Privacy Policy
Last updated: 27 May 2026 · Version 2.0
1. Who we are (the data controller)
Squeezekit at squeezekit.com is operated by I.T.FURTHER ENTERPRISE (SSM Registration No. 201703271255 / JM0818262-D), registered in Johor, Malaysia. For all data-protection enquiries, including requests under the EU GDPR, UK GDPR, Malaysian PDPA, or California CCPA, use the contact form on this site.
2. The data we collect, why, and on what legal basis
We collect only what we need to operate the Service. The table below sets out each category, the purpose, and the lawful basis under the EU GDPR (Article 6).
| Category | Purpose | Lawful basis (GDPR) |
|---|---|---|
| Uploaded images (JPG, PNG, WebP, AVIF) | Compress / convert the file you submitted | Art 6(1)(b) — contract performance |
| Account info (email, name, hashed password) | Create + maintain your account, send service emails | Art 6(1)(b) — contract performance |
| Usage counters (jobs run, bytes processed) | Enforce plan limits, detect abuse | Art 6(1)(b) + 6(1)(f) — legitimate interest |
| Server logs (IP, request path, timestamp) | Security monitoring, debug, rate-limiting | Art 6(1)(f) — legitimate interest |
| Payment data (card last 4, billing country) | Process Pro/Ultra payments via Stripe | Art 6(1)(b) — contract performance |
| Contact-form messages | Reply to your question / complaint | Art 6(1)(b) / 6(1)(a) — consent |
| API keys (Ultra tier only) | Authenticate Chrome extension and API requests | Art 6(1)(b) — contract performance |
| Essential cookies (session ID) | Keep you logged in | Art 6(1)(b) — contract performance |
3. What we DO NOT do
- We never use your images to train AI / machine learning models, ours or anyone else's.
- We never sell, rent, or share your images, your email, or any other personal data with marketers or data brokers.
- We do not run third-party advertising on the Service.
- We do not set marketing or cross-site tracking cookies. See our Cookies Policy for the complete list.
- We do not read, view, or analyse your images beyond what the compression engine needs.
4. Retention — how long we keep things
- Browser-side compression: small files compressed entirely in your browser via WebAssembly. They never reach our servers.
- Server-side compression: input and output files are deleted from our servers within 24 hours of processing.
- Account & subscription records: kept until you delete your account, then permanently removed.
- Server access logs: rolled off after 30 days.
- Billing records / invoices: retained for 7 years as required by Malaysian and most overseas tax law.
5. Where the data lives + international transfers
Our application servers are hosted in Singapore. Stripe processes payments in their global infrastructure (mainly EU/US). Cloudflare proxies our HTTP traffic via its global edge network. When data of EU/UK residents is transferred outside the EU/UK, we rely on Stripe's and Cloudflare's Standard Contractual Clauses (SCCs) as the legal mechanism.
6. Subprocessors
- Contabo GmbH — virtual server hosting (Singapore region).
- Cloudflare, Inc. — DNS, CDN, TLS termination, DDoS protection.
- Stripe, Inc. — payment processing for Pro / Ultra plans.
- Google Fonts — Inter typeface delivered from Google's CDN.
7. Your rights
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct anything inaccurate.
- Erasure — delete your account directly from your Account page; we will also cancel any active subscription.
- Restriction — ask us to stop processing pending a dispute.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time, where processing relies on consent.
- Lodge a complaint — with your local data protection authority (e.g. UK ICO, Malaysian PDPC, an EU supervisory authority).
To exercise any of these rights, use the contact form. We respond within 30 days.
8. California residents — CCPA notice
If you reside in California, the California Consumer Privacy Act gives you the right to know what personal information we collect, to delete it, and to opt-out of "sales" of personal information. We do not sell personal information, full stop. To exercise CCPA rights use the contact form with subject "CCPA request".
9. Children's privacy
The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us personal data without parental consent, please contact us and we will delete it.
10. Security
We use industry-standard safeguards: TLS 1.2+ for all transport, bcrypt for passwords, Stripe Checkout (no card data on our servers), least-privilege server access, automatic file deletion. No system is 100 % secure; we cannot guarantee absolute protection against unauthorised access. If we ever experience a data breach affecting your personal data we will notify you within 72 hours, in line with GDPR Article 33-34.
11. Automated decision-making
We do not subject you to automated decisions that produce legal or similarly significant effects without human review.
12. Cookies & similar technologies
See our standalone Cookies Policy. We use one essential session cookie and no marketing cookies.
13. Changes to this policy
If we update this policy, we will change the "Last updated" date at the top. Material changes will be notified via the dashboard or by email at least 14 days in advance.
14. Contact
For any privacy-related question, request, or complaint, use the contact form. We acknowledge receipt within 3 business days and reply substantively within 30 days.