Privacy Policy

IMG Flow is a native macOS application published by Terramar Marketing, Inc.. We designed it to keep your images on your device. We do not sell or rent your personal information. We process what we need to run your account, deliver the features you use, meet our legal obligations, and keep the Service secure — and we try to keep that list as short as possible. The highlights:

• Image processing runs locally. Your images never leave your Mac unless you explicitly point a pipeline at a cloud destination (Dropbox, Google Drive, Webhook, FTP, Email), use the Inbox feature, or enable Cloud Sync.
• You don't need an account to use the core app. An IMG Flow account is only required for the Inbox, Cloud Sync, and certain Pro destinations. Everything else works offline.
• No advertising, no tracking pixels, no data brokers. We do not run third-party analytics that profile you across sites. We do not sell personal information to anyone for any purpose.
• You can access, correct, export, or delete your information at any time by emailing hello@imgflow.app.
• We retain data only as long as we need it. Specific retention periods are listed in Section 8 below.
• Free 7-day trial, no credit card required. During the trial period we collect only what is described above — no payment information is collected until you choose to purchase.

IMG Flow is published by Terramar Marketing, Inc. ("IMG Flow," "we," "us," or "our"), a company incorporated in California, United States. This Privacy Policy ("Policy") explains how we collect, use, store, disclose, and protect personal information when you download, purchase, install, or use the IMG Flow desktop application, the websites at imgflow.app, api.imgflow.app, upload.imgflow.app, and any related services (collectively, the "Service").

For any questions, requests, or concerns about this Policy or our handling of personal information, please contact us at hello@imgflow.app.

Terramar Marketing, Inc. is the data controller (for EEA/UK residents) and business (for California residents) responsible for your personal information, except where a separate controller or business is identified in this Policy (such as third-party cloud destinations you choose to send images to).

IMG Flow is a native macOS desktop application. The core image processing engine (rotate, resize, crop, convert, compress, watermark), your saved pipelines, your image queue, and your local destinations all run entirely on your Mac. Image bytes do not leave your device unless you, acting deliberately:

• Configure a cloud destination (Dropbox, Google Drive, Webhook, FTP/SFTP, or Email delivery) in a pipeline and run it.
• Receive images through the Inbox feature (your @imgflow.app email address or your public upload page).
• Enable Cloud Sync to sync saved pipelines across devices.
• Send us a support request with attachments.

Where feasible we designed features to minimize what reaches our servers, and where data must reach our servers (for example, to deliver an email link to a recipient), we retain it only for as long as necessary and then automatically delete it.

We collect personal information in three ways: (a) information you provide directly, (b) information that flows through the Service when you use specific features, and (c) information collected automatically from your device and your interactions with the Service.

3.1 Information you provide directly

• Account information. When you create an IMG Flow account, we collect your email address, a chosen username (used for your inbox address and public upload page URL), an optional display name, and a password. Passwords are hashed using PBKDF2 with 100,000 iterations of SHA-256 before storage; we never see or store plaintext passwords and cannot recover them for you if you forget them.
• Notification email. An optional secondary email address you can set for inbox-arrival notifications and Email delivery receipts.
• Approved-sender list. Email addresses and display names of senders you have approved or blocked in your Inbox settings.
• Support and correspondence. Any messages, feedback, bug reports, or support requests you send us — including the contents of those messages, any attachments, and relevant metadata such as your app version and operating system version.
• Purchase and license information. When you buy the base app or the optional Pro upgrade, our payment processor (currently Lemon Squeezy) collects your payment details on its own systems under its own privacy policy. We receive and store only: transaction ID, product purchased, price, currency, purchase date, buyer email address, billing country (for tax reporting), and a license key or tier flag associated with your account.

3.2 Information you send through the Service

• Inbox images and metadata. If you use the Inbox feature, images sent to your IMG Flow inbox address or through your public upload page are stored on our servers (Cloudflare R2) until you accept them into your desktop app or dismiss them. We also store per-image metadata: filename, file size, content type, sender email address, sender display name, optional label, arrival timestamp, and sender review status. Image bytes are deleted from R2 within twenty-four (24) hours after delivery or dismissal; metadata is retained only as long as the associated image record exists.
• Email destination batches. If a pipeline uses the Pro Email destination, the processed image files are uploaded to our servers so we can host the download page at api.imgflow.app/batch/{token} where the recipient retrieves them. Each batch and its files are automatically deleted after three (3) days, whether or not the recipient has downloaded them. We also store per-batch metadata: recipient email addresses, subject line, your optional message, optional "from name," file list, total size, creation timestamp, and view/download counts.
• Cloud Sync content. If you enable Cloud Sync, a subset of your app state is synced to your IMG Flow account: saved pipelines (minus local file-system paths), whitelisted settings (file-naming rules, theme, tip preferences), and lifetime processing statistics. We do not sync OAuth tokens for Dropbox or Google Drive, FTP or SFTP passwords, your local output directory path, your image queue, or any other device-specific data.
• Incoming third-party sender information. When someone sends you images through your IMG Flow inbox, we receive and store their email address, display name, and the label or message they attached, for the purpose of delivering the images to you and letting you approve or block future senders. If you are such a sender, the recipient is the data controller for your images after delivery; please contact them to exercise any rights with respect to those images.

3.3 Information collected automatically

• Server logs. Our servers (Cloudflare Workers) automatically log request metadata for security, rate-limiting, debugging, and abuse prevention: source IP address, approximate geolocation derived from IP, user-agent string, request path, HTTP status code, response size, and timestamp. These logs are retained for up to thirty (30) days and are not joined with account data except when investigating specific security incidents or responding to lawful process.
• Application telemetry and usage metrics. The desktop app may record aggregated, non-identifying usage metrics locally on your device and optionally include them in Cloud Sync statistics. Examples: how many images you have processed, how often you use Auto Build, how many saved pipelines you have, how often each destination type is used. These metrics never include the content of your images, filenames of your source files, the identities of your recipients, or the contents of your pipelines beyond structural counts.
• Crash reports. If the app crashes, it may send a stack trace and basic system information (macOS version, app version, chip architecture, locale) to help us diagnose and fix the bug. Crash reports never include image content, filename content, recipient email addresses, pipeline configurations, or account credentials. Crash reporting can be disabled in Settings.
• Website analytics. Our marketing website at imgflow.app uses Plausible Analytics, a privacy-focused, EU-hosted analytics service that does not use cookies, does not collect personal data, and does not track you across sites. Plausible aggregates page views, referrers, and country-level geolocation derived from your IP address (the IP is never stored). We do not use third-party advertising trackers, cross-site behavioral tracking, social-network pixels, or data-broker enrichment.
• Cookies and similar technologies. Our websites use only strictly necessary cookies (session maintenance, CSRF protection, language preference). We do not use advertising or tracking cookies. See Section 13 for details.

We use the personal information we collect for the following purposes and no others without your consent or as required by law:

• To provide and operate the Service. Running your account; authenticating sign-ins and maintaining sessions; processing and delivering Inbox images and Email delivery batches; syncing your pipelines across your devices; validating and enforcing your license; making the website and app work.
• To process purchases and refunds. Completing transactions for the base app and the optional Pro upgrade; validating license keys; applying tier upgrades and downgrades; handling refund requests.
• To communicate with you. Sending operational messages (password resets, security alerts, purchase receipts, inbox-arrival notifications, batch delivery receipts, refund confirmations), responding to your support requests, and — only if you opt in — occasional product updates.
• To keep the Service secure. Detecting and preventing fraud, abuse, denial-of-service attacks, brute-force login attempts, and violations of our Terms of Service; investigating suspected abuse; rate-limiting and blocking malicious traffic.
• To improve the Service. Fixing bugs using crash reports; understanding aggregate usage patterns to guide our roadmap; testing new features with willing users.
• To comply with legal obligations. Responding to lawful requests from government authorities and courts; filing tax returns and maintaining accounting records; enforcing our rights under our Terms of Service and this Policy; meeting retention obligations imposed by law.
• To protect rights and safety. Exercising or defending legal claims; protecting the rights, property, or safety of Terramar Marketing, Inc., our users, or third parties.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, Articles 6 and 9 of the GDPR (and the equivalent UK and Swiss provisions) require us to identify a lawful basis for each processing activity. We rely on the following lawful bases:

• Performance of a contract (Art. 6(1)(b)) — to provide the Service you have purchased or requested, to deliver inbox and email-destination batches, to validate your license, and to administer your account. Without this data, we cannot provide the Service to you.
• Legitimate interests (Art. 6(1)(f)) — to secure our infrastructure, prevent fraud and abuse, diagnose bugs, understand aggregate usage, improve the Service, and defend legal claims. We balance these interests against your rights and freedoms before relying on this basis and will not use it where your interests or fundamental rights override ours.
• Consent (Art. 6(1)(a)) — for optional marketing emails, optional crash reports, and any processing where we ask for your explicit permission. You may withdraw consent at any time without affecting the lawfulness of processing that took place before withdrawal.
• Compliance with legal obligations (Art. 6(1)(c)) — to comply with applicable laws, including tax and accounting obligations and responses to lawful process.

We do not process special categories of personal data (GDPR Art. 9) or rely on automated decision-making that produces legal or similarly significant effects (GDPR Art. 22).

We do not sell or rent your personal information for monetary or other valuable consideration, and we do not "share" personal information for cross-context behavioral advertising purposes as those terms are defined under the California Privacy Rights Act. We disclose personal information only in the limited circumstances below.

6.1 Service providers and subprocessors

We disclose personal information to third-party service providers ("subprocessors") who help us operate the Service. These providers are contractually bound to protect your information, process it only on our documented instructions, and not use it for their own purposes. Our current subprocessor list:

We may add or change subprocessors as our operational needs evolve. Material changes will be reflected in an updated version of this Policy, and where required by applicable law we will notify affected users in advance.

6.2 Third-party destinations you choose

When you configure a cloud or network destination in a pipeline (Dropbox, Google Drive, Webhook, FTP/SFTP, or Email delivery), processed image files are transmitted directly from your Mac (or, for the Email destination, briefly staged on our servers) to the destination you selected. Once a file is delivered to a third-party destination, that destination's own privacy policy governs how it is handled, and Terramar Marketing, Inc. is not responsible for the destination's practices. We recommend you review the privacy policies of any destinations you use.

6.3 Legal and safety disclosures

We may disclose personal information if we reasonably believe disclosure is necessary to (a) comply with applicable laws, regulations, legal process, or enforceable governmental requests; (b) enforce our Terms of Service, including investigation of potential violations; (c) detect, prevent, or otherwise address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Terramar Marketing, Inc., our users, or the public as required or permitted by law.

Where legally permitted, we will notify affected users of legal process that seeks their personal information.

6.4 Business transfers

If Terramar Marketing, Inc. is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of all or part of its assets, or transition of service to another provider, your personal information may be transferred as part of that transaction. We will notify affected users by email and through a prominent notice on the Service before personal information becomes subject to a different privacy policy, and will provide an opportunity to delete your account before any transfer takes effect.

6.5 With your consent

We may disclose personal information in ways not described in this Policy if we obtain your specific consent first.

Terramar Marketing, Inc. operates from the United States. When you use the Service, your personal information is transferred to and processed in the United States and in the countries where our subprocessors operate (primarily the United States, the European Union, and Cloudflare's global edge network). The data protection laws in these jurisdictions may differ from the laws of your country and may provide a lower level of protection than you are accustomed to.

Where we transfer personal information of EEA, UK, or Swiss residents out of those jurisdictions, we rely on one or more of the following transfer mechanisms:

• The European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or the UK International Data Transfer Addendum to the SCCs, as applicable;
• Adequacy decisions where one exists for the destination country;
• Your explicit consent to the specific transfer, obtained after informing you of the possible risks;
• Where necessary for the performance of a contract with you or in your interest.

A copy of the safeguards we rely on for international transfers is available on request from hello@imgflow.app.

We retain personal information only as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. When personal information is no longer needed, we securely delete or anonymize it. Our specific retention periods are:

• Account data — retained for as long as the account is active, plus up to 90 days after deletion to allow for account recovery, chargeback handling, and resolution of pending support cases.
• Inbox images (R2 object storage) — retained until you accept or dismiss them in the desktop app, then automatically deleted within 24 hours.
• Inbox metadata (D1 database) — retained as long as the associated image record exists, plus up to 90 days after deletion.
• Email delivery batches (files and metadata) — automatically deleted seventy-two (72) hours after creation, whether or not the recipient has downloaded them.
• Cloud Sync content — retained for as long as your account is active. Deleted within 90 days of account deletion.
• Server logs — retained up to thirty (30) days, then automatically rotated out.
• Transaction and purchase records — retained for at least seven (7) years from the transaction date for tax, accounting, audit, and compliance purposes as required by applicable law.
• Support communications — retained up to three (3) years to help us address recurring issues and provide continuity of support.
• Security and abuse investigation records — retained as long as necessary to investigate and respond, up to seven (7) years where required for legal defense.

We may retain personal information for longer than the periods above if required by law, if necessary to resolve ongoing disputes, or if necessary to enforce our agreements.

Depending on where you live, you may have some or all of the rights described below with respect to your personal information. We honor verifiable requests from all users, regardless of residency, to the greatest extent practical.

• Right to access / to know — request a copy of the personal information we hold about you, the categories of information, the sources, the purposes, and the categories of recipients.
• Right to correction / rectification — ask us to correct personal information that is inaccurate or incomplete.
• Right to deletion / erasure — ask us to delete your account and associated personal information, subject to the retention obligations described in Section 8.
• Right to data portability — receive your synced pipelines, settings, and stats in a commonly used, machine-readable format, and where technically feasible transmit them to another controller.
• Right to restrict or object to processing — limit how we process certain information, including the right to object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting prior lawful processing.
• Right to non-discrimination — we will not deny you service, charge you different prices, or provide a different level of quality because you exercise a privacy right.
• Right to lodge a complaint — EEA, UK, and Swiss residents have the right to lodge a complaint with their local supervisory authority. We encourage you to contact us first so we have an opportunity to address your concern directly.

9.1 How to exercise your rights

To exercise any of the rights above, email hello@imgflow.app from the email address on file for your account. If you do not have an account, include sufficient information for us to verify your identity and locate any records we may hold about you.

We will verify your identity before acting on the request. For most requests we will respond within thirty (30) days, or within forty-five (45) days for California-resident requests, or earlier where required by applicable law. We may extend this period by an additional thirty (30) or forty-five (45) days where the request is complex or we have received a high volume of requests, in which case we will notify you of the extension within the initial period.

Requests are free of charge, except that we may charge a reasonable fee for or refuse manifestly unfounded or excessive requests, as permitted by law.

9.2 Authorized agents

California residents may designate an authorized agent to submit requests on their behalf. We will require the agent to provide proof of authorization and may require you to verify your identity directly with us.

This section provides additional disclosures for residents of US states with comprehensive consumer privacy laws. These disclosures supplement — they do not replace — the rest of this Policy.

10.1 California (CCPA / CPRA)

Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), California residents have the rights described in Section 9, including the right to know the categories and specific pieces of personal information collected, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information. Those categories are disclosed in Sections 3, 4, and 6 of this Policy.

Categories of personal information collected in the past 12 months (using the categories defined in Cal. Civ. Code § 1798.140(v)):

• Identifiers — name, email address, username, IP address, device identifiers.
• Customer records (Cal. Civ. Code § 1798.80(e)) — account information, purchase history.
• Commercial information — records of products purchased, Pro upgrade status.
• Internet or other electronic network activity — interactions with the app and website, server log data.
• Geolocation data — approximate location derived from IP address (city-level, for security and fraud prevention only).
• Professional or employment-related information — only if you voluntarily provide it in a support request or optional profile field.

We do not collect sensitive personal information as defined in Cal. Civ. Code § 1798.140(ae), and we do not use or disclose sensitive personal information for purposes other than those permitted under Cal. Civ. Code § 1798.121(a).

We do not sell or share personal information as those terms are defined under the CPRA. Because we do not sell or share, we do not offer a "Do Not Sell or Share My Personal Information" link; however, if that determination changes, we will update this Policy and provide the required opt-out mechanism.

10.2 Other US state privacy laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), Indiana (ICDPA), Tennessee (TIPA), and Minnesota (MCDPA) have rights substantially similar to those described in Section 9, including rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects. We do not engage in targeted advertising, sale of personal data, or such profiling. To exercise any of these rights, contact us at hello@imgflow.app.

If you are a resident of one of these states and we deny a rights request, you may appeal that decision by replying to our denial email. If your appeal is denied, you may contact your state attorney general to file a complaint.

10.3 "Shine the Light" (California)

California Civil Code § 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for those third parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

We use administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These include:

• Transport encryption — all traffic between the app or website and our servers uses TLS 1.2 or higher.
• At-rest encryption — data stored in Cloudflare D1 and R2 is encrypted at rest using provider-managed keys.
• Password hashing — account passwords are hashed using PBKDF2 with 100,000 iterations of SHA-256 and a per-user random salt. Plaintext passwords are never stored or logged.
• Session tokens — stored as hashes, rotated on sensitive events, and expired after a defined period.
• Access controls — production systems are access-controlled, and privileged actions are logged.
• Webhook signature verification — inbound webhooks (for example, from Lemon Squeezy) are verified using HMAC signatures before any state change is applied.
• Subprocessor due diligence — we select subprocessors with strong security programs and review them periodically.

Device-specific secrets — OAuth tokens for Dropbox and Google Drive, FTP and SFTP passwords, and your local license key — are stored in the macOS Keychain on your Mac and never transmitted to our servers.

Despite our safeguards, no system is perfectly secure and we cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you and the appropriate regulatory authorities where required by law and within the timeframes required by law.

IMG Flow is not directed to children under the age of 16, and we do not knowingly collect personal information from anyone under 16. If you are under 16, do not create an account and do not provide us with any personal information.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@imgflow.app. We will promptly delete the information and close any associated account.

We comply with the U.S. Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) and the GDPR's heightened protections for children in the EEA and UK.

Our marketing website (imgflow.app), the Worker-hosted pages (api.imgflow.app, upload.imgflow.app), and the desktop app's embedded web views use only strictly necessary storage mechanisms:

• Session cookies / local storage — to maintain your authenticated session when signed in to the Worker API.
• CSRF protection tokens — to protect form submissions.
• Preference storage — to remember your recent upload-page recipients, your dark/light theme preference, and similar per-device UI preferences.

We do not use advertising cookies, cross-site tracking pixels, third-party analytics that profile individual users, social-network embed scripts, or data-broker enrichment scripts. Because we use only strictly necessary storage, consent under the ePrivacy Directive is not required for these mechanisms; if we add any non-essential tracking in the future, we will obtain consent first and update this Policy.

We do not make decisions based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you, within the meaning of GDPR Article 22 or equivalent provisions.

Some browsers transmit a "Do Not Track" signal to websites. Because there is no consensus industry standard for how to respond to this signal, our websites do not currently respond to it. However, our websites do not engage in the kind of cross-site tracking the signal was designed to oppose, so this limitation does not reduce your privacy on our Services.

The Service may contain links to third-party websites, apps, or services, and allows you to configure third-party destinations (Dropbox, Google Drive, Webhook endpoints you control, FTP servers, email recipients). This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third parties before providing them with your personal information.

We may update this Privacy Policy from time to time to reflect changes to our practices, to our Service, or to applicable law. When we make material changes, we will update the "Effective" and "Last updated" dates at the top of this Policy and, where appropriate, notify you by email (if you have an account) or through a prominent in-app notice before the changes take effect.

Your continued use of the Service after the effective date of an updated Policy constitutes acceptance of the updated Policy. If you do not agree to the updated Policy, you should stop using the Service and may close your account.

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, or if you wish to exercise any of your privacy rights, please contact us at:

Terramar Marketing, Inc.
Email (privacy matters): hello@imgflow.app
Email (legal matters): hello@imgflow.app
Website: https://imgflow.app

When you contact us about a privacy request, please include enough information for us to verify your identity and locate the personal information in question. We may ask follow-up questions to complete the verification.