VestigeForensics

Privacy & data handling

Your images. Scored in memory. Never stored.

People check the photos they trust least — disputed evidence, suspected scams, private conversations. So the pipeline is built so that trusting us requires believing our architecture, not our goodwill: we cannot leak, sell, or train on what we never store.

The short version

Three commitments, no asterisks

Scored in memory, never stored

Your image exists on our server for the seconds scoring takes, in memory only. It is never written to disk, never cached, never logged, never added to a training set. The service runs on a read-only filesystem — there is nowhere for it to land.

Chain of custody you can verify

Your browser computes the SHA-256 of the exact bytes before upload. The report states the hash the server scored — and the client refuses any report whose hash differs. What was analyzed is provably what you sent.

Nothing to delete

The report is returned to your browser and kept nowhere else. Deleting it is a local action — there is no server-side copy to purge, no backup for it to linger in, no retention schedule to trust.

The pipeline

What actually happens to your image

Most privacy pages describe policies. This one describes the request path — because the strongest privacy property we have is architectural: there is no storage step.

  1. 01

    local hash

    Before anything is uploaded, your browser computes the SHA-256 of the exact bytes. This is the fingerprint the whole analysis is anchored to.

  2. 02

    transit

    The image travels over TLS to the analysis service. No third-party analytics or storage service ever sees it.

  3. 03

    analysis

    The service decodes the image in memory, scores it with the pinned detector stack, and builds the report. Plaintext pixels exist only for those seconds, only in memory.

  4. 04

    report

    The report — hashes, scores, verdict, limits — is returned in the response. The server keeps no copy; the image buffer is discarded.

  5. 05

    after

    What remains on our side is a size-capped operational log line: timestamp, client IP, the image's SHA-256, and the verdict. Never the image, never the filename, never the report.

Data at rest

What we keep, and for how long

Data minimization isn't a slogan here — the analysis needs your pixels for seconds, so that's how long they exist.

DataRetentionNotes
Image (pixels)Never storedIn server memory for the seconds scoring takes
Forensic reportNot kept server-sideReturned in the response; exists only where you save it
AccountYour browser onlyThe sign-up form writes to your browser's local storage; no account database exists
Abuse-control logSize-capped rolling logTimestamp, client IP, image SHA-256, verdict — no image data, no filenames

We never train on your images. Not for detectors, not for calibration, not “anonymized”. Improving our models uses licensed and public benchmark data only — your uploads are evidence, not fuel. And since uploads are never stored, this is a property of the architecture, not a promise about our restraint.

Deletion

Delete means: it was never kept

Most services make deletion a request you file and a schedule you trust. Here the image is gone the moment scoring finishes, and the report lives only where you keep it.

Image

Discarded from memory when the analysis response is sent. There is no stored copy to delete and no backup for it to survive in.

Report

Returned to your browser and kept nowhere else. Clearing it from your browser removes the last copy in existence — the DELETE endpoint acknowledges for API symmetry, but there is nothing on our side for it to remove.

Verify it

Ask us for the report you generated yesterday. We cannot produce it — that's the point, and it's testable.

Posture

Security practices

Transport encryption

TLS in transit, end to end. Hashes (SHA-256) identify images without exposing content — they appear in reports and abuse logs; pixels never do.

No account database

The sign-up form stores your details in your own browser. There is no server-side account store, no password database, and therefore no credential breach to have.

Minimal, hardened service

The analysis service accepts images, returns reports, and does nothing else: read-only filesystem, no storage backend, size caps and per-IP rate limits, pinned detector checkpoints with hashes on record.

Questions & disclosures

Methodology, calibration references, and security questions: privacy@vestigeforensics.com. Report vulnerabilities to security@vestigeforensics.com.

Try it on an image you'd never email anyone

That's the standard the pipeline is built for. First analysis free — scored in memory, never stored, verified against the hash your own browser computed.