proof of authority; we may require you to verify directly.

We may deny, or charge a reasonable fee for, manifestly unfounded or excessive requests, and we may retain limited information to honor opt-out choices and for fraud prevention, security, legal holds, or compliance.

How to Exercise. Use in-product privacy controls where available or contact privacy@madebyphotos.com. We will respond within timeframes required by applicable U.S. law.

14. Retention; Deletion; Backups

We retain information as long as reasonably necessary for the purposes in this Policy, including to provide Services, comply with law, enforce agreements, resolve disputes, protect security/integrity, and for archival/backup/audit, and thereafter as permitted by law. De-identified/aggregated data and derived analytics may be retained indefinitely.

Cloud Storage Expiration. If a trial, subscription, or promotional access lapses, we may, in our discretion and without liability, delete, de-identify, or archive stored User Content after a reasonable grace period we determine appropriate, subject to legal holds and backup cycles.

15. Your Privacy Choices (Opt-Outs and Signals)

  • Do Not Sell/Share & Targeted Ads Opt-Out. You can set your preferences in our privacy controls.
  • Global Privacy Control (GPC). Where required, we treat a valid GPC signal as a browser-level request to opt-out of sale/sharing for that browser.
  • Communications. You may opt out of non-transactional emails/SMS via provided links or by contacting us.
  • Cookies. You can control cookies in browser settings; blocking may break features.

Do Not Track. We currently do not respond to DNT headers.

16. Security

We implement commercially reasonable administrative, technical, and physical safeguards appropriate to the nature of information processed. No method is 100% secure; we cannot guarantee absolute security. You are responsible for safeguarding your credentials and for access you enable to others.

17. International Processing & Transfers

Although the Services are U.S.–only, our providers and facilities may process information inside and outside the U.S. (including countries with different data protection regimes). By using the Services, you consent to such transfers and processing. Where required, we employ appropriate safeguards (e.g., contractual clauses).

18. Third-Party Sites and Integrations

Linked services, embedded content, plug-ins, and integrations operate under their own policies. We are not responsible for their practices.

19. HIPAA/GLBA/FERPA and Other Sectoral Laws

We are not a covered entity or business associate under HIPAA, a GLBA-regulated financial institution, or an educational institution under FERPA. Do not submit regulated health, financial-account numbers, or student records to the Services except as expressly requested for identity or payment processing via providers.

20. Data About Others; Your Responsibilities

If you submit information about others (e.g., images of family/friends), you are responsible for obtaining all necessary permissions and lawful bases. You represent that submission and our processing will not violate any rights or laws. You agree not to submit prohibited or unlawful content.

21. Financial Incentives

We may offer discounts or benefits in exchange for personal information (e.g., email sign-ups). Material terms will describe categories of information, benefits, and how to opt in/out. Participation is voluntary.

22. Changes to this Policy

We may update this Policy at any time by posting a new version. Where required by law, we will provide additional notice before changes take effect. Your continued use constitutes acceptance.

23. Contact

Made By Photos

(510) 930-2239

support@madebyphotos.com

30 North Could St, Ste N

Sheridan, Wyoming 82801

24. Additional Protective Terms (Dispute Resolution; Liability; Survival)

24.1 Governing Law and Venue. This Policy and any dispute, claim, or controversy arising out of or relating to privacy or data practices shall be governed by the laws of the State of Delaware, without regard to conflict-of-law rules. Exclusive venue shall lie in the state or federal courts located in [New Castle County, Delaware], except as provided in §24.2.

24.2 Arbitration; Class-Action and Jury Waiver. To the fullest extent permitted by law, any dispute or claim arising out of or relating to this Policy or our data practices shall be resolved by binding arbitration on an individual basis under the rules of the American Arbitration Association. Class, collective, consolidated, representative, or private-attorney-general proceedings are not permitted. Jury trial is waived. Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in a court of competent jurisdiction to protect intellectual property, data security, or confidentiality.

24.3 Limitation of Liability. To the maximum extent permitted by law, Made By Photos and its affiliates, officers, employees, agents, and suppliers shall not be liable for any indirect, incidental, special, consequential, exemplary, punitive, or enhanced damages; loss of profits, revenue, goodwill, or data; or loss/corruption of content, even if advised of the possibility. Our aggregate liability relating to privacy or data practices shall be limited to the greater of (a) amounts you paid to us for the Services in the 12 months preceding the event giving rise to the claim or (b) $100. Some states do not allow certain exclusions or limitations; to that extent they may not apply.

24.4 Time to Bring Claims. Any claim relating to this Policy or our data practices must be filed within one (1) year after the claim arose, or it is permanently barred, unless a longer period is required by law.

24.5 Indemnification (User Content & Third-Party Claims). You agree to defend, indemnify, and hold harmless Made By Photos from any third-party claim or governmental demand arising from: (a) your User Content; (b) your violation of law or this Policy; or (c) claims that our processing of your User Content (as permitted here) infringes or violates another’s rights.

24.6 Force Majeure. We are not responsible for failures or delays due to events beyond our reasonable control, including acts of God, labor disputes, internet failures, power outages, cyberattacks, or governmental actions.

24.7 Assignment; Corporate Transactions. We may assign or transfer this Policy and the information governed hereby, in whole or in part, without restriction, including in connection with a merger, acquisition, or sale of assets.

24.8 Severability; Interpretation; No Waiver. If any provision is held invalid, the remainder shall continue in full force. Headings are for convenience only. No waiver is effective unless in writing. This Policy does not create third-party beneficiary rights.

24.9 Precedence. If there is a conflict between this Policy and our Terms, the Terms control on issues of license, ownership, service scope, dispute resolution mechanics, and damages caps; this Policy controls on privacy-specific disclosures, rights, choices, and state privacy notices.

25. U.S. State Law Disclosures (Summary)

We provide this high-level notice to U.S. residents to the extent applicable state laws require it:

  • Categories Collected: All categories listed in §4 may be collected; sources are in §5; purposes are in §6; disclosures are in §9.
  • Sale/Sharing/Targeted Advertising: We may engage in these activities via advertising and analytics technologies; opt-out available (§15).
  • Sensitive Personal Information: Collected and used as described in §11; not sold/shared for cross-context advertising.
  • Retention: See §14.
  • Your Rights & Appeals: See §13 and §15 for how to exercise rights and appeal.
  • Non-Discrimination: We will not discriminate against you for exercising legally available rights.