Privacy PolicyPrivacy Policy

Vortyk ("we", "us", "our") operates the Vortyk platform at app.vortyk.com and the website at vortyk.com.

This Privacy Policy describes how we collect, use, store, and share your personal information when you use our services.

By accessing or using Vortyk, you acknowledge that you have read and understood this Privacy Policy.

If you do not agree, you must discontinue use of the services.

Account Information

Name, email address, company name, and password (hashed with bcrypt).

Billing Information

Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. Vortyk does not collect, store, or have access to your full credit card number. We receive only the last four digits of your card, card brand, and billing status from Stripe for record-keeping purposes.

Photos and Media

Photos you upload including JPEG, PNG, HEIC, and WebP files up to 20 MB each. We generate thumbnail and medium-size derivatives for display performance.

GPS and Geolocation Data

When you upload photos, we extract GPS coordinates and camera bearing data from the EXIF metadata embedded in each image by your device. This data originates entirely from your device's GPS hardware and operating system. Vortyk does not independently generate, calculate, or verify geolocation coordinates. GPS accuracy depends on your device hardware, satellite availability, atmospheric conditions, building obstructions, and signal interference, all of which are beyond Vortyk's control.

Photo Metadata (EXIF Data)

We extract and display metadata embedded in your photos by your device or camera, including capture date and time (from your device clock), GPS coordinates, camera bearing and orientation, image dimensions, and device model. This metadata is generated by your device before upload and is not modified by Vortyk.

Usage and Analytics Data

Pages visited, features used, session duration, and interaction patterns collected through Vercel Analytics and Google Analytics.

Device and Browser Information

IP address, browser type and version, operating system, screen resolution, and referring URLs.

Vortyk classifies GPS coordinates as sensitive personal information in accordance with the California Consumer Privacy Rights Act (CPRA) and other applicable state privacy laws.

GPS coordinates extracted from your photos originate from your device's GPS hardware and operating system. Vortyk reads this data from photo EXIF metadata but does not generate, calculate, modify, or independently verify it.

Typical smartphone GPS accuracy ranges from 5 to 30 meters in open sky conditions and may exceed 50 meters indoors, in dense urban areas, or in areas with limited satellite visibility. Accuracy is affected by device hardware capabilities, satellite constellation geometry, atmospheric interference, building and tree obstructions, multipath signal errors, and network connectivity. All of these factors are outside Vortyk's control.

Vortyk makes no representation or warranty regarding the accuracy, precision, reliability, or completeness of any GPS coordinates or geolocation data. You are solely responsible for verifying the accuracy of geolocation data before relying on it for any professional, regulatory, legal, insurance, or compliance purpose.

You may disable GPS collection by turning off location services on your device before capturing photos. You may request deletion of geolocation data associated with your account by contacting privacy@vortyk.com.

EXIF metadata is embedded in your photos by your device or camera at the time of capture, before the photos are uploaded to Vortyk.

Vortyk extracts and displays this metadata to provide features such as photo organization, map views, and report generation.

Vortyk does not modify, alter, validate, or verify EXIF metadata. The accuracy of timestamps, GPS coordinates, camera settings, and other metadata fields depends entirely on your device hardware and settings.

Certain EXIF data fields, including timestamps and location, can be modified through your device settings before or during photo capture. Vortyk has no way to detect or prevent such modifications.

When photos are shared through third-party services (email, messaging apps, social media), metadata may be stripped, compressed, or corrupted. Vortyk is not responsible for metadata integrity outside of the Vortyk platform.

If you intend to use photo metadata for compliance, legal, insurance, or regulatory purposes, you must independently verify the accuracy of all metadata through supplementary documentation, professional inspection, or other independent means.

We use the information we collect for the following purposes:

• To provide, maintain, and improve the Vortyk platform and its features
• To process your subscription payments and manage your billing account through Stripe
• To display your photos on interactive maps using extracted GPS coordinates
• To generate PDF photo log reports containing your photos, captions, and metadata
• To facilitate client sharing through password-protected project links
• To send you service-related communications (billing confirmations, security alerts, product updates)
• To analyze usage patterns and improve platform performance and user experience
• To detect, prevent, and address fraud, abuse, and security incidents
• To comply with legal obligations and respond to lawful requests from authorities

We share information with the following categories of service providers who assist us in operating the platform:

Stripe (Payment Processing)

Receives your billing information to process subscription payments. Stripe is PCI DSS Level 1 certified. Vortyk does not have access to your full payment card details. Stripe's privacy policy governs their use of your data.

Vercel (Hosting and Infrastructure)

Hosts the Vortyk platform and may process your IP address, request headers, and usage data for performance optimization and security.

Google Analytics (Usage Analytics)

Receives anonymized usage data including pages visited, session duration, and interaction patterns. Google Analytics does not receive your photos, GPS data, or account information.

Cloud Storage Provider (Photo Storage)

Stores your uploaded photos and generated reports in encrypted storage. Access is controlled through signed URLs with one-hour time-to-live expiration.

We do not sell your personal information to any third party. We do not share your photos, GPS data, or project content with third parties except as described above or as required by law.

When you create a client sharing link for a project, the recipient can view photos, metadata (including GPS coordinates and timestamps), and download reports associated with that project.

You control what is shared. Vortyk provides the sharing mechanism, but you are solely responsible for determining what content is appropriate to share and with whom.

Client sharing links are protected by passwords you set and expire on dates you choose. You can revoke sharing links at any time.

Vortyk is not responsible for how recipients use, store, forward, or distribute information accessed through client sharing links. Once data is viewed or downloaded by a recipient, it is outside Vortyk's control.

If you share project data containing GPS coordinates, timestamps, or other metadata with clients or third parties, those recipients should understand that metadata originates from the photographer's device and should be independently verified before being used for any business, legal, or compliance purpose.

Essential Cookies

Required for the platform to function. These include session cookies for authentication and security tokens. You cannot opt out of essential cookies while using the service.

Analytics Cookies

Used by Vercel Analytics and Google Analytics to understand how visitors interact with our website. These cookies collect anonymized data about page views, session duration, and navigation patterns.

Functional Cookies

Store your preferences such as theme selection and display settings to improve your experience.

Managing Cookies

You can manage or disable cookies through your browser settings. Disabling essential cookies may prevent you from using the platform. Most browsers allow you to block third-party cookies while permitting essential cookies. For more information, consult your browser's help documentation.

We do not use cookies for advertising, retargeting, or cross-site tracking purposes.

Account Data

We retain your account information for as long as your account is active. If you delete your account, we will delete your personal information within 30 days, except where retention is required by law.

Photos and Project Data

Your photos, surveys, projects, and reports are retained for as long as your account is active. When you delete specific photos or projects, they are permanently removed from our systems within 30 days. When you delete your account, all associated photos and project data are permanently deleted within 30 days.

Billing Records

We retain billing and transaction records for up to 7 years as required by applicable tax and financial regulations.

Usage Analytics

Aggregated, anonymized analytics data that cannot identify individual users may be retained indefinitely for product improvement purposes.

Backup Retention

Data may persist in encrypted backups for up to 90 days following deletion before being permanently purged.

Depending on your state of residence, you may have the following rights under applicable privacy laws including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and comprehensive privacy laws in Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Delaware, Iowa, Tennessee, Indiana, Kentucky, and other states:

Right to Know

You can request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes of collection, and the third parties with whom we share it.

Right to Delete

You can request that we delete the personal information we have collected from you, subject to certain exceptions (completing transactions, detecting fraud, complying with legal obligations, internal analytics).

Right to Correct

You can request that we correct inaccurate personal information we maintain about you.

Right to Opt-Out of Sale or Sharing

You can opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. Note: Vortyk does not sell your personal information or share it for behavioral advertising purposes.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not charge you different prices, provide different quality of service, or deny you service for exercising your rights.

Right to Limit Use of Sensitive Personal Information

Under CPRA, you can direct us to limit the use of your sensitive personal information (including precise geolocation data) to purposes necessary to provide the services you requested.

To exercise any of these rights, contact us at privacy@vortyk.com. We will respond to your request within 45 days. If we need additional time, we will notify you and may extend the response period by an additional 45 days.

Vortyk does not sell your personal information to third parties as defined under the CCPA/CPRA.

Vortyk does not share your personal information with third parties for cross-context behavioral advertising purposes.

Under the CCPA, "sale" means disclosing personal information to a third party for monetary or other valuable consideration. "Sharing" means disclosing personal information for cross-context behavioral advertising. Vortyk does neither.

We honor Global Privacy Control (GPC) signals as a valid opt-out request where required by applicable law.

If our data practices change in the future, we will update this policy and provide appropriate notice and consent mechanisms before engaging in any sale or sharing of personal information.

Email privacy@vortyk.com with your request. Please include your full name, email address associated with your Vortyk account, and a description of your request.

We will verify your identity before processing your request. Verification may require you to confirm information associated with your account.

We will acknowledge your request within 10 business days and provide a substantive response within 45 days. If we need additional time, we will notify you of the extension and the reason.

You may designate an authorized agent to make requests on your behalf. Authorized agents must provide written authorization from you and verify their own identity.

There is no fee for submitting privacy requests. If requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or decline the request, with explanation.

Vortyk is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16.

If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided personal information to Vortyk, please contact us at privacy@vortyk.com so we can take appropriate action.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features.

When we make material changes, we will notify you by email (sent to the address associated with your account) and by posting a prominent notice on the platform at least 30 days before the changes take effect.

Your continued use of Vortyk after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.