Privacy Policy
Last Updated: April 10, 2026
1. Introduction
CopyImageToText.com ("we," "us," or "our") is committed to being transparent about how your data is handled. This Privacy Policy explains precisely what we collect, what we store, who can access it, and what your rights are.
We want to be upfront about two things:
- Guest users (not signed in): your uploaded files and extracted text are never stored on our servers. You get your result, and nothing is retained.
- Authenticated users (signed in): your extracted text is stored in our database to power the extraction history feature. As with any cloud-hosted service, we as the operators have administrative access to that database.
2. Information We Collect
2.1 Guest Users (Not Signed In)
| Data | Stored? | Details |
|---|---|---|
| Uploaded file | No | Transmitted to Google Cloud Vision and immediately discarded |
| Extracted text | No | Returned to your browser and discarded — never written to our database |
| Raw IP address | No | Never stored |
| Hashed IP address | Yes | SHA-256 hash with daily rotating salt — non-reversible, used for rate limiting only |
| Session ID | Yes | Random UUID in a _sid cookie — not linked to your identity |
| Usage metrics | Yes | Anonymous only: file type, file size, processing time, country code, referrer category |
2.2 Authenticated Users (Signed In)
Everything in 2.1 applies, plus:
| Data | Stored? | Details |
|---|---|---|
| Email address | Yes | Used for account authentication only |
| Extracted text | Yes | Stored in your extraction history so you can retrieve it |
| Filename | Yes | Stored with each history record for your reference |
| Page count | Yes | Stored with PDF history records |
| Extraction timestamp | Yes | Date and time of each extraction |
| Account tier | Yes | basic or pro |
Your uploaded file is not permanently stored in either case — only the extracted text output is saved to your history.
3. Extraction History — Honest About Access
We believe in telling you the truth.
Your extraction history is stored in our database. As the operators of this Service, we have administrative access to the database, which means we could read extraction records stored in your account. We do not routinely do so. We access the database only for operational purposes: maintaining infrastructure, investigating reported Terms violations, responding to legal requests, and fixing technical issues at your request.
If you are working with highly confidential documents — legal filings, medical records, financial data, or anything sensitive — we recommend using the Service as a guest (without signing in). Guest extractions are never stored in our database.
This is the same model used by Google Docs, Notion, Dropbox, and every comparable cloud service: the provider has infrastructure-level access to hosted data. We simply tell you plainly rather than obscuring it.
4. How Your File Is Processed
- Your file is received by our server over HTTPS
- Your file is transmitted to Google Cloud Vision API for text extraction
- Google returns the extracted text to our server
- Guest: text is returned to your browser and immediately discarded from our server
- Signed in: text is returned to your browser and saved to your extraction history in our database
- Your original uploaded file is discarded in both cases
5. Hashed IP Addresses
We never store your raw IP address. For rate-limiting purposes we store a SHA-256 hash of your IP address combined with a daily-rotating salt. This hash cannot be reversed to recover your IP address, and changes every calendar day so it cannot be tracked across days.
6. Cookies
| Cookie | Purpose | Duration |
|---|---|---|
_sid | Random session UUID for rate limiting | Session (cleared on browser close) |
| Supabase auth cookie | Keeps you signed in | 7 days, refreshed on use |
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
7. Analytics
We do not use Google Analytics, Meta Pixel, or any third-party analytics platform. All usage analytics are collected in-house and contain only the anonymous metrics listed in Section 2.1. No extracted text content is ever included in our analytics.
8. Google Cloud Vision AI
Your files are processed by Google Cloud Vision API (Google LLC). Google does not use data submitted via the API to train its models without your consent. Google may retain API request data for a limited period for abuse prevention. Google's data processing terms are available at cloud.google.com/terms/data-processing-addendum.
9. Other Third-Party Services
| Provider | Role | Privacy Policy |
|---|---|---|
| Google Cloud Vision | OCR processing | cloud.google.com/privacy |
| Vercel | Web hosting; server logs retained up to 30 days | vercel.com/legal/privacy-policy |
| Supabase | Database hosting for accounts and extraction history | supabase.com/privacy |
We do not sell your data to any third party.
10. Data Retention
| Data | Retention |
|---|---|
| Uploaded files | Not stored — discarded immediately after processing |
| Guest extracted text | Not stored — discarded immediately after delivery to browser |
| Authenticated extraction history | Retained until you delete it or close your account |
| Hashed IP rate-limit records | Reset daily; deleted after 90 days of inactivity |
| Anonymous analytics metrics | Retained up to 24 months, then deleted |
| Account email address | Retained until account deletion |
| Email correspondence | Retained as long as necessary to resolve your inquiry |
11. Data Security
- All data is transmitted over HTTPS (TLS encryption)
- Row Level Security (RLS) is enabled on all database tables — no user can access another user's data through the application
- IP addresses are hashed before storage using SHA-256 with a daily rotating salt
- Database write access is server-side only — the database is not exposed to the browser
- We do not store payment information
No security system is perfect. We have designed the Service to store only what is needed to provide it, which limits the impact of any potential breach.
12. Your Rights
Depending on your location, you may have rights including:
- Access — request a copy of the personal data we hold about you
- Deletion — delete your extraction history directly in account settings, or contact us to close your account entirely
- Correction — request correction of inaccurate account data
- Portability — request your extraction history in a portable format
- Objection — object to our processing of your personal data
- Complaint — lodge a complaint with your local data protection authority
To exercise any right, contact hello@copyimagetotext.com. We will respond within 30 days.
Note for guest users: because we do not store your extracted text or raw IP address, there is generally no personal data attributable to you for us to retrieve, correct, or delete.
13. GDPR (European Users)
| Processing Activity | Legal Basis |
|---|---|
| Performing OCR extraction | Contractual necessity (Art. 6(1)(b)) |
| Storing extraction history | Consent — you choose to sign in and use the history feature (Art. 6(1)(a)) |
| Rate-limiting via hashed IP | Legitimate interests — preventing abuse (Art. 6(1)(f)) |
| Anonymous analytics | Legitimate interests — improving the Service (Art. 6(1)(f)) |
We do not transfer personal data outside the EU/EEA except to service providers (Google, Vercel, Supabase) operating under adequate safeguards including Standard Contractual Clauses.
14. Australian Privacy Act
We handle personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles. If you believe we have breached these Principles, contact us at hello@copyimagetotext.com. If unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.
15. Children's Privacy
The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.
16. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. Material changes will be communicated to registered users by email where practicable.
17. Contact
Email: hello@copyimagetotext.com Website: https://copyimagetotext.com
We respond to all privacy inquiries within 30 days.