Privacy Policy | Pixshift

Last updated: April 2026

1. Controller

The controller responsible for data processing on this website is:

Nico Beyer
Email: pixshift@proton.me

2. Overview of Data Processing

We process personal data only to the extent necessary to provide our website and the services offered (image conversion, compression, cropping, resizing, and URL import). Image processing is performed entirely server-side on our own infrastructure — your images are not transmitted to external services. We use the following data processors to operate the website:

Vercel Inc. (USA) – Website hosting and Vercel Analytics
Supabase Inc. (EU, Stockholm) – Database hosting
Google Ireland Ltd. – Google Analytics and Google OAuth sign-in
Resend Inc. (USA) – Contact form email delivery

3. Legal Basis

Personal data is processed based on: Art. 6(1)(a) GDPR (consent, e.g. for analytics cookies), Art. 6(1)(b) GDPR (contractual performance, e.g. providing the user account and image processing services), Art. 6(1)(f) GDPR (legitimate interest, e.g. security and abuse prevention through rate limiting).

4. Hosting and Vercel Analytics

This website is hosted by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). When visiting the website, Vercel automatically collects technical data such as IP address, browser type, operating system, referrer URL, access time, and data volume transferred. This is technically necessary for delivering the website (Art. 6(1)(f) GDPR). We also use Vercel Analytics to analyze website usage. Vercel Analytics collects anonymized usage data (page views, load times, country of origin) without using cookies. Vercel participates in the EU-U.S. Data Privacy Framework. More info: https://vercel.com/legal/privacy-policy

5. Database (Supabase)

User data, processed image metadata, and usage statistics are stored in a PostgreSQL database hosted by Supabase (Supabase Inc.). The database server is located in the EU (AWS Region eu-north-1, Stockholm). No image data is stored in the database — only metadata (filename, file size, format, processing time). More info: https://supabase.com/privacy

6. Cookies

This website uses the following cookies: (a) Technically necessary cookies: A session cookie (next-auth.session-token) for authenticating logged-in users. This cookie is HttpOnly, cannot be read by JavaScript, and is required for providing the user account (Art. 6(1)(b) GDPR). (b) Analytics cookies: Google Analytics sets cookies (_ga, _gid) to analyze website usage. These are only activated with your explicit consent (Art. 6(1)(a) GDPR). You may revoke your consent at any time.

7. Google Analytics

This website uses Google Analytics 4, a web analytics service provided by Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics uses cookies that enable analysis of your use of the website. The information generated by the cookie is usually transmitted to a Google server in the USA. We have activated IP anonymization so that your IP address is truncated within the EU. Google participates in the EU-U.S. Data Privacy Framework. You can prevent collection by Google Analytics by installing a browser add-on: https://tools.google.com/dlpage/gaoptout

8. Registration and User Account

When registering via the sign-up form, we store: username (optional), email address, password (encrypted with bcrypt, 12 rounds). When signing in via Google OAuth, we additionally store: profile image URL and name from your Google account. This data serves to provide your user account (Art. 6(1)(b) GDPR). You can permanently delete your account and all associated data at any time via the dashboard settings.

9. Image Processing

Uploaded images are processed server-side using the Sharp library. Processed images are stored temporarily on the server and automatically deleted after a maximum of 7 days. The following metadata is stored: original filename, original size, processed size, format, tool used, timestamp. For logged-in users, this metadata is linked to the user account to provide an overview in the dashboard. Non-logged-in users can process images anonymously — no personal attribution occurs in this case. No original images are permanently stored.

10. Rate Limiting and IP Addresses

To protect against abuse, we store your IP address for rate limiting purposes. The following is recorded: IP address, number of processed files, and transferred data volume within a 24-hour time window. After this window expires, the counters are reset. Processing is based on our legitimate interest in the security and availability of the service (Art. 6(1)(f) GDPR).

11. Contact Form

When you send us a message via the contact form, your name, email address, and message are transmitted to us. The email is sent via Resend (Resend Inc., USA). The data is not stored in our database but only delivered via email. Resend processes data according to its privacy policy: https://resend.com/legal/privacy-policy. Processing is based on your consent (Art. 6(1)(a) GDPR), which you provide by submitting the form and confirming the privacy policy.

12. Internal Usage Analytics

With each image processing operation, an anonymous analytics event is stored containing the tool used, file format, and file size. For logged-in users, this event is linked to the user ID to display personal statistics in the dashboard. These internal analytics serve to improve the service and are not shared with third parties.

13. Your Rights

Under the GDPR, you have the following rights: Right of access (Art. 15), Right to rectification (Art. 16), Right to erasure (Art. 17), Right to restriction of processing (Art. 18), Right to data portability (Art. 20), Right to object (Art. 21), Right to withdraw consent (Art. 7(3)). To exercise your rights, contact us via the contact form or the contact details in the legal notice. You also have the right to lodge a complaint with a data protection supervisory authority.

14. Data Security

We employ technical and organizational measures to protect your data: encrypted transmission via HTTPS/TLS, password hashing with bcrypt (12 rounds), JWT-based authentication with signed tokens, database server located in the EU (Stockholm), HttpOnly cookies to protect against XSS attacks.

15. Changes to this Privacy Policy

We reserve the right to update this privacy policy to reflect changes in legal requirements or changes to the service. The current version is always available on this page.