Privacy Policy
Last updated: May 2026 · App v0.7.5
Who we are
The Judge's Eye is operated by Joe Houghton, trading as Houghton Photo (joe.houghton@gmail.com), based in Ireland. We are a data controller under the General Data Protection Regulation (GDPR).
Contact for data queries: joe.houghton@gmail.com
What data we collect
- Email address — used to authenticate you via a one-time passcode. We don't collect your name or any other profile data.
- Critique images — photos you upload for critique. We resize them server-side (max 1024px, JPEG) and store the resized copy in Cloudflare R2. Your original file is never stored.
- Critique results — the AI-generated score, feedback text, and any app-specific advice we generate for your images. Stored in our database so you can revisit your critique history.
- Billing data — processed entirely by Paddle (our Merchant of Record). We store only a customer ID and subscription status — no card numbers or full payment details.
- Usage counters — how many critiques you've used this month. Used solely to enforce your plan limits.
- Session data — a short-lived JWT cookie so you stay signed in. Expires after 30 days.
- Feedback messages — if you submit a bug report or feature request, we store the message and optionally your email.
Legal basis for processing
- Contract (Art. 6(1)(b)) — processing your email and critique data to deliver the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — server-side logging and abuse prevention (rate limiting, error monitoring).
- Legal obligation (Art. 6(1)(c)) — retaining transaction records as required by Irish tax law.
Sub-processors
| Processor | Purpose | Location |
|---|---|---|
| Vercel | App hosting and CDN | EU regions |
| Neon (PostgreSQL) | Database (accounts, critiques, billing status) | Ireland (EU) |
| Cloudflare R2 | Critique image storage | EU |
| Brevo | Transactional email (sign-in codes, account notices) | EU |
| Google (Gemini API) | AI analysis of your uploaded images | Google Cloud |
| Paddle | Payment processing (acts as Merchant of Record) | UK / Global |
Note on Google Gemini: Images you upload are sent to Google's Gemini API for analysis. Google's API terms apply. We do not store your original image — only the resized server-side copy.
Retention
- Your account — kept while your account is active. Accounts inactive for more than 25 months are automatically erased.
- Critique images and results — deleted when you delete individual critiques, when you close your account, or on the 25-month inactivity threshold above.
- Sign-in codes — expire after 10 minutes and are pruned daily.
- Sessions — expire after 30 days and are pruned daily.
- Erasure log — a hashed (SHA-256) record that an erasure took place, kept for audit purposes under Art. 17. No personal data is readable from this log.
Your rights
You have the right to:
- Access — request a copy of all data we hold about you (SAR).
- Erasure — delete your account and all associated data via Account Settings, or by emailing us.
- Portability — receive your data in a machine-readable format (JSON).
- Rectification — correct inaccurate data (your email is your identity — contact us to update it).
- Restriction — ask us to restrict processing in limited circumstances.
- Object — object to processing based on legitimate interest.
To exercise any right, email joe.houghton@gmail.com. We will respond within 30 days.
Supervisory authority
You have the right to lodge a complaint with Ireland's Data Protection Commission: dataprotection.ie.
Cookies
We use a single session cookie (HttpOnly, Secure, SameSite=Lax) to keep you signed in. No advertising cookies, no third-party tracking.
Changes to this policy
If we make material changes, we'll update the "Last updated" date above and notify signed-in users on next login.