Privacy Policy

What We Collect and Why

• Account Information: Your username, email, and a scrambled (hashed) version of your password so you can log in.
• Your Images: The files you upload, so we can store and serve them back to you.
• Usage Logs for Image Requests: When your images are viewed, we log technical info like your IP address, browser type (User-Agent), and the site that linked to the image (Referer). We use this only for security, to block abuse, and to keep the service reliable.
• Page-View Analytics: For page views, we store the page path, HTTP method, a truncated referrer header, whether the visitor was anonymous/authenticated/admin, and a daily-changing anonymized session hash (SHA-256 of IP + User-Agent + a salt). We do not keep IP addresses, usernames, emails, or cookies in analytics, and nothing is sent to third parties.
• Cookies: We only use what cookies are necessary for session management and user preferences. We do not use cookies for tracking or advertising.
• Image Backups: When you use the image editor, a temporary backup of the original image is stored on the server. These backups are automatically deleted whenever the server restarts, which can happen at random times.

Legal Basis for Processing

We process your personal data on the following legal bases:

• Contractual Necessity: Processing your account information and images is necessary to provide the service you've signed up for.
• Legitimate Interest: We process usage logs and analytics to maintain security, prevent abuse, and improve the service.
• Consent: By creating an account and using the service, you consent to the processing of your data as described in this policy.

How We Use Your Data

• To provide the service to you (storing images, letting you log in).
• To send you important emails, like account verification or password resets.
• To protect the service from abuse, like blocking bots or malicious users.
• To comply with legal obligations.

Data Retention

• Account Information: Retained for as long as your account is active, or as needed to provide services.
• Images: Retained until you delete them or close your account.
• Image Access Logs: Retained for up to 365 days for security purposes, then automatically Annonomized.
• Analytics Data: Anonymized page view data is retained for up to 90 days for service improvement.
• Deleted Account Data: When you delete your account, all personal data is immediately removed from our systems, except where we are legally required to retain certain information (e.g., for legal claims or compliance).

HIPAA and Health Information

• This service is not a HIPAA Covered Entity or Business Associate.
• Please avoid putting diagnoses or other health identifiers in filenames, folder names, galleries, or member names (ScratchFront).
• You can request removal of health-related content at any time, and we will delete related caches/backups as part of the request.
• We do not use your data for any purpose other than providing the service, and we do not share it with third parties.
• We recommend against uploading PHI, but if you do, we take strong measures to protect it. However, we cannot guarantee absolute security, so please use caution.

What We DON'T Do

• We do not sell or share your personal data with third parties for marketing or advertising.
• We do not track your activity across other websites.
• We do not use your images for anything other than serving them back to you as requested.
• We do not use cookies for tracking or advertising—only for session management and feature preferences.
• We do not use your images or data to train AI models or for any machine learning purposes, its your data and we respect that.
• We do not store IP addresses, usernames, emails, or cookies in page-view analytics—only page counts with an anonymized, daily-changing hash.

Your Control and Data Management

You have full control over your data:

• You can delete your images at any time from your dashboard.
• For assistance with data requests, contact us at admin@8ball.space.

Content Safety Scanning

To keep everyone safe, every upload is scanned for CSAM and malicious files using Bunny.net Shield Upload Scanning (learn more). Bunny.net receives the file data so their in-house antivirus engine can inspect it, but the file never leaves the Bunny platform and remains encrypted in transit. For CSAM detection, Bunny.net derives a PDQ perceptual hash from the file and only that one-way hash is shared with their trusted clearinghouse, never the original image gets shared.

• The PDQ hash cannot be reversed to reconstruct your image.
• Antivirus scanning and decisioning happen entirely inside Bunny.net's infrastructure; Bunny will block the file from being uploaded if its a match.
• If CSAM is detected, Bunny.net's partner handles the mandatory report and the triggering content remains redacted, and it will be blocked.

Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted password
• HTTPS encryption for all data in transit (From you to Bunny and from Bunny to our servers is fully HTTPS in transit.
• Rate limiting and abuse protection
• Regular security audits and updates
• Access controls and authentication
• Data minimization and anonymization practices

International Data Transfers

Your data may be processed in servers located outside your country of residence. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.

Changes to This Policy

We may update this privacy policy from time to time. We will notify users of material changes by posting the new policy on this page and updating the "Last Updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

Last Updated: April 4, 2026

Contact Us

For any questions about this privacy policy, your data rights, or to make a data request, please contact:

Email: admin@8ball.space