legal
Privacy policy
effective August 1, 2026
This policy explains how Priorframe handles your data. We wrote it in plain language, so you can read it once and understand it. Priorframe helps you prove that you published a photo first, and then watches the public web for copies and AI derivatives. To do that, we handle some of your data with care. Below, we describe what we collect, why we collect it, who helps us, and the choices you have. If a term is technical, we define it the first time we use it.
1. Who we are
Priorframe is a service that signs your photos and monitors the web on your behalf. When you protect a photo, we create a record that shows the photo existed at a certain time and is linked to your account. We then scan the public web, on a best effort basis, and alert you when we find likely copies or derivatives.
Star & Partners Ltd operates Priorframe. Our address is Second Floor, Berkeley Square House, Berkeley Square, London W1J 6BD, United Kingdom. For the purpose of data protection law, we are the data controller for the personal data described here. A data controller is the party that decides why and how your data is processed.
This policy covers our Android app, which we distribute through Google Play, and our web app at app.priorframe.com. It also covers our marketing site at priorframe.com. When we say “we,” “us,” or “our,” we mean Priorframe. When we say “you” or “your,” we mean the person using the service.
2. Account data
To create and run your account, we collect two things: your email address and your name. That is the account data we hold about you. We ask for these two details, and no more, to open and run your account.
We use your email address to sign you in, to send you service messages, to deliver alerts, and to reply when you contact us. We use your name to identify your account, and, if you choose, as your public display name on verify pages. Section 4 explains verify pages in full.
We keep this data for as long as your account is active. Section 9 covers retention. Section 10 covers what happens when you delete your account.
3. Uploaded images and derived data
When you protect a photo, you upload the image to us. We store that image, and we compute three pieces of derived data from it. Derived data is information we calculate from your image. We keep the original image so we can show a preview on your verify page, and so we can compare it against copies we find online.
The first is a content hash. A content hash is a short string of characters computed from the exact bytes of your file. If a single pixel changes, the hash changes. We use the content hash to prove that a specific file existed at a specific time.
The second is a perceptual fingerprint. A perceptual fingerprint is a compact summary of how your image looks. Unlike a content hash, it stays similar even after resizing, cropping, or light edits. We use it to find copies that have been changed in small ways.
The third is an image embedding. An image embedding is a list of numbers that represents the visual meaning of your image. We use it to find AI derivatives and close lookalikes that a fingerprint alone might miss.
We record these three items, along with a timestamp, in our registry. The registry is our internal record of protected works. We use it to power your verify page and to drive our monitoring. We scan the public web on a best effort basis, and we send you an alert when we find a likely copy or derivative. We also generate takedown letter templates that you can use to request removal.
4. Public verify pages
Each protected photo has a public verify page. Anyone who has the link can open it. No account is needed to view it.
A verify page shows five things:
- a preview thumbnail of the signed work,
- the content hash,
- the signing timestamp,
- your account’s public display name,
- the verification status.
The verify page is meant to be shared. It is how you show others that your work is registered, and when. Please keep this in mind when you choose your public display name, because that name appears on the page for anyone with the link. If you delete your account, we unpublish your verify pages. Section 10 has the details.
5. Device push tokens
If you use our app and turn on alerts, we collect a device push token. A push token is a code that identifies your device to a messaging service, so that service can deliver a notification to you.
We use Firebase Cloud Messaging, a Google service, to send these notifications. We use the token only to deliver alerts about your protected photos. If you turn off notifications, we stop using the token to deliver them. You stay in control of alerts from your device settings at any time.
6. Payments
We offer paid plans. On the web, payments are handled by Stripe. In the app, payments are handled by Google Play billing.
We never see or store your full card number. The payment provider collects and processes your card data directly, under its own terms and privacy policy. We receive only limited information, such as whether a payment succeeded and which plan you hold, so we can manage your subscription and send you a receipt.
7. Subprocessors we use
A subprocessor is a company we hire to process data on our behalf. We choose each one for a specific job, and we require each to protect your data. Here are the subprocessors we use, and what each one does:
- Cloudflare: hosting, content delivery, security, and sending transactional email, such as sign-in messages and alerts.
- Stripe: payment processing on the web.
- Google: Play billing in the app, and Firebase Cloud Messaging for push notifications.
- Sightengine, or an equivalent provider: image analysis and content moderation.
- Replicate, or an equivalent provider: running AI models to compute embeddings and detect derivatives.
We may change subprocessors as our service grows. When we do, we will keep this list current.
8. Cookies and analytics
We use functional cookies only. A cookie is a small file that a website stores in your browser. Our functional cookies keep you signed in and keep the service secure. We do not use advertising cookies.
Our marketing site uses Cloudflare Web Analytics to understand traffic. This tool is cookieless, which means it does not store a cookie and does not track you across sites. We do not sell your personal data, and we do not use it for advertising.
9. How long we keep your data
We keep your personal data for as long as your account is active. This includes your account data, your uploaded images, and the derived data described in Section 3.
We do not keep your data longer than we need it for the purpose we collected it. When you delete your account, we begin the deletion process described in Section 10. We may keep limited records where the law requires it, for example certain payment records that tax rules ask us to retain.
10. What happens when you delete your account
You can delete your account at any time. When you do, the following happens:
- We unpublish your public verify pages right away.
- We delete your uploaded images, your derived data (content hashes, perceptual fingerprints, and embeddings), and your personal data within 30 days.
- We purge this data from our backups within 90 days.
Backups are copies we keep so we can recover from a failure. They rotate on a schedule, which is why purging them takes longer than the main deletion.
11. Your rights under the GDPR and UK GDPR
If you are in the European Economic Area or the United Kingdom, the General Data Protection Regulation, or GDPR, and the UK GDPR give you rights over your personal data. Those rights are:
- the right to access the data we hold about you,
- the right to correct data that is wrong,
- the right to delete your data,
- the right to restrict or object to certain processing,
- the right to receive your data in a portable form,
- the right to withdraw consent at any time,
- the right to complain to your local data protection authority.
We rely on these lawful bases to process your data. A lawful basis is the legal reason we are allowed to process it:
- Contract: we process your account data, images, and derived data to provide the service you signed up for.
- Legitimate interests: we process data to keep the service secure, and to operate our monitoring function, which is the core purpose of Priorframe.
- Consent: we send optional marketing email only if you opt in. You can withdraw that consent at any time.
- Legal obligation: we process some data where the law requires it, for example to keep tax records.
To exercise any right, contact us using the details in Section 16.
12. Your rights under the CCPA
If you are a California resident, the California Consumer Privacy Act, or CCPA, gives you rights over your personal information. These include the right to know what we collect, the right to delete it, the right to correct it, and the right not to be treated differently for using your rights.
We do not sell your personal information. We do not share it for cross-context behavioral advertising. To exercise your rights, contact us using the details in Section 16.
13. International data transfers
We are based in the United Kingdom, and our subprocessors may process data in other countries. When we move personal data across borders, we use safeguards approved under data protection law.
For transfers out of the European Economic Area, we use the European Commission’s standard contractual clauses. For transfers out of the United Kingdom, we add the UK international data transfer addendum. These are standard legal terms that require the party receiving the data to protect it to the same standard.
14. Children
Priorframe is not for children. People under 16 are not permitted to use the service. We do not knowingly collect data from anyone under 16. If you believe a child has used Priorframe, please contact us, and we will remove the data.
15. Changes to this policy
We may update this policy as our service changes, or as the law changes. When we make a material change, we will update the effective date at the top, and, where appropriate, tell you by email or in the app. Please review this policy from time to time.
16. How to contact us
If you have a question about this policy or your data, we are glad to help. You can reach us by email at support@priorframe.com. You can also write to us at Second Floor, Berkeley Square House, Berkeley Square, London W1J 6BD, United Kingdom. We will respond within a reasonable time.