Final Eyes

Privacy Policy

Last updated: June 2026

Who we are

Final Eyes is operated by Hard Out Ltd, a company registered in England and Wales (company number 17267842). Our registered address is Station House, Station Approach, East Horsley, Surrey, KT24 6QX. When this policy refers to "we", "us", or "our", it means Hard Out Ltd trading as Final Eyes.

Hard Out Ltd is the data controller for personal data processed through Final Eyes. For any questions about how we handle your data, contact us at hello@finaleyes.app.

What data we collect

Account holders (project owners). When you create an account we collect your email address, which is used to authenticate you and send you service communications. When you subscribe to a paid plan, Stripe processes your payment and we receive a billing record containing your email address, Stripe customer ID, and subscription status. We never see or store your card details. We also store usage data including your storage consumption (in bytes) and the metadata of projects you create, including project names, client names, folder names, and configuration such as notification preferences.

Reviewers and collaborators. Reviewers do not create accounts. When someone accesses a review link they enter a display name, which is stored alongside any feedback they leave. If a reviewer is invited by email, their name and email address are stored as part of the invite record, along with the time the invite was sent and first accessed. We also store feedback data: star ratings, written comments (up to 5,000 characters), annotation boxes with position and text, freehand drawings with stroke data and notes, and image approval decisions, each attributed to the reviewer's display name and timestamped.

Access requestors. If someone requests access to a project via the review portal, we store their submitted name, email address, and any optional message they provide, alongside the time of the request.

Uploaded files. Images and videos uploaded to Final Eyes are stored on Cloudflare R2 infrastructure. We store the file itself along with its filename, size, dimensions (where detectable), and the storage path used to retrieve it. Supported file types include common image formats (JPEG, PNG, WebP, HEIC, TIFF, GIF, AVIF, BMP) and video formats (MP4, MOV, AVI, WebM, MKV, MPEG). The maximum file size is 500 MB per file.

How we use your data

We use account data to provide the service, authenticate sessions, manage subscriptions, enforce storage limits, and send service-related emails. We use reviewer feedback data to display it within the project to the account holder and their team. We use billing data to manage your subscription via Stripe.

We send the following categories of email: invite emails to reviewers on your behalf when you use the invite feature; notification emails to you when reviewers leave feedback (approvals, comments, annotations, ratings), either as instant notifications or as scheduled digest summaries depending on your preference; one-time access codes (OTPs) to reviewers as part of identity verification; and transactional emails such as password resets. We do not send marketing email without your explicit consent.

We do not sell, rent, or share your personal data with third parties for their own marketing or commercial purposes.

Legal basis for processing (UK GDPR)

We process account holder data on the basis of contract: it is necessary to provide the service you have signed up for. We process billing data on the same basis. We process reviewer data on the basis of legitimate interests, specifically the interest of the account holder in receiving feedback on their work, and the interest of the reviewer in participating in a review they have been invited to. We process error and diagnostic data on the basis of our legitimate interest in maintaining a secure and functional service.

Third-party services

Supabase: authentication and database. Account credentials, project data, reviewer invites, and all feedback records are stored here. Supabase is hosted on AWS infrastructure in the EU.

Cloudflare R2: file storage. All uploaded images and videos are stored in R2 object storage operated by Cloudflare, Inc. Files are served via Cloudflare's global CDN.

Stripe: payment processing. All billing, subscription management, and card data is handled exclusively by Stripe under their own privacy policy. We do not store card numbers or full payment details.

Resend: transactional email. Invite emails, OTP codes, and notification emails are delivered via Resend. Email addresses used in this context are processed by Resend as a data processor on our behalf.

Vercel: hosting and infrastructure. All requests to Final Eyes are served through Vercel, which processes IP addresses and request metadata as part of normal web infrastructure operation.

Cookies and local storage

We use HTTP cookies solely for authentication: to maintain your logged-in session as an account holder, and to maintain a reviewer's verified session on a review portal. All session cookies are HttpOnly, Secure, and SameSite=Lax. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

We use browser local storage to remember your display preferences (viewer background colour, thumbnail size, filename visibility) and to cache image dimensions for faster rendering. This data is stored only in your browser and is never transmitted to our servers.

Error reporting

Final Eyes automatically captures technical errors that occur during normal use. Error logs may include the URL where the error occurred, your browser user agent, and a technical stack trace. These logs are stored in our database, are only accessible to Final Eyes staff, and are used solely for debugging and improving the service. They are not shared with third parties.

Security

All data is transmitted over HTTPS. Data at rest is encrypted by our infrastructure providers. Both Supabase and Cloudflare R2 apply encryption at rest by default. Authentication is handled by Supabase using industry-standard JWT sessions validated server-side on every request. Database access is enforced at the row level, ensuring queries only return data belonging to the authenticated account. All authentication endpoints are rate-limited to prevent brute-force attacks.

Review links use unique, randomly generated tokens. Uploaded files are stored at unpredictable paths and are not indexed or publicly browsable. Review portals can optionally be protected with a password, and reviewers can be required to verify their identity via a one-time code sent to their email address.

Data retention

We retain your account data and uploaded files for as long as your account is active. Reviewer invite records and feedback data are retained for the lifetime of the associated project. If you close your account or request deletion, we will remove your personal data and associated files within 30 days. To request deletion, email hello@finaleyes.app.

Your rights

Under UK GDPR you have the right to access, correct, or erase the personal data we hold about you. You also have the right to restrict or object to certain processing, and to receive a copy of your data in a portable format. To exercise any of these rights, contact us at hello@finaleyes.app. We will respond within one calendar month.

You have the right to lodge a complaint with the Information Commissioner's Office if you believe we have not handled your data lawfully. More information is available at ico.org.uk.

Changes to this policy

We may update this policy from time to time. We will notify account holders of material changes by email. The date at the top of this page reflects when the policy was last revised.

© finaleyes.app t/a Hard Out Ltd.