Privacy Policy

Last Updated: April 2026

1. Introduction & Data Controller

RemoveMD ("we", "our", "us") operates the metadata removal service at www.removemd.com and a companion Chrome extension.

The data controller within the meaning of the GDPR is:

  • Jules ESNAULT โ€” Sole trader (auto-entrepreneur)
  • SIRET: 100 640 192 00017 โ€” Paris, France
  • Contact: contact@removemd.com

This policy explains what personal data we process, on what legal basis, for how long, and your rights under GDPR, UK GDPR and CCPA.

2. Data We Process & Legal Basis

2.1 Files you upload

Files are processed in memory or on a temporary filesystem strictly to strip metadata, then immediately discarded. We do not open, index, analyse or store the content.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

2.2 Anonymous account

To use paid features we generate a random 10-character identifier. No email, name or personal details are required. We store this identifier, your credit balance, subscription status and a Stripe customer reference.

Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

2.3 Payment data

Payments are handled entirely by Stripe. We never see or store your card number. We only receive the transaction identifier, country (for tax), amount and subscription status.

Legal basis: performance of a contract (Art. 6(1)(b)) and legal obligation for accounting (Art. 6(1)(c)).

2.4 Technical logs

Our server temporarily logs IP address, user agent, URL and timestamps for security and debugging.

Legal basis: legitimate interest in securing the service (Art. 6(1)(f)).

2.5 Analytics & cookies

We use Google Analytics with IP anonymisation. No analytics or marketing cookies are set before you give explicit consent through our banner.

Legal basis: your consent (Art. 6(1)(a) GDPR). You can withdraw at any time via the "Cookies" link in the footer.

3. Retention Periods

  • Uploaded files: deleted immediately after processing.
  • Anonymous account: kept while active. Deleted within 30 days of your request.
  • Billing records: 10 years, as required by French tax law.
  • Technical logs: 30 days rolling, then automatically purged.
  • Analytics: aggregated data retained up to 14 months in Google Analytics.

4. Chrome Extension

Our Chrome extension processes files locally in your browser or forwards them to our API using the same anonymous identifier as the website. It does not read your browsing history, tabs or any unrelated data.

Extension-specific disclosures: /privacy-extension.

5. Recipients & Sub-Processors

  • Hostinger (hosting, EU) โ€” server infrastructure.
  • Stripe Payments Europe Ltd (Ireland) โ€” payment processing.
  • Google Ireland Ltd โ€” analytics, only if you consent.

Transfers outside the EEA rely on the European Commission's Standard Contractual Clauses.

6. Security

  • All traffic served over HTTPS with modern TLS.
  • Strict Content Security Policy, CSRF protection, rate limiting and security headers.
  • Files never touch long-term storage โ€” memory released immediately after processing.
  • Secrets stored in environment variables, never in the codebase.

7. Your GDPR Rights

Under GDPR and the UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data ("right to be forgotten") โ€” also available from your dashboard.
  • Restrict or object to processing.
  • Portability โ€” receive your data in a structured, machine-readable format.
  • Withdraw consent at any time for cookies and analytics.
  • Lodge a complaint with a supervisory authority (France: CNIL).

To exercise any right: contact@removemd.com. We respond within 30 days.

8. California Residents (CCPA / CPRA)

If you are a California resident, you have the right to know what personal information we collect, to request its deletion, to correct inaccuracies and to opt out of any "sale" or "sharing" of personal information.

We do not sell or share personal information within the meaning of the CCPA/CPRA.

To submit a verifiable consumer request, email contact@removemd.com with "CCPA request" in the subject line.

9. Children

The Service is not directed at children under 15 (EU) or under 13 (US). We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, contact us and we will delete it.

10. Changes

We may update this Privacy Policy to reflect changes in the Service or the law. The "Last Updated" date at the top always reflects the current version. Material changes will be announced on the homepage.