Data Security Policy

Image Handling

• Client-Side Processing: Whenever possible, image processing happens entirely in your browser on your device. Tools such as our iPhone Pic Converter or compressor run locally, so no image data ever reaches our servers. This design means your original images and outputs stay on your machine unless you explicitly download them.
• Ephemeral Server Processing: In cases where server-side processing is required, we handle images in-memory only. Any uploaded file is held in a secure, temporary buffer and is never written to persistent disk. Once processing is complete (for example, after conversion or scaling), the image data is immediately purged from memory and not retained. In short, we do not store or cache your images at all.
• No Use of Uploaded Images: We do not inspect, analyze, or use your images for any purpose other than completing the requested transformation. We explicitly do not use uploaded images for training, promotion, or any secondary purpose. In fact, as our Privacy Policy states, we "do not upload, store, or transmit your image files" beyond the immediate processing task.

Server-Side Safeguards

• Secure Infrastructure: Our servers are housed in a secure data center with physical and digital protections. We employ firewalls and network monitoring to block unauthorized access. All software is run with limited permissions to contain any potential breach.
• TLS Encryption: All communications between your device and our servers use TLS (HTTPS). This ensures that image files and any account data are encrypted in transit, preventing interception. Security experts emphasize that "TLS encryption ensures that anyone trying to intercept your data can only see incomprehensible characters".
• Access Controls: Administrative access to servers and databases is strictly controlled. We use strong authentication (complex passwords, key-based login, two-factor authentication) for any access. Database credentials and other secrets are stored securely, separate from source code.
• Regular Updates & Patching: We apply security updates to all systems (operating systems, frameworks, libraries) as soon as feasible. Keeping software up-to-date is a fundamental security measure; researchers note it's "crucial to update your software to enhance the safety of your website". This reduces the risk of attackers exploiting known vulnerabilities.
• Backups and Recovery: We maintain regular backups of any essential system data (such as configurations), butwe do not back up user images or personal data. Because no images are stored, they do not appear in backups. Any backup data is encrypted and stored off-site in a secure location.
• Monitoring and Logging: Our servers run intrusion detection and malware scanning tools. Logs of server operations are kept to detect unusual behavior (like repeated failed logins) but these logs do not contain personal information. Automated alerts notify our team of suspicious activity so we can respond quickly.

General Security Practices

• Password Security: User passwords are never stored in plaintext. We hash and salt passwords using modern algorithms (such as bcrypt or Argon2). This means that even if someone obtained our password database, they could not easily recover your actual password.
• Data Encryption: Any personal data we do store (email addresses, hashed passwords, etc.) is encrypted at rest in our database. We use strong encryption standards (e.g. AES-256) for stored data so that even physical access to disks would not reveal sensitive information.
• Principle of Least Privilege: We develop and operate on the principle of least privilege. Services and applications run with only the permissions they need. We also limit employee access to customer data; only team members who require access (for example, to respond to support tickets) are given that access under supervision.
• No Third-Party Trackers: We do not embed any advertising or external analytics in our site. By not using third-party trackers or ad networks, we reduce exposure to potential security vulnerabilities and protect user privacy.
• Secure Development: Our code is reviewed and tested for security issues (such as SQL injection or cross-site scripting) following OWASP Top 10 guidelines. We use trusted libraries and frameworks and sanitize any user inputs. Regular code reviews help ensure security best practices are followed.
• Incident Response: In the event of any security incident, we have procedures to contain and fix the issue quickly. We will investigate any breach, mitigate its impact, and notify affected users if personal data may have been compromised. Transparency and prompt communication are part of our policy.

Contact and Reporting

If you identify a security vulnerability or have concerns about data security, please contact us immediately atsecurity@picmari.com. We take all reports seriously and will investigate promptly.

We encourage transparency: if you believe your data has been misused or you notice unusual activity on your account, let us know atsecurity@picmari.com so we can address it.

Contact Us

For any questions about this Data Security Policy, please emailprivacy@picmari.comor use our website's contact form. We are committed to answering your questions and maintaining your trust.