Privacy Policy

1. Introduction

GoBird OÜ ("we", "our", or "us") operates HelloIMG, an image optimization API service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. We process personal data in accordance with the EU General Data Protection Regulation (GDPR).

2. Personal Data We Process

2.1 Information You Provide

• Account information (email address, name)
• Payment information (processed by third-party payment processors)
• API keys and authentication credentials
• Support and communication data

2.2 Automatically Collected Information

• Usage data (API calls, optimization statistics)
• Log data (IP address, browser type, timestamps)
• Device information
• Cookies and similar tracking technologies

2.3 Image Data

We temporarily process images you upload for optimization purposes. Optimized images and any intermediate processing artifacts are retained for up to 24 hours to enable download, retries, and cache performance, and are then automatically and irreversibly deleted. We do not use your images for training or human review, and we do not grant human access to your images except where strictly necessary to resolve a support request you initiate.

3. How We Use Your Information (Purposes)

• Provide, maintain, and improve our services
• Process your transactions and manage your account
• Send administrative information and updates
• Respond to your inquiries and support requests
• Monitor and analyze usage patterns and trends
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations

4. Legal Bases for Processing (GDPR Art. 6)

• Contract (Art. 6(1)(b)): To provide the service, operate the API, and manage your account.
• Legitimate interests (Art. 6(1)(f)): To ensure security, prevent abuse, measure performance, and improve the service. We balance these interests against your rights and freedoms.
• Consent (Art. 6(1)(a)): For optional cookies/analytics and for certain communications, where applicable. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): To comply with accounting, tax, and other regulatory requirements.

5. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

• Account Data: Retained while your account is active and for 30 days after deletion
• Image Data: Optimized images and processing artifacts are stored for up to 24 hours, then automatically deleted
• Usage Logs: Retained for 90 days for security and operational purposes
• Billing/Transactions: Retained as required by applicable accounting and tax laws

6. Recipients and Processors

We do not sell your personal information. We share data with trusted service providers acting as processors under written agreements, and with other recipients where required by law.

• Hosting/CDN/Storage: Infrastructure providers to deliver and cache content globally.
• Payment processors: To process payments; we do not store full card details.
• Analytics/Error monitoring: To measure performance and troubleshoot issues (only with consent where required).
• Communications: Email and support tools to respond to your requests.
• Legal requirements: Where necessary to comply with law or protect rights, safety, and property.
• Business transfers: In connection with a merger, acquisition, or asset sale, in compliance with applicable laws.

7. Cookies and Similar Technologies

We use necessary cookies to operate the site and service. With your consent, we may use optional analytics to understand usage and improve performance. You can manage your preferences via your browser settings and, where available, our cookie banner.

8. Security

We implement appropriate technical and organizational measures to protect your personal data. No method of transmission over the Internet or electronic storage is 100% secure. Measures include encryption in transit, access controls, least‑privilege, monitoring, and regular security reviews.

9. Your GDPR Rights

You have the following rights under the GDPR, subject to conditions and limitations:

• Access your personal data (Art. 15)
• Rectification of inaccurate data (Art. 16)
• Erasure ("right to be forgotten") (Art. 17)
• Restriction of processing (Art. 18)
• Data portability (Art. 20)
• Objection to processing, including profiling based on legitimate interests (Art. 21)
• Withdraw consent at any time (Art. 7(3))
• Not to be subject to decisions based solely on automated processing that produce legal effects (Art. 22) – we do not perform such processing.

To exercise your rights, contact us at [email protected]. You also have the right to lodge a complaint with your local supervisory authority. In Estonia, this is the Data Protection Inspectorate (Andmekaitse Inspektsioon).

10. International Data Transfers

Where personal data is transferred outside the EEA/UK, we ensure appropriate safeguards, such as adequacy decisions (GDPR Art. 45) or Standard Contractual Clauses (Art. 46). We also implement supplementary measures where necessary to ensure an essentially equivalent level of protection.

11. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact us and we will take steps to delete such information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

13. Contact and Complaints