Privacy Policy
🔒 Proof.show is designed around a simple principle: we collect only what is strictly necessary. We do not sell your data, build advertising profiles, or share your information with third parties for commercial purposes.
1. Who We Are
Proof.show ("we", "us", "our") operates a photo authenticity verification platform accessible at proof.show and its subdomains. This Privacy Policy applies to all users of the website, mobile applications, and API.
As a service used by people within the European Union and EEA, we comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the ePrivacy Directive 2002/58/EC.
2. Data We Collect
| Category | Data | Purpose | Legal Basis |
|---|---|---|---|
| Account | Email address, hashed password | Authentication & identity | Contract (Art. 6(1)(b)) |
| Proof records | SHA-256 image hash, timestamp, 8-char Proof Code | Verification service | Contract (Art. 6(1)(b)) |
| Technical | IP address, browser type, request timestamps | Security, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Analytics | Anonymised page views, referrer, country (no personal ID) | Service improvement | Consent (Art. 6(1)(a)) |
| API keys | Hashed API key tokens | Developer access | Contract (Art. 6(1)(b)) |
We never store the original image. Only the cryptographic hash is retained. Images processed in-browser or via the mobile app are never uploaded to our servers unless you explicitly share a proof.
3. Cookies & Similar Technologies
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| proof_session | Keeps you logged in securely | Session | Essential |
| proof_consent_v1 | Stores your cookie preference | 1 year | Essential |
| _analytics (if consented) | Anonymous usage statistics | 30 days | Analytics |
You can manage or withdraw your cookie consent at any time by clicking . Withdrawing consent does not affect the lawfulness of processing before withdrawal.
4. How We Use Your Data
- Providing the proof verification service (generating and validating Proof Codes)
- Securing your account and preventing unauthorised access
- Responding to abuse reports and legal requests
- Improving the platform based on anonymised analytics (only with your consent)
- Sending transactional emails (verification confirmations, if applicable)
We do not use your data for advertising, profiling, automated decision-making with legal effects, or selling to third parties.
5. Data Retention
- Proof records: Retained indefinitely (hashes are public by design — they allow verification without revealing the image)
- Account data: Deleted within 30 days of account deletion request
- Technical logs: Automatically purged after 90 days
- Analytics data: Aggregated & anonymised; not attributable to individuals
6. Your Rights Under GDPR
If you are located in the EU/EEA, you have the following rights:
- Access (Art. 15): Request a copy of the personal data we hold about you
- Rectification (Art. 16): Correct inaccurate personal data
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Restriction (Art. 18): Limit how we process your data
- Portability (Art. 20): Receive your data in a structured, machine-readable format
- Object (Art. 21): Object to processing based on legitimate interests
- Withdraw consent (Art. 7(3)): Withdraw analytics consent at any time without penalty
To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (e.g., CNIL in France, BfDI in Germany, AEPD in Spain, ICO in the UK).
7. International Transfers
Our infrastructure is hosted within the EU/EEA where possible. Where data is processed outside the EEA (e.g., CDN edge nodes), we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission under Art. 46 GDPR.
8. Third-Party Services
We use a minimal set of third-party services:
- Database hosting: PostgreSQL on EU-region infrastructure
- CDN / static assets: May include edge caching — no personal data is included in cached responses
We do not integrate advertising networks, social media trackers, or data brokers.
9. Children's Privacy
Proof.show is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact [email protected] and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy. Significant changes will be communicated via a notice on the website. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions, requests, or complaints:
- Email: [email protected]
- Subject line: "GDPR Request — [your request type]"