Privacy Policy
Last updated: February 14, 2026
1. Introduction
At Deebop, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. Please read this policy carefully.
Data Controller
Deebop is the data controller responsible for your personal data. For any data protection queries or to exercise your rights, please contact us.
2. Information We Collect
Information You Provide
- Account information (email, username, password)
- Profile information (display name, bio, avatar)
- Content you upload (images, videos, panoramas, text, audio recordings, and articles)
- Photo tags (tagging other users at specific coordinates on images)
- Provenance declarations (whether content is AI-generated, AI-assisted, original, or composite)
- Your metadata visibility preferences (whether to show or hide technical metadata on your posts publicly)
- Audience group memberships and priority follower designations
- Client gallery data (client name, email address, image selections, and notes) when using the photo proofing feature
- Payment information (processed securely by Stripe)
- Communications with us
Information Collected Automatically
- Device information (browser type, operating system, user agent string)
- Device type for analytics purposes (mobile, tablet, or desktop)
- Usage data (pages visited, features used)
- Content interaction data (likes, saves, shares, view counts)
- IP address and approximate location
- Cookies and similar technologies
Information Extracted from Uploaded Media
When you upload media to Deebop, we automatically extract and store technical metadata embedded in the files. This may include:
- Image metadata (EXIF/XMP/IPTC): Camera make and model, lens model, ISO, aperture, shutter speed, focal length, colour space, bit depth, software used to edit the image, date taken, and image dimensions
- Location data: GPS coordinates (latitude, longitude, and altitude) embedded in image files by your camera or device. If you do not wish for location data to be captured, you should remove it from your files before uploading or disable location tagging in your camera settings
- Video and audio metadata: Codec, resolution, frame rate, bitrate, sample rate, channels, duration, container format, and creation date
- AI-generation indicators: We scan uploaded files for technical markers that may indicate the content was generated or modified by AI tools, including software identification fields, generation parameters embedded in PNG files, IPTC digital source type fields, and Content Credentials (C2PA) manifests
Content Creation Signals
To support content authenticity and anti-abuse measures, we collect limited signals about how content is composed:
- Whether media was captured within the Deebop app or uploaded from your device
- The duration of your content creation session (time between opening the form and publishing)
- For articles: aggregate input method data (proportion of text typed versus pasted) — we do not log individual keystrokes or clipboard contents
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process transactions and send related information
- Send you technical notices and support messages
- Respond to your comments and questions
- Detect, investigate, and prevent fraudulent transactions and abuse
- Personalize and improve your experience
- Serve and display advertising based on subscription tier and feed context (we do not use personal data for ad targeting)
- Calculate trending scores and content recommendations for the Explore page
- Provide post insights and analytics dashboards to content creators (available on Creator, Pro, and Teams tiers)
- Verify content authenticity by comparing AI-detection results against user-declared provenance labels
- Display technical metadata (camera settings, file details) in the provenance record for posts, subject to your privacy preferences
- Support platform moderation by providing administrators with full technical metadata, including GPS coordinates, to investigate reported content
4. Lawful Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR), we process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide your account, host your content, manage subscription services, and deliver client gallery features
- Legitimate interests: Platform security, fraud prevention, content authenticity verification (including metadata extraction and AI-generation detection), service improvement, analytics, and calculating trending content scores — where these interests are not overridden by your rights
- Consent: Marketing emails, analytics cookies, and advertising personalisation. You can withdraw consent at any time through your account settings
- Legal obligation: Retaining tax records related to payments, and responding to valid law enforcement requests
5. Information Sharing
We do not sell your personal information. We may share your information in these circumstances:
- With your consent
- With service providers who assist our operations
- To comply with legal obligations
- To protect our rights and prevent fraud
- In connection with a merger or acquisition
6. Technical Metadata and Your Privacy Controls
When you upload media, the technical metadata we extract is stored alongside your content. You have control over how this metadata is displayed to other users, but it is important to understand the distinction between public visibility and data retention:
Your Visibility Controls
- You can toggle "Show Technical Metadata" on or off in Settings > Privacy. When turned off, other users will not see your camera, exposure, or file details in the provenance record
- When metadata is hidden, viewers will see a "Technical metadata verified and on record" badge instead — this confirms that verified capture data exists without revealing the details
- You can also hide metadata on individual posts for more granular control
What Hiding Metadata Does Not Do
- Hiding metadata controls public visibility only — it does not delete the metadata from our systems
- Platform administrators retain access to all extracted metadata, including GPS coordinates, for trust and safety, content moderation, and legal compliance purposes
- Metadata that is hidden from public view may still be used internally for authenticity verification and abuse prevention
GPS and Location Data
GPS coordinates extracted from your images are never displayed publicly, even when your metadata visibility is turned on. GPS data is only accessible to platform administrators for moderation purposes. If you do not want GPS data stored at all, we recommend stripping location data from your files before uploading. Most camera apps and photo editors provide options to remove location metadata.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
8. Your Rights
Under the UK GDPR, all users in the UK and EEA have the following data protection rights. We are committed to honouring these rights regardless of your location:
- Right of access: You can request a copy of the personal information we hold about you
- Right to rectification: You can correct inaccurate or incomplete information via your profile settings
- Right to erasure: You can delete your account and personal data, including all extracted technical metadata. Use the Delete Account feature in Settings > Privacy to initiate this process. Your data will be permanently removed after a 30-day recovery period
- Right to restrict processing: You can request that we limit how we use your data
- Right to object: You can object to processing based on legitimate interests
- Right to data portability: You can export your data in a machine-readable format, including extracted technical metadata. Use the Export My Data feature in Settings > Privacy to download a copy of your information
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time through your account settings
To exercise any of these rights, please contact us. We will respond within one month of receiving your request.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies
We use cookies and similar technologies to provide functionality, remember your preferences, and analyze how our service is used. For full details, please see our Cookie Policy.
10. Service Providers
We work with trusted third-party service providers to operate our platform. These providers only have access to the information necessary to perform their services and are obligated to protect your data:
Payment Processing (Stripe)
We use Stripe to process payments. When you subscribe or make a purchase:
- Your payment card details are sent directly to Stripe and never touch our servers
- Stripe provides us with limited information: last 4 digits of your card, card type, expiry date, and billing postcode
- Stripe may collect additional information for fraud prevention
- See Stripe's Privacy Policy for details
Email Communications (Resend)
We use Resend to send transactional emails (verification, password reset, notifications):
- Resend receives your email address and username to deliver emails
- Email delivery data (opens, bounces) may be tracked for service quality
- See Resend's Privacy Policy for details
Data Storage (Supabase)
We use Supabase for database and file storage:
- Your account data and content metadata are stored in Supabase's PostgreSQL database
- Media files (images, videos, panoramas) are stored in Supabase Storage
- Client gallery data — including client names, email addresses, image selections, and notes — is also stored in Supabase. This data is only accessible to the gallery creator and Deebop administrators
- Data is hosted in secure data centres with encryption at rest
- See Supabase's Privacy Policy for details
Video Hosting & Delivery (Bunny Stream)
We use Bunny Stream for video transcoding and content delivery:
- Videos you upload are processed and stored on Bunny's infrastructure for transcoding and adaptive streaming
- Bunny may collect technical data (IP address, device information) for delivery optimisation and security
- Video content is delivered via Bunny's global CDN for optimal playback performance
- See Bunny's Privacy Policy for details
11. Third-Party Links
Our service may contain links to third-party websites and services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.
12. Data Retention
We retain your information for as long as necessary to provide our services and comply with legal obligations:
- Account data: Retained while your account is active and for up to 30 days after deletion to allow recovery
- Content you post: Retained until you delete it or delete your account
- Technical metadata: Retained for as long as the associated content exists. When you delete a post or your account, the extracted metadata is deleted with it
- Content creation signals: Session timing and input method data are retained for as long as the associated post exists
- Payment records: Retained for 7 years for tax and legal compliance
- Usage logs: Retained for up to 90 days for security and debugging purposes
- Analytics data: Aggregated analytics may be retained indefinitely in anonymised form
When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
13. Children's Privacy
Deebop is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it promptly. Users aged 13 to 15 have additional protections, including restricted access to certain content types.
14. International Transfers
Your information may be transferred to and processed in countries other than your own, including the United States where some of our service providers are based. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses where required by GDPR.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
16. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us.