Privacy
Last updated: 20 May 2026
This is a translation of the original Dutch version. In case of any discrepancy, the Dutch text prevails.
What you share stays yours. We don’t sell your data, we show no ads, we don’t use your photos or videos to train AI models, and we don’t pass anything on to third parties for marketing purposes. Below is exactly what we do.
What we store
- Account: email address, name (optional), and a hashed version of your password.
- Photos & videos: the files themselves plus the associated EXIF metadata (camera, date, GPS if it was embedded in the file). We also record the IP address and user agent for each upload.
- Folder structure and sharing settings: the folders and sharing options you create yourself.
- Comments and likes: what you leave on shared photos and videos, visible to the other members of that circle.
- Derived data: face clusters (only if you’ve enabled face recognition on your profile — off by default), automatic tags, and thumbnails. These are generated locally on our own servers; we never send your photos to external AI APIs.
- Push notification token: if you enable notifications on your phone, Apple or Google sends us an anonymous device token. We only use it to notify you when your processing is done or when someone shares something in your circle.
- Payment data: if you take a paid subscription we use Mollie (NL) to process the payment. We only see whether the payment succeeded, never your IBAN, card number or CVC — those stay with Mollie.
Retention periods
- Photos, videos and albums: as long as your account is active. On cancellation everything is deleted immediately — in practice within minutes from both our database and object storage. There is no recovery window.
- Account: your profile data (email address, name, hashed password, sessions, push tokens) is deleted immediately on cancellation.
- Billing history: invoice records (invoice number, plan, amount, VAT, date and the email address we used as billing address) are kept for at least 7 years to comply with the Dutch fiscal retention obligation (art. 52 AWR). The email address on the invoice is not anonymised — fiscally it belongs to the invoice.
- Security audit logs (IP, user agent): we record login, MFA and account events with IP address and user agent. These records are automatically deleted after 90 days.
- Face embeddings: removed immediately when you disable face recognition, or on account cancellation.
Face recognition & biometrics
Face embeddings fall under special categories of personal data (GDPR art. 9). We only process them after your explicit consent via an opt-in on your profile page. You can withdraw consent at any time; on withdrawal we immediately delete all existing embeddings and clusters.
Where we store it
All data is held on servers within the European Union. Photos don’t leave our servers for processing — face detection and tagging also run in our own environment, not via external AI APIs.
Who can access it
Only you and the people you invite to a folder. We don’t look at your photos; the only exception is an administrator intervening for an acute technical problem, in which case we log what was viewed.
Errors and crash reports
To find and fix bugs quickly we collect technical crash reports from the app and website. A report contains your user ID, the error type, the location in the code and the HTTP route — no email address, no IP address, and no contents of photos, comments or upload requests. The reports run on our own server (errors.ohhi.nl); no third party receives them. Retention: 90 days.
What we don’t do
- No ads or ad networks
- No tracking cookies or third-party analytics
- No training of AI models on your photos
- No sale or transfer of data to third parties
Cookies
We use two strictly necessary cookies: ohhi_token remembers your login session and ohhi_locale your language preference. No tracking, no analytics, no consent banner needed.
Sub-processors
We use a limited number of partners to run Ohhi — each under a data processing agreement. The original storage of your photos and videos is with Hetzner in the EU; delivery runs through Bunny CDN, which may briefly cache them at edge locations worldwide. For partners outside the EU/EEA we rely, where required, on the European Commission’s Standard Contractual Clauses (SCCs) or a valid adequacy decision.
Your rights
Under the GDPR you have the right to access, correct, erase, restrict, port and object to the processing of your data. For any of these requests — including a data export — open a support ticket from your account. We respond within 30 days. Not happy with our response? You can lodge a complaint with the Dutch Autoriteit Persoonsgegevens or your local data protection authority.