PhotoDove is built so that we can't see your photos, not merely that we promise not to. This page explains what that means in plain language. It's an expression of how the product works, not a liability shield.
PhotoDove is operated by We Remagine One AB (Swedish company registration 559316-0228), Karlstad, Sweden. For anything covered by data-protection law, we are the data controller. Contact: we@remagine.one.
There is no sign-up. No email, no phone number, no name, no contacts access. Your app has an anonymous installation identifier used only to enforce limits and measure aggregate health; it resets if you reinstall and is never tied to who you are.
When you send photos, they are encrypted on your phone before they leave it. The decryption key travels inside the QR code or link you hand to the recipient — it never reaches our servers. What we relay through the cloud is encrypted data we have no ability to read, scan, or open. The recipient's app decrypts on their phone.
The encrypted files live in EU cloud storage for at most one hour, and are deleted the moment the transfer completes — usually within minutes. Deletion is real removal, not hiding or flagging. If a send is never received, it is still erased within the hour, unconditionally. The sender can also delete it sooner.
PhotoDove never requests your location and never adds or removes metadata. Because your photos are delivered byte-for-byte, any EXIF or GPS data inside them is preserved exactly — you are sending your own photo to someone you chose, and it arrives unchanged. Since everything is encrypted end-to-end, we cannot read that metadata either.
We cannot see your photos, their contents, filenames, or the name you give a transfer (that name is encrypted too). To move the files and enforce limits, our servers do handle a small amount of non-content information: the number and byte-size of files, whether each is a photo or video, timestamps, and the anonymous installation identifier of the sender. None of this is the content of your photos.
Once a transfer is deleted, we keep only anonymous, aggregate statistics — counts such as how many transfers happened and how many bytes moved, with no identifiers, no names, and no content. These cannot be traced back to you or to a specific transfer.
Because the service is encrypted, we cannot proactively scan content. If someone reports a specific link as abusive, we freeze and delete that transfer and, for reported transfers only, retain minimal non-content information (sizes, timestamps, the sender's anonymous identifier, and the originating IP address) for a short period to respond to the report and, where legally required, to law enforcement.
PhotoDove is not directed at children and keeps no accounts or profiles of anyone.
Under the GDPR you have rights of access, rectification, and erasure. Because we hold no account and no content — and delete transfers within the hour — there is in practice almost nothing to request. For any question, contact we@remagine.one. You may also complain to the Swedish Authority for Privacy Protection (IMY).
Processing happens in the EU. Our sub-processors are our cloud infrastructure providers (Cloudflare R2 for encrypted file relay, Supabase for anonymous coordination), used on EU regions. They only ever handle encrypted data and non-content coordination information.
If this policy changes, we'll update the date above. Material changes will be reflected in the app.