InstaRedact — GDPR Compliance
Effective Date: January 1, 2026 Last Updated: April 29, 2026
1. Overview
This page sets out how Olmsted Tech LLC ("InstaRedact," "we," "us," or "our") complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR") as it applies to users in the European Economic Area (EEA) and the United Kingdom.
The GDPR grants specific rights to individuals ("data subjects") whose personal data is processed, and places corresponding obligations on organizations that process that data. This page is intended to satisfy the transparency requirements of Articles 12, 13, and 14 of the GDPR by providing a clear, complete, and accessible description of our data processing activities.
This page should be read alongside our:
2. Data Controller Identity
Under the GDPR, InstaRedact acts as the data controller for personal data collected from users of its platform. As data controller, we determine the purposes and means of processing your personal data.
| Controller name | Olmsted Tech LLC (trading as InstaRedact) |
| Registered address | 30 N Gould St Ste R, Sheridan, WY 82801, United States |
| Privacy contact | legal@instaredact.com |
| Data Protection Officer | Not currently appointed (see Section 3) |
3. Data Protection Officer (DPO)
Under Article 37 of the GDPR, a Data Protection Officer is mandatory where an organization's core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of data.
InstaRedact processes images that may contain biometric data (e.g., facial features), which constitutes a special category of personal data under Article 9 GDPR. We take this responsibility seriously. We are currently evaluating whether a formal DPO appointment is required given our current scale of operations and will update this page when that assessment is complete.
In the interim, all data protection inquiries should be directed to: legal@instaredact.com
4. Roles: Controller and Processor
The GDPR distinguishes between data controllers (who determine the purpose of processing) and data processors (who process data on a controller's behalf).
InstaRedact as Controller: When you create an account, log in, or interact with the Service, we act as the data controller for your account information, billing data, and usage data.
InstaRedact as Processor: When you upload images for redaction, you (the user or the organization you represent) are the data controller for the personal data of any third parties depicted in those images. InstaRedact acts as your data processor, processing that content solely as instructed by you to perform the redaction service. You are responsible for ensuring you have a lawful basis for submitting that content.
Sub-processors: We engage third-party sub-processors to help deliver the Service. See Section 8 for the full list. We ensure all sub-processors are bound by appropriate data processing agreements and GDPR-compliant obligations.
5. What Personal Data We Process
The following table describes the categories of personal data we process, the purpose for which it is processed, and the legal basis under Article 6 (and Article 9 for special categories) that we rely on.
| Category of Personal Data | Examples | Purpose | Legal Basis (Art. 6) |
|---|---|---|---|
| Account / Identity data | Name, email address, username | Account creation and management | Art. 6(1)(b) — Contract |
| Authentication data | Hashed password, OAuth tokens, session tokens | Secure sign-in and session management | Art. 6(1)(b) — Contract |
| Billing data | Payment method details (via Stripe), billing address, transaction history | Processing payments, fraud prevention | Art. 6(1)(b) — Contract / Art. 6(1)(f) — Legitimate interests |
| Usage and log data | IP address, browser type, pages visited, API call volume, error logs | Service operation, security, debugging | Art. 6(1)(f) — Legitimate interests |
| Communications data | Support emails, feedback messages | Responding to inquiries and support requests | Art. 6(1)(f) — Legitimate interests |
| User Content — images | Images uploaded for redaction processing | Performing the automated redaction service you requested | Art. 6(1)(b) — Contract |
| Biometric data (special category) | Facial geometry, identifying features detected in uploaded images | Automated detection and redaction as requested | Art. 9(2)(a) — Explicit consent and/or Art. 9(2)(g) — Substantial public interest (where applicable) |
5.1 Note on Biometric Data
Images submitted for redaction may contain biometric data as defined by Article 4(14) GDPR — personal data resulting from specific technical processing relating to physical characteristics that allows unique identification of a natural person (e.g., facial recognition data).
We process this data only to perform the redaction you have instructed. We do not build biometric profiles, use detected biometric features for identification outside the redaction context, or retain biometric data after processing is complete. Where you are submitting images containing biometric data of third parties, you are acting as the data controller for that data and must ensure you have a lawful basis for doing so.
5.2 Note on Automated Processing
The Service uses automated algorithms to detect and redact personal content in images. This processing is not used to make legally significant decisions about any individual. It is a tool you control and direct. However, as required by Article 13(2)(f), we disclose that automated processing takes place, that it is imperfect in nature (false positives and false negatives will occur), and that you retain full control over how outputs are used.
6. Legitimate Interests Assessment
Where we rely on Article 6(1)(f) — Legitimate Interests as our legal basis for processing, we have conducted a balancing test. The legitimate interests we pursue are:
- Service security and fraud prevention: Logging and monitoring access patterns to detect and prevent unauthorized access and abuse.
- Service improvement: Analyzing usage patterns in aggregate to improve the reliability and functionality of the Service.
- Customer support: Retaining communications to provide effective support and resolve disputes.
- Legal protection: Maintaining records necessary to enforce our Terms of Service and defend legal claims.
In each case, we have assessed that these interests are not overridden by your fundamental rights and freedoms, particularly given that: (a) the data involved is not sensitive; (b) processing is limited to what is necessary; and (c) you have reasonable expectations that we will process data for these purposes as part of operating a software service. You may request further details of our balancing tests by contacting legal@instaredact.com.
7. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account and identity data | Duration of account + 3 years post-closure | Legal obligations, dispute resolution |
| User Content (uploaded images) | Deleted upon job completion (active processing only) | Minimum necessary; privacy by design |
| Processed output files | Available in your account for your configured retention period; deleted on account closure | Service delivery |
| Billing and transaction records | 7 years from transaction date | Tax and financial regulatory obligations |
| Log and usage data | 90 days | Security monitoring and operational debugging |
| Support communications | 3 years from last interaction | Dispute resolution and service improvement |
| Cookie consent records | 1 year | Demonstrating compliance with consent obligations |
When retention periods expire, data is securely deleted or irreversibly anonymized.
8. Recipients and Sub-processors
We share personal data with the following categories of recipients. All sub-processors are bound by Data Processing Agreements (DPAs) that impose GDPR-equivalent obligations.
| Sub-processor | Role | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, backend infrastructure | Account data, session tokens, usage metadata | United States (US region) | Standard Contractual Clauses (SCCs) |
| Google Cloud Platform | Cloud hosting, image processing, storage | User Content (images), usage logs | United States (configurable region) | SCCs / Adequacy (where applicable) |
| Stripe, Inc. | Payment processing | Billing data, payment method details | United States | SCCs |
| Resend, Inc. | Transactional email delivery | Email address, name | United States | SCCs |
| PostHog, Inc. | Product analytics | Usage data, session identifiers, IP address | United States | SCCs |
We do not sell personal data to any third party, and we do not share personal data with third parties for their own independent marketing purposes.
Disclosure to public authorities: We may be required to disclose personal data to law enforcement, courts, or regulatory authorities where required by law. We will notify you of any such request to the extent we are legally permitted to do so.
9. International Data Transfers
InstaRedact is based in the United States, which is not recognized by the European Commission as providing an adequate level of data protection equivalent to the EEA.
Where we transfer personal data from the EEA, UK, or Switzerland to the United States or other third countries, we rely on the following transfer mechanisms as required by Chapter V of the GDPR:
- Standard Contractual Clauses (SCCs): We execute the European Commission's approved SCCs (2021 version) with all sub-processors receiving EEA personal data.
- UK International Data Transfer Agreements (IDTAs): For transfers subject to UK GDPR, we use the UK IDTA or the UK Addendum to the EU SCCs.
- Adequacy decisions: Where the European Commission or UK Secretary of State has issued an adequacy decision for the relevant third country, we may rely on that decision.
You may request a copy of the applicable transfer safeguards by contacting legal@instaredact.com.
10. Your Rights as a Data Subject
Under the GDPR, you have the following rights with respect to your personal data. These rights apply subject to certain conditions and exceptions permitted by law.
10.1 Summary of Rights
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access (Art. 15) | Obtain a copy of the personal data we hold about you and information about how it is processed. | Email legal@instaredact.com |
| Right to Rectification (Art. 16) | Request correction of inaccurate or incomplete personal data. | Account settings or email us |
| Right to Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"), subject to certain legal exceptions. | Account settings or email us |
| Right to Restriction (Art. 18) | Request that we restrict processing of your data in certain circumstances (e.g., while accuracy is disputed). | Email legal@instaredact.com |
| Right to Portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format, or have it transmitted to another controller. | Email legal@instaredact.com |
| Right to Object (Art. 21) | Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds. | Email legal@instaredact.com |
| Right to Withdraw Consent (Art. 7(3)) | Where processing is based on consent, withdraw consent at any time without affecting prior lawful processing. | Cookie settings or email us |
| Right Not to be Subject to Automated Decisions (Art. 22) | Not to be subject to decisions based solely on automated processing that produce significant legal effects. Our automated redaction does not produce such effects. | N/A (not applicable to our core service) |
10.2 How to Submit a Request
To exercise any of the rights above, please contact us at legal@instaredact.com with the subject line "GDPR Data Subject Request."
We will:
- Acknowledge your request within 72 hours;
- Respond substantively within one calendar month of receipt;
- Extend that period by up to two additional months where requests are complex or numerous (we will notify you of any extension within the first month);
- Verify your identity before processing the request to protect against unauthorized access;
- Provide our response free of charge (we may charge a reasonable fee only where requests are manifestly unfounded or excessive).
10.3 Right to Lodge a Complaint
If you believe we have infringed your GDPR rights, you have the right to lodge a complaint with the supervisory authority in your country of residence or place of work. We would appreciate the opportunity to address your concerns first — please contact us before filing a complaint.
Key supervisory authority contacts:
| Authority | Jurisdiction | Website |
|---|---|---|
| Irish Data Protection Commission (DPC) | Ireland / EU lead for many US tech companies | dataprotection.ie |
| Information Commissioner's Office (ICO) | United Kingdom | ico.org.uk |
| CNIL | France | cnil.fr |
| Bundesbeauftragter für den Datenschutz (BfDI) | Germany | bfdi.bund.de |
A full list of EU supervisory authorities is available at edpb.europa.eu.
11. Privacy by Design and Data Minimization
We design the Service with privacy principles built in, consistent with Article 25 GDPR:
- Data minimization: We collect only the personal data necessary to provide the Service. We do not collect sensitive data beyond what is required for the redaction task you initiate.
- Purpose limitation: Data collected for one purpose is not used for unrelated purposes without fresh consent or another lawful basis.
- Storage limitation: Images are deleted upon job completion by default. We do not retain user-uploaded content indefinitely.
- Integrity and confidentiality: We use TLS encryption in transit, encryption at rest, and Supabase Row Level Security (RLS) to enforce strict data access controls at the database level.
- Pseudonymisation: Usage analytics data (via PostHog) is stored with pseudonymous identifiers rather than directly identifying information wherever possible.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33 GDPR);
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 GDPR);
- Document all breaches in our internal breach register, regardless of whether notification is required.
To report a suspected security vulnerability or data breach, please contact: legal@instaredact.com
13. Data Processing Agreements
If you are using InstaRedact in a capacity where you act as a data controller and InstaRedact acts as your data processor (e.g., you are processing images containing personal data of your own customers or employees), you may require a Data Processing Agreement (DPA) to satisfy your own GDPR obligations.
To request a DPA, please contact us at legal@instaredact.com. We will provide our standard DPA, which incorporates the 2021 EU Standard Contractual Clauses and the UK IDTA Addendum where applicable.
14. Changes to This Page
We may update this GDPR Compliance page as our data processing activities evolve or as regulatory requirements change. Material updates will be communicated via the Site or by email. The "Last Updated" date at the top of this page reflects the most recent revision.
15. Contact
For all GDPR-related inquiries, data subject requests, or DPA requests:
Olmsted Tech LLC Attn: Data Protection 30 N Gould St Ste R, Sheridan, WY 82801, United States legal@instaredact.com
This page was last updated on April 29, 2026.