Privacy policy.

This policy covers people who sign up for an img apis account. It doesn't cover end users whose images you transform through our API — we don't see their personal data, and we don't run analytics against their requests.

Account data — your email (for OTP login), your business name, workspace settings, and any teammates you invite.

Billing data — handled by Stripe. We store your subscription state and plan tier; Stripe holds the card details. We never see or store your card number.

Usage telemetry — per request, we record the operation (transform/info/grid/placeholder), cache hit or miss, calling Origin (the site embedding your image, taken from the Origin header), HTTP status, response byte count, latency, the credit cost, and your workspace namespace. We also keep a one-way hash of the canonical URL solely to deduplicate retries and avoid double-billing. We don't log request bodies, response bodies, or any request header beyond Origin.

We don't see, store, or log the image bytes you transform. Originals stay in your storage; transformed outputs live in our Cloudflare R2 cache and at the edge, expiring on schedule.

We don't run third-party advertising or fingerprinting scripts on this marketing site or in the dashboard. No Google Analytics, no Facebook pixel, no session replay.

We don't build a profile of your end users — we handle their image bytes statelessly and don't associate requests with identifying information.

Product usage (API calls, credit consumption, cache hits, latency) is recorded by Cloudflare Analytics Engine — server-side at the edge, no client-side beacon, no cookies, no IP storage. The same telemetry powers your dashboard and your bill; we don't run a separate analytics pipeline.

There is no client-side analytics script on this marketing site or in the dashboard — no Google Analytics, no Facebook Pixel, no session replay, no Cloudflare Web Analytics beacon.

Account data and usage telemetry live in AWS DynamoDB, region us-east-1 (N. Virginia). Billing data lives in Stripe. Transformed image outputs are persisted in Cloudflare R2 and served through Cloudflare's edge cache globally, expiring per their TTL (1 year for transforms, 24 hours for /info).

If you keep image originals in your own R2 or S3 bucket, residency follows your bucket region — we just fetch.

• Cloudflare — edge compute, R2 object storage, image cache, Analytics Engine (usage telemetry), custom hostname / SSL provisioning, and transactional email (OTP login codes, billing receipts). SOC 2 Type II, ISO 27001, ISO 27018.
• AWS — DynamoDB (us-east-1) for account data and usage telemetry. SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1.
• Stripe — billing. PCI DSS Level 1.

We don't sell or share your data with anyone else.

We use a single session cookie to keep you logged into the dashboard. That's it — no tracking cookies, no third-party cookies, no cookie banner to dismiss.

• Export — download your account data from the dashboard.
• Correct — change anything from the dashboard.
• Delete — cancel and email hello@imgapis.com to request full erasure. We'll delete your account data within 30 days.
• Object — stop using the service at any time.

If you're in the EU, UK, or California, you have additional rights under GDPR, UK-GDPR, and CCPA. Email hello@imgapis.com to exercise them.

img apis is not intended for children under 16. We don't knowingly collect data from minors.

When we change this policy in a way that affects you, we'll email the account contact at least 14 days before the change takes effect.

Privacy questions or data requests: hello@imgapis.com.