Privacy Policy
Effective 28 April 2026
This Privacy Policy explains how KLB Solutions FZCO (“Framis”, “we”, “us”) collects, uses, stores, and protects personal data through the Framis service accessible at framis.app and any subdomain. Framis is a brand of KLB Solutions FZCO operating from the United Arab Emirates and complies with UAE Federal Decree-Law No. 45 of 2021 (PDPL), the EU General Data Protection Regulation (GDPR) where applicable, and the UK Data Protection Act 2018.
KLB Solutions FZCO
Unit No. 21089-001, IFZA Business Park, DDP, Dubai, United Arab Emirates
Reg. No. DSO-FZCO-19439 · Trade Licence 21089 · TRN 104237237300003 · Corporate Tax 101000375842
1. Who we are and how to contact us
Framis is operated by KLB Solutions FZCO. The Data Controller for all personal data processed through framis.app is KLB Solutions FZCO at the address above. For privacy enquiries, data subject requests, or to exercise your rights under applicable law, contact privacy@framis.app. We aim to respond within 30 days.
2. What we collect
We collect three categories of personal data:
- Account data — the email address, display name, and authentication tokens you provide when you sign up, plus any optional profile fields (studio name, website, bio).
- Photographic library — the images you upload to your private library, plus derived perceptual hashes and visual embeddings used to detect unauthorised online use. Original photographs are stored encrypted at rest. Active library images are held in Supabase Storage (EU-West-2, London). Images migrated to cold-tier archive storage are held in Cloudflare R2 object storage. We configure cold-tier storage in the EU region where technically available. Perceptual hashes and visual embeddings — cryptographic representations of your images used for matching — are stored in our EU-West-2 database. Neither original images nor hashes are transferred outside the EU/EEA/UAE/UK without adequate safeguard mechanisms (Standard Contractual Clauses or equivalent).
- Recovery activity — matches discovered on the open web, the email addresses we discover for parties using your images, the AI-drafted outreach we generate, and the responses we receive on your behalf. Stripe payment metadata is processed on our behalf by Stripe and is subject to Stripe’s separate privacy policy.
3. Why we process this data — lawful bases
We process your data to provide the Service you have asked us to provide (Article 6(1)(b) GDPR — performance of a contract). We process recovery activity data on the basis of legitimate interest (Article 6(1)(f)) — specifically your interest in recovering income owed for unauthorised use of your work, balanced against the interests of third parties whose data appears in recovery records.
Where we use cookies or similar technologies that are not strictly necessary, we do so only with your consent (Article 6(1)(a)).
4. Sub-processors we share data with
We use a small number of vetted sub-processors to operate the Service. Each is contractually bound to protect your data:
- Supabase (database, storage, authentication) — data hosted in EU-West-2 (London).
- Stripe Inc. / Stripe Payments UK Ltd (payment processing, Stripe Connect Express account management, and photographer KYC). When you connect a Stripe Express account to receive payouts, Stripe collects your bank account details, identity documents, and tax information directly. This data is processed by Stripe under Stripe’s own privacy policy (stripe.com/gb/privacy) — Framis does not receive, store, or have access to your bank account numbers or identity documents submitted during Stripe onboarding. Stripe is independently responsible as a data controller for the personal data it collects during Connect onboarding. For questions about Stripe’s data practices, contact Stripe directly.
- Resend (transactional email + inbound email ingestion).
- Google Cloud Vision (reverse-image-search of uploaded library against the public web; only the perceptual hash leaves our infrastructure, never the original).
- Firecrawl (page-level scraping of detected infringement URLs to discover licensing contact details).
- OpenAI (drafting outreach emails & classifying replies; processed under OpenAI’s zero-data-retention agreement for API customers).
- Vercel (web hosting & edge delivery).
- Cloudflare (DNS & domain management).
- GCP Cloud Run (perceptual hashing microservice; no original images stored).
A current sub-processor list can be requested from privacy@framis.app and will be sent within 14 days.
4A. Data collected from third parties (GDPR Art. 14 disclosure)
In operating the recovery service, we collect personal data about parties who are not our customers — specifically, individuals or entities whose contact details appear on websites where your images have been used without authorisation (“Infringers”). This data is obtained from publicly available sources: WHOIS/RDAP registries, domain registrar contact pages, website “contact us” pages, and public corporate registries. We process this data on the basis of legitimate interest (Article 6(1)(f) GDPR) — specifically, your interest as the copyright owner in recovering fees for unauthorised use. We inform the Infringer of Framis’s involvement in the first outreach email we send on your behalf. The Infringer may exercise the data-subject rights listed in §7 by contacting privacy@framis.app.
5. International data transfers
Your data may be transferred to and processed in countries outside the UAE, EU, and UK — specifically the United States (Stripe, OpenAI, Cloudflare, Resend) and other jurisdictions where our sub-processors operate. We rely on Standard Contractual Clauses (SCCs) and equivalent UAE PDPL mechanisms to ensure appropriate safeguards.
6. How long we keep data
We retain account and library data for as long as your account is active. Recovery activity records are retained for the legally-required period for audit and dispute resolution (typically 7 years following the close of the financial year of the recovery, in line with UAE corporate-tax recordkeeping requirements). Webhooks, logs, and security audit trails are retained for 90 days unless required for ongoing investigation.
You may request deletion of your account at any time by emailing privacy@framis.app. Where we are required to retain certain records (e.g. issued licence agreements as legal documents), we will explain the retention basis at the time of your request.
7. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion (right to erasure) of data not subject to a legal retention obligation.
- Restrict or object to specific processing activities.
- Receive a portable copy of your data in a machine-readable format.
- Withdraw consent for processing based on consent (without affecting prior lawful processing).
- Lodge a complaint with the UAE Data Office, the UK ICO, or your local EU supervisory authority.
The UAE Data Office is the supervisory authority for PDPL purposes and can be reached at uaedataoffice.ae. UK data subjects may contact the Information Commissioner’s Office at ico.org.uk. EU data subjects should contact their local supervisory authority (a directory is available at edpb.europa.eu).
8. Security
We protect your data with industry-standard measures including TLS 1.3 in transit, AES-256 at rest, principle-of-least-privilege access controls, audit logging of all administrative actions, and regular penetration testing of our public surfaces. Despite all reasonable precautions, no system is perfectly secure; we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in risk to data subjects.
9. Cookies
We use a minimal set of cookies and equivalent technologies: a session cookie set by Supabase Auth that keeps you signed in, and CSRF protection cookies. We do not run third-party advertising trackers. We do not run analytics that profile individuals beyond aggregated, anonymised pageview counts.
10. Changes to this policy
We may revise this Privacy Policy from time to time. Material changes will be notified to active users by email at least 14 days before they take effect. The effective date at the top of this page reflects the most recent revision.
11. Additional rights for California residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA. You have the right to know what personal information we collect, the right to delete personal information we hold (subject to legal retention obligations), the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of personal information. Framis does not sell personal information. To exercise these rights, email privacy@framis.app with the subject line “CCPA Request.” We will respond within 45 days.
