Privacy Policy

This policy explains what personal data Storeshots processes, why, and the rights you have under the EU General Data Protection Regulation (GDPR) and Turkey's Personal Data Protection Law (KVKK, Law No. 6698). The short version: Storeshots runs in your browser, we do not operate user accounts, and we do not collect your screenshots or your API keys on any server we control.

Who is the data controller?

The official Storeshots site at storeshots.org is operated by Eralp Ozcan. You can reach the author through the GitHub repository.

If you are using a self-hosted copy of Storeshots, the operator of that instance is the controller for their deployment, and this policy may not apply — check the privacy page on that site.

What data we process

Because Storeshots is a client-side application, the following is the exhaustive list of data that leaves your browser:

Data	When	Who receives it	Why
HTTP request metadata (IP, user agent, referer)	Every page load	Netlify + Cloudflare	Serving the page, security, rate limiting, DDoS protection
Your uploaded screenshots, your prompts, your API key	When you click "Generate"	Your chosen AI provider (Anthropic or OpenRouter) — directly from your browser	Generating headlines and extracting colors. Storeshots servers never see this data.

What data we do NOT process

We do not collect names, email addresses, phone numbers, or other identifiers — there is no account system.

We do not upload your screenshots to our servers.

We do not store your AI provider API keys. They live only in your browser's sessionStorage and are wiped when you close the tab.

We do not sell, rent, or share any data with advertisers or data brokers.

We do not use third-party tracking pixels, heatmap tools, or session replay.

Cookies and browser storage

See the dedicated Cookie Policy for a full breakdown. In summary: only strictly necessary, first-party storage is used by default. Analytics and marketing categories are opt-in and currently unused.

Hosting and transmission

The official site is served by Netlify (United States) fronted by Cloudflare. Connection logs typically include your IP address and request time and are retained according to each provider's own policies:

Netlify Privacy Notice Cloudflare Privacy Policy

All traffic is encrypted with TLS (HTTPS). We do not operate an application database, so there is no user data at rest on our side.

Legal basis for processing

GDPR Art. 6(1)(f)

Legitimate interest

Serving the site and basic security logging.

GDPR Art. 6(1)(a)

Consent

Any optional analytics or marketing storage — off by default.

GDPR Art. 6(1)(b)

Contract / pre-contract

The request you initiate to Anthropic or OpenRouter when you click Generate. You decide when to send it.

Your rights

Under the GDPR and KVKK, you have the right to:

Be informed about what we process (this page).

Access any personal data we hold about you — we hold none in an identifiable form.

Request rectification, erasure, or restriction of processing.

Object to processing based on legitimate interest.

Data portability.

Withdraw consent at any time.

You may also lodge a complaint with your supervisory authority — for Turkey, the Kişisel Verileri Koruma Kurumu (KVKK); for the EU, your national data protection authority.

Children

Storeshots is not directed at children under 16. We do not knowingly process data from children. If you believe a child has used the service, contact us and we will help you remove any local data on your device.

International transfers

The hosting and AI providers listed above are based in the United States. When you use Storeshots, data you send (including images you upload and prompts) is transferred to those providers under their own standard contractual clauses and privacy frameworks.

Changes to this policy

We will announce material changes by updating the "Last updated" date above and, where consent is affected, re-prompting for consent via the cookie banner.