Privacy posture, stated plainly.
OneAlbum has implemented several privacy and security controls, but we do not currently represent the service as fully GDPR compliant. This page is a transparency snapshot, not a certification.
Controls In Place: controls that are already live in the current product and codebase.
Partially Covered: areas where the direction is right but the implementation is not complete enough to treat as finished.
Still Open: remaining issues before OneAlbum could credibly describe itself as fully GDPR compliant.
Controls In Place
Account and session security
Passwords are hashed, CSRF protection is enforced on state-changing requests, and session cookies are marked HttpOnly.
Album access controls
Private galleries require owner access or a contributor email-based access flow before media is shown.
Owner deletion and export tools
Album owners can delete albums or individual media items and can export album files.
Abuse prevention
Sign-in and upload paths are rate limited, and first-time uploads can require Cloudflare Turnstile verification.
Published privacy information
Privacy, terms, and contact details are published as part of the public site.
Upload-key minimisation
New uploads no longer place raw contributor email addresses in S3 object keys.
Partially Covered
Retention management
Plan-based expiry is enforced for access, but fully automated end-to-end deletion evidence is still being tightened.
Data subject rights handling
Requests can be handled manually by support, but complete self-service export, correction, and erasure flows are not yet shipped.
Processor and transfer transparency
The service-provider list is clearer, but ongoing contractual and transfer documentation still needs formal maintenance.
Third-party public-page resources
Some public pages still load third-party fonts and CDN assets, so further minimisation work remains open.
Still Open
Formal records of processing
A maintained internal record of processing activities and per-flow lawful-basis review is still required.
Automated retention cleanup
Expired content cleanup should be automated and auditable rather than relying only on access expiry and manual deletion.
Account-level privacy tooling
User-facing flows for full account export, rectification, and deletion are not yet available.
Third-party asset hardening
Public marketing pages should move toward self-hosted assets or consent-backed alternatives where required.
What We Are Doing Next
Important Note
This page is an engineering and product transparency update. It is not a legal opinion, independent certification, or promise that every GDPR obligation has been satisfied.
For the current privacy notice and support contact details, see the Privacy Policy.
If you want to raise an access, correction, or deletion request, contact admin@rubicksware.com.