Photodove

Privacy Policy

Last updated: 17 July 2026

PhotoDove is built so that we can't see your photos, not merely that we promise not to. This page explains what that means in plain language. It's an expression of how the product works, not a liability shield.

Who runs PhotoDove

PhotoDove is operated by We Remagine One AB (Swedish company registration 559316-0228), Karlstad, Sweden. For anything covered by data-protection law, we are the data controller. Contact: we@remagine.one.

No accounts, no profiles

There is no sign-up. No email, no phone number, no name, no contacts access. Your app has an anonymous installation identifier used only to enforce limits and measure aggregate health; it resets if you reinstall and is never tied to who you are.

Your photos — end-to-end encrypted

When you send photos, they are encrypted on your phone before they leave it. The decryption key travels inside the QR code or link you hand to the recipient — it never reaches our servers. What we relay through the cloud is encrypted data we have no ability to read, scan, or open. The recipient's app decrypts on their phone.

The encrypted files live in EU cloud storage for at most one hour, and are deleted the moment the transfer completes — usually within minutes. Deletion is real removal, not hiding or flagging. If a send is never received, it is still erased within the hour, unconditionally. The sender can also delete it sooner.

Location and photo metadata

PhotoDove never requests your location and never adds or removes metadata. Because your photos are delivered byte-for-byte, any EXIF or GPS data inside them is preserved exactly — you are sending your own photo to someone you chose, and it arrives unchanged. Since everything is encrypted end-to-end, we cannot read that metadata either.

What we can and can't see

We cannot see your photos, their contents, filenames, or the name you give a transfer (that name is encrypted too). To move the files and enforce limits, our servers do handle a small amount of non-content information: the number and byte-size of files, whether each is a photo or video, timestamps, and the anonymous installation identifier of the sender. None of this is the content of your photos.

What survives a completed transfer

Once a transfer is deleted, we keep only anonymous, aggregate statistics — counts such as how many transfers happened and how many bytes moved, with no identifiers, no names, and no content. These cannot be traced back to you or to a specific transfer.

Abuse reports

Because the service is encrypted, we cannot proactively scan content. If someone reports a specific link as abusive, we freeze and delete that transfer and, for reported transfers only, retain minimal non-content information (sizes, timestamps, the sender's anonymous identifier, and the originating IP address) for a short period to respond to the report and, where legally required, to law enforcement.

Children

PhotoDove is not directed at children and keeps no accounts or profiles of anyone.

Your rights

Under the GDPR you have rights of access, rectification, and erasure. Because we hold no account and no content — and delete transfers within the hour — there is in practice almost nothing to request. For any question, contact we@remagine.one. You may also complain to the Swedish Authority for Privacy Protection (IMY).

Where and with whom

Processing happens in the EU. Our sub-processors are our cloud infrastructure providers (Cloudflare R2 for encrypted file relay, Supabase for anonymous coordination), used on EU regions. They only ever handle encrypted data and non-content coordination information.

Changes

If this policy changes, we'll update the date above. Material changes will be reflected in the app.