The Service is operated by PhotoMetal (the "Controller"). For any privacy enquiries please contact us via the website above.

You own your photos. By uploading photos to the Service you confirm that:

• You are the author of the photos, or you have the explicit permission of the copyright holder to upload and print them.
• Every identifiable person in the photos has consented to their image being used to create a printed photobook.
• The photos do not contain illegal content, content of minors in inappropriate contexts, or content that infringes any third-party rights.

We use your photos only to: (a) render the live preview in your browser, (b) produce the final high-resolution composite for printing, and (c) print and ship your photobook. We do not sell, license, or otherwise share your photos with any third party, and we do not use them to train AI models.

When you use the Service we process:

• Uploaded photos — stored on our server while your order is being prepared.
• Your name and email address — needed to contact you about your order and send confirmations.
• Order metadata — the templates you chose, slot positions, scale and crop you set.
• Technical data — IP address (forwarded to Cloudflare for the human-verification check), browser type, and basic server logs needed to operate the Service securely.
• Payment data — handled entirely by Stripe. We never see your card number; we only receive a confirmation that payment was successful.

We process your data under Article 6(1)(b) GDPR (performance of a contract — fulfilling your order) and Article 6(1)(f) GDPR (legitimate interest — protecting the Service from abuse via the Cloudflare Turnstile check).

We use only strictly-necessary cookies:

• ipw_verified — a signed cookie that records you successfully completed the Cloudflare human-verification check. Lifetime: 2 hours. HttpOnly, SameSite=Lax.
• Cloudflare cookies (e.g. cf_clearance, __cf_bm) — set by Cloudflare to protect the Service from automated abuse.

We do not use any analytics, advertising or tracking cookies.

Your data is shared only with:

• Cloudflare, Inc. — bot protection (Turnstile) and CDN. EU-US Data Privacy Framework certified.
• Stripe Payments Europe, Ltd. — payment processing.
• Our print & shipping partner — receives only the final composite files and shipping address needed to deliver your photobook.

Uploaded source photos are deleted automatically once your order has shipped, or within 30 days, whichever comes first. Final composite files and order metadata (name, email, templates chosen) are retained for up to 12 months for customer-service purposes, and longer only where required by tax or accounting law.

Under the GDPR you have the right to:

• access the personal data we hold about you;
• have inaccurate data corrected;
• have your data erased once it is no longer needed to fulfil your order;
• restrict or object to certain processing;
• data portability;
• lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr).

To exercise any of these rights, contact us via www.photometal.gr.

Uploads are transferred over HTTPS. Files are stored on servers inside the EU with access restricted to authorised personnel. We do not store payment card data.

If we materially change this notice we will update the "Last updated" date above. Continued use of the Service after a change constitutes acceptance of the new notice.