← Back to Home
Privacy Policy
Last Updated: June 4, 2026
At Photomosaic, we value your privacy. This policy explains how we handle your data when you use our service.
1. Information We Collect & Google OAuth Scopes
When you use Photomosaic, we collect the following types of information, including data accessed via Google OAuth API scopes:
- Account Information: Your name, email address, and profile picture (via Google Sign-in or Email Sign-in) to create and identify your account.
- Google OAuth Scopes & Data Usage: To provide core features, we request access to Google APIs through the following specific scopes:
https://www.googleapis.com/auth/drive.file: Used to let you select and download specific images from your Google Drive using the secure Google Picker to use as tiles or target images, and to upload the final generated photomosaic back to your Google Drive at your explicit request.
https://www.googleapis.com/auth/photospicker.mediaitems.readonly: Used to browse, list, and download photos that you select via the Google Photos Picker to include in your photomosaic.
- Usage Data: Source images and target images you upload for mosaic generation. These are stored temporarily and automatically purged (see Section 5).
- Payment Information: Processed securely via SafePay; we do not store your credit card details.
2. How We Use Information
We use your personal and Google user data solely to:
- Authenticate your identity and manage your Photomosaic account.
- Process and generate your customized photomosaics using selected images.
- Upload the final generated mosaic back to your Google Drive (when selected by you).
- Manage credit balances and account subscriptions.
- Provide customer support and respond to inquiries.
3. Google API Services User Data Policy Compliance (Limited Use Disclosure)
Photomosaic's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
4. Data Protection and Security
We implement robust technical and organizational security measures to protect your personal information and Google user data. Our data protection mechanisms include:
- Encryption in Transit: All communications and data transfers between our application, backend servers, and Google APIs are encrypted using industry-standard Secure Sockets Layer (SSL) and Transport Layer Security (TLS 1.2 or TLS 1.3) protocols to prevent unauthorized interception.
- Encryption at Rest: Access tokens, refresh tokens, and user account metadata retrieved from Google APIs are stored securely in our database (Supabase) using AES-256 encryption at rest.
- Security Controls & RLS: Our database uses Row Level Security (RLS) to ensure that users can only access their own data. Google OAuth access tokens are handled with strict security scopes.
- Access Control: Access to Google user data, credentials, and keys is restricted via strict Identity and Access Management (IAM) controls, limited only to automated backend processes executing user-triggered tasks and authorized system operations personnel.
- Volatile Storage for Media: Images and photos retrieved from Google Drive or Google Photos are processed in-memory or transient storage and are never stored permanently on our servers.
5. Data Retention, Deletion, and Revocation
We adhere to strict data minimization principles, retaining your Google user data only for the minimum duration required to provide our service:
- Google User Data & Token Retention: Authentication tokens, names, emails, and profile pictures obtained from Google are retained only as long as you maintain an active account on Photomosaic. If you do not interact with the service, your OAuth session tokens will automatically expire and be deleted.
- Google User Data Deletion Process: You can request the complete and permanent deletion of your account and all associated Google user data at any time. To do so, email us at hello@photomosaic.work with the subject line "Delete Account". We will purge your profile, credentials, access/refresh tokens, and all other Google-related metadata from our databases within 7 business days. We will send you a confirmation email once the deletion is complete.
- Transient Media Deletion: Any source images retrieved from your Google Drive or Google Photos Picker are stored temporarily in secure, volatile scratch areas during the mosaic generation process. They are permanently and irreversibly deleted immediately upon successful completion or failure of your mosaic generation. We do not persist raw source images or tiles.
- Revoking Access: You can revoke Photomosaic's access to your Google account at any time. Simply visit the Google Security Settings Page and remove permissions for this application. Once revoked, all access to your Google account is severed.
6. Third-Party Sharing
We do not share, sell, or rent Google user data, credentials, or uploaded images with any third parties under any circumstances. All data is used solely to construct your photomosaic and handle account authentication.
7. Contact Us
If you have any questions about this Privacy Policy, please contact us at hello@photomosaic.work.