Privacy Policy
Effective 28 April 2026
This Privacy Policy explains how KLB Solutions FZCO (“Framis”, “we”, “us”) collects, uses, stores, and protects personal data through the Framis service accessible at framis.app and any subdomain. Framis is a brand of KLB Solutions FZCO operating from the United Arab Emirates and complies with UAE Federal Decree-Law No. 45 of 2021 (PDPL), the EU General Data Protection Regulation (GDPR) where applicable, and the UK Data Protection Act 2018.
KLB Solutions FZCO
Unit No. 21089-001, IFZA Business Park, DDP, Dubai, United Arab Emirates
Reg. No. DSO-FZCO-19439 · Trade Licence 21089 · TRN 104237237300003 · Corporate Tax 101000375842
1. Who we are and how to contact us
Framis is operated by KLB Solutions FZCO. The Data Controller for all personal data processed through framis.app is KLB Solutions FZCO at the address above. For privacy enquiries, data subject requests, or to exercise your rights under applicable law, contact privacy@framis.app. We aim to respond within 30 days.
2. What we collect
We collect three categories of personal data:
- Account data — the email address, display name, and authentication tokens you provide when you sign up, plus any optional profile fields (studio name, website, bio).
- Photographic library — the images you upload to your private library, plus derived perceptual hashes and visual embeddings used to detect unauthorised online use. Original photographs are stored encrypted at rest in Supabase Storage and never leave the EU-West-2 region without your instruction.
- Recovery activity — matches discovered on the open web, the email addresses we discover for parties using your images, the AI-drafted outreach we generate, and the responses we receive on your behalf. Stripe payment metadata is processed on our behalf by Stripe and is subject to Stripe’s separate privacy policy.
3. Why we process this data — lawful bases
We process your data to provide the Service you have asked us to provide (Article 6(1)(b) GDPR — performance of a contract). We process recovery activity data on the basis of legitimate interest (Article 6(1)(f)) — specifically your interest in recovering income owed for unauthorised use of your work, balanced against the interests of third parties whose data appears in recovery records.
Where we use cookies or similar technologies that are not strictly necessary, we do so only with your consent (Article 6(1)(a)).
4. Sub-processors we share data with
We use a small number of vetted sub-processors to operate the Service. Each is contractually bound to protect your data:
- Supabase (database, storage, authentication) — data hosted in EU-West-2 (London).
- Stripe (payment processing & Stripe Connect payouts to photographers).
- Resend (transactional email + inbound email ingestion).
- Google Cloud Vision (reverse-image-search of uploaded library against the public web; only the perceptual hash leaves our infrastructure, never the original).
- Firecrawl (page-level scraping of detected infringement URLs to discover licensing contact details).
- OpenAI (drafting outreach emails & classifying replies; processed under OpenAI’s zero-data-retention agreement for API customers).
- Vercel (web hosting & edge delivery).
- Cloudflare (DNS & domain management).
- GCP Cloud Run (perceptual hashing microservice; no original images stored).
A current sub-processor list can be requested from privacy@framis.app and will be sent within 14 days.
5. International data transfers
Your data may be transferred to and processed in countries outside the UAE, EU, and UK — specifically the United States (Stripe, OpenAI, Cloudflare, Resend) and other jurisdictions where our sub-processors operate. We rely on Standard Contractual Clauses (SCCs) and equivalent UAE PDPL mechanisms to ensure appropriate safeguards.
6. How long we keep data
We retain account and library data for as long as your account is active. Recovery activity records are retained for the legally-required period for audit and dispute resolution (typically 7 years following the close of the financial year of the recovery, in line with UAE corporate-tax recordkeeping requirements). Webhooks, logs, and security audit trails are retained for 90 days unless required for ongoing investigation.
You may request deletion of your account at any time by emailing privacy@framis.app. Where we are required to retain certain records (e.g. issued licence agreements as legal documents), we will explain the retention basis at the time of your request.
7. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion (right to erasure) of data not subject to a legal retention obligation.
- Restrict or object to specific processing activities.
- Receive a portable copy of your data in a machine-readable format.
- Withdraw consent for processing based on consent (without affecting prior lawful processing).
- Lodge a complaint with the UAE Data Office, the UK ICO, or your local EU supervisory authority.
8. Security
We protect your data with industry-standard measures including TLS 1.3 in transit, AES-256 at rest, principle-of-least-privilege access controls, audit logging of all administrative actions, and regular penetration testing of our public surfaces. Despite all reasonable precautions, no system is perfectly secure; we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in risk to data subjects.
9. Cookies
We use a minimal set of cookies and equivalent technologies: a session cookie set by Supabase Auth that keeps you signed in, and CSRF protection cookies. We do not run third-party advertising trackers. We do not run analytics that profile individuals beyond aggregated, anonymised pageview counts.
10. Changes to this policy
We may revise this Privacy Policy from time to time. Material changes will be notified to active users by email at least 14 days before they take effect. The effective date at the top of this page reflects the most recent revision.
