Privacy Policy

Last updated: February 2026

Our Privacy Promise

Photo Monster is built with privacy as its foundation. We believe your photos are deeply personal. That's why we use Apple's official PhotoKit framework to process your photos right on your device. We never upload or store the contents of your photos or videos on our servers.

How Photo Monster Works With Your Photos

Photo Monster uses Apple's PhotoKit framework to access and organize your photos directly on your device. Here's what that means:

  • Your photos live in your Photos library. If you use iCloud Photos, they sync across your devices under Apple's settings and terms
  • All scanning, duplicate detection, and categorization happens on your device through Apple's official frameworks
  • We do not upload, store, cache, or retain the contents of your photos or videos on our servers
  • When you delete photos through Photo Monster, the changes sync across devices connected to the same iCloud account

Who We Are (Data Controller)

Photo Monster is operated by Deep Dive Dev Inc., a Canadian company.

Deep Dive Dev Inc.
6510 Gateway Boulevard Suite 1029
Edmonton, AB T6H 5Z5
Canada
[email protected]

Data Protection Officer: We are not required to appoint a Data Protection Officer under GDPR and have not done so. For all privacy inquiries, contact us at the address above.

EU Representative: As a small company whose processing of EU personal data is occasional and does not involve large-scale processing of special categories of data or data relating to criminal convictions, we qualify for the exemption under Article 27(2) GDPR. For all privacy inquiries, please contact us directly.

Information We Collect and Why

a) Waitlist Email

  • Purpose: Notify you when Photo Monster launches and send occasional updates
  • Data collected: Email address
  • Legal basis: Consent (Article 6(1)(a) GDPR). You opt in by submitting the signup form
  • Mandatory? No. If you don't provide your email, you simply won't receive launch updates
  • Recipients: Loops.so (email service provider)
  • Retention: Until product launch plus 6 months, or until you unsubscribe, whichever comes first

b) Website Analytics

  • Purpose: Understand how visitors use our website to improve the experience
  • Data collected: Pages visited, time on site, referring source, browser type, device information, approximate location (country/region level). IP addresses are not stored in full
  • Legal basis: Consent (Article 6(1)(a) GDPR). Analytics tracking only activates after you consent
  • Mandatory? No. You can decline analytics and use the site normally
  • Recipients: PostHog (analytics provider)
  • Retention: 24 months

c) App Usage Data (Future)

  • Purpose: Improve the app experience
  • Data collected: Anonymized, aggregate statistics (e.g., number of photos organized, storage freed). Never your actual photos or personally identifiable information
  • Legal basis: Consent (Article 6(1)(a) GDPR)
  • Mandatory? No. You can use the app without sharing usage data
  • Recipients: To be determined at launch
  • Retention: 24 months

Data Sharing and Third-Party Processors

We do not sell your personal information to third parties. We share data only with the following service providers ("processors") who act on our instructions:

  • Loops.so (Astrodon Corporation): Email service provider. Receives your email address for waitlist communications. US-based
  • PostHog, Inc.: Analytics provider. Receives website usage data as described above. US-based
  • Cloudflare, Inc.: Website hosting and content delivery. Processes requests through its global edge network

Apple: Your photos are managed through Apple's iCloud Photos under Apple's own privacy policy. We access photos on your device using Apple's PhotoKit framework but do not send them to Apple or anyone else on our behalf. Apple may also process data related to App Store downloads, in-app purchases, and crash reports under their own terms.

International Data Transfers

Deep Dive Dev Inc. is based in Canada, which benefits from an EU adequacy decision for transfers of personal data from the EU.

Our processors (PostHog, Loops.so) are based in the United States. For transfers to US-based processors, we rely on appropriate safeguards, such as the EU-US Data Privacy Framework where applicable and Standard Contractual Clauses.

We maintain Data Processing Agreements with our processors.

Data Retention

Data type Retention period
Waitlist email Until product launch + 6 months, or until you unsubscribe
Website analytics 24 months
App usage data (future) 24 months
Support correspondence 48 months after resolution

When retention periods expire, we delete or anonymize your data. If deletion is not immediately possible (e.g., data in backups), we securely store it and isolate it from further processing until deletion is possible.

Data Security

We use reasonable administrative, technical, and organizational measures to protect your information. Our website uses HTTPS encryption for data in transit. Access to personal data is restricted on a need-to-know basis.

Your Rights

If you are in the European Economic Area (EEA) or the UK, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data when it is no longer necessary, you withdraw consent, or it was unlawfully processed
  • Restriction: Request that we limit processing while a dispute is resolved
  • Data portability: Receive your data in a structured, commonly used format
  • Object: Object to processing based on legitimate interests. For direct marketing, this is an absolute right
  • Withdraw consent: You can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal

How to exercise your rights: Email [email protected]. Requests are free. We respond within 30 days. For complex requests, we may extend this by up to two months and will inform you of any extension.

Automated decision-making: We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

Supervisory authority: If you are unsatisfied with our response, you have the right to lodge a complaint with a data protection supervisory authority in your country of residence. A list of EU supervisory authorities is available at edpb.europa.eu.

Cookies and Tracking

Our website uses PostHog for analytics. PostHog may use cookies or similar technologies to track site usage.

For visitors in the EU, analytics tracking is not activated until you provide consent. You can withdraw consent or manage your preferences at any time through the cookie settings on our website.

Essential cookies that are strictly necessary for the site to function do not require consent.

Children's Privacy

Photo Monster is not directed at children. We do not knowingly collect personal information from children. If we learn that we have collected data from a child without appropriate parental consent, we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

Contact Us

If you have questions about this privacy policy or want to exercise your data rights, please contact us at [email protected].

Deep Dive Dev Inc.
6510 Gateway Boulevard Suite 1029
Edmonton, AB T6H 5Z5
Canada

For information about our EU representative status, see the "Who We Are" section above.