Privacy Policy

Last updated: 2026

Editing happens in your browser. Downloads are encrypted on our server. We never look at your photos. We never use them to train AI.

What this means in practice

When you drop a photo on velvetmade.app, the file is loaded directly into your browser's memory. Every filter, slider adjustment and live preview is computed by JavaScript running on your own device. Your original photo never leaves your browser.

When you click Download on a full-resolution result, the rendered image is also generated locally — and a copy is then sent over an encrypted connection (HTTPS) to your private account folder on our server. This copy is encrypted at rest using AES-256, kept for 30 days so you can re-download it from your profile, and then automatically deleted. The original photo you uploaded is never sent to our server — only the rendered output you chose to download.

How we treat your photos

The stored rendered files are visible only to you, accessible only through your authenticated account. We do not access them in normal operation; we cannot view them with regular image viewers because they are encrypted on disk. We commit, as a matter of policy:

Not to view, share, sell, license, publish or distribute any photo you create with velvetmade.app.
Not to use your photos to train AI or machine-learning models, whether ours or any third party's. Your work will not be ingested by any AI system through us.
Not to keep stored copies past 30 days, with no exceptions.
To delete all of your stored photos within 7 days if you delete your account.

The only circumstance in which we could be compelled to provide access to stored files is a lawful order from a court of competent jurisdiction. We would notify you in advance if legally permitted to do so.

What data we do collect

The site itself loads from our server, so standard web request information (IP address, browser type, referrer) appears in our server logs the way it does for any website. We use this for security and basic traffic statistics only, and rotate logs after 30 days.

If you create an account or buy credits, we collect:

Your email address (for login and receipts)
Hashed password (we never store plaintext passwords)
Transaction records (which credit pack you bought, when, and how much you paid)
Credit balance and activity log (which effect was used at which resolution — separate from the photo file)

Cookies and local storage

We use browser local storage to keep a few non-personal preferences (your most recently uploaded photo so you can switch between effects without re-uploading, your last-used effect, and your session token if you're logged in). We do not use third-party advertising cookies or cross-site trackers. If we add analytics in the future, we will use a privacy-respecting option (no IP collection, no behavioural profiling) and update this page.

Payments

Payments are processed by Stripe (and optionally PayPal). When you make a purchase, your card details are submitted directly to Stripe — we never see or store them. Stripe sends us a confirmation that includes your email and the amount paid, which we record so we can grant your credits.

Third-party services

We use minimal third-party services. Transactional emails (account confirmations, password resets, purchase receipts) are sent via Resend, which receives your email address and the message content. If you sign in with Google or another OAuth provider, that provider tells us only your email address — we do not request access to your photos, contacts or any other data.

Your rights

If you have an account with us, you can request:

A copy of the data we hold about you
Correction of incorrect information
Deletion of your account and all associated records (including all stored photos within 7 days)
Export of your stored rendered files before deletion

Email us to make any of these requests. As we are based in the EU, the General Data Protection Regulation (GDPR) applies; you may also lodge a complaint with your national data protection authority.

Children's privacy

velvetmade.app is not directed at children under 13. We do not knowingly collect personal data from anyone under 13.

Changes to this policy

If we make significant changes, we will update the "Last updated" date at the top of this page. Material changes affecting account holders will also be communicated by email.

Contact

For privacy questions: hello@velvetmade.app