GDPR Status: Partially aligned

Engineering controls improved, governance still ongoing.

OneAlbum now has stronger engineering controls for consent, privacy defaults, and rights intake, but we do not represent the service as fully GDPR compliant. Governance, contracts, retention, and transfer work still require operational follow-through.

Last reviewed: 22 May 2026

Implemented: 7

Controls that are live in the current codebase and product.

Partial: 5

Areas that have a working start but still need more operational depth.

Open gaps: 4

Work that still blocks any credible claim of full GDPR compliance.

Latest engineering changes

This section tracks the current code-level privacy state of the product rather than completion of the broader legal and governance programme.

Current product snapshot

Signed gallery links are now the default access path

Album access emails and the post-upload gallery CTA both use signed album-specific gallery links instead of sending contributors to the generic /albums area.

Consent controls are intentionally scoped

Privacy settings can currently be reopened from the landing page and the Privacy Center, while first-party analytics and the Meta Pixel remain blocked until opt-in consent is recorded.

Public identity exposure stays reduced

New albums still default to private and public contributor labels remain anonymized rather than being derived from uploader email addresses.

Controls in place

Consent-gated analytics and marketing

Non-essential first-party analytics cookies and Meta Pixel only activate after explicit consent on approved marketing pages, and privacy settings can be reopened from the landing page or Privacy Center.

Account and session security

Passwords are stored as hashes, CSRF protection is enforced on state-changing requests, and the production cookie configuration can set the Secure, HttpOnly, and SameSite attributes on session cookies.

Privacy by default for albums

New albums are private by default and public gallery contributor names are anonymized instead of being derived from email addresses.

Rights tooling scaffold

OneAlbum now provides a privacy center for consent settings, access/export requests, rectification requests, and account deletion requests.

Signed contributor gallery access

Contributor access emails and the post-upload gallery CTA both issue signed gallery links tied to the uploader email so guests can return directly to the correct album.
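The signed, album-specific links described above and under "Signed gallery links are now the default access path" can be built with an HMAC over the album id, the normalised uploader email and an expiry, and verified in constant time before any album data is served. The block below is an added illustration, not OneAlbum's code: the secret, the host and path, the query-parameter layout and the seven-day validity window are assumptions. One caveat worth keeping in mind is that such a link is a bearer credential, so anyone holding the access email can open the album until the link expires or the signing key is rotated.

```python
"""Signed, album-scoped gallery links (added example, not OneAlbum's code).

A link carries the album id, the uploader email and an expiry, plus an
HMAC-SHA256 tag over all three. Verification recomputes the tag with the
server secret and compares it in constant time, then checks the expiry.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions: in a real deployment the key comes from configuration, and the
# host/path and validity window are product decisions, not values from the page.
SECRET_KEY = b"constructed-example-secret-do-not-use"
BASE_URL = "https://onealbum.example/gallery"
DEFAULT_TTL_SECONDS = 7 * 24 * 3600


def _b64url(raw: bytes) -> str:
    """URL-safe base64 without padding, so the tag survives in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _normalise_email(email: str) -> str:
    return email.strip().lower()


def _signing_input(album_id: str, email: str, expires: int) -> bytes:
    # Length-prefix every field so that moving characters between fields
    # (e.g. from album id into email) cannot produce the same byte string.
    parts = [album_id.encode(), _normalise_email(email).encode(), str(expires).encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign(album_id: str, email: str, expires: int, key: bytes = SECRET_KEY) -> str:
    mac = hmac.new(key, _signing_input(album_id, email, expires), hashlib.sha256).digest()
    return _b64url(mac)


def make_gallery_link(album_id: str, email: str, now=None,
                      ttl: int = DEFAULT_TTL_SECONDS, key: bytes = SECRET_KEY) -> str:
    """Issue a link that opens exactly this album for this uploader until expiry."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    query = {
        "album": album_id,
        "email": _normalise_email(email),
        "exp": expires,
        "sig": sign(album_id, email, expires, key),
    }
    return f"{BASE_URL}/{album_id}?{urlencode(query)}"


def verify_gallery_link(url: str, now=None, key: bytes = SECRET_KEY):
    """Return (album_id, email) for a valid link, or None for anything else.

    The order matters: the MAC is checked before the expiry so that an
    attacker cannot learn anything from a tampered-but-expired link.
    """
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    try:
        album_id = q["album"][0]
        email = q["email"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    # The album in the path must be the one that was signed; otherwise a guest
    # could reuse a valid signature for album A while requesting album B.
    if parts.path.rsplit("/", 1)[-1] != album_id:
        return None
    if not hmac.compare_digest(sign(album_id, email, expires, key), sig):
        return None
    if expires < now:
        return None
    return album_id, _normalise_email(email)


if __name__ == "__main__":
    link = make_gallery_link("alb_123", "Guest@Example.com")
    print(link)
    print(verify_gallery_link(link))
```

Because the email is part of the signed input, the same signature cannot be reused for a different contributor, and because the expiry is signed, a guest cannot extend their own link by editing the `exp` parameter.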

Abuse prevention

Sign-in and upload paths are rate limited, and first-time uploads can require Cloudflare Turnstile verification.

Published core privacy pages

Privacy, cookie, terms, and GDPR status pages are published and remain the primary source of current disclosure text for the live service.

Partially covered

Collection-point notices

Signup and secure-access flows still provide inline privacy copy, but the upload form no longer shows the earlier just-in-time notice and should be reviewed before claiming broad coverage.

Retention management

Plan-based expiry is enforced for access, but a fully approved retention schedule and automated end-to-end deletion evidence still need operational completion.

Data subject rights handling

The privacy center captures requests and authenticated users can export account data, but verification, SLA handling, and backup deletion remain operational tasks.

Processor and transfer transparency

The published service-provider list has been clarified, but the supporting contractual and transfer documentation still needs formal maintenance.

Third-party public-page resources

Some public pages still load third-party fonts, CDN assets, and embedded marketing links, so further minimisation work remains open.

Still open

Formal records of processing

A maintained internal record of processing activities and per-flow lawful-basis review is still required.

Signed vendor and transfer governance

Vendor DPAs, transfer assessments, SCCs or UK addenda, and Meta business terms still need legal review and formal evidence.

Retention and deletion governance

Expired content cleanup, backup deletion, and a signed retention schedule still need to be finalized and evidenced operationally.

Incident response follow-through

Any previously exposed credentials must be rotated, investigated, and documented through an incident response process outside the app itself.

Next steps

Review and standardize just-in-time privacy notices across every live collection point, especially the upload flow.
Complete vendor DPA, transfer, and Meta business terms reviews.
Approve and implement the final retention schedule, including backups and deletion evidence.
Maintain a record of processing activities and DPIA screening outcomes.
Continue reducing third-party requests on public pages where equivalent self-hosted assets are practical.
Keep this page aligned with the live product and compliance operations checklist.

Use this page correctly

This is a transparency snapshot of the live engineering and product state. It is not a legal opinion, independent certification, or representation that every GDPR obligation has been completed.

For current disclosures, see the Privacy Policy and Cookie Policy.

To raise a rights request, use the Privacy Center.