— Privacy & data handling
Your images. Scored in memory. Never stored.
People check the photos they trust least — disputed evidence, suspected scams, private conversations. So the pipeline is built so that trusting us requires believing our architecture, not our goodwill: we cannot leak, sell, or train on what we never store.
— The short version
Three commitments, no asterisks
Scored in memory, never stored
Your image exists on our server for the seconds scoring takes, in memory only. It is never written to disk, never cached, never logged, never added to a training set. The service runs on a read-only filesystem — there is nowhere for it to land.
Chain of custody you can verify
Your browser computes the SHA-256 of the exact bytes before upload. The report states the hash the server scored — and the client refuses any report whose hash differs. What was analyzed is provably what you sent.
Nothing to delete
The report is returned to your browser and kept nowhere else. Deleting it is a local action — there is no server-side copy to purge, no backup for it to linger in, no retention schedule to trust.
— The pipeline
What actually happens to your image
Most privacy pages describe policies. This one describes the request path — because the strongest privacy property we have is architectural: there is no storage step.
- 01
local hash
Before anything is uploaded, your browser computes the SHA-256 of the exact bytes. This is the fingerprint the whole analysis is anchored to.
- 02
transit
The image travels over TLS to the analysis service. No third-party analytics or storage service ever sees it.
- 03
analysis
The service decodes the image in memory, scores it with the pinned detector stack, and builds the report. Plaintext pixels exist only for those seconds, only in memory.
- 04
report
The report — hashes, scores, verdict, limits — is returned in the response. The server keeps no copy; the image buffer is discarded.
- 05
after
What remains on our side is a size-capped operational log line: timestamp, client IP, the image's SHA-256, and the verdict. Never the image, never the filename, never the report.
— Data at rest
What we keep, and for how long
Data minimization isn't a slogan here — the analysis needs your pixels for seconds, so that's how long they exist.
| Data | Retention | Notes |
|---|---|---|
| Image (pixels) | Never stored | In server memory for the seconds scoring takes |
| Forensic report | Not kept server-side | Returned in the response; exists only where you save it |
| Account | Your browser only | The sign-up form writes to your browser's local storage; no account database exists |
| Abuse-control log | Size-capped rolling log | Timestamp, client IP, image SHA-256, verdict — no image data, no filenames |
We never train on your images. Not for detectors, not for calibration, not “anonymized”. Improving our models uses licensed and public benchmark data only — your uploads are evidence, not fuel. And since uploads are never stored, this is a property of the architecture, not a promise about our restraint.
— Deletion
Delete means: it was never kept
Most services make deletion a request you file and a schedule you trust. Here the image is gone the moment scoring finishes, and the report lives only where you keep it.
Discarded from memory when the analysis response is sent. There is no stored copy to delete and no backup for it to survive in.
Returned to your browser and kept nowhere else. Clearing it from your browser removes the last copy in existence — the DELETE endpoint acknowledges for API symmetry, but there is nothing on our side for it to remove.
Ask us for the report you generated yesterday. We cannot produce it — that's the point, and it's testable.
— Posture
Security practices
Transport encryption
TLS in transit, end to end. Hashes (SHA-256) identify images without exposing content — they appear in reports and abuse logs; pixels never do.
No account database
The sign-up form stores your details in your own browser. There is no server-side account store, no password database, and therefore no credential breach to have.
Minimal, hardened service
The analysis service accepts images, returns reports, and does nothing else: read-only filesystem, no storage backend, size caps and per-IP rate limits, pinned detector checkpoints with hashes on record.
Questions & disclosures
Methodology, calibration references, and security questions: privacy@vestigeforensics.com. Report vulnerabilities to security@vestigeforensics.com.
Try it on an image you'd never email anyone
That's the standard the pipeline is built for. First analysis free — scored in memory, never stored, verified against the hash your own browser computed.