This Privacy Policy describes how Papaview (“we,” “us,” or “Papaview”) collects, uses, and shares information when you use papaview.com and the Papaview software (the “Service”). By using the Service, you agree to this Policy.
Who we are
Papaview is a service that lets families display photos on a TV wall. Photos are uploaded by account holders and by guests they invite. The operator of the Service is the Papaview entity identified on papaview.com.
Information we collect
Information you provide
- Account information: email address, display name, and authentication events (magic-link sign-ins).
- Content: photos, short videos, voice notes, captions, and album names you or people you invite upload.
- Payment information: we use Stripe to process payments. Your card number is sent directly to Stripe and is never stored on our servers. We receive only a customer ID, the last four digits, and billing status.
- Cloud-integration tokens: if you connect Dropbox or Google Photos, we store access and refresh tokens encrypted at rest (AES-256-GCM) so we can fetch the folders you choose to watch.
Information collected automatically
- Usage data: pages viewed, features used, request timestamps, and error diagnostics.
- Device + network data: IP address, user-agent string, approximate location derived from IP, and viewport characteristics (used by the display to pick a sensible density).
- Cookies and similar technologies: required cookies for sign-in sessions and anti-CSRF. We do not use third-party advertising cookies.
Information we do not collect
- We do not collect biometric data.
- We do not sell or rent your data to advertisers.
- We do not knowingly collect data from anyone under 13 (see Children below).
How we use information
- Provide, operate, and improve the Service.
- Render photos on displays you own or have been granted access to.
- Process subscriptions and send transactional emails (welcome, receipts, storage-usage alerts).
- Detect, prevent, and respond to abuse, illegal content, and security issues — including automated hash comparison of uploads against the NCMEC hash list of known child sexual abuse material.
- Comply with legal obligations, including mandatory reporting to the National Center for Missing & Exploited Children (NCMEC) under 18 U.S.C. § 2258A.
When we share information
We share information only with service providers acting on our behalf and, where legally required, with authorities. We do not sell personal information.
Service providers
- Supabase — database, storage, and auth (hosting).
- Stripe — payment processing.
- Resend — transactional email delivery.
- Cloudflare (optional) — CSAM scanning and content delivery.
- Northflank — application hosting.
- YouTube / Facebook / Vimeo — only if you opt into live streaming. We push video data to your account, not the other direction.
- Dropbox / Google — only if you connect a cloud-photo integration and only for the folders you pick.
Legal disclosures
We disclose information when legally compelled (subpoena, court order, search warrant), to report suspected child exploitation to NCMEC, and to prevent imminent physical harm. We contest disclosures we believe are overbroad or invalid where we have good-faith grounds.
How long we keep information
- Photos and videos: until you delete them or close your account, whichever comes first.
- Content flagged or reported for review: preserved for at least 90 days from the date of the report to comply with NCMEC and law-enforcement obligations, even if you attempt to delete it.
- Account data: until you request deletion; backups are purged within 30 days of account deletion.
- Payment records: retained as required for tax and accounting purposes (typically 7 years).
Your rights
Regardless of where you live, you can:
- Access a copy of your data.
- Correct inaccurate information.
- Delete your account and data (subject to retention obligations above).
- Export your photos and captions in a portable form.
- Opt out of non-essential email (Settings → Billing).
Email privacy@papaview.com to exercise these rights.
California (CCPA/CPRA)
California residents have the right to know what personal information we collect and how we use it, to request deletion, to correct inaccurate information, and to not be discriminated against for exercising these rights. We do not “sell” personal information as that term is defined under the CCPA/CPRA.
Other U.S. states
Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws have substantially similar rights. Contact us at the address above to exercise them.
Security
We encrypt data in transit (TLS) and at rest. Authentication tokens, cloud-integration credentials, and RTMP stream keys are encrypted with AES-256-GCM using a server-side application secret. No system is perfectly secure; we promptly notify affected users in the event of a breach.
Children
The Service is not directed at children under 13 and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has created an account, contact us and we will delete the account.
International users
Papaview operates in the United States. If you are located outside the U.S., information you provide will be transferred to and processed in the United States. We have not certified to the EU-U.S. Data Privacy Framework.
Changes to this policy
We may update this Policy. If we make material changes we'll notify active account holders by email at least 30 days before changes take effect.
Contact
Papaview · privacy@papaview.com · papaview.com