Privacy policy

Framed is operated by Jan Jedlinski (Vienna, Austria). For privacy questions, contact legal@joinframed.com. We are the data controller for the information described below.

• Account data — your email address (used to sign you in via one-time code) and the username, display name, bio, and avatar you choose.
• Content you upload — the photos you scan, the AI-generated identification we attach to them (title, artist, description, tags), and any edits you make.
• Social activity — who you follow, who follows you, the frames you like, accounts you block, and reports you file.
• Notifications — in-app notifications you receive and your preferences for email digests.
• Technical data — your IP address (briefly, for rate-limiting abuse) and basic logs of when requests reach our servers.

We do not use advertising cookies or third-party tracking. We do not sell data to anyone.

• To provide the service (contract): account creation, signing in, hosting your photos, AI identification, showing frames to other users when you choose to share.
• To keep the service safe (legitimate interest): rate limiting, preventing abuse, moderating reported content.
• To communicate with you (consent and contract): sign-in codes, transactional notices, the daily email digest you opted into.
• To meet legal obligations: responding to copyright takedowns (DMCA / EU DSA), and to lawful requests from authorities.

We rely on a small number of subprocessors to actually run the service. Each one only sees the data needed for their job:

• Supabase (Frankfurt, EU) — database, auth, storage. Holds your account, profile, photos, and social graph.
• Vercel (US, SCCs) — hosting and edge network. Sees request traffic.
• Anthropic (US, SCCs) — runs the AI that identifies your scans. Receives the image plus a fixed prompt. We don’t share your identity, email, or other photos.
• Resend (US/EU, SCCs) — sends transactional and digest emails. Receives your email address and the message body.
• Cloudflare (US/EU, SCCs) — Turnstile (anti-bot check on sign-up) and image moderation. Receives request metadata and, for moderation, the image being uploaded.
• Upstash (US, SCCs) — rate-limiting counters keyed by user or IP.

We don’t share your data for any other purpose without your explicit consent.

Most of our subprocessors operate in the EU; some operate in the United States. Where transfers leave the EU, they’re covered by Standard Contractual Clauses (SCCs) approved by the European Commission.

We keep your data for as long as your account is active. When you delete your account, we delete your photos, profile, social activity, and personal data within 30 days. We retain anonymised, aggregated statistics, and we keep records of moderation actions (without your personal data) where the law requires it.

We reserve a deleted account’s username for 90 days to prevent impersonation.

Under the GDPR, you have the right to:

• Access — ask for a copy of the data we hold about you.
• Rectify — correct anything that is wrong.
• Erase — delete your account and data (from Settings → Delete account, or by emailing us).
• Restrict or object to specific processing.
• Portability — receive your data in a machine-readable format.
• Withdraw consent at any time (e.g. unsubscribe from the digest).
• Complain to your supervisory authority. In Austria, that’s the Datenschutzbehörde.

To exercise any of these rights, email legal@joinframed.com. We respond within 30 days.

All traffic to Framed is encrypted in transit (HTTPS). At rest, your data is encrypted by our subprocessors. We use strict row-level security so users can only access their own data, with narrow, audited exceptions for moderation. Sensitive keys live only in encrypted environment storage, never in code.

Framed is not directed at users under 16. If we learn we’ve collected data from someone under 16 without parental consent, we’ll delete it.

We may update this policy as the service evolves. When we make material changes we’ll surface a notice in the app and update the effective date above. Continued use after a change means you accept the new version.

Email legal@joinframed.com for any privacy question.