Website Privacy Policy

Effective: 14 April 2026 · Version 2.0 · Supersedes the version dated 21 June 2021

Looking for the mobile app policy? See the Application Privacy Policy.

1. Who we are

The data controller responsible for processing your personal data under this policy is:

Mobileware Studio, S.L.
Registered office: Paseo de la Castellana 194, 28046 Madrid, Spain
Tax identification number (CIF): B02821767
Registered at the Mercantile Register of Madrid: [volume, folio, and sheet to be completed]
Email (privacy matters): support@phototransferapp.com
Email (corporate / legal): info@mobilewarestudio.com

We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR. You may nonetheless direct any privacy question or rights request to the contact details above.

2. What this policy covers

This policy explains how we process personal data collected through phototransferapp.com and related subdomains that we operate. It does not cover personal data processed inside the Photo Transfer App mobile or desktop applications — those are addressed in our Application Privacy Policy.

This policy applies regardless of where you access the website from. We designed it to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), the ePrivacy Directive (Directive 2002/58/EC) as implemented in Spain by Law 34/2002 and Law 9/2014, the UK GDPR and the Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), the Brazilian Lei Geral de Proteção de Dados (LGPD), the Canadian PIPEDA, and the South African POPIA.

3. Personal data we process

We keep data collection on the website to the minimum needed to operate and measure it:

Category	Examples	Source
Technical and connection data	IP address, user-agent, request timestamps, referrer URL, response codes	Collected automatically by our hosting provider
Analytics data	Pages viewed, session duration, device type, approximate location (country/region), clicks on app store CTAs (store, campaign identifier, destination URL)	Collected via Google Analytics 4 when you grant analytics consent
Consent records	Timestamp, categories accepted or rejected, policy version, a random identifier stored in your browser	Collected by our cookie consent tool when you interact with the banner
Correspondence	Email address and message content	Provided by you when you contact support

We do not host user accounts, payment forms, or advertising on this website. We do not run email or SMS marketing campaigns from the website. We do not combine website analytics with mobile app analytics to identify individuals.

4. Purposes and legal bases

Under Article 6 GDPR we rely on the following legal bases:

Operating and securing the website (serving pages, preventing abuse, diagnosing errors, keeping server logs) — Article 6(1)(f), legitimate interest in running a functional and secure service. Server logs are retained briefly and are not combined with your analytics identifier.
Measuring how the website is used (page analytics, campaign attribution for app store buttons) — Article 6(1)(a), your consent given through the cookie banner. You can withdraw that consent at any time, with effect for the future.
Proving compliance with consent and privacy laws (keeping consent records) — Article 6(1)(c), legal obligation under the GDPR and ePrivacy rules.
Responding to your enquiries — Article 6(1)(b) when you contact us about our service, or Article 6(1)(f) when you raise a general question.
Responding to rights requests and legal demands — Article 6(1)(c), legal obligation.

5. Cookies and similar technologies

The first time you visit the site we show a cookie banner. Until you make a choice, Google Consent Mode v2 keeps analytics_storage, ad_storage, ad_user_data, ad_personalization, functionality_storage, and personalization_storage set to denied. Google Tag settings url_passthrough and ads_data_redaction are enabled so that no analytics cookies are written and measurement data is redacted while consent is denied.

Cookie / storage	Category	Purpose	Retention
`cc_cookie`	Strictly necessary	Remembers your cookie banner choice and version accepted	6 months
`_ga`, `_ga_<ID>`	Analytics (consent required)	Distinguishes unique users for Google Analytics 4 session and campaign attribution	Up to 2 years
`_gid`	Analytics (consent required)	Distinguishes unique users for 24-hour aggregation	24 hours

When you accept analytics, our Google Analytics 4 property (ID G-9EB1HBZTVY) receives page-view events and outbound click events for app store buttons. IP addresses are truncated by Google before storage. We have not enabled Google Signals, ad remarketing, or data sharing with Google advertising products.

You can change your preferences at any time by clicking the "Cookie preferences" link in the footer, or by clearing the cookies for this site in your browser. Rejecting analytics has no impact on your ability to browse the website.

6. Service providers and processors

We use a limited set of service providers. Each acts on documented instructions under Article 28 GDPR or, where applicable, a joint-controller arrangement:

Provider	Role	Processing location
Cloudflare, Inc.	Website hosting (Cloudflare Pages), CDN, DDoS protection, basic traffic logging	Global edge network; EU edges prioritised for EU traffic
Google Ireland Ltd. / Google LLC	Google Analytics 4 (only after analytics consent)	EU servers with possible transfer to the United States
Google Fonts	Serving Material Symbols icon font	Global CDN operated by Google
Help Scout, Inc.	In-page help widget (Beacon) — documentation access and contact form. Cookies set only when you open the widget.	United States, with EU data residency options

8. International data transfers

Some of our providers process personal data outside the European Economic Area, mostly in the United States. Where that happens we rely on the following transfer mechanisms under Chapter V GDPR:

The European Commission's adequacy decision for the EU–US Data Privacy Framework (Implementing Decision (EU) 2023/1795) for certified providers such as Google LLC and Cloudflare, Inc.
The European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) as a back-up mechanism, together with supplementary measures where required following the Schrems II judgment.
The UK Information Commissioner's International Data Transfer Addendum for transfers from the United Kingdom.

A copy of the relevant clauses is available on request via the contact details in section 1.

9. Retention

Server logs: up to 30 days, then deleted or fully anonymised.
Google Analytics 4 event data: 14 months, the shortest retention Google currently offers.
Consent records: up to 24 months, as proof that consent was obtained.
Support correspondence: as long as needed to handle your enquiry, and then up to 3 years to document the exchange, unless a longer period is required by law.

When a retention period expires we delete the data, anonymise it so it can no longer be linked to you, or block it and hold it only for the periods required by applicable law.

10. Your rights

Subject to local law you have the following rights:

Access — confirmation of whether we process your data, and a copy of it.
Rectification — correction of inaccurate or incomplete data.
Erasure — deletion where processing is no longer necessary or where you withdraw consent.
Restriction — limitation on processing in certain situations, for example while you challenge the accuracy of your data.
Objection — to processing based on our legitimate interests.
Portability — to receive data you have provided in a structured, machine-readable format.
Withdrawal of consent — at any time, without affecting the lawfulness of processing before withdrawal.
Automated decision-making — we do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise your rights, write to support@phototransferapp.com. We will respond within 30 days (extendable by two further months for complex requests). We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with a supervisory authority. In Spain that is the Spanish Data Protection Agency — Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid — aepd.es. You may also complain to the supervisory authority in your country of habitual residence.

11. California-specific disclosures (CCPA/CPRA)

If you are a California resident, the CCPA as amended by the CPRA gives you the following rights:

Right to know the categories and specific pieces of personal information we collect, the sources, and the purposes.
Right to delete personal information we have collected, subject to legal exceptions.
Right to correct inaccurate personal information.
Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising, and to limit the use of sensitive personal information.
Right to non-discrimination when exercising any of the above.

We do not sell or share your personal information in the CCPA sense, and we do not use sensitive personal information beyond the limited purposes permitted by law. We honour the Global Privacy Control signal when your browser transmits it: if we detect a GPC signal we treat it as a request to opt out of sale/sharing and to disable non-essential analytics for that session.

To exercise a CCPA right, email support@phototransferapp.com. You may designate an authorised agent; we will ask for written proof of authorisation.

Categories of personal information collected in the past 12 months, using the CCPA categories: Identifiers (IP address, online identifiers), Internet or other electronic network activity (browsing history on the website, click events, referral data), Geolocation (approximate, country/region level only), Inferences are not drawn from this data.

12. Brazil-specific disclosures (LGPD)

If you are in Brazil, the Lei Geral de Proteção de Dados (Law 13.709/2018, LGPD) applies. In addition to the rights in section 10, you may request information about public and private entities with which we have shared your data and information about the possibility of refusing consent and the consequences of such refusal. To exercise these rights, contact support@phototransferapp.com. The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.

13. UK-specific disclosures (UK GDPR)

Users in the United Kingdom have equivalent rights under the UK GDPR and the Data Protection Act 2018. The supervisory authority is the Information Commissioner's Office (ICO) — ico.org.uk.

14. Children

The website is intended for a general audience and is not directed at children under 16. We do not knowingly collect personal data from children under 16 (or the equivalent minimum age under applicable national law). If you believe a child has provided us with personal data, contact us at support@phototransferapp.com and we will delete it.

15. Security

We use industry-standard technical and organisational measures, including HTTPS across the website, hardened hosting on Cloudflare's edge network, restricted administrative access, and regular review of providers. No method of transmission over the internet is fully secure, so we cannot guarantee absolute security. If we become aware of a personal data breach affecting you, we will notify you and the competent supervisory authority in line with Articles 33–34 GDPR.

16. Changes to this policy

We may update this policy to reflect changes to the website, to our processors, or to the law. The "Effective" date at the top of the page indicates the current version. For material changes (new purposes, new categories of data, or new categories of recipients) we will ask for fresh consent where required. We recommend reviewing this policy periodically.

17. Contact and complaints

Questions, rights requests, or complaints: support@phototransferapp.com. Corporate and legal matters: info@mobilewarestudio.com. Postal address: see section 1.