
RawPicker Privacy Policy

Last updated: March 30, 2026

1. General Provisions

1.1. This Privacy Policy defines the rules for processing and protecting the personal data of users of the RawPicker service (hereinafter: "Service"), available at rawpicker.com, as well as the RawPicker mobile and desktop applications.

1.2. RawPicker is a cloud-based tool for culling and managing RAW/JPEG photos, designed for photographers, offered under a subscription model (Free, Plus, and Pro plans).

1.3. The controller of personal data collected through the Service is HexBit - Wojciech Osak (hereinafter: "Controller").

1.4. Protecting users' personal data is our priority. We make every effort to ensure that personal data is processed in accordance with:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: "GDPR");
  • The Polish Act of 10 May 2018 on the Protection of Personal Data;
  • The Polish Act of 18 July 2002 on the Provision of Electronic Services;
  • The ePrivacy Directive (2002/58/EC) and its implementing provisions;
  • Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (EU AI Act) -- to the extent applicable;
  • Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services (Digital Services Act).

1.5. Use of the Service is voluntary. Providing personal data is also voluntary, with the caveat that:

  • failure to provide data required for account registration (email address) prevents use of Service features that require authentication;
  • failure to provide data required by law prevents the Controller from fulfilling its legal obligations.

2. Data Controller

2.1. The controller of personal data is:

HexBit - Wojciech Osak
ul. Herbu Janina 9A/25
02-972 Warsaw, Poland
Tax ID (NIP): 5381859620

2.2. For all matters related to personal data processing, the Controller can be reached at: admin@rawpicker.com.

2.3. The Controller has not appointed a Data Protection Officer (DPO). All inquiries concerning personal data protection should be directed to the email address specified in section 2.2.

3. Scope of Personal Data Processed

3.1. Registration and authentication data:

  • Email address (required) -- registration form / Google OAuth
  • First and last name (optional) -- Google OAuth (if shared)
  • Avatar URL (optional) -- Google OAuth (if shared)
  • Google ID (optional) -- Google OAuth
  • Terms acceptance timestamp (required) -- system (automatic)

3.2. Device data (license management):

  • Device identifier (device fingerprint);
  • Device name;
  • Operating system;
  • First seen and last seen timestamps.

3.3. Photos and metadata (Pro/Plus plans):

  • Photo files in RAW and JPEG formats uploaded by the user;
  • EXIF metadata: camera make and model, lens, ISO, aperture, shutter speed, focal length, date and time of capture, orientation;
  • Organizational data: ratings (1-5 stars), flags, color labels, project names.

3.4. Contact form data:

  • First name;
  • Email address;
  • Subject;
  • Message content.

3.5. Data collected automatically:

  • IP address;
  • Session data (session identifier stored as the connect.sid cookie);
  • Server system logs;
  • Crash reports and diagnostic data (PostHog, EU server: eu.i.posthog.com): device type, operating system version, application version, error stack traces;
  • Product analytics telemetry (desktop JVM application only, PostHog): pseudonymous user identifier, subscription tier, platform, screen views, high-level product events (sign-in, import, export, sharing).

3.5a. ML analysis data processed locally on the user's device:

The following data is generated and processed exclusively on the user's device using local ML models (ONNX Runtime). This data is not transmitted to the Controller's servers or to any third parties:

  • Image quality scores (sharpness, exposure, noise);
  • Face detection scores (presence, open eyes, smile, occlusion);
  • Face count per image;
  • Neural embedding vectors (used for duplicate detection);
  • Duplicate detection hashes;
  • Overall quality scores.

3.6. Payment data:

  • Billing cycle type (monthly/yearly);
  • Selected subscription plan.

Payment processing is handled by PayProGlobal Inc., which acts as the Merchant of Record. The Controller does not store credit card data or detailed transaction data -- these are processed exclusively by PayProGlobal.

3.7. Data used for fraud detection:

  • Risk score (scale 0-100);
  • Disposable email detection;
  • IP-based risk assessment;
  • Device fingerprint;
  • Blocked email, IP, and domain lists;
  • Chargeback and refund data.

4. Purposes and Legal Bases of Processing

4.1. The Controller processes personal data for the following purposes and on the following legal bases:

  • User account registration and management (email, first and last name, avatar, Google ID, terms acceptance timestamp) -- Art. 6(1)(b) GDPR -- performance of a contract
  • Providing photo storage and management services (photos, EXIF metadata, organizational data) -- Art. 6(1)(b) GDPR -- performance of a contract
  • License and device management (device ID, device name, operating system, timestamps) -- Art. 6(1)(b) GDPR -- performance of a contract
  • Payment processing and subscription management (billing cycle, subscription plan, data transmitted to PayProGlobal) -- Art. 6(1)(b) GDPR -- performance of a contract
  • Handling contact form inquiries (first name, email, subject, message content) -- Art. 6(1)(f) GDPR -- legitimate interest (responding to inquiries)
  • Fraud detection and prevention (risk score, device fingerprint, IP data, blocked lists, chargeback data) -- Art. 6(1)(f) GDPR -- legitimate interest (Service security and fraud protection)
  • AI-based photo processing (automatic culling, photos uploaded by the user) -- Art. 6(1)(b) GDPR -- performance of a contract (Pro plan feature)
  • Error monitoring and crash reporting (PostHog: diagnostic data, device information, application version) -- Art. 6(1)(f) GDPR -- legitimate interest (service stability and quality)
  • Product analytics telemetry (PostHog, desktop JVM only: pseudonymous identifier, plan, platform, product events) -- Art. 6(1)(f) GDPR -- legitimate interest (improving usability and reliability)
  • Tax and accounting obligations (billing data) -- Art. 6(1)(c) GDPR -- legal obligation
  • Establishment and defense of legal claims (account data, transaction data, logs) -- Art. 6(1)(f) GDPR -- legitimate interest
  • Sending service-related (transactional) emails (email address) -- Art. 6(1)(b) GDPR -- performance of a contract

4.2. Where data processing is based on consent (Art. 6(1)(a) GDPR), the user has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.

4.3. Where data processing is based on the Controller's legitimate interest (Art. 6(1)(f) GDPR), the user has the right to object to such processing.

5. Data Retention Period

5.1. The Controller retains personal data for the period necessary to fulfill the purposes for which they were collected:

  • User account data: for the duration of the account + 14 days after deletion
  • Photos and metadata: for the duration of the account; deleted when the account is deleted
  • Deleted files (trash): 30 days (Free plan), 90 days (Pro/Plus plans) from the time of deletion, then permanently erased
  • Session data (connect.sid cookie): 30 days
  • Contact form data: up to 12 months after the inquiry has been handled, unless required for the pursuit of claims
  • Accounting and tax data: 5 years from the end of the calendar year in which the tax payment was due (under Polish tax law)
  • Fraud detection data: up to 2 years from the time of collection
  • Crash reports (PostHog): up to 90 days
  • Product analytics telemetry (PostHog): in accordance with PostHog's retention policy; retained only for product analysis purposes
  • ML analysis data (local): stored on the user's device; the Controller does not control local data retention
  • System logs: up to 90 days

5.2. After the retention period expires, personal data is permanently deleted or effectively anonymized.

6. Data Recipients

6.1. The Controller may share personal data with the following categories of recipients (sub-processors):

  • Google LLC -- OAuth authentication (Sign in with Google) -- USA, EU-US Data Privacy Framework
  • PayProGlobal Inc. -- Merchant of Record, payment processing and subscription management -- Canada/USA, DPA + Standard Contractual Clauses (SCCs)
  • Wasabi Technologies LLC -- photo file storage (S3-compatible object storage) -- USA (headquarters), data stored in the EU
  • Proton AG -- ProtonMail SMTP, transactional email delivery -- Switzerland, European Commission adequacy decision
  • PostHog Inc. -- backend error monitoring and crash reporting -- EU (eu.i.posthog.com)
  • PostHog Inc. -- product analytics telemetry (desktop JVM application only) -- EU (eu.i.posthog.com)
  • Hosting provider -- servers, PostgreSQL database, Redis -- EU

6.2. The Controller does not sell users' personal data to any third parties.

6.3. The Controller may disclose personal data upon request by authorized state authorities, including courts, prosecutors, police, the President of the Polish Data Protection Authority (UODO), or the President of the Office of Competition and Consumer Protection (UOKiK) -- to the extent required by applicable law.

6.4. Each sub-processor is bound by a Data Processing Agreement (DPA) to ensure an adequate level of personal data protection in compliance with GDPR requirements.

7. Data Transfers Outside the EEA

7.1. In connection with the services described in section 6, personal data may be transferred to third countries (outside the European Economic Area). The Controller ensures that data transfers are carried out with an adequate level of protection:

7.2. United States:

  • Google LLC participates in the EU-US Data Privacy Framework (European Commission implementing decision of 10 July 2023), which constitutes a legal basis for data transfer under Art. 45 GDPR.
  • PayProGlobal Inc. -- data transfer is safeguarded by Standard Contractual Clauses (SCCs) adopted by European Commission Decision 2021/914, pursuant to Art. 46(2)(c) GDPR, along with a Data Processing Agreement (DPA).
  • Wasabi Technologies LLC -- headquartered in the USA, however user data (photos) is stored on servers located in the European Union.

7.3. Switzerland:

  • Proton AG -- Switzerland is covered by a European Commission adequacy decision on the level of personal data protection (Art. 45 GDPR).

7.4. Canada:

  • PayProGlobal Inc. -- Canada is covered by a European Commission adequacy decision with respect to entities subject to the Canadian PIPEDA. Additionally, Standard Contractual Clauses (SCCs) are applied.

7.5. Users have the right to obtain a copy of the safeguards applied to data transfers outside the EEA by contacting the Controller at: admin@rawpicker.com.

8. User Rights (GDPR)

8.1. Under the GDPR, every user has the following rights:

8.1.1. Right of access (Art. 15 GDPR) -- the user has the right to obtain confirmation from the Controller as to whether personal data concerning them is being processed, and if so, to access such data and the information specified in Art. 15 GDPR.

8.1.2. Right to rectification (Art. 16 GDPR) -- the user has the right to request the prompt rectification of inaccurate personal data concerning them, and to request the completion of incomplete personal data.

8.1.3. Right to erasure ("right to be forgotten") (Art. 17 GDPR) -- the user has the right to request the prompt erasure of personal data concerning them where one of the grounds specified in Art. 17 GDPR applies.

8.1.4. Right to restriction of processing (Art. 18 GDPR) -- the user has the right to request the restriction of processing in the cases specified in Art. 18 GDPR.

8.1.5. Right to data portability (Art. 20 GDPR) -- the user has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used, and machine-readable format, and has the right to transmit such data to another controller.

8.1.6. Right to object (Art. 21 GDPR) -- the user has the right to object at any time to the processing of personal data concerning them based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.

8.1.7. Right to withdraw consent (Art. 7(3) GDPR) -- to the extent that the basis for processing is consent, the user has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.

8.1.8. Right not to be subject to a decision based solely on automated processing (Art. 22 GDPR) -- see section 11.

8.2. To exercise the above rights, the user may:

  • contact the Controller at: admin@rawpicker.com;
  • delete their account directly in the Service settings (resulting in the deletion of account data and all uploaded photos).

8.3. The Controller shall respond to the user's request without undue delay, no later than one month from receipt of the request. If necessary, this period may be extended by a further two months due to the complexity of the request or the number of requests.

8.4. Right to lodge a complaint with a supervisory authority -- the user has the right to lodge a complaint with the President of the Polish Data Protection Authority (UODO):

President of the Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Website: https://uodo.gov.pl

9. Processing of Data by Artificial Intelligence

9.1. As part of the Pro plan, the RawPicker service offers an automatic photo culling feature powered by artificial intelligence (AI processing).

9.2. Scope of AI processing:

  • AI analyzes photos uploaded by the user solely for the purpose of automatic evaluation and culling (e.g., detecting sharpness, exposure, composition);
  • AI processing is performed as a component of the service covered by the contract (Pro plan), pursuant to Art. 6(1)(b) GDPR.

9.3. Transparency of AI processing:

  • AI results are advisory in nature -- the final decision on photo culling belongs to the user;
  • AI does not make automated decisions producing legal effects concerning the user within the meaning of Art. 22 GDPR;
  • The user is informed that a given feature uses AI before activating it.

9.4. On-device ML processing:

  • In the desktop and mobile RawPicker applications, photo analysis (quality scoring, face detection, duplicate detection) is performed exclusively on the user's device using the ONNX Runtime library;
  • No photo data or analysis results are transmitted to the Controller's servers or to any third parties as part of ML processing;
  • The user has full control over ML data stored locally on their device.

9.5. Data protection in the context of AI:

  • User photos are not used to train AI models;
  • Data processed by AI is not shared with third parties for training purposes;
  • AI processing is subject to the same security standards as all other data operations within the Service.

9.6. In accordance with Regulation (EU) 2024/1689 (EU AI Act), the Controller informs users that the AI system used in the Service does not qualify as a high-risk AI system. The use of AI is limited to assisting users in the photo culling process and does not affect the rights or freedoms of natural persons.

10. Rights of Users in the United States

10.1. This section applies to users who are residents of the United States and supplements the information contained in other sections of this Privacy Policy with rights arising from US state privacy regulations.

10.2. California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA):

California residents have the right to:

  • Right to Know -- obtain information about the categories and specific pieces of personal data we collect, the purposes for which we collect them, the categories of sources, and the categories of third parties with whom we share data;
  • Right to Delete -- request the deletion of personal data, subject to statutory exceptions;
  • Right to Opt-Out of Sale -- the Controller does not sell users' personal data within the meaning of CCPA/CPRA and has no intention of doing so;
  • Right to Correct -- request the correction of inaccurate personal data;
  • Right to Limit Use of Sensitive Personal Information -- the Controller does not collect sensitive personal information within the meaning of CPRA;
  • Right to Non-Discrimination -- the Controller does not discriminate against users who exercise their rights.

10.3. Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other state privacy laws:

Residents of states with comprehensive privacy laws may have the right to:

  • access their personal data;
  • request correction of inaccurate data;
  • request deletion of data;
  • obtain a copy of data in a portable format;
  • opt out of data processing for targeted advertising, data sales, or profiling (the Controller does not engage in these activities);
  • appeal a denial of a request.

10.4. To exercise these rights, please contact us at: admin@rawpicker.com. The identity of the requestor will be verified before the request is fulfilled. Responses are provided within 45 days of receiving a verifiable request under each of these laws (CCPA/CPRA, VCDPA, CPA, CTDPA).

10.5. The Controller does not share personal data in exchange for monetary consideration ("does not sell" data within the meaning of the aforementioned laws) and does not share personal data for cross-context behavioral advertising purposes.

11. Automated Decision-Making and Profiling

11.1. The Controller employs automated data processing for fraud detection, which includes:

  • automated risk scoring (scale 0-100) based on IP address, device characteristics, email address, and transaction history;
  • detection of disposable (temporary) email addresses;
  • verification of IP addresses, emails, and domains against blocked lists;
  • analysis of chargeback and refund history.

11.2. Purpose of profiling: Protecting the Service and its users against fraud, abuse, and unauthorized access.

11.3. Legal basis: Art. 6(1)(f) GDPR -- the Controller's legitimate interest in ensuring the security of the Service and protecting against financial losses resulting from fraud.

11.4. Consequences of profiling: Based on the risk score, a user account may be flagged for manual review or temporarily restricted. No decision producing legal effects or significantly affecting the user is made in a fully automated manner -- every such decision is subject to human review.

11.5. The user has the right to:

  • obtain information about the logic involved in profiling and its significance and expected consequences;
  • challenge the risk score and request human review;
  • express their point of view regarding a decision made with the involvement of profiling.

11.6. To exercise these rights, please contact us at: admin@rawpicker.com.

12. Digital Services Act (DSA)

12.1. In accordance with Regulation (EU) 2022/2065 (Digital Services Act), the Controller informs that:

12.2. RawPicker enables users to upload and store content (photos). Accordingly, the Controller takes measures to prevent the storage and sharing of illegal content.

12.3. DSA point of contact: All reports concerning illegal content can be directed to: admin@rawpicker.com.

12.4. Content moderation: The Controller reserves the right to remove content that is illegal or violates the terms of service. Moderation decisions are made by a human and are not fully automated.

12.5. Content reporting mechanism: Any person may report content that they believe to be illegal by sending a notification to admin@rawpicker.com. The notification should include: identification of the content, the reasons for the report, and the reporter's contact information.

12.6. If a decision is made to remove or restrict access to a user's content, the Controller will inform the user of this fact, providing the reasons for the decision and information about available remedies.

12a. Children's Data

12a.1. The Service is not intended for, nor directed at, persons under the age of 16. The Controller does not knowingly collect personal data from children under 16.

12a.2. If the Controller becomes aware that personal data has been collected from a child under 16 without appropriate parental or legal guardian consent, it will promptly take steps to delete such data.

12a.3. If you believe that a child under 16 has provided us with personal data, please contact us at: admin@rawpicker.com.

12b. Sharing Features

12b.1. The Service allows users to share photos and projects with others through:

  • Public galleries -- accessible to anyone with the link, optionally password-protected;
  • Project sharing -- collaborative access for other RawPicker users with defined permission levels (Full, Preview, Editor);
  • Invitation links -- allowing recipients to join shared projects.

12b.2. The user is solely responsible for managing access to shared content. Content shared via public links may be viewed by anyone who obtains the link.

12c. Third-Party Software Integrations

12c.1. The RawPicker desktop application may integrate with third-party software installed on the user's device, including Adobe DNG Converter, Adobe Photoshop, and Adobe Lightroom Classic. These integrations are performed via standard operating system mechanisms (e.g., command-line interface, file associations).

12c.2. As part of these integrations, no user data is transmitted to Adobe Inc. or any other third party. RawPicker is not affiliated with, endorsed by, or sponsored by Adobe Inc.

12c.3. Adobe, Adobe DNG Converter, Adobe Photoshop, and Adobe Lightroom Classic are trademarks of Adobe Inc.

13. Cookies

13.1. The Service uses cookies. Detailed information about the cookies used, their types, purposes, and management options can be found in a separate document -- Cookie Policy.

13.2. The Service uses the following categories of cookies:

  • Essential: ensuring the proper functioning of the Service, including user session management (connect.sid -- validity 30 days, httpOnly, secure, sameSite=none);
  • Functional: remembering user preferences.

13.3. In accordance with the ePrivacy Directive and applicable law, cookies essential for the provision of the service do not require user consent. Analytical and marketing cookies require prior, voluntary consent.

14. Data Security

14.1. The Controller implements appropriate technical and organizational measures to ensure the protection of processed personal data, including:

14.1.1. Technical measures:

  • encryption of data in transit (SSL/TLS);
  • password hashing (for legacy login method);
  • passwordless authentication -- one-time 6-digit codes;
  • cookies with httpOnly, secure, and sameSite attributes;
  • rate limiting on contact forms (3 submissions per hour per IP address);
  • anti-spam protection (honeypot);
  • encryption of data at rest in cloud storage;
  • regular backups;
  • security event monitoring and logging.

14.1.2. Organizational measures:

  • restriction of access to personal data to authorized individuals only;
  • application of the principle of least privilege;
  • regular review and updating of security measures;
  • Data Processing Agreements (DPAs) with sub-processors.

15. Changes to the Privacy Policy

15.1. The Controller reserves the right to amend this Privacy Policy in order to adapt it to changes in legislation, changes in the Service, or data processing practices.

15.2. Users will be notified of significant changes to the Privacy Policy via an announcement in the Service or an email sent to the address provided during registration, at least 14 days before the changes take effect.

15.3. The current version of the Privacy Policy is always available at: rawpicker.com/privacy-policy.

15.4. Date of the last update to this Privacy Policy: March 30, 2026.

16. Contact

16.1. For all matters related to personal data processing, including the exercise of your rights, please contact:

HexBit - Wojciech Osak
ul. Herbu Janina 9A/25
02-972 Warsaw, Poland
Email: admin@rawpicker.com

16.2. The supervisory authority responsible for personal data protection matters:

President of the Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Website: https://uodo.gov.pl
Helpline: 606-950-000


Effective date: March 30, 2026

This Privacy Policy has been prepared in accordance with the requirements of GDPR (Regulation EU 2016/679), the Personal Data Protection Act, the Act on the Provision of Electronic Services, the EU AI Act (Regulation EU 2024/1689), and the Digital Services Act (Regulation EU 2022/2065).