Unpinched
Contents

Privacy Notice

Last updated: 18 May 2026

This is the general privacy notice for the Unpinched website and service: what we collect, why, how long we keep it, and your rights over it. A separate notice covers the beta volunteer programme; this page applies to everything else.

At a glance

We collect very little. No third-party analytics, advertising, or behavioural-tracking cookies. We do not sell, rent, or share your information for marketing. The cookies we set are the few we need to keep you signed in, remember your preferences, and protect the site from abuse.

Who we are

The data controller is Actibility Limited, operator of the Unpinched service.

  • Private company registered in England, Company Number 10607409
  • Registered Office: 124 City Road, London, EC1V 2NX, United Kingdom
  • Privacy contact: [email protected]

Unpinched is a small operation and is not currently required under UK GDPR to designate a statutory Data Protection Officer. The privacy contact above handles all data-protection enquiries.

What we collect, and when

Grouped by what you are doing, not by data type — that is usually the more useful way to read it.

When you visit the site

  • The cookies listed in the Cookies section below
  • Standard server-log information — IP address, time, page requested, user-agent string, referring page if any
  • Nothing else. No Google Analytics, Plausible, Fathom, Mixpanel, Facebook Pixel, or any other behavioural-analytics or advertising tool

When you create an account

Unpinched distinguishes three names. We hold all three; only one is ever published.

  • Login name (username) — what you sign in with. Internal to Unpinched, never published.
  • Copyright name — your author attribution. Generated by the Unpinched name selector (screened against known trademarks and well-known names), or established via the Verified Copyright Name route. Personal names only; no studios or companies. Published on every licence we issue, embedded in EXIF / XMP of accepted images, and shown on the public registry.
  • Legal name — collected when you sign the Contributor Licence Agreement. Links your copyright name to an identifiable person; not published. Used where ownership has to be proved.

We also hold a one-way hash of your password (we never see the password), your email address (private; account and service messages only), your preferences and dismissal flags, and the dates your account was created and last used.

Your copyright name choice is permanent. Once your first submission is accepted, the copyright name cannot be re-chosen — every licence is bound to it. UK GDPR rectification rights cover genuine errors (typographical corrections, for example); they do not extend to re-making the choice. We say this clearly at the point of choosing.

For a Verified Copyright Name we also hold the documentation submitted to support the verification (typically a sample of published credits and identity-linking evidence reviewed by hand). That documentation is private and is retained for the lifetime of the verified name.

When you submit a photograph

  • The image file itself
  • Selected EXIF / metadata from the image — camera make and model, capture date, exposure settings
  • The IP address from which the submission was made, and the copyright declaration you confirmed at submission time
  • An audit-log entry recording the submission and any subsequent moderation actions

EXIF privacy — what we deliberately strip. Before publication, the submission pipeline always removes GPS coordinates and software-fingerprint fields from EXIF, regardless of what was in the uploaded file. The location at which you took the photograph is not retained on the published file, and editing-software fingerprints that could identify a specific machine are dropped. Stock libraries typically retain everything; we have built this in so a published image cannot leak where a contributor lives or which device they used. Camera make, model, capture date, and exposure remain — those are legitimate provenance signals.

If your work is later published, the photograph becomes publicly visible by design. Your copyright name is shown against the work; your login name, email address, and legal name are not.

When you buy tokens, or use tokens to buy a licence

Unpinched runs on a token-based payment system. There are two distinct data classes, kept separate:

  • Token purchase records. Card payment flows through Stripe. Unpinched receives the transaction reference, amount, and confirmation — never your full card details. We hold your token balance and a record of each purchase (date, amount, reference).
  • Token redemption records. When you spend tokens — submission fee, licence purchase, or any other in-platform charge — we record the redemption (date, purpose, amount). Submission fees are non-refundable. Balances and redemptions are private to your account.

When tokens are redeemed against a licence, the licence itself is published to the public registry, described next.

The public licence registry

The registry is the public, permanent, machine-readable record of every licence Unpinched issues. It is the chain of provenance the platform stands on; it cannot work if entries can be withdrawn at will.

For each issued licence, the registry records:

  • The image's UIIID (its canonical identifier)
  • The licence serial within the edition of 100
  • The photographer's copyright name (not their login name, email, or legal name)
  • The date and time the licence was issued
  • For resales, the new holder's relevant identifier on the platform

Buyer pseudonym option. Buyers can ask, at purchase, for their registry entry to use a pseudonymous handle rather than their account name. The pseudonym is still tied to the underlying account internally (we must be able to prove ownership if asked), but it is what the public registry shows. Request this from your dashboard at purchase, or by emailing [email protected].

Consequences for GDPR erasure rights are described in the Retention and Your Rights sections below. We are upfront about this because it is the single largest constraint on the rights we can offer photographers.

When you contact us

  • Whatever you choose to send us (email body, attachments, return address)
  • The fact and date of the correspondence

Why we collect it — legal bases under UK GDPR

We rely on four lawful bases:

  • Contract performance (Art. 6(1)(b)) — running your account, accepting submissions, processing licence purchases, providing the service you asked for.
  • Legitimate interests (Art. 6(1)(f)) — site security, fraud and abuse prevention, audit logs, day-to-day platform operation. We do not use this basis for marketing or profiling.
  • Consent (Art. 6(1)(a)) — things you actively agree to: accepting the content standards, opt-in communications.
  • Legal obligation (Art. 6(1)(c)) — financial records for HMRC, and any disclosure required by court order, regulator, or copyright-infringement notice.

Cookies

We use cookies only where strictly necessary to operate the site, plus one that records your onboarding choice. We do not use cookies for analytics, advertising, profiling, or behavioural tracking, so PECR does not require a consent banner — but we list every cookie we set below so you can see exactly what is happening.

Cookie Purpose Lifetime Category
cf_auth_token Keeps you signed in. Stored in localStorage — listed here for transparency. Until sign-out or clearing browser storage Strictly necessary
beta_session Confirms admission to the closed beta. 90 days Strictly necessary
consent_accepted Records the version of the content standards you accepted. 180 days Strictly necessary
onboarding_seen Remembers that you have seen the welcome overlay. 24 hours Strictly necessary

No third-party trackers. No Facebook, Google, or X pixels. No third-party fonts, scripts, or images that would set cookies on your browser. The onboarding consent panel confirms only the functional cookies listed above (auth, preferences, onboarding state, consent state); no third-party embeds set cookies anywhere on the site.

What we don't do

Plainly:

  • We do not sell, rent, or share your personal information for marketing.
  • We do not run ads, place ads, or share data with ad networks.
  • We do not build behavioural profiles or run automated decision-making with legal or similarly significant effects.
  • We do not share data outside the platform except where we have to (a court order, regulator, tax authority, copyright-infringement notice, or a processor acting strictly on our instructions).

Who we share data with

We share personal information only with the processors we need to run the platform. Each is engaged under a written data-processing agreement and acts only on our instructions.

Processor Role Typical region
Cloudflare, Inc. DNS, CDN, edge security, Workers, D1 database, R2 object storage UK / EU points of presence; D1 and R2 regions noted below
Stripe Payments UK, Ltd. Payment processing for licence purchases UK / EU
Apple Inc. Email service for @unpinched.com mailboxes (privacy, names, and other scoped addresses) Global (US-headquartered)

No other third party by default. If we ever add a processor (e.g. an email-delivery provider), we will update this notice and tell registered users before the change takes effect.

We disclose information when legally required — court order, regulator request, properly served copyright-infringement notice. We will tell you about such a request where we are permitted to.

Where your data lives

  • Web traffic and CDN — Cloudflare's UK and EU points of presence, typically London or Amsterdam.
  • Account and licence database (D1) — Cloudflare D1, configured to place its primary replica in Western Europe (WEUR).
  • Image storage (R2) — Cloudflare R2, located in Western Europe (WEUR). Note: this is a placement hint, not a contractual data-residency guarantee. We are configured for WEUR placement and have no need or intent to use other regions. We track the migration to jurisdiction-locked EU buckets internally (see our roadmap) for buyers and partners who need a strict residency contract; ask if this matters to you.
  • Payment data — Stripe's UK / EU environment.
  • Mailboxes — Apple iCloud Mail; messages may be processed on servers outside the UK.

International transfers

Where data leaves the UK or EEA — principally for the Apple-hosted mailboxes, and for any Cloudflare edge processing routed through a non-UK/EU point of presence — we rely on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Cloudflare and Apple have published their own SCC commitments.

Where data does not leave the UK or EEA, no transfer mechanism is needed.

How long we keep it

This section uses three different categories: records (kept because the registry, your licences, and HMRC require it), operational logs (kept while useful for running the service), and everything else (kept while useful to you).

Records — kept for years.

  • Published works and their licence records — retained indefinitely. The public registry is the chain of provenance; removing entries would undermine the trust it exists to provide. If you ask us to take your work down, the image file and account details can be withdrawn from the active platform, but already-issued licence entries — UIIID, serial, copyright name, timestamps, and the licence record exactly as it stood at point of sale — remain. Full erasure of a published and licensed image is not available to us without breaking the platform's core promise. For content-related takedowns, see our standards page.
  • Audit log entries — moderation actions, takedowns, registry edits, and similar platform-integrity records. Retained for 7 years, in line with our wider record-keeping policy.
  • Financial records relating to licence transactions — retained for 7 years. The Companies Act 2006 sets six years as the statutory minimum for accounting records; we keep them seven to give a safety margin.

Operational logs — kept short.

  • HTTP access and application logs — request paths, response codes, IP addresses, user-agent strings, and equivalent operational signals. Kept in active systems for up to 30 days then deleted. We do not archive these to cold storage.
  • Security-event logs — a narrower subset of operational logs flagged as relevant to a security incident or investigation. Retained for up to 1 year for that purpose, then deleted.

Account and personal data.

  • Account data for users who have never licensed or purchased an image — kept until you ask us to delete it, or for 3 years if the account has been inactive (in which case we delete it). Where you have published works or hold licences, see the records section above: account data linked to those records is retained as part of the registry, even after the account is closed.
  • Photographer portfolios that have been dormant for 3 years — taken offline (the images are withdrawn from the gallery and discovery; data is preserved on the platform). On-request equivalents are available for members who have died or otherwise withdrawn.
  • Submitted images you have not yet published — until you delete them, or delete your account.
  • Support correspondence2 years after the last reply, then deleted.

Your rights under UK GDPR

You have the right to:

  • Access — ask for a copy of the personal information we hold about you
  • Rectification — ask us to correct anything that is wrong or out of date. This includes typographical corrections to a copyright name; it does not extend to re-choosing a copyright name once your first submission has been accepted (see the Retention section above)
  • Erasure — ask us to delete your information, subject to the public-registry constraint described above. Login name, email, legal name, and the documentation behind a Verified Copyright Name can all be erased; the published copyright name and the licence entries issued against it cannot
  • Restriction — ask us to stop processing your information while a question about it is resolved
  • Portability — ask us for your data in a machine-readable format (we provide JSON)
  • Objection — object to processing we have based on legitimate interests
  • Withdraw consent — at any time, for any processing we do on the basis of your consent

To exercise any of these rights, email [email protected]. We will respond within one month. There is no charge for most requests.

If you are unhappy with how we have handled your information, you can complain to the UK Information Commissioner's Office at ico.org.uk or by calling their helpline on 0303 123 1113.

Children

Browsing is open to anyone, but creating an account, submitting work, and buying or selling a licence are restricted to users aged 18 and over. We recommend parental supervision for visitors under 13.

We do not knowingly collect personal information from children under 13. If you believe a child has provided personal information — for example by creating an account with a misleading date of birth — contact [email protected] and we will delete the account and associated data.

Changes to this notice

We may update this notice from time to time. The "Last updated" date at the top reflects the most recent change. For any material change — anything that alters what we collect, how we use it, or who we share it with — registered users receive email notice at least 14 days before the change takes effect. Minor or clarifying edits may be made without prior notice. The version of this notice in force at the time you accepted it is recorded against your account, and we do not retrospectively apply a newer version to processing that happened under an earlier version.

How to get help — and which channel to use

  • Account, profile, preferences, token balance, submissions, licence history — manage from your dashboard.
  • Data-subject rights (access, rectification, erasure, restriction, portability, objection, withdrawing consent) — [email protected].
  • Verified Copyright Name and copyright-name questions[email protected].
  • Content concerns, takedowns, standards — see our standards page.
  • General help, how-to, troubleshooting — see our Help pages.

The supervisory authority for the United Kingdom is the Information Commissioner's Office (ico.org.uk), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

If anything is unclear, write to [email protected]. Postal mail: Actibility Limited, 124 City Road, London, EC1V 2NX, United Kingdom.