Privacy Policy

HabShare is an image hosting and sharing platform accessible at habshare.com. We are the data controller for personal data processed through the Service.

For privacy inquiries, data subject requests, or concerns, contact us at [email protected].

We collect the following categories of personal data:

• Account information - username, email address, and bcrypt-hashed password when you register.
• Date of birth - collected at registration solely to verify that you meet the minimum age requirement (13 years). Your date of birth is never displayed publicly or shared with other users.
• Profile data - optional avatar image, profile visibility settings, and showcase album ordering.
• Uploaded content - images you upload, album names and descriptions, and comments you post. Images are stored on Cloudflare R2 and served via our CDN at cdn.habshare.com.
• IP addresses - your IP address at the time of registration and your most recent login IP, retained for security and abuse prevention purposes.
• Session data - authentication tokens stored as httpOnly cookies in your browser (see Section 5).
• Social activity - likes, favorites, and comments you create, linked to your account.
• Usage data - anonymous per-image view counters (no individual user attribution for views).

We do not collect payment information, location data, or device fingerprints.

We use your personal data to:

• Create and manage your account and authenticate your sessions.
• Verify that you meet the minimum age requirement of 13 years at registration, in compliance with the Children’s Online Privacy Protection Act (COPPA) and applicable law.
• Store, serve, and deliver your uploaded images via our CDN.
• Send transactional emails - email verification, password reset, and security notifications - via Resend.
• Automatically scan uploaded images for prohibited content (e.g., explicit nudity) using Amazon Rekognition, and analyze comments for policy violations using OpenAI moderation.
• Detect, investigate, and prevent fraud, abuse, account compromise, and policy violations, including use of IP address data.
• Enforce our Terms of Service and respond to DMCA takedown notices.
• Comply with legal obligations and respond to lawful law enforcement requests.
• Maintain platform reliability, performance, and security.

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:

• Performance of a contract (Article 6(1)(b)) - processing necessary to provide you with the Service you signed up for, including account management, image storage, and session authentication.
• Legitimate interests (Article 6(1)(f)) - security and fraud prevention (IP logging, rate limiting, content moderation), detecting abuse, and improving platform integrity. We have assessed that these interests are not overridden by your fundamental rights.
• Legal obligation (Article 6(1)(c)) - compliance with applicable law, including mandatory reporting of child sexual abuse material (CSAM) to the National Center for Missing and Exploited Children (NCMEC) and cooperation with law enforcement.

We do not rely on consent as a lawful basis for core service operations.

HabShare uses strictly necessary httpOnly cookies only. These cannot be disabled without breaking authentication:

• access_token - a short-lived JWT (15 minutes) used to authenticate API requests. Stored as an httpOnly cookie accessible only to the server.
• refresh_token - a 30-day rotating session token used to issue new access tokens. Stored httpOnly and restricted to the /api/auth path.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies of our own.

This site is protected by Google reCAPTCHA on authentication forms. Google may set its own cookies and collect behavioral data to distinguish humans from bots. Google’s use of this data is governed by the Google Privacy Policy and Terms of Service.

We work with the following sub-processors who may access or process personal data on our behalf. All are contractually bound to process data only as instructed and to maintain appropriate security measures.

• Vercel - frontend hosting and edge delivery (United States). Your browser requests to habshare.com are served by Vercel.
• Railway - backend application hosting (United States). API requests and data processing run on Railway infrastructure.
• Cloudflare R2 - object storage and CDN for uploaded images (global edge network). Images you upload are stored in and served from Cloudflare R2.
• Supabase / PostgreSQL - managed database hosting (United States). All structured account and content data is stored here.
• Resend - transactional email delivery (United States). Used for verification, password reset, and security emails.
• Amazon Web Services - Rekognition - AI-based image content moderation (United States). Uploaded JPEG and PNG images are transmitted to AWS Rekognition for automated policy enforcement. Images are not stored by AWS.
• OpenAI - AI-based text moderation (United States). Comment text is transmitted to OpenAI’s moderation API to detect policy violations. Text is not used for model training under our API agreement.
• Google reCAPTCHA - bot protection on authentication forms. Subject to Google’s own privacy policy.

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

We may disclose personal data in the following limited circumstances:

• Legal obligation - when required by law, court order, or valid government request (e.g., subpoena, national security letter).
• CSAM reporting - we are legally required to report child sexual abuse material and related user data to NCMEC and appropriate law enforcement agencies.
• Protection of rights - when we believe disclosure is necessary to protect the safety of any person, prevent fraud, or enforce our Terms of Service.
• Business transfers - in the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

We retain personal data only as long as necessary:

• Account data - retained until you delete your account. Deletion removes your account record, uploaded images, and associated data from our active systems.
• Date of birth - retained for the lifetime of your account as a record of age verification compliance. Deleted when your account is deleted.
• Images and content - retained until you delete them or your account is deleted.
• IP addresses - retained for the lifetime of your account for security and abuse investigation purposes.
• Session tokens - access tokens expire after 15 minutes; refresh tokens expire after 30 days or upon logout.
• Email verification tokens - expire after 24 hours. Password reset tokens expire after 1 hour.
• Backups and logs - infrastructure-level backups and logs maintained by our hosting providers may persist for a limited period after account deletion in accordance with their policies.

Depending on your location, you may have the following rights regarding your personal data. To exercise any of them, contact us at [email protected] or use the in-app controls described below.

• Right to access - request a copy of the personal data we hold about you.
• Right to rectification - correct inaccurate data via your account Settings page.
• Right to erasure (“right to be forgotten”) - delete your account (and all associated content) via Settings > Account. You may also email us to request deletion of specific data.
• Right to data portability - request an export of your data in a machine-readable format by contacting us.
• Right to restriction - request that we limit processing of your data in certain circumstances.
• Right to object - object to processing based on legitimate interests, including security-related processing.
• Right to lodge a complaint - if you are in the EEA, you have the right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France).

California Residents (CCPA / CPRA)

California residents have the right to know what personal information we collect and how it is used, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise your rights, contact [email protected]. We will not discriminate against you for exercising your privacy rights.

HabShare is not directed at children under 13 years of age (or the applicable age of digital consent in your jurisdiction, which may be up to 16 in some EU member states). We comply with the Children’s Online Privacy Protection Act (COPPA) and equivalent laws.

To enforce this restriction, we collect your date of birth at registration and block accounts where the stated age is under 13. We do not knowingly collect personal data from children under 13 beyond what is necessary to perform this age check.

If you believe we have inadvertently collected data from a child under 13, please contact us immediately at [email protected] and we will promptly delete the account and all associated data.

We implement technical and organizational measures to protect your personal data, including:

• Passwords hashed with bcrypt (never stored in plaintext).
• Authentication tokens stored as httpOnly cookies, inaccessible to JavaScript, with secure and SameSite attributes enforced in production.
• Rotating refresh tokens with theft detection - reuse of a revoked token invalidates the entire session family.
• Rate limiting on authentication endpoints to prevent brute-force attacks.
• Automated content moderation to detect policy violations on upload.
• TLS encryption for all data in transit.

No system is perfectly secure. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected users and, where required by law, the relevant supervisory authorities within the legally required timeframe (72 hours under GDPR).

HabShare is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States.

For users in the EEA or UK, such transfers are made subject to appropriate safeguards, including data processing agreements with our sub-processors that incorporate standard contractual clauses (SCCs) approved by the European Commission where applicable.

We may update this Privacy Policy from time to time. When we do, we will revise the “Effective Date” at the top of this page. For material changes, we will make reasonable efforts to notify registered users (e.g., via email or an in-app notice).

Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

For any privacy-related questions, data subject access requests, or concerns about this policy, please reach out:

• Email: [email protected]
• DMCA / copyright notices: [email protected] (see our Terms of Service for the full DMCA procedure).

We aim to respond to all privacy requests within 30 days.