Privacy Policy
1. Who is the data controller
The controller of personal data processed in connection with ThumbnailUp (“the Service”) is Trebuh, a private individual based in Poland. You can reach the controller at trebuhdev@gmail.com.
This policy explains what personal data the Service collects, why we collect it, who we share it with, how long we keep it, and what rights you have under the EU General Data Protection Regulation (GDPR) and Polish law.
2. What data we collect
Browsing the Service (no account required). When you load pages, our hosting infrastructure receives standard request metadata: IP address, user agent, referring URL, and timestamp. This is used to keep the Service running and to detect abuse. We do not combine it with any account.
Newsletter signup. If you submit your email address to our newsletter, we store the email address and the timestamp. That’s all.
Future account features. When accounts are introduced, we will additionally collect your email address and a hashed password (or a Google account identifier if you use Google sign-in). This policy will be updated before that release.
Future generator features. When AI thumbnail generation is introduced, we will additionally collect the prompts you submit, the images generated from them, and the cost of each generation. This policy will be updated before that release.
3. Why we process this data (legal basis)
To run the Service — request metadata is processed based on our legitimate interest (Article 6(1)(f) GDPR) in operating, securing, and debugging the Service.
To send you the newsletter — your email is processed based on your consent (Article 6(1)(a) GDPR) given at the moment of signup. You can withdraw consent at any time by clicking the unsubscribe link in any email or by contacting us.
To comply with legal obligations — for example, responding to lawful requests from authorities, or to copyright takedown notices (Article 6(1)(c) GDPR).
4. Who we share data with
We share personal data only with the following categories of processors, each acting on our instructions:
- Hosting provider — runs the servers that store the database and serve the Service. Hosted in the European Union.
- Email delivery service — used to send the newsletter once a real email provider is wired in (until then, newsletter signups are stored but no emails are sent).
- YouTube (Google LLC) — your browser loads thumbnail images directly from YouTube’s CDN (i.ytimg.com). YouTube may receive your IP address and user agent as part of those requests, governed by the Google Privacy Policy.
- Future processors — when paid features ship, we will additionally use a payment processor (e.g. Stripe) and an AI generation provider (e.g. OpenAI). This list will be updated at that time.
We do not sell personal data and we do not share it with advertising networks.
5. International transfers
Some of our processors may be based outside the European Economic Area (notably YouTube, and in the future OpenAI and Stripe). Where this is the case, transfers are made under the European Commission’s Standard Contractual Clauses or another lawful transfer mechanism described in Chapter V of the GDPR.
6. How long we keep data
- Newsletter signups — kept until you unsubscribe or ask us to delete the record.
- Server request logs — kept for up to 30 days for security and debugging, then deleted or aggregated.
- Future account data — kept for as long as your account is active, then deleted within 30 days of account closure (longer if we are required by law to keep records, e.g. for invoicing).
7. Cookies and similar technologies
The current version of the Service does not set tracking cookies. We may use a single, technically necessary cookie to remember your UI preferences (such as a closed banner). If we add analytics or session cookies in the future, we will display a cookie banner and ask for consent where required by EU rules.
8. Your rights under GDPR
You have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted (the “right to be forgotten”) where we no longer have a lawful basis to keep it;
- restrict or object to certain processing;
- receive a portable copy of data you provided to us in a machine-readable format;
- withdraw consent at any time, where processing is based on consent;
- lodge a complaint with the Polish data protection authority, Prezes Urzędu Ochrony Danych Osobowych (UODO), at uodo.gov.pl.
To exercise any of these rights, write to trebuhdev@gmail.com. We will respond within 30 days.
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data to us, contact trebuhdev@gmail.com and we will delete it.
10. Security
We apply reasonable technical and organisational measures to protect personal data — encryption in transit (HTTPS), access controls on the database, and password hashing for any account credentials. No system is perfectly secure; if a data breach materially affects you, we will notify you and the supervisory authority as required by Articles 33–34 GDPR.
11. Changes to this policy
We may update this policy as the Service evolves (especially when accounts, payments, or AI generation are added). The “Last updated” date at the top reflects the most recent version. Material changes will be communicated through the Service.
12. Contact
Questions, requests, or complaints about how we handle your data: write to trebuhdev@gmail.com.