Privacy Policy

Last updated: January 21, 2025

1. Introduction

img-src ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our image hosting and CDN service at img-src.io (the "Service").

This policy is designed to comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Korea's Personal Information Protection Act (PIPA).

By using the Service, you consent to the collection and processing of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

Account Information

When you create an account through our authentication provider (Clerk), we collect:

  • Email address
  • Username
  • Profile picture (if provided via OAuth)
  • OAuth provider identifiers (Google, GitHub, etc.)

Passkey Credentials (WebAuthn)

If you choose to register a passkey for passwordless authentication, we collect and store:

  • Credential ID (a unique public identifier for your passkey)
  • Public key (used to verify your identity during login)
  • Authenticator type (AAGUID - identifies the type of authenticator used)
  • Signature counter (for detecting cloned credentials)
  • Device name (user-provided label, e.g., "MacBook Touch ID")
  • Registration and last-used timestamps

Important: Your private key and biometric data (fingerprint, face scan, etc.) never leave your device and are never transmitted to or stored on our servers. Passkeys use public key cryptography where only the public key is shared with us.

Content Data

When you upload images, we collect and process:

  • Image files and their metadata (EXIF data, dimensions, format)
  • SHA256 hash of image content (for deduplication and integrity)
  • File names and folder organization
  • Timestamps (upload, modification, access)

Usage Data

We automatically collect information about your use of the Service:

  • API requests and response codes
  • CDN request logs (URLs, transformations, cache status)
  • Storage and bandwidth consumption
  • Rate limiting data
  • Error logs and performance metrics

Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Device type and identifiers
  • Referring URLs
  • Geographic location (country/region level from IP)

3. How We Use Your Information

We use collected information for the following purposes:

  • Service Delivery: To provide, maintain, and improve the Service
  • Image Processing: To upload, transform, cache, and deliver images via our CDN
  • Account Management: To manage your account and provide customer support
  • Usage Monitoring: To enforce rate limits and monitor resource consumption
  • Security: To detect, prevent, and respond to fraud, abuse, and security threats
  • Legal Compliance: To comply with legal obligations and respond to lawful requests
  • Communication: To send service-related notifications, security alerts, and updates
  • Analytics: To analyze usage patterns and improve user experience

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:

  • Contract Performance: Processing necessary to provide the Service you requested (account creation, image hosting, API access)
  • Legitimate Interests: Processing for security, fraud prevention, service improvement, and analytics, where our interests do not override your fundamental rights
  • Legal Obligation: Processing required to comply with applicable laws (e.g., reporting illegal content, responding to legal process)
  • Consent: Where you have given explicit consent for specific processing activities (e.g., marketing communications)

5. Data Sharing and Third-Party Services

We share your information with the following categories of third-party service providers:

Infrastructure Provider: Cloudflare

  • Services: CDN, edge caching, DDoS protection, R2 storage, D1 database, Workers compute
  • Data processed: Images, metadata, request logs, IP addresses
  • Privacy Policy: cloudflare.com/privacypolicy

Authentication Provider: Clerk

  • Services: User authentication, OAuth integration, session management
  • Data processed: Email, username, OAuth tokens, session data
  • Privacy Policy: clerk.com/privacy

Payment Processor: Lemon Squeezy

  • Services: Payment processing, subscription billing, tax collection (as Merchant of Record)
  • Data processed: Email, billing information, payment method, transaction history
  • Privacy Policy: lemonsqueezy.com/privacy

Law Enforcement Cooperation

We may disclose your information without prior notice when:

  • Required by law, legal process, or government request
  • We detect illegal content (CSAM, terrorism) - mandatory reporting applies
  • Necessary to protect our rights, safety, or property
  • We detect security threats (hacking, DDoS attacks)
  • There is an emergency involving imminent threat to life

6. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence, including the United States. Our infrastructure uses a global network with data centers in multiple countries.

For EEA/UK Users: When we transfer personal data outside the EEA/UK, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Other lawful transfer mechanisms under GDPR

For Korean Users: By using the Service, you consent to the transfer of your personal information to servers located outside Korea, including the United States. This transfer is necessary to provide the Service and is conducted with appropriate safeguards.

CDN Edge Caching: Images may be cached at edge locations worldwide to optimize delivery performance. This caching is temporary and necessary for Service operation.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service:

  • Account Data: Retained until you delete your account
  • Images: Retained until manually deleted by you
  • Usage Logs: Retained for up to 90 days for analytics and security
  • CDN Cache: Images cached at edge locations for up to 365 days for performance

Extended Retention: We retain certain data longer when required:

  • Violation Records: Account data, IP addresses, and evidence related to Terms violations retained for a minimum of 2 years
  • Security Incidents: Logs of DDoS attacks, hacking attempts, and abuse patterns retained for a minimum of 2 years
  • Legal Hold: Data subject to legal proceedings retained until resolution

Upon account deletion, we will permanently delete your personal data immediately, except where retention is required by law or as described above.

8. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal data:

GDPR Rights (EEA/UK Users)

  • Access: Request a copy of personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data ("Right to be Forgotten")
  • Portability: Request a portable copy of your data in machine-readable format
  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Lodge Complaint: File a complaint with your local data protection authority

PIPA Rights (Korean Users)

  • Request access to your personal information
  • Request correction of errors in your personal information
  • Request deletion of your personal information
  • Request suspension of processing of your personal information
  • Request notification of international transfer of personal information

To exercise these rights, contact us at [email protected]. We will respond within 30 days (or as required by applicable law). We may verify your identity before processing requests.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

  • Identifiers: Email address, username, IP address, account ID
  • Commercial Information: Subscription status, transaction history
  • Internet Activity: Browsing history on our Service, API usage, CDN requests
  • Geolocation: Country/region derived from IP address

Your California Rights

  • Right to Know: Request disclosure of personal information collected, used, and shared
  • Right to Delete: Request deletion of personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We only share data with service providers as described in Section 5.

To exercise your California privacy rights, contact us at [email protected] or submit a request through your account settings.

10. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

Essential Cookies (Always Active)

These cookies are required for the website to function properly and cannot be disabled.

  • Clerk Session: Maintains user authentication state
  • Local Storage: Stores UI preferences like view mode and sort settings
  • Sentry Error Tracking: Captures errors and exceptions to maintain service stability

Analytics Cookies (Optional)

These cookies help us understand how visitors interact with our website. You can choose to enable or disable these cookies through our cookie preferences.

  • Sentry Replay: Records user sessions to help diagnose issues and improve user experience. Session recordings may include clicks, scrolls, and page navigation.

Managing Your Preferences

When you first visit our website, you will see a cookie consent banner. You can choose to accept all cookies, reject optional cookies, or customize your preferences. You can change your cookie preferences at any time by clearing your browser's local storage and revisiting the site.

We do not use:

  • Third-party advertising cookies
  • Cross-site tracking cookies
  • Social media tracking pixels

11. Children's Privacy

The Service is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children under these age limits.

If you believe we have collected information from a child, please contact us immediately at [email protected]. We will promptly delete such information.

12. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in Transit: All data transmitted via TLS/HTTPS
  • Encryption at Rest: Images and data encrypted in storage
  • Authentication: JWT-based authentication with JWKS signature verification, and optional passkey (WebAuthn) support for phishing-resistant passwordless login
  • Access Control: Role-based access controls and principle of least privilege
  • Rate Limiting: Protection against abuse and DDoS attacks
  • Audit Logging: Comprehensive logging of access and changes
  • Infrastructure Security: Enterprise-grade security via Cloudflare

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes:

  • We will update the "Last updated" date at the top
  • For material changes, we will notify you via email or prominent notice
  • We will provide at least 30 days' notice before changes take effect

Your continued use after changes become effective constitutes acceptance of the updated policy.

14. Contact Information

If you have questions about this Privacy Policy or our data practices:

Data Protection Inquiries: For GDPR, CCPA, or PIPA-related requests, please email [email protected] with "Privacy Request" in the subject line.

EU Representative: For EU residents, you may also contact your local data protection authority if you have concerns about our data processing practices.
