Privacy policy

BGbust ("we", "us") operates bgbust.com, a web-based AI background-removal tool. This policy explains what data we collect, why, how long we keep it, and the choices you have. We aim for plain language. If anything is unclear, email privacy@bgbust.com.

What we collect

Account data: email address and a salted bcrypt password hash (we never store the password itself). Billing data: customer ID, subscription ID, plan, and last four digits of the card — all managed by Stripe (we do not store card numbers). Usage data: timestamps and counts of background removals per account (no image contents). Technical data: IP address, browser user-agent, locale, and request timestamps for security and rate limiting.

What we deliberately don't collect

We do not store the images you process. The Free tier runs entirely in your browser — images never leave your device. Paid-tier images are streamed to our processing partner (Photoroom), receive the cutout, and are then discarded by both us and Photoroom within seconds. We do not run face recognition, content classification, or any ML on your images beyond the requested background removal.

Third parties we share data with

Stripe (payments, subscriptions, billing portal — strictly the data needed to process your purchase). Photoroom (cloud background removal for paid tiers — receives the input image and returns the cutout). Hetzner (server hosting in Germany). Cloudflare (DDoS protection, edge CDN). Google Analytics and Meta Pixel (only if you opt in via the cookie banner). Each partner is bound by a Data Processing Agreement.

Cookies & tracking

Essential cookies (session, security) are always on. Analytics and marketing cookies are off by default and only activate after explicit consent via our cookie banner. You can change your preferences any time at /cookies. We honor Global Privacy Control (GPC) signals.

How long we keep data

Account data: as long as your account exists, plus 30 days after deletion request for backups to expire. Billing records: 7 years (legal accounting requirement). Usage logs: 90 days, then aggregated. Security logs (rate-limit, login attempts): 30 days. Email support correspondence: 2 years.

Your rights (GDPR, CCPA)

Access: request a copy of all data we hold about you. Rectification: correct inaccurate data. Erasure: delete your account and all associated data (we honor this within 30 days). Portability: receive your data in JSON. Restriction: pause processing of your data. Objection: opt out of analytics, marketing, or any specific use. Withdraw consent: at any time, at no cost. To exercise any right, email privacy@bgbust.com from the address on file.

International transfers

Our servers are in Germany (EU). Stripe processes payments globally — for EU customers, Stripe uses Standard Contractual Clauses (SCCs) when transferring data outside the EU. Photoroom is incorporated in France (EU). Cloudflare and Google operate under SCCs and the EU-US Data Privacy Framework.

Children

BGbust is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has created an account, email privacy@bgbust.com and we will delete it.

Data security

All traffic is encrypted in transit (TLS 1.2+). Passwords are bcrypt-hashed with cost factor 12. Session tokens are httpOnly cookies with SameSite=Lax. Sensitive credentials (API keys) are AES-256-GCM encrypted at rest. We perform regular security audits and run a private bug bounty.

Changes to this policy

We will notify registered users by email at least 30 days before any material change takes effect. The current version is always at https://bgbust.com/privacy. Continued use of the service after a change means you accept the updated terms.

Contact

Privacy inquiries: privacy@bgbust.com. Data Protection Officer (for EU GDPR matters): same address — a human reviews and responds within 2 business days. Postal: BGbust, c/o Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (forwarding only).