Privacy notice
Last updated: May 12, 2026
What we collect
- Account data: e-mail, optional name, hashed password.
- Photographs: anything you upload, and the AI output we generate from it.
- Usage: which tool you used on which photograph, when, and the result status.
- Payment: handled by Stripe. We never see your card number; we receive a customer ID and invoice amounts.
- Server logs: IP, user agent, requested URL. Rotated weekly, deleted after thirty days.
Why we collect it
To provide the service, to bill you for paid plans, to detect abuse, and to comply with our legal obligations.
Where it lives
Our application servers are in Falkenstein, Germany (Hetzner). The processing models are operated by Replicate in the United States. When we send a photograph to Replicate, it is transferred across the Atlantic for the duration of the job. The job result and Replicate-side cache are deleted within an hour of completion.
How long we keep it
- Your photographs and outputs: until you delete them, or thirty days after account closure.
- Account data: until you ask us to delete it.
- Payment records: seven years, because Croatian tax law says so.
- Server logs: thirty days.
Your rights under GDPR
You can ask us for a copy of your data, ask us to delete it, ask us to correct it, and ask us not to process it for any particular purpose. Write to [email protected]. We will respond within thirty days.
Who we share with
Stripe (payments). Replicate (AI processing of the photograph). Postmark (transactional e-mail). That is the complete list. We do not work with advertising networks. We do not sell data.
Cookies
One session cookie to keep you signed in. One language preference cookie. One CSRF token. No analytics cookies. No tracking pixels. No third-party scripts on the marketing pages.
Children
Looks Back is not directed at children under 13. If you are a parent and believe your child has an account, write to us and we will close it.
Complaints
You can complain to the Croatian Personal Data Protection Agency (AZOP) at any time.