Security
How img402 stores, serves, and protects uploaded images.
Public by default
All uploaded images are publicly accessible via their URL. Anyone with the link can view the image. There is no private hosting, no access control, and no authentication on image serving.
Do not upload sensitive, private, or confidential content. Once uploaded, an image is publicly accessible until it expires or is removed.
Data we collect
We store the minimum data needed to host your image and verify payment:
- The uploaded image file
- Image metadata (content type, file size, generated ID)
- Upload timestamp and expiration date
- Wallet address (for paid uploads)
- Payment hash (for paid uploads)
We do not collect names, emails, IP addresses, cookies, analytics, or any tracking data. See our Privacy Policy for full details.
Infrastructure
- All traffic served over HTTPS
- Images encrypted at rest in object storage
- Database encrypted at rest and in transit
- Cloudflare CDN — global edge caching, DDoS protection, TLS termination
Content safety
All served images pass through Cloudflare's automated CSAM (child sexual abuse material) scanning. Detected material is immediately removed and reported to NCMEC's CyberTipline in compliance with 18 U.S.C. § 2258A and the REPORT Act of 2024.
We do not manually review images unless they are flagged by automated systems or reported by users.
Abuse handling
To report prohibited content (copyright infringement, illegal material, or other violations), see our abuse reporting page.
Prohibited content includes:
- Child sexual abuse material (CSAM)
- Non-consensual intimate imagery
- Content promoting terrorism or violent extremism
- Copyrighted material without authorization
- Malware, phishing, or deceptive content
- Doxxing or unauthorized personal information
- Non-consensual deepfakes of real persons
See our Terms of Service for the full list.
Retention and deletion
- Free tier — images are deleted 7 days after upload
- Paid tier — images are deleted 1 year after upload
After expiry, images are permanently deleted from object storage and their URLs return 404. Database records are retained for 1 year, consistent with REPORT Act requirements.
To request early deletion, email [email protected] with the image URL and proof of upload (wallet address or transaction hash).
Payment security
Payments are processed via the x402 protocol on the Base network. Payment verification and settlement are handled by the Coinbase CDP facilitator.
We never have access to your private keys. Payment authorization is signed client-side. We only receive the signed proof, which we forward to the facilitator for verification.
No accounts
img402 has no user accounts, no passwords, and no API keys. There are no credentials to leak, rotate, or protect. For the paid tier, payment is authentication — the signed x402 proof is the only credential, and it's single-use.