Privacy Policy
Last updated: 23 May 2026
1. Who we are
Culllab is operated by Horváth Media s.r.o., a company registered in the Slovak Republic.
- Registered office: S. H. Vajanského 5351/9
- Company registration number (IČO): 55255477
- VAT / DIČ: SK2121912551
- Contact: hello@culllab.com
For the purposes of the EU General Data Protection Regulation (GDPR), Horváth Media s.r.o. is the data controller for personal data processed through the Culllab service. We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR; privacy enquiries are handled at the address above.
2. Scope
This policy applies to culllab.com and the Culllab web application (the “Service”). It does not apply to third-party websites you may reach via links from the Service.
3. Data we collect
We only collect the personal data we need to provide and improve the Service.
Account data (account holders)
- Email address (used as your sign-in identifier and for transactional emails).
- Full name (provided during sign-up or returned by Google when you sign in with Google).
- Your Google account identifier (the “sub” claim) if you choose to sign in with Google.
Service data (account holders)
- Photos and other files you upload to your galleries.
- Gallery metadata (titles, descriptions, settings, sharing links).
- Comments, selections, and proofing activity created by you or your invited viewers.
Data about invited gallery viewers
When you (an account holder) share a gallery with your client, that client’s browser interacts with Culllab and our CDN. We process the following about invited viewers:
- IP address, browser, and device information (needed to deliver gallery content and to prevent abuse).
- Viewing and selection activity within the gallery (so we can share those selections back to the photographer who invited them).
- Any comments or other content they voluntarily submit while reviewing the gallery.
For invited viewers, the photographer or other account holder who shared the gallery is the data controller for the gallery’s contents and for any communication with their client; Culllab acts as their processor for that data. Culllab remains the controller for the technical data we collect to operate and secure the Service.
Technical data (everyone using the Service)
- IP address, browser type and version, device type, and operating system.
- Request logs (URL, timestamp, status code) needed to operate and secure the Service.
- Error and crash reports when the application encounters a problem.
Analytics
- Product-usage events (e.g., pages viewed, features used) collected via PostHog. If you accept the “Analytics” cookie category, these are collected with cookies and, while you are signed in, linked to your account so we can understand how features are used.
- If you decline the “Analytics” category, we still collect anonymous, cookieless usage statistics (such as visitor and page-view counts and basic interaction events). These use no cookies or other browser storage and identify visitors only through a server-side hash that rotates daily, so they cannot be traced back to you.
- Independently of your cookie choice, our servers also record anonymous, aggregated counts of how often a shared gallery is opened. These counts use no cookies or browser storage; visitors are distinguished only by a hash of network and request information that rotates daily and is never stored in raw form, so the counts cannot be traced back to you.
4. Legal basis for processing
Under Article 6 GDPR we rely on:
- Performance of a contract (Art. 6(1)(b)) — to create and maintain your account, store your galleries, and deliver them to your invited viewers.
- Legitimate interest (Art. 6(1)(f)) — to keep the Service secure, prevent abuse, capture error reports, and improve product quality. You can object to processing based on legitimate interest at any time by contacting us.
- Consent (Art. 6(1)(a)) — for analytics cookies and for any optional features that require it; you may withdraw consent at any time without affecting prior lawful processing. Anonymous, cookieless usage statistics collected when you decline this consent are not based on consent: they involve no access to your device and are processed in anonymous form (and, to the extent any data is personal, under our legitimate interest in Art. 6(1)(f) to improve the Service).
- Legal obligation (Art. 6(1)(c)) — where we must retain data to comply with applicable law (e.g., invoices for paid plans).
5. Third-party processors
We use the following processors to operate the Service. Each is bound by a data-processing agreement that meets the requirements of Article 28 GDPR.
| Processor | Purpose | Location |
|---|---|---|
| Google (Identity Services) | Sign-in via Google | EU / US (SCCs) |
| Lettermint | Transactional email (sign-in codes, notifications) | EU |
| Bunny Storage | Photo and file storage | EU |
| Bunny CDN | Delivery of photos to invited viewers (processes viewer IPs at edge nodes for delivery and abuse prevention) | Global edge, EU origin |
| Sentry | Error and crash reporting | EU (Germany) |
| PostHog | Product analytics (consent-gated) | EU |
We do not sell your personal data and we do not share it with third parties for their own marketing purposes.
We may add or change processors over time. Material changes will be reflected on this page; where the change affects the legal basis or location of processing, we will notify account holders by email.
6. International transfers
Most processing takes place within the European Union. Where a processor (notably Google) may transfer personal data outside the EU, the transfer is governed by Standard Contractual Clauses approved by the European Commission and the supplementary safeguards required by GDPR.
7. How we protect your data
We apply technical and organisational measures appropriate to the risks of the processing, in line with Article 32 GDPR. These include:
- TLS encryption for all data transmitted between your browser, our servers, and our processors.
- Passwords (where set) hashed with bcrypt before storage; one-time codes hashed before storage; we never store plaintext credentials.
- Short-lived JWT access tokens with rotating refresh tokens stored in HttpOnly cookies.
- Principle of least privilege for staff access to production systems; access scoped, logged, and reviewed.
- Encrypted backups, with restricted access.
- Regular dependency updates and monitoring for known vulnerabilities.
- Rate limiting and abuse-prevention controls on authentication endpoints.
No system is perfectly secure, and we cannot guarantee absolute security. You play a part by keeping your sign-in credentials confidential and notifying us promptly of any suspected unauthorised access.
8. Data breach notification
In the event of a personal-data breach, we will notify the Slovak supervisory authority (Úrad na ochranu osobných údajov SR) within 72 hours of becoming aware of it, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay (Article 34 GDPR), describing what happened, what data was affected, what we are doing about it, and how you can protect yourself.
9. Retention
- Account and service data: kept while your account is active and for up to 30 days after deletion, for backup recovery.
- Request and error logs: up to 90 days.
- Analytics events: up to 12 months.
- Account inactivity: if your account has been inactive for 24 months, we will email you and, if you do not respond within 30 days, delete the account and its associated content.
- Records we are required by law to keep (e.g., invoices and accounting records for paid plans) are retained for the statutory period.
10. Automated decision-making
We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
11. Marketing communications
We will not send you marketing emails unless you have opted in. Transactional emails that you receive as part of using the Service (such as sign-in codes, gallery notifications, and important service announcements) are sent under the contract you have with us and do not require separate consent. You can withdraw consent to marketing emails at any time via the unsubscribe link in any marketing message, or by emailing hello@culllab.com.
12. Your rights
If you are in the EU/EEA you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased (the “right to be forgotten”);
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw any consent you have given, without affecting prior lawful processing;
- lodge a complaint with the Slovak supervisory authority — Úrad na ochranu osobných údajov SR (dataprotection.gov.sk) — or with the supervisory authority in your country of residence.
To exercise any of these rights, email hello@culllab.com. We will respond within the time limits set by GDPR (typically within one month, extendable by a further two months for complex requests).
13. Cookies and similar technologies
Culllab uses cookies and similar browser storage in two categories:
- Necessary — always active. Includes the cookie that stores your consent choices, the refresh-token cookie that keeps you signed in, and your browser’s localStorage entry that stores your short-lived access token. Sentry may set a short-lived cookie when an error is reported so we can correlate the report with the affected session; we treat this as necessary for the security and reliability of the Service.
- Analytics — cookie-based analytics are off by default and activated only if you accept this category in the cookie banner. We use PostHog to collect product-usage events that help us understand which features are useful and where users get stuck. If you decline or later withdraw consent, no analytics cookies are used and any previously set PostHog cookies are cleared from your browser; PostHog then switches to cookieless mode, collecting only anonymous, aggregated usage statistics (visitor and page-view counts and basic interaction events) via a daily-rotating server-side hash that uses no browser storage and does not identify you.
You can change your cookie choices at any time via the “Cookie preferences” link in the footer of culllab.com, or by clearing the cookieConsent cookie from your browser.
14. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
15. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email to the address on your account at least 30 days before they take effect, and the “Last updated” date at the top of this page will be revised. Non-material changes (e.g., clarifying wording, fixing typos) may be made without notice.
16. Contact
Questions about this policy or your personal data? Email hello@culllab.com.
See also our Terms of Service.