Privacy Policy

Effective date: March 8, 2026 · Last updated: March 8, 2026

Prevue ("we," "us," or "our") operates the Prevue platform at prevue.io and related services (collectively, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over your information.

1. Data We Collect

We collect different categories of data depending on how you interact with the Service:

Account & Identity Data

When you sign up via email or social OAuth (Google, GitHub), Clerk — our authentication provider — collects your email address, display name, profile photo, and linked OAuth tokens. We receive a unique user identifier and email from Clerk to provision your account.

Uploaded Images & Session Data

Images you upload are stored in encrypted cloud object storage. We store metadata alongside each image: filename, file size, MIME type, upload timestamp, and any genre or tag you assign. Original files are never publicly accessible — access is controlled by short-lived signed URLs.

Evaluation & Ranking Data

Every pairwise comparison you complete — which image you selected, response timing, and session context — is recorded to compute Bradley-Terry model rankings. When you share a session with a collaborator or invite someone to evaluate, their comparison choices are also stored and associated with their user account (if they have one) or an anonymous session token (if they do not).

The Current — Community Evaluation Pool

If you choose to submit images to The Current, your watermarked images are displayed to other verified users of the platform for community ranking. Submission is always opt-in. Evaluators who rank images in The Current may not be registered users; we record a session token and comparison choice from anonymous evaluators.

Payment & Billing Data

Payments are processed by Stripe. We do not store your full card number, CVV, or bank details. Stripe shares with us: your subscription plan, billing cycle, last-four card digits, billing country, and payment status. You can manage your payment methods directly in your account settings.

Usage & Technical Data

We collect anonymized usage telemetry including: pages visited, features used, session count, image count, and feature flag exposure. We also collect server-side logs containing IP addresses, request timestamps, HTTP status codes, and user agent strings for security and debugging purposes. These logs are retained for 30 days.

2. How We Use Your Data

We use your data to:

  • Provide the Service — authenticate your account, store and display your images, run ranking algorithms, and generate results.
  • Process payments — manage your subscription, send receipts, handle billing errors, and communicate about plan changes.
  • Operate The Current — display watermarked images to community evaluators to generate cross-photographer ranking signals.
  • Improve the algorithm — aggregate, anonymized evaluation patterns help us calibrate pair selection and model accuracy. We do not use individual image content to train generative AI models.
  • Communicate with you — send transactional emails (password reset, billing receipts, session share notifications). We do not send marketing emails unless you opt in separately.
  • Security & abuse prevention — detect and prevent unauthorized access, fraudulent activity, and policy violations.
  • Legal compliance — fulfil our obligations under applicable law and respond to valid legal requests.

3. Legal Bases for Processing (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under GDPR:

Processing Activity | Legal Basis
Account creation and authentication | Contract performance (Art. 6(1)(b))
Storing and processing uploaded images | Contract performance (Art. 6(1)(b))
Running ranking algorithms on your images | Contract performance (Art. 6(1)(b))
Processing subscription payments | Contract performance (Art. 6(1)(b))
The Current community pool | Consent (Art. 6(1)(a)) — opt-in only
Security logging and fraud prevention | Legitimate interest (Art. 6(1)(f))
Anonymized product analytics | Legitimate interest (Art. 6(1)(f))
Legal compliance and responding to legal requests | Legal obligation (Art. 6(1)(c))

4. Data Sharing & Third-Party Processors

We do not sell your personal data. We share data only with the following sub-processors to operate the Service:

Provider | Purpose | Data Transferred
Clerk | Authentication & identity | Email, display name, OAuth tokens
Stripe | Payment processing | Billing info, subscription status
Cloud Object Storage (S3-compatible) | Image file storage | Encrypted image files, metadata
Vercel / hosting provider | Application hosting & CDN | Request logs, IP addresses
PostHog (if enabled) | Product analytics | Anonymized usage events

We may disclose your data to law enforcement or regulators if required by valid legal process, court order, or to protect the rights, property, or safety of Prevue, our users, or the public.

5. Your Images — Ownership & Retention

You retain full copyright over all images you upload. We do not claim any ownership rights over your content. We store your images solely to provide the Service.

Watermarking: Images submitted to The Current are automatically watermarked with a visible Prevue identifier before being shown to community evaluators. The original, non-watermarked file remains private and is never shared.

Retention: Your images and session data are retained for as long as your account is active. If you delete an image or session, it is removed from our storage within 30 days. If you delete your account, all images, sessions, and personal data are permanently deleted within 30 days, subject to any legal retention obligations.

6. Cookies

We use strictly necessary cookies for authentication (managed by Clerk) and optional cookies for analytics if you have consented. For full details, see our Cookie Policy.

7. Your Rights

Depending on your location, you may have the following rights over your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data. You can update most account details directly in your profile settings.
  • Erasure — request deletion of your account and all associated personal data. Use the "Delete Account" option in settings or email us.
  • Portability — request an export of your data in a machine-readable format (JSON/CSV).
  • Withdraw consent — for processing based on consent (e.g., The Current submission), you may withdraw at any time by opting out in your account settings.
  • Objection — object to processing based on legitimate interests for your specific situation.
  • Lodge a complaint — you have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, email us at privacy@prevue.io. We will respond within 30 days (or within the timeframe required by applicable law).

8. Data Security

We use industry-standard measures to protect your data:

  • All data in transit is encrypted using TLS 1.2+.
  • Image files at rest are encrypted using AES-256 server-side encryption.
  • Access to production systems is restricted to authorized personnel with multi-factor authentication.
  • Signed image URLs expire after 15 minutes, preventing unauthorized sharing.
  • Passwords are never stored — authentication is fully delegated to Clerk.

No method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

9. International Transfers

Our servers and sub-processors are located primarily in the United States. If you are located in the EEA, UK, or Switzerland, your personal data may be transferred to the US. We rely on Standard Contractual Clauses (SCCs) and other transfer mechanisms approved under GDPR to ensure adequate protection for such transfers.

10. Children's Privacy

The Service is not directed to individuals under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

11. California Privacy Rights (CCPA/CPRA)

California residents have the right to know what personal information we collect, the right to delete it, the right to opt out of its sale (we do not sell personal information), and the right to non-discrimination for exercising their privacy rights.

To submit a verifiable consumer request, email privacy@prevue.io with the subject line "CCPA Request."

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the Service at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For questions, requests, or complaints about this Privacy Policy or our data practices:

Prevue Privacy

Email: privacy@prevue.io