Privacy Policy

How OneAlbum handles personal data.

Effective date: 6 April 2026. This notice describes the data OneAlbum collects through account creation, album hosting, guest uploads, billing, consent settings, and related support or security workflows.

Controller and contact

OneAlbum is the controller for the website and hosted service described here. For privacy questions, access requests, correction requests, deletion requests, or objections, email admin@rubicksware.com or use the Privacy Center.

Consent and cookies

Essential cookies stay on because they are needed for security and core service features. Analytics and marketing storage stay off until you opt in. You can reject, customize, or withdraw consent later through the cookie banner, Cookie Policy, or the Privacy Center.

Data we collect

Account data

Email address, password hash, pricing tier, Stripe customer identifier where created, and account creation timestamps.

Album and upload data

Album names, album visibility settings, uploaded files, file metadata, contributor email addresses, upload timestamps, comments, reactions, and generated secure-access links.

Security and operations data

Session information, CSRF tokens, rate-limit records, upload CAPTCHA clearance state, page-view aggregates, and privacy request records.

Consent and marketing data

Cookie choices, first-party attribution data when analytics consent is active, and Meta Pixel events when marketing consent is active on approved marketing pages.

Why we use personal data and our legal bases

Purpose Typical data used Legal basis
Create accounts, host albums, process uploads, and provide secure album access Account details, upload metadata, contributor emails, album settings Contract or steps requested by the user
Take payments and manage billing Account email, pricing tier, Stripe customer/payment metadata Contract and legal obligations
Secure the service and prevent abuse Session data, CSRF tokens, IP-linked rate-limit data, CAPTCHA results Legitimate interests in service security
Measure approved marketing pages after opt-in Consent cookie, first-party attribution cookie, Meta Pixel browser events Consent
Handle privacy requests and compliance records Contact email, request type, request notes, request status Legal obligations and legitimate interests

Recipients and service providers

  • Amazon Web Services: stores uploads in S3 and sends transactional email through SES.
  • Stripe: processes card payments and billing metadata.
  • Cloudflare Turnstile: verifies selected first-time uploaders when CAPTCHA is enabled.
  • Meta Platforms: receives Pixel events only if marketing consent is active and the current page is within the approved marketing scope.
  • Public-page asset providers: some pages still load third-party fonts, CDN assets, or linked media, which means those providers may receive IP address and browser request data when those pages render.

International transfers

OneAlbum uses vendors that may process data outside the UK or EEA. Where transfers occur, OneAlbum expects the relevant vendor terms and transfer safeguards to apply. Contractual and transfer documentation remains an operational compliance task and may be requested through the Privacy Center.

Retention

  • Essential session cookies normally expire at the end of the browser session.
  • The cookie preference record is stored for 180 days unless you change it sooner.
  • The first-party analytics attribution cookie is stored for 30 days, but only after analytics opt-in.
  • Album and upload data are retained while the album remains active or until the owner deletes the content, subject to plan-based expiry and operational backups.
  • Billing and security records are retained as needed for fraud prevention, accounting, and operational support.
  • Privacy request records are retained long enough to manage the request and keep a compliance history.

Your rights

  • You can request access to personal data OneAlbum holds about you.
  • You can ask for inaccurate data to be corrected.
  • You can object to some processing or ask for restriction where applicable.
  • You can ask for deletion of your account or uploaded data, subject to legal and operational limits.
  • You can withdraw consent for analytics or marketing at any time through the cookie settings controls.

Use the Privacy Center for request intake, or contact admin@rubicksware.com.

Security and changes

OneAlbum uses hashed passwords, CSRF protection on state-changing requests, session cookie protections, rate limits, and response security headers. No service is perfectly secure, so if you believe your data or credentials may have been exposed, contact us immediately.

If we materially change this notice, we will update the publication date and publish the revised version here.