Privacy Policy

We collect only the data necessary to provide and improve the GalleryID service. Here’s exactly what we collect and why:

All data collected is used for the specific purpose of providing the GalleryID service to you. We do not use your data for any unrelated purpose. Specifically, we use your data to:

• Operate the Service — store and serve your photos, process AI identifications, manage galleries and rosters
• Manage Your Account — authenticate logins, process billing, enforce subscription limits
• Communicate With You — send service notifications (gallery processing complete, subscription updates), respond to support requests
• Improve the Service — understand usage patterns to fix bugs, improve performance, and develop new features
• Maintain Security — detect and prevent unauthorized access, abuse, or fraud
• Send Push Notifications — notify you via our iOS app when gallery processing completes, face recognition finishes, or other account events occur (you can disable notifications at any time in your device settings)

We use Google Analytics to understand how visitors interact with our website. Google Analytics collects information such as:

• Pages visited and time spent on each page
• Referring websites and search terms
• Device type, browser, and operating system
• General geographic location (city/region level, not precise location)

This data is used solely to improve the GalleryID website and user experience. Google Analytics uses cookies to collect this information. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

For more information, see Google’s Privacy Policy.

We use a limited number of third-party services to operate GalleryID. These providers process your data only as necessary to provide their services to us:

• Cloud infrastructure providers — Database hosting, authentication, CDN, and photo storage
• Payment processor (Stripe) — Stripe handles all payment card data directly; we never see or store your card numbers
• AI processing services — Facial recognition and image analysis (photos are sent for processing and results are returned; images are not retained by the provider)
• Google Analytics — Website usage analytics (as described above)
• Apple Push Notification service (APNs) — Delivers push notifications to your iOS device; Apple receives your device token but no personal data or photo content
• Firebase Cloud Messaging (Google) — Delivers push notifications to your Android device; Google receives your device token but no personal data or photo content. Subject to Google’s privacy practices.
• Public sports data APIs — Roster data for professional and college sports (no personal data from you is shared with these providers)

We do not share your data with any third parties beyond what is described here.

GalleryID offers companion apps for iOS (Apple App Store) and Android (Google Play). Both apps connect to the same account you use on the web at galleryid.ai. The mobile apps do not create separate accounts or collect data independently from the web service. All data accessed through the mobile apps is the same data described throughout this policy.

Push Notifications. When you enable push notifications, your device’s push token (Apple Push Notification service token on iOS, Firebase Cloud Messaging token on Android) is stored on our servers and associated with your user account. This token is used solely to deliver notifications about your galleries (such as when face recognition processing completes). You can disable push notifications at any time through your device’s Settings app. When you sign out of the app, your device token is automatically deleted from our servers.

Camera and Photo Library. The mobile apps request access to your camera for capturing athlete headshots and to your photo library for selecting photos to upload. On iOS this uses the Apple Photos picker and camera APIs; on Android this uses the Android Photo Picker (or, on older Android versions, the system file picker) and the standard camera intent. These permissions are requested only when you initiate a headshot capture or photo upload. Photos and images are transmitted to our servers using the same encrypted channels as the web application. The apps do not access your camera or photo library in the background or for any purpose other than what you explicitly initiate.

Biometric Login (Optional). If you opt in to biometric login (Face ID, Touch ID, or Optic ID on iOS; fingerprint or face unlock on Android), your biometric template is processed entirely by your device’s operating system and never leaves the device. The GalleryID app only receives a yes/no match result, which is used to unlock your saved email + password. Your biometric data is never transmitted to GalleryID or any third party. You can disable biometric login at any time from inside the app.

No Background Data Collection. The mobile apps do not collect location data, access your contacts, track your activity across other apps, or perform any data collection in the background. The apps communicate with our servers only when you are actively using them, with the exception of receiving push notifications.

Apple App Store and Google Play disclosures. Our App Store and Google Play data-disclosure forms (App Privacy on iOS, Data Safety on Android) reflect the data practices described in this policy. Where the store listing surfaces a summary, this policy is the authoritative source of detail.

When you upload a headshot for roster indexing, our system generates a mathematical representation (a “face embedding”) of the facial features. This is a numerical vector, not an image. These embeddings are used solely to match faces in your uploaded photos against your roster.

Face embeddings are stored securely and are associated with your organization’s account. They are not shared across organizations, not used for surveillance, and not accessible to other users.

Collection and purpose. We collect facial recognition data — specifically, face embedding vectors derived from headshot photos you upload — for the sole purpose of identifying athletes in sports photographs within your organization’s account. We do not collect facial recognition data from any other source, and we do not use it for any purpose other than providing the identification features of the Service.

Retention and destruction schedule. Face embeddings are retained for as long as your organization’s account is active and the associated person record exists. Face embeddings are permanently destroyed in the following circumstances:

• When you delete an individual person from your roster (embedding deleted immediately)
• When you delete your account (all embeddings deleted within 30 days)
• When a subscription lapses and the account is deactivated (embeddings deleted within 90 days)
• Upon written request via our contact page (completed within 30 days)

We do not sell, lease, trade, or profit from facial recognition data.

Your consent responsibilities. By enabling facial recognition features and uploading headshots, you confirm that you have obtained any consent required by applicable law from the individuals whose biometric data you are submitting for processing. Several U.S. states — including Illinois (BIPA), Texas, and Washington — require written consent prior to collecting biometric identifiers. GalleryID does not provide legal advice; you are solely responsible for your compliance obligations in your jurisdiction.

You may delete any person’s facial data at any time by removing them from your roster, which also permanently deletes the associated face embedding.

We take the security of your data seriously and implement industry-standard measures including:

• All data transmitted over HTTPS/TLS encryption
• Account passwords are managed by our authentication provider and are not accessible to GalleryID staff
• Row-level security policies restrict data access to authorized users and organizations
• Authentication tokens are short-lived and automatically refreshed
• Photos are stored in cloud object storage with access controls
• Third-party credentials such as FTP passwords are hashed at rest

While we implement reasonable security measures, no system is 100% secure. We cannot guarantee absolute security of your data.

We retain your data for as long as your account is active. You can delete your account at any time directly from inside the iOS or Android app (User tab → Delete Account) or by emailing support@galleryid.ai. Full step-by-step instructions, including what gets deleted and what we retain, are documented at galleryid.ai/account-deletion.

When you delete your account:

• Your data is retained for 30 days in a recoverable state to allow for cancellation if the deletion was requested in error
• After 30 days, your photos, galleries, roster data, face embeddings, share links, upload links, and mobile device push tokens are permanently deleted
• Aggregated, non-identifying server logs are retained for up to 90 days for security and abuse prevention
• Billing records may be retained longer as required by law (typically 7 years for US tax compliance)
• Anonymized, aggregated analytics data (not linked to you) may be retained indefinitely

For plans with ephemeral storage, photos are automatically deleted after the specified retention period (e.g., 14 days).

You have the right to:

• Access your data — View and export your photos, galleries, and account information at any time
• Correct your data — Update your account information, roster data, and gallery details
• Delete your data — Delete individual photos, galleries, roster entries, or your entire account
• Download your data — Export your photos with embedded metadata at any time
• Opt out of analytics — Disable Google Analytics using browser settings or add-ons

To exercise any of these rights, use the relevant features in your account settings or contact us.

GalleryID is operated from the United States and is primarily intended for users in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with data protection laws (such as the GDPR or UK GDPR), you may have additional rights including:

• Right of access — Request a copy of the personal data we hold about you
• Right to rectification — Request correction of inaccurate personal data
• Right to erasure — Request deletion of your personal data
• Right to data portability — Receive your data in a structured, machine-readable format
• Right to object — Object to certain types of data processing
• Right to restrict processing — Request limits on how we process your data

To exercise any of these rights, contact us. We will respond to requests within 30 days.

By using the Service from outside the United States, you consent to the transfer of your personal data to the United States for processing as described in this policy.

GalleryID processes facial recognition data, which may be classified as biometric data under certain laws. Several U.S. states — including Illinois, Texas, and Washington — have enacted biometric privacy laws with specific requirements regarding notice, consent, and data handling.

You are responsible for ensuring your use of GalleryID’s facial recognition features complies with all applicable laws in your jurisdiction. This may include obtaining written consent from individuals whose photos you upload for facial recognition processing. GalleryID does not provide legal advice regarding your compliance obligations.

GalleryID is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. Note that photos of minor athletes may be uploaded by authorized photographers and organizations — the responsibility for appropriate use and distribution of those photos rests with the uploading organization.

We use a minimal number of cookies:

• Authentication cookies — Essential for keeping you logged in (required for the Service to function)
• Google Analytics cookies — For website analytics (can be opted out of)

We do not use advertising cookies, tracking pixels from ad networks, or any third-party marketing cookies.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice within the Service. The “Last Updated” date at the top of this page reflects the most recent revision.

Questions about this Privacy Policy or your data? Contact us.