Privacy policy
Last updated June 13, 2026
The short version
PhotoMagic is a tool that helps you triage photos that already live in your Google Drive or Google Photos. We don’t copy your photo files onto our servers. We only store the small bits of metadata we need to remember your selections and let collaborators see them.
What we ask Google for
When you sign in with Google, we request the following OAuth scopes:
openid email profile— to identify your account and show your name and avatar.drive— to list image files in the folders you point us at, to read thumbnails for triage, and (only when you click those buttons) to create a destination folder and copy/shortcut the selected files, or apply lossless EXIF rotation to a photo you rotated in the UI.photoslibrary.appendonly— only used if you click Send to Photos. Lets us add your picks to a new Google Photos album we create. We cannot read your existing Photos library.
What we store
The following lives in our Supabase database:
- Your Google user id, email, name, and avatar URL.
- A row per Drive folder you’ve opened, with the folder’s id and name.
- Per-photo selection state (
pick/maybe/reject) referenced by Drive file id — never the file contents. - An append-only event log of selection changes so you can scrub through your history.
- Optional small per-file metadata for AI features: perceptual hash, image dimensions, capture time. We never store the photo itself.
- Only if you turn on People recognition for an event (it is off by default): face “embeddings” (numeric faceprints) computed in your browser, the face positions, and any names you add — all scoped to that one event. See the dedicated section below; you can delete it at any time.
- If you publish a lookbook, we store the layout spec and the thumbnail URLs (already-public Google-hosted thumbnails) so anyone with the link can view the page.
- An encrypted Google refresh token, when Google provides one, so we can keep your Drive connection working without asking you to re-consent every hour. It is encrypted at rest and only used to mint short-lived Google access tokens for the features you choose to run.
What we don’t store
- Your raw image files. Ever.
- Unencrypted Google access or refresh tokens. Access tokens are short-lived and used only to call Google APIs on your behalf.
- Any face or biometric data unless you explicitly turn on People recognition for an event — and even then it is computed in your browser, scoped to that event, never shared across users, and deletable at any time (see the next section).
- Third-party advertising trackers or marketing pixels.
People recognition (optional, off by default)
PhotoMagic can group an event’s photos by who appears in them, so you can make sure everyone is covered and quickly find a specific person. Because this analyzes faces, it is strictly opt-in and works like this:
- Off until you turn it on for a specific event, after an explicit consent step where you confirm you have the authority to do so — including for any minors in the photos.
- It runs in your browser. The face analysis happens on your device; your raw photos are never uploaded to us for this. Only the resulting numeric “faceprints” (embeddings) are stored.
- Find someone’s photos. You can upload a single clear photo of one person to pull every shot they appear in. That photo is matched against the event’s faceprints entirely in your browser and discarded immediately — it is never uploaded to us or stored.
- What we store: per-face embeddings, face positions, and any names you assign — all scoped to that one event in our Supabase database, readable only by that event’s members.
- Not a cross-user index. We never build a cross-user identity database, never share faceprints with Google or any third party, never sell them, and never use them to train any model.
- Remembered people (optional, your account only). You can choose to “remember” a person you’ve named so we can suggest their name at your future events. When you do, we save that name and their face embedding to a private library scoped to your account — never shared with other users. Suggestions are always yours to confirm (never auto-applied). You can forget one person, or your whole library, anytime from the People panel; deleting your account removes it.
- Suggestions only. Groupings are suggestions you review and correct; we never auto-hide, reject, or delete a person or their photos, and we do not infer age, gender, race, or any other demographic attribute.
- Delete anytime.One click — “Turn off & delete face data” — stops processing and permanently deletes every embedding and person for that event. Deleting the event deletes them too, and you can email us to erase your face data.
How we protect your data
We treat the data you connect through Google — your Drive file metadata, your profile, and especially your Google OAuth tokens — as sensitive, and protect it with the following safeguards:
- Encryption in transit. Every request to our app and to Google’s APIs travels over HTTPS (TLS 1.2+). Your photos stream directly from Google to your browser over Google’s own encrypted connections.
- Encryption at rest. Our database (Supabase Postgres) and all backups are encrypted at rest with AES-256 by the cloud provider.
- Extra encryption for your Google refresh token. The single most sensitive item we hold is the Google refresh token. Before it is written to the database it is encrypted a second time, in our application layer, using
AES-256-GCMwith a key that lives only in server environment variables and never in the database. So even with database access, the token cannot be read without that separate key. It is decrypted only in memory, on the server, to mint a short-lived access token for an action you initiated. - Strict access control. Every row is protected by Supabase row-level security: you can only read or write your own selections, and collaborators can only read sessions they were explicitly invited to. Privileged database keys are used only in server-side code, never exposed to the browser.
- Data minimization. We request the narrowest Google access our features need, and we store only lightweight metadata (file ids, selection state, small derived values) — never your photo contents.
- Trusted infrastructure. Data is hosted on Google, Supabase, and Vercel — providers that maintain industry-standard security certifications (e.g. SOC 2, ISO 27001). Access to production systems is limited to the app’s operator.
- Retention & deletion. You can revoke access at any time (see below). On request we delete your stored data — including the encrypted refresh token, selections, and event history — within 7 days. Revoking the app in your Google account immediately invalidates any token we hold.
No method of transmission or storage is ever 100% secure, but we work to protect your data using the measures above and review them as the app evolves.
Who can see your selections
Only you and any collaborators you explicitly invite to a session (by sharing the session URL). We enforce this with Supabase row-level security — collaborators can only read sessions they’re a member of.
Public lookbooks are the one exception: when you click Share as web page, anyone who has the unguessable slug URL can view the assembled book (and grab the PDF). They cannot see your other sessions or pick state.
Usage analytics
To understand how PhotoMagic is used and where it can be improved, we record anonymous, aggregate product events — for example “a session was created”, “a first pick was made”, or “the export dialog was opened”. These land in our own database; we do not sell them or share them with advertisers.
Events are keyed to a random in-browser id (no cookie, no name, no email) and may include a coarse device class (mobile/desktop) and country/region derived at the edge — we never store your IP address. We also use Vercel’s cookieless Analytics and Speed Insights for aggregate traffic and performance. If your browser sends a Do Not Track signal, we skip product-event tracking entirely.
Cookies
We set a single first-party cookie to keep you signed in (the Supabase auth session). No third-party cookies, no marketing cookies, and no cookie-based analytics.
Revoking access
You can revoke PhotoMagic’s access at any time:
- Go to myaccount.google.com/permissions → find PhotoMagic → Remove access.
- To also delete your data on our side, email hello@photomagic.live from the account address. We delete your row(s), session memberships, and event history within 7 days.
Where data is stored
Database: Supabase (Postgres) in the Northeast Asia (Tokyo) region. Hosting: Vercel. Photos themselves never leave Google’s infrastructure on the way to your browser.
Changes to this policy
If we change anything substantive we’ll update the date at the top and, for existing users, surface the change on next sign-in.
Contact
Questions? Reach out at hello@photomagic.live.