Privacy Policy
Effective: February 8, 2026
img402.dev ("Service") is operated by img402 ("we", "us", "our"). This policy explains what data we collect, how we use it, and your rights.
The short version: we collect almost nothing. No accounts, no cookies, no tracking. The only data we store is what's necessary to host your image and verify your payment.
1. Information We Collect
Data we store
- Uploaded image — stored for 1 year, then automatically deleted
- Wallet address — the blockchain address that signed the x402 payment (pseudonymous)
- Payment transaction hash — identifies your payment on the Base blockchain
- Upload timestamp
- Image metadata — content type, file size, generated image ID
Data we do not collect
- No names, email addresses, or account information
- No cookies, tracking pixels, or analytics
- No device fingerprinting
- No behavioral data
Data collected by infrastructure providers
Our infrastructure providers (Cloudflare, Fly.io, Tigris) may temporarily log IP addresses, user agents, and other standard HTTP metadata in accordance with their own privacy policies. We do not control or access these logs.
2. How We Use Your Information
- Provide the Service — store your image, serve it via CDN, process payment verification
- Legal compliance — respond to law enforcement requests, DMCA takedowns, and CSAM reporting obligations under the REPORT Act
- Enforce our Terms — block wallet addresses associated with repeat violations
We do not use your data for advertising, profiling, or any purpose beyond operating the Service and complying with the law.
3. Content Scanning
All uploaded images are subject to automated content scanning via Cloudflare to detect child sexual abuse material (CSAM). We do not manually review images unless flagged by automated systems or reported by users.
4. How We Share Your Information
- Publicly — uploaded images are publicly accessible via their URL. Anyone with the URL can view the image.
- On-chain — your payment transaction is recorded on the Base blockchain and is publicly visible. Your wallet address and payment amount are permanently associated with the transaction.
- Infrastructure providers — Cloudflare (CDN, content scanning), Tigris (object storage), Neon (database), Fly.io (compute) process data on our behalf.
- Law enforcement — when required by law, subpoena, or court order, or to report CSAM to NCMEC.
We do not sell your data.
5. Wallet Address Privacy
Your wallet address is a pseudonymous identifier. We do not attempt to link wallet addresses to real-world identities unless compelled by law enforcement with valid legal process.
6. Blockchain Data
Payment transactions are recorded on the Base blockchain. This data is:
- Public — anyone can view it on a block explorer
- Permanent — blockchain data cannot be modified or deleted
- Outside our control — we cannot erase on-chain records
Deletion requests (see Section 8) apply only to our off-chain database and stored images, not to on-chain transaction data.
7. Data Retention
- Images — 1 year from upload, then automatically deleted from storage
- Database records (wallet address, tx hash, metadata) — retained for 1 year, consistent with REPORT Act requirements
- Infrastructure logs (IP, user agent) — retained per provider policies, typically 30–90 days
- CSAM-related data — retained for at least 1 year per the REPORT Act, or longer if required by law enforcement
8. Your Rights
All users
You may request deletion of your uploaded image by contacting [email protected] with the image URL and proof of upload (e.g., wallet address or transaction hash). We will remove the image from our storage and database. On-chain transaction data cannot be deleted.
EU/EEA residents (GDPR)
Wallet addresses are treated as pseudonymous personal data. You have the right to access, rectification, erasure (off-chain data only), data portability, restriction of processing, and objection. Our legal bases for processing are: (a) legitimate interest in providing the Service, and (b) legal obligation for CSAM reporting.
By using the Service, you acknowledge that on-chain blockchain data is permanent and not subject to erasure requests. Contact [email protected] for data protection inquiries. You have the right to lodge a complaint with your supervisory authority.
California residents (CCPA)
You have the right to know what personal information is collected, to request its deletion, and to opt out of the sale of personal information. We do not sell personal information. We will not discriminate against you for exercising these rights.
9. Data Security
- All traffic served over HTTPS
- Storage encrypted at rest
- No user credentials to protect (no accounts)
No system is perfectly secure. We cannot guarantee the absolute security of your data.
10. Children's Privacy
The Service is not directed at children under 13 (or 16 in the EU). We do not knowingly collect data from children. All uploads are scanned for CSAM, and detected material is immediately removed and reported.
11. International Data Transfers
Data is stored and processed in the United States on Fly.io infrastructure. If you use the Service from outside the US, your data will be transferred to the US. For EU/EEA users, this transfer is necessary for the performance of the service you requested.
12. Changes to This Policy
We may update this policy at any time. The current version is always available at img402.dev/privacy. Continued use of the Service after changes constitutes acceptance.
Contact
Privacy inquiries: [email protected]