Privacy Policy
Last Updated: 27 February 2026
1. Introduction
imgup.uk ("we", "us", "our") respects your privacy and is committed to protecting your personal data.
This Privacy Policy explains what data we collect, how we use it, and your rights under the UK GDPR and the Data Protection Act 2018.
2. Data Controller
Service: imgup.uk
Contact: admin@imgup.uk
3. What Data We Collect
When you upload an image:
- IP Address: To enforce rate limits and prevent abuse
- User Agent: Browser/application information for security monitoring
- Timestamp: Date and time of upload
- User ID: Your API key identifier (not the key itself)
- Image metadata: File size, dimensions, format
When you submit an abuse report:
- IP Address: To prevent spam reports
- Email (optional): If you choose to provide it for follow-up
- Report content: Your description of the issue
When you visit our website:
- Basic access logs: IP, timestamp, pages accessed (standard web server logs)
- Cookies: We use minimal cookies for admin authentication only
We do NOT collect:
- Email addresses (except optionally, for abuse reports only)
- Payment information (service is currently free)
- Tracking/analytics beyond basic server logs
- EXIF metadata from your images (we strip it)
4. Legal Basis for Processing
We process your data under the following legal bases:
- Legitimate Interest: Operating the Service, preventing abuse, ensuring security
- Consent: When you use the Service with an API key, you consent to data logging
- Legal Obligation: Responding to lawful requests from authorities
5. How We Use Your Data
- To provide image hosting and delivery services
- To enforce rate limits and prevent abuse
- To respond to abuse reports and takedown requests
- To comply with legal obligations
- To improve Service security and performance
- To log cryptographic hashes of reported illegal images (CSAM) for detection and prevention
We do NOT: Sell, rent, or share your data with third parties for marketing.
Content Monitoring: We do not monitor or pre-screen uploads. Content is user-generated and hosted privately unless shared via direct link.
6. Data Retention
- Uploaded images: Stored until deleted by admin or auto-retention policy (if enabled)
- Upload logs: IP, user agent, timestamps retained for up to 12 months
- Abuse reports: Retained for 24 months for legal/compliance purposes
- Access logs: Retained for 90 days
Deleted content is purged from backups within 30 days.
7. Data Security
We implement appropriate technical and organizational measures:
- HTTPS encryption for all connections
- Secure password hashing (bcrypt)
- Rate limiting to prevent brute-force attacks
- Regular security updates to server software
- Access controls on admin panel
However, no system is 100% secure. Use the Service at your own risk.
8. Your Rights (UK GDPR)
You have the right to:
- Access: Request a copy of data we hold about you
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Limit how we process your data
- Portability: Receive your data in a structured format
- Object: Oppose processing based on legitimate interest
- Complaint: Lodge a complaint with the ICO (Information Commissioner's Office)
To exercise these rights, contact us at admin@imgup.uk.
9. Third-Party Services & Data Processors
We may use the following third-party services:
- IONOS: Hosting provider (servers in EU/UK, GDPR compliant)
- Cloudflare (optional): CDN and DDoS protection (if enabled by operator)
Data Processor Agreement: IONOS acts as our data processor under GDPR, with servers located in the UK/EU. We have a Data Processing Agreement (DPA) in place with IONOS to ensure compliance with data protection regulations.
We do not use third-party analytics (Google Analytics, etc.) by default.
10. Cookies
We use minimal cookies:
- Session cookies: For admin panel authentication only
- Essential cookies: To prevent CSRF attacks
No tracking or advertising cookies are used.
11. International Transfers
Your data is stored on servers located in the EU/UK (IONOS hosting).
If we use S3 storage, it will be configured to use EU/UK regions.
We do not transfer data outside the UK/EEA unless necessary and with appropriate safeguards.
12. Legal Disclosure
We may disclose your data if required by law or in response to valid legal requests, including:
- Court orders or subpoenas
- Law enforcement investigations
- National security requirements
- Regulatory authority requests
We will notify affected users unless legally prohibited from doing so.
13. Data Breach Notification
In the event of a data breach likely to result in a risk to individuals' rights or freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware
- Notify affected users without undue delay
- Describe the nature of the breach, potential consequences, and measures taken
14. Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect data from children.
If you believe a child has uploaded content, please report it immediately.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.
Continued use after changes constitutes acceptance.
16. Contact & Complaints
Data Protection Contact: admin@imgup.uk
UK Regulator: Information Commissioner's Office (ICO)
Website: ico.org.uk