Privacy Policy

1. Introduction

Gallery Sweep ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Gallery Sweep mobile application ("App", "Service").

By using Gallery Sweep, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create an account through third-party authentication:

• Email Address: From Apple Sign-In or Google Sign-In
• User ID: Unique identifier from authentication provider
• Display Name: From your Apple or Google account (if provided)
• Authentication Tokens: Secure tokens for login verification

2.2 Media Metadata (Not Content)

We collect minimal metadata about your backups:

• Backup Information: Backup name, creation date, file size
• Device Information: Device model, OS version (for compatibility)
• Storage Usage: Amount of cloud storage used

2.3 Usage Data

We collect anonymized usage statistics to improve the Service:

• Feature usage (e.g., number of backups created)
• App performance metrics
• Crash reports and error logs (anonymized)
• Device type and OS version

2.4 Subscription Information

• Subscription plan and tier
• Purchase history (managed by Apple/Google)
• Storage capacity and usage
• Renewal status

3. How We Use Your Information

3.1 Core Service Functions

• Authentication: Verify your identity and provide secure access
• Backup Management: Store, organize, and manage your encrypted backups
• Restore Operations: Retrieve and decrypt your backups when requested
• Subscription Management: Process and verify your subscription status
• Storage Tracking: Monitor storage usage and capacity

3.2 Service Improvement

• Analyze anonymized usage patterns to improve features
• Identify and fix bugs or performance issues
• Optimize backup and restore performance
• Develop new features based on user needs

3.3 Communications

• Send essential service notifications (backup status, subscription expiry)
• Respond to support requests
• Send important security or policy updates

4. End-to-End Encryption and Zero-Knowledge Security

4.1 Client-Side Encryption

All photos and videos are encrypted on YOUR device before upload:

• AES-256-GCM: Military-grade encryption algorithm
• Unique Key: Encryption key derived from your user ID
• On-Device Processing: Encryption happens before data leaves your phone
• Automatic: All backups are encrypted by default (no opt-out)

4.2 Zero-Knowledge Architecture

We CANNOT access your photos or videos:

• Encryption key never leaves your device
• We store only encrypted data blobs
• Server cannot decrypt your backups
• Even if our servers are compromised, your data remains encrypted
• We cannot recover your backups if you lose account access

4.3 What This Means for You

5. Data Storage and Security

5.1 Where Your Data is Stored

• Encrypted Backups: Stored on AWS S3 (secure cloud storage)
• Account Data: Stored on Google Firebase (authentication and database)
• Geographic Location: Primarily US-based servers (AWS US-East-1)

5.2 Security Measures

We implement multiple layers of security:

• Client-Side Encryption: AES-256-GCM before upload
• Transit Encryption: HTTPS/TLS 1.3 for all data transmission
• Server-Side Encryption: AWS KMS encryption at rest
• Access Controls: Strict IAM policies and role-based access
• S3 Bucket Security: All public access blocked, versioning enabled
• Key Rotation: Automatic rotation of server-side encryption keys

5.3 Data Retention

• Active Subscriptions: Backups retained indefinitely while subscribed
• Expired Subscriptions: 30-day grace period before deletion
• Account Deletion: All data permanently deleted within 30 days
• Analytics Data: Anonymized data retained for service improvement

6. Data Sharing and Disclosure

6.1 We Do NOT Sell Your Data

Gallery Sweep does not sell, rent, or trade your personal information to third parties for their marketing purposes.

6.2 Service Providers

We share limited data with trusted service providers necessary to operate the Service:

Authentication and Database:

• Google Firebase: User authentication, account database
• Data Shared: Email, user ID, authentication tokens
• Privacy Policy: Firebase Privacy

Cloud Storage:

• Amazon Web Services (AWS S3): Encrypted backup storage
• Data Shared: Encrypted backup files (server cannot decrypt)
• Privacy Policy: AWS Privacy

Subscription Management:

• RevenueCat: Subscription status verification
• Data Shared: User ID, subscription tier, purchase status
• Privacy Policy: RevenueCat Privacy

Payment Processing:

• Apple App Store / Google Play Store: Payment processing
• Data Shared: Handled directly by Apple/Google (we don't see payment details)
• Privacy Policies: Apple | Google

6.3 Legal Requirements

We may disclose information if required by law or to:

• Comply with legal processes (subpoenas, court orders)
• Protect our rights, property, or safety
• Protect users' safety or the public
• Investigate violations of our Terms of Service

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you via email or in-app notice before your data is transferred and becomes subject to a different Privacy Policy.

7. Your Privacy Rights and Controls

7.1 Access Your Data

You can access your data at any time:

• View account information in the app
• Download your backups from cloud storage
• Request a copy of your account data (email privacy@mychronicle.app)

7.2 Delete Your Data

You have the right to delete your data:

• Delete Individual Backups: Remove specific backups from cloud storage
• Delete All Backups: One-click deletion of all cloud backups in User Profile
• Delete Account: Permanently delete your account and all associated data

How to Delete Your Account:

1. Open Gallery Sweep app
2. Go to User Profile screen
3. Scroll to bottom and tap "Delete Account"
4. Confirm deletion (this is permanent and cannot be undone)
5. All data will be permanently deleted within 30 days

7.3 Data Portability

You can export your data:

• Download all backups to your device
• Decrypt and restore photos to your photo library
• Request account data export (email privacy@mychronicle.app)

7.4 Correct Your Data

• Update account information through authentication provider (Apple/Google)
• Contact support to correct any inaccurate data

7.5 Regional Privacy Rights

For European Economic Area (EEA) Users (GDPR):

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent

For California Users (CCPA/CPRA):

• Right to know what personal information is collected
• Right to know if personal information is sold or shared
• Right to say no to sale of personal information (we don't sell data)
• Right to delete personal information
• Right to non-discrimination for exercising privacy rights

To exercise these rights, contact us at privacy@mychronicle.app

8. Children's Privacy

Gallery Sweep is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@mychronicle.app, and we will delete the information immediately.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your jurisdiction.

Data Transfer Safeguards:

• End-to-end encryption protects your content regardless of location
• Service providers comply with applicable data protection frameworks
• We use standard contractual clauses for international transfers

10. Cookies and Tracking

10.1 No Web Cookies

Gallery Sweep is a native mobile app and does not use web cookies.

10.2 Mobile Analytics

We use minimal, privacy-preserving analytics:

• Firebase Analytics (anonymized usage data)
• Crash reporting (anonymized error logs)
• No cross-app or cross-site tracking
• No advertising tracking or identifiers

10.3 Do Not Track

Our app does not track users across other apps or websites. We do not respond to browser "Do Not Track" signals as we are a mobile app, not a website.

11. Third-Party Links and Services

Gallery Sweep may contain links to third-party websites or services (e.g., support resources, authentication providers). We are not responsible for the privacy practices of these third parties. Please review their privacy policies before providing them with your information.

12. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

• Notify you via email within 72 hours of discovering the breach
• Provide details about the breach and affected data
• Explain steps we are taking to address the breach
• Recommend actions you can take to protect yourself

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Update the "Last Updated" date at the top
• Notify you via in-app notification
• Send email notification to registered users
• Require acceptance for material changes

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:

Privacy Inquiries:

• Email: privacy@mychronicle.app
• Subject Line: "Privacy Inquiry - Gallery Sweep"
• Response Time: Within 48 hours

Data Protection Officer:

• Email: dpo@mychronicle.app

General Support:

• Support Center: Gallery Sweep Support
• General Email: support@mychronicle.app