Skip to content
Cuppafolio
Legal

Privacy Policy

Last updated 17 May 2026

This policy explains what personal data Cuppafolio collects, why we collect it, where it is stored, how long we keep it, and the rights you have over it. We keep it deliberately plain — if anything here is unclear, email us at support@cuppafolio.com.

Who we are

Cuppafolio is a web-first album-design tool for professional photographers. We are the data controller for the account and billing information you provide, and a data processor for the photographs and album content you upload while using the service. For privacy enquiries or to exercise your rights, contact support@cuppafolio.com.

What we collect

We collect only what we need to run the service:

  • Account data — your name, email address, hashed password (or your identity provider's token), and studio settings.
  • Content data — the photographs you upload and the album layouts you create. We treat this as your confidential material; we do not view, train on, or share it.
  • Billing data — your subscription tier and status, and the customer and invoice identifiers returned by our payment processor. Full card numbers are handled by Stripe and never touch our servers.
  • Usage & technical data — basic logs and privacy-friendly, aggregate analytics needed to keep the service secure and reliable.

How we use your data

We use your data to provide and secure the service, to process your subscription, to send transactional email (such as email verification, password resets, billing notices and export-ready alerts), and to provide support when you ask for it. We do not sell your data, and we do not operate a marketing mailing list — every email we send relates directly to your account or a request you made.

Where your data is stored

Your data is stored in the European Union. Account, project and metadata records are held in our database in an EU region (Supabase, EU). Uploaded photographs and exported PDFs are stored in EU object storage (Cloudflare R2, EU). Where a sub-processor listed below necessarily processes limited data outside the EU, that transfer is covered by appropriate safeguards such as Standard Contractual Clauses.

How long we keep your data

Photos and album content are retained according to your subscription and the project lifecycle:

  • When a project is marked delivered, it is automatically archived after 60 days.
  • Editor working state for an archived project is retained for a further 90 days in case you need to revisit it, then purged.
  • If your subscription lapses, your account enters a 7-day grace period (read-only access). After that, content is scheduled for deletion 30 days later unless you reactivate or export it first.

Account and billing records may be retained for as long as legally required (for example, to meet tax and accounting obligations) after you close your account.

Your rights (GDPR)

You have the right to access, correct, export, restrict, or delete your personal data, and to object to certain processing. You can:

  • Export your data — request a machine-readable export of your account data and content from your account settings. Exports are fulfilled within 24 hours.
  • Delete your account — request permanent deletion from your account settings. Your content is deleted within 24 hours, subject only to records we are legally required to keep.

You also have the right to lodge a complaint with your local data protection authority. We'd appreciate the chance to put things right first — please reach out to support@cuppafolio.com.

Sub-processors

We use a small set of trusted providers to operate the service. Each only processes the data needed for its function:

  • Supabase (EU) — database, authentication and metadata storage.
  • Cloudflare R2 (EU) — storage of uploaded photos and exported PDFs.
  • Stripe — subscription payments and card processing. We never store full card details.
  • Resend — delivery of transactional email only (no marketing).
  • Vercel — application hosting and delivery.

Cookies & analytics

We use a minimal set of essential cookies needed to keep you signed in and to keep the service secure — these cannot be switched off without breaking core functionality. We also use privacy-friendly, aggregate analytics to understand overall usage and improve the product; this does not build advertising profiles or track you across other websites. We do not use third-party advertising or marketing cookies.

Security

Access to your content is protected by authentication and row-level access controls so that only your studio can see your projects. Data is encrypted in transit, and privileged operations are isolated from the browser. No system is perfectly secure, but we take reasonable, industry-standard measures to protect your work.

Changes to this policy

If we make material changes to this policy we will update the “last updated” date above and, where appropriate, notify you by email. Continued use of the service after a change means you accept the updated policy.