Privacy Policy

Last updated: February 23, 2026

Introduction

Exivar Ltd ("we", "us", "our") operates Immagin, an image processing platform accessible at immag.in and its subdomains. This Privacy Policy explains what personal data we collect, how we use it, and the choices you have regarding your information. By using Immagin, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Account Information

When you create an account, we collect your name and email address. Your password is never stored in plain text — we store only a cryptographic hash derived using PBKDF2-SHA512 with a unique per-user salt.

Image Data

Images you upload through the Immagin API are stored in our cloud infrastructure. We do not access, analyse, or use your images for any purpose other than providing the service you have requested (storage, transformation, and delivery).

Usage and Log Data

We automatically collect information about how you interact with the service, including:

  • API requests and response metadata
  • Image transformation parameters
  • Cache status (hit or miss) and response times
  • Edge location that served the request
  • Response size and content type
  • Country derived from your IP address

This data is used for usage-based billing, performance monitoring, and service improvement.

Payment Information

Payment processing is handled entirely by Stripe. We do not receive, store, or have access to your full credit card number. We retain only the Stripe customer identifier associated with your account for billing purposes.

Cookies

We use a single httpOnly session cookie (immagin_session) to authenticate you when you are signed in to the console. This cookie is essential for the service to function and cannot be disabled while using the console. We do not use advertising or tracking cookies.

How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Immagin platform
  • Process and deliver image transformations you request
  • Track usage for billing purposes, specifically counting unique image transforms per month per project
  • Communicate with you about your account, including email verification, billing notifications, and service announcements
  • Enforce our acceptable use policies and prevent abuse, fraud, or unauthorised access to the service
  • Improve and optimise the performance of our infrastructure

Third-Party Services

We share data with the following third-party service providers, solely to the extent necessary to operate Immagin:

  • Stripe — processes payments and manages subscriptions. Subject to Stripe's Privacy Policy.
  • Infrastructure providers — we use trusted third-party cloud providers for application hosting, image storage, content delivery, and database services. Each provider is contractually bound to process data only as instructed and in accordance with applicable data protection laws.

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

Data Retention

  • Account data is retained for as long as your account remains active. If you close your account, we will delete your personal information within 30 days, except where we are required to retain it for legal or billing purposes.
  • Images are retained until you delete them through the API or console, or until your account is terminated. Upon account termination, all images associated with your projects are permanently deleted.
  • Usage logs are retained for billing reconciliation and analytics purposes. Aggregated usage data may be retained indefinitely in anonymised form.

You may request deletion of your account and all associated data at any time by contacting us at hello@immag.in.

Data Security

We take the security of your data seriously and implement the following measures:

  • Passwords are hashed using PBKDF2-SHA512 with 100,000 iterations and a unique per-user salt, making them computationally infeasible to reverse.
  • API keys are cryptographically hashed before storage. The full key is shown to you only once at the time of creation and is never stored or recoverable.
  • Image URLs are signed using per-tenant cryptographic secrets, preventing unauthorised access to your images.
  • All traffic between your applications and our services is encrypted using HTTPS/TLS.
  • Session tokens are sealed using authenticated encryption and stored in httpOnly cookies, preventing client-side script access.

While no system is perfectly secure, we continuously review and improve our security practices to protect your data.

Your Rights

European Economic Area (GDPR)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete personal data.
  • Erasure — request deletion of your personal data where there is no compelling reason for its continued processing.
  • Portability — request a machine-readable copy of your data to transfer to another service.
  • Restriction of processing — request that we limit how we use your data in certain circumstances.

California (CCPA)

If you are a California resident, the California Consumer Privacy Act provides you with the following rights:

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete — request deletion of your personal information, subject to certain exceptions.
  • Right to opt-out of sale — we do not sell your personal information, so this right does not apply.
  • Right to non-discrimination — we will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, please contact us at hello@immag.in. We will respond to your request within 30 days.

Children's Privacy

Immagin is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at hello@immag.in and we will take steps to delete the information promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email or through a notice in the Immagin console dashboard prior to the changes taking effect. We encourage you to review this page periodically for the latest information on our privacy practices.

Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at hello@immag.in.

Exivar Ltd
Canada