LEGAL

Privacy Policy

Effective date:

This Privacy Policy describes how Tempaloo (“Tempaloo”, “we”, “us”) collects, uses, and protects personal data when you use the Tempaloo WebP plugin, the Tempaloo API, and the website at tempaloo.com (collectively, the “Service”).

We take a deliberately minimalist approach to data: the Service is designed to process images, not to profile people. We collect only what we need to authenticate your licence, deliver the conversion, and bill your subscription.

1. Who we are

Data controller: Tempaloo, 12 rue de la Paix, 75002 Paris, France.

For any privacy question, please reach us through our contact form (pick the “Other” topic and mention “privacy” in your message). We aim to respond within 30 days as required by the GDPR.

2. What we collect

2.1 Account and licence data

When you generate a licence or sign in:

  • Email address, collected either directly at activation or through Google OAuth.
  • Display name and profile picture URL, only if you choose to sign in with Google.
  • Licence key we issue, associated with your account.
  • Activated sites: the domain (e.g. example.com) of any WordPress install that uses your licence. You can deactivate a site at any time from your dashboard.

2.2 Technical data sent by the plugin

When the plugin runs on your WordPress site, it sends us:

  • The licence key (in the request header) to authenticate the call.
  • The site URL to bind activations to the licence.
  • Your WordPress and plugin version for diagnostics and compatibility statistics.
  • The image bytes you are converting, streamed to our API at the moment of the request. Images are held in memory only, converted, and streamed back. They are never written to disk on our servers and never shared.

2.3 Usage telemetry

  • Per-conversion metadata: timestamp, input byte size, output byte size, conversion duration, format chosen (WebP or AVIF), and whether the call was auto (on upload) or bulk. We use this to enforce quotas, compute savings, and surface analytics in your dashboard.
  • Anonymous page analytics on tempaloo.com and its subdomains, collected by Vercel Analytics (no cookies, no cross-site tracking).

2.4 What we do NOT collect

  • We do not store or retain your images after conversion.
  • We do not read, index, or analyse the content of your images.
  • We do not set third-party advertising cookies.
  • We do not sell, rent, or lend any personal data.

3. Why we process this data (legal basis)

Under Article 6 GDPR, we rely on:

  • Performance of a contract (Art. 6(1)(b)) — authenticating your licence, converting images you submit, enforcing your plan’s quotas, billing paid plans. Without these, the Service cannot work.
  • Legitimate interest (Art. 6(1)(f)) — anonymous analytics to improve the product, protecting the Service against abuse, and compatibility diagnostics based on WordPress/plugin versions.
  • Consent (Art. 6(1)(a)) — only if we later introduce an explicit opt-in feature; at the moment we do not rely on consent for any processing.
  • Legal obligation (Art. 6(1)(c)) — retaining invoices as required by French/EU tax law.

4. How long we keep your data

| Data | Retention |
| --- | --- |
| Account & licence records | Until you delete your account. After deletion: 3 months in case you reopen, then full erasure. |
| Activated-sites list | Deleted immediately when you deactivate the site from your dashboard. |
| Per-conversion metadata (usage logs) | 12 months rolling. Used for billing reconciliation and abuse analysis. |
| Image bytes | Never stored. Discarded at the end of the conversion request. |
| Invoices / tax records | 10 years (French Code de commerce, art. L123-22). |
| Webhook and API logs | 30 days for operational debugging. |

5. Who we share your data with

We share the minimum necessary with a short list of sub-processors, each contractually bound to process data only on our instructions and to GDPR standards:

| Sub-processor | Purpose | Data hosted | Region |
| --- | --- | --- | --- |
| Render | API hosting | None stored — compute only | Frankfurt, EU |
| Neon | Postgres database | Accounts, licences, usage metadata | Frankfurt, EU |
| Freemius | Payment processing for paid plans | Payment details, billing address | US (SCCs) |
| Vercel | Website hosting + analytics | Anonymous usage counters | EU edge |
| Google LLC | OAuth sign-in only (if you choose to use it) | OAuth identifiers | US (SCCs) |

Freemius acts as the merchant of record for all paid subscriptions. When you buy a paid plan, your payment is contractually between you and Freemius, and your billing details never touch our servers. Their full privacy policy is at freemius.com/privacy.

6. International data transfers

Your account and conversion data are stored in the European Union (Frankfurt region). Where a sub-processor is based outside the EU (Freemius, Google), we rely on the European Commission’s Standard Contractual Clauses to safeguard the transfer, plus any additional measures documented in their data processing agreements.

7. Your rights under the GDPR

You can exercise the following rights at any time through our contact form:

  • Access — receive a copy of the personal data we hold about you.
  • Rectification — ask us to correct data that is inaccurate.
  • Erasure — ask us to delete your account and associated data (subject to our legal retention duties for invoices).
  • Restriction — ask us to pause processing in certain cases.
  • Portability — receive your data in a structured, machine-readable format (JSON).
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — if any processing is ever based on consent, you can withdraw it at any time without affecting prior processing.
  • Lodge a complaint with your local data protection authority. In France, that is the CNIL.

We will respond within one month. For complex requests we may extend the response time by up to two more months, and will tell you if we do.

8. Cookies and similar technologies

Tempaloo does not use tracking cookies. We set exactly two technical cookies, both on tempaloo.com:

  • Session cookie (Better Auth) — maintains your login. Required for the dashboard to work. Deleted when you log out.
  • Theme preference (localStorage, not a cookie) — remembers your light/dark choice. Local to your browser, never sent to us.

Analytics on the marketing pages are provided by Vercel Analytics, which is cookieless and does not cross-track users between sites.

9. Children

The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a minor has registered, send us a message via our contact form and we will delete the account.

10. Security

We apply common-sense technical and organisational measures: TLS 1.2+ on every endpoint, HMAC-signed webhooks, hashed licence keys, key rotation on compromise, principle of least privilege for internal access, audit logs on all database changes. Despite these, no service can guarantee absolute security; in the event of a confirmed personal-data breach we will notify the CNIL within 72 hours as required by the GDPR and affected users without undue delay.

11. Changes to this policy

We will update this policy as the Service evolves. Material changes (new sub-processor, new category of data collected) will be announced by email to active account holders at least 30 days before taking effect. The current version and its effective date are always shown at the top of this page.

12. Contact

Tempaloo — privacy
Use our contact form for any privacy or data-protection request
Tempaloo, 12 rue de la Paix, 75002 Paris, France