Last updated: March 20, 2026
SammaPix (“we”, “us”, or “the Service”) is a browser-based image optimisation platform operated by Luca Sammarco, an individual based in Italy. This Privacy Policy explains what personal data we collect about you, why and on what legal basis we process it, who we share it with, and the rights you hold over it.
We are committed to processing personal data lawfully, fairly, and transparently in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Italian Personal Data Protection Code (Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018), and other applicable data protection laws.
The data controller for all personal data processed in connection with the Service is:
For the vast majority of tools, your images never leave your device.
The following tools process all image data entirely within your web browser using local CPU and browser APIs. No image data is transmitted to SammaPix's servers or to any third party at any point during processing:
AI tools: limited and temporary transmission to Google Gemini
The following tools require a signed-in account and send data to Google's Gemini 2.5 Flash API for AI analysis. In each case, only a reduced-resolution thumbnail (maximum 512 pixels on the longest side) is transmitted, not the full original file:
SammaPix does not retain any copy of the thumbnail or audio file after the API call to Google Gemini completes. The thumbnail or audio exists transiently in server memory solely for the purpose of making the API request and is not logged, cached, or stored.
Google's handling of data submitted to the Gemini API is governed by Google's own privacy policy and the Gemini API Additional Terms of Service. We are not responsible for Google's data handling practices. You should review Google's documentation before using AI tools if you have concerns about the data you are submitting.
The legal basis for transmitting thumbnail data to Google Gemini is the performance of the contract with you (Article 6(1)(b) GDPR) — specifically, the provision of the AI tool features you have requested.
SammaPix offers optional integrations with Google Drive and Dropbox to allow you to import files directly from your cloud storage into the browser for processing.
drive.readonly OAuth scope. SammaPix reads only the files you explicitly select. We do not browse your entire Drive, store your files, or retain your Google access token beyond the active browser session.

Once imported, files are processed locally in your browser in exactly the same way as files you upload directly. No additional data is transmitted as a result of using these integrations (except for AI tools, where the thumbnail-only policy described in Section 2 applies).
A signed-in account is required to use AI tools and to access Pro plan features. When you create an account, we collect and store the following personal data:
Legal basis: Performance of a contract (Article 6(1)(b) GDPR) — specifically, the provision of the Service and the enforcement of plan limits under these Terms of Service.
We do not sell your personal data to any third party. We do not use your email address for marketing communications without your prior explicit consent or a separate legal basis under applicable law.
Authentication is handled by NextAuth.js. You may sign in using Google OAuth, GitHub OAuth, or email (magic link). When you sign in via Google or GitHub, we request only the minimum OAuth scopes necessary for identity verification: your email address and public profile information. We do not request access to your Google Drive, Gmail, GitHub repositories, or any other services beyond what is needed to authenticate your identity.
Session tokens are stored as secure, HTTP-only, same-site cookies and expire after 30 days of inactivity or immediately upon sign-out. These cookies are strictly necessary for authenticated access to the Service and are set on the legal basis of contract performance (Article 6(1)(b) GDPR).
The specific session cookies set by NextAuth are:
- next-auth.session-token — stores your authenticated session. Required for login to function. Expires after 30 days of inactivity or on sign-out.
- next-auth.csrf-token — cross-site request forgery protection token. Session-scoped.
- next-auth.callback-url — stores the redirect URL during the OAuth flow. Session-scoped.

Payment processing for Pro plan subscriptions is handled entirely by Stripe, Inc. When you subscribe to Pro, you provide your payment details directly to Stripe through their hosted payment interface. SammaPix does not receive, process, or store your full card number, CVV, bank account details, or any other raw payment credentials. The only payment-related data we store is your Stripe customer ID and your subscription status (active, cancelled, trialing, etc.), which are necessary to determine your plan entitlements.
Stripe processes your payment data as an independent data processor subject to PCI DSS compliance. Stripe's handling of your payment information is governed by the Stripe Privacy Policy.
Legal basis: Performance of a contract (Article 6(1)(b) GDPR) for processing related to subscription management; compliance with a legal obligation (Article 6(1)(c) GDPR) for retention of payment records required by Italian and EU tax law.
Vercel Analytics (always active, cookieless)
We use Vercel Analytics to collect anonymised, aggregated page view data and Web Vitals metrics (such as page load times). Vercel Analytics is cookieless and does not use fingerprinting or any other technique to identify individual users. No personally identifiable information is transmitted. This service is active for all users without requiring cookie consent and operates on our legitimate interest in maintaining and improving the Service (Article 6(1)(f) GDPR).
Google Analytics 4 (GA4) — behind cookie consent
We use Google Analytics 4 to understand how users interact with the Service. GA4 may collect your IP address (which Google partially anonymises), browser type, device type, geographic region, pages visited, and events such as tool usage. GA4 sets persistent cookies to distinguish users across sessions. GA4 is only activated after you grant cookie consent through our consent banner.
Legal basis: Your consent (Article 6(1)(a) GDPR), which you may withdraw at any time by updating your cookie preferences.
Meta Pixel (Facebook Pixel) — behind cookie consent
We use the Meta Pixel to measure the effectiveness of our advertising campaigns on Meta platforms (Facebook and Instagram). The Pixel may collect your IP address, browser information, the URL of pages you visit, and actions you take on the Service (such as signing up or starting a trial). The Pixel sets persistent cookies in your browser. The Meta Pixel is only activated after you grant cookie consent.
Legal basis: Your consent (Article 6(1)(a) GDPR), which you may withdraw at any time. You may also manage Meta's use of your data through Meta's cookie controls.
Meta Conversions API (server-side)
In addition to the client-side Meta Pixel, we also use Meta's Conversions API to send certain conversion events (such as account registration and subscription purchase) directly from our server to Meta for advertising attribution purposes. This server-side integration transmits:
The Conversions API is activated only when you have granted cookie consent. Your email and IP address are hashed before transmission and Meta receives only the hashed values, not the originals. Despite hashing, this constitutes processing of personal data and is subject to your consent.
Legal basis: Your consent (Article 6(1)(a) GDPR).
Google Ads — behind cookie consent
We use Google Ads conversion tracking (via the Google tag / gtag.js) to measure the effectiveness of our Google advertising campaigns. Google Ads may collect your IP address and set cookies to attribute conversions (such as Pro plan subscriptions) to ad clicks. Google Ads tracking is only activated after you grant cookie consent.
Legal basis: Your consent (Article 6(1)(a) GDPR).
Users on the Free plan may see advertisements served by Google AdSense. Google AdSense uses cookies and similar tracking technologies to display advertisements that may be personalised based on your browsing history, interests, and inferred demographics. AdSense is only activated after you grant cookie consent through our consent banner.
You can manage your ad personalisation preferences at any time through Google Ad Settings or by opting out of personalised advertising via the Digital Advertising Alliance opt-out.
Users on the Pro plan do not see AdSense advertisements.
Legal basis: Your consent (Article 6(1)(a) GDPR).
Email delivery is handled by Resend, Inc., a transactional email service provider. We use Resend to send two categories of email:
Transactional emails
These emails are necessary for the operation of the Service and your account. They include: account verification and magic link sign-in emails, password change notifications, subscription confirmation and payment receipts, subscription cancellation confirmations, and material notices about changes to these Terms or our Privacy Policy. These emails are sent on the legal basis of contract performance (Article 6(1)(b) GDPR) and cannot be unsubscribed from while you have an active account.
Marketing emails
If you have opted in to marketing communications, or where permitted by applicable law (such as the soft opt-in provision for existing customers under the Italian Privacy Code and the ePrivacy Directive), we may send you product updates, new feature announcements, tips, and promotional offers. These emails are sent on the legal basis of your consent or legitimate interest (Article 6(1)(a) or (f) GDPR). You may unsubscribe from marketing emails at any time by clicking the unsubscribe link in any marketing email or by contacting us at luca@sammapix.com. Unsubscribing from marketing emails does not affect your receipt of transactional emails.
Resend processes your email address and email delivery data as a data processor on our behalf. Resend's privacy practices are described in the Resend Privacy Policy.
We use a cookie consent banner to give you control over non-essential cookies. The categories below explain which cookies we set and on what basis.
Strictly Necessary — No consent required
These cookies are essential for the Service to function and cannot be switched off. They are set on the basis of contract performance.
| Cookie name | Purpose | Expiry |
|---|---|---|
| next-auth.session-token | Authenticated session management | 30 days / on sign-out |
| next-auth.csrf-token | CSRF attack prevention | Session |
| next-auth.callback-url | OAuth redirect flow | Session |
| cookie-consent | Stores your cookie consent preference | 1 year |
Preferences — No consent required
These store your display preferences locally and contain no personal data.
| Key (localStorage) | Purpose | Expiry |
|---|---|---|
| theme | Light / dark mode preference | Persistent (localStorage) |
Analytics and Advertising — Consent required
These cookies are only set after you grant consent via our cookie banner. You may withdraw consent at any time.
| Cookie name | Provider | Purpose | Expiry |
|---|---|---|---|
| _fbp | Meta | Identifies browsers for ad attribution; set by Meta Pixel on page load | 90 days |
| _fbc | Meta | Stores the Meta click ID (fbclid) when arriving from a Facebook or Instagram ad | 90 days |
| _gcl_au | Google | Google Ads conversion linker; tracks ad conversion events | 90 days |
| _ga | Google | Google Analytics 4: distinguishes unique users | 2 years |
| _ga_* | Google | Google Analytics 4: session state persistence | 2 years |
| __gads | Google | Google AdSense: ad personalisation and frequency capping (Free plan only) | 13 months |
| __gpi | Google | Google AdSense: ad personalisation (Free plan only) | 13 months |
You may withdraw or change your cookie consent at any time by clicking “Cookie Settings” in the footer of any page. You may also disable cookies through your browser settings, but doing so may impair the functionality of certain features of the Service. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
The following third-party services may process personal data in connection with the Service. All international transfers of personal data outside the EEA are made on the basis of Standard Contractual Clauses (SCCs) adopted under Article 46(2)(c) GDPR, adequacy decisions, or other appropriate safeguards under Chapter V of the GDPR.
| Service | Provider | Purpose | Data processed | Location |
|---|---|---|---|---|
| Gemini 2.5 Flash API | Google LLC | AI image and audio analysis | Image thumbnails, audio files | USA |
| Google OAuth | Google LLC | Sign-in authentication | Email, name, profile picture | USA |
| GitHub OAuth | GitHub, Inc. | Sign-in authentication | Email, username, profile picture | USA |
| Stripe | Stripe, Inc. | Payment processing | Payment card data, billing name, email | USA / EU |
| Vercel | Vercel, Inc. | Hosting, infrastructure, serverless functions, cookieless analytics | IP addresses (transient, in request logs), anonymised page metrics | USA / global edge |
| Meta Pixel | Meta Platforms, Inc. | Ad conversion measurement (consent-gated) | IP address, browser info, page events, cookies (_fbp, _fbc) | USA |
| Meta Conversions API | Meta Platforms, Inc. | Server-side ad attribution (consent-gated) | Hashed email, hashed IP address, event type | USA |
| Google Ads (gtag) | Google LLC | Ad conversion tracking (consent-gated) | IP address, cookies (_gcl_au), conversion events | USA |
| Google Analytics 4 | Google LLC | Behavioural analytics (consent-gated) | Anonymised IP, browser, device, pages, events, cookies (_ga, _ga_*) | USA |
| Google AdSense | Google LLC | Ad serving — Free plan only (consent-gated) | Browser info, interest profiles, cookies (__gads, __gpi) | USA |
| Resend | Resend, Inc. | Transactional and marketing email delivery | Email address, name, email open/click events | USA |
If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with equivalent data protection laws, you have the following rights in relation to your personal data:
To exercise any of these rights, contact us at luca@sammapix.com. We will acknowledge your request within 72 hours and respond substantively within 30 days. Where requests are complex or numerous, we may extend the response period by a further two months, in which case we will notify you within the initial 30-day period.
We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, as permitted by Article 12(5) GDPR.
If you believe we have not adequately addressed your rights, you have the right to lodge a complaint with your competent supervisory authority. In Italy, the supervisory authority is the Garante per la protezione dei dati personali (Italian Data Protection Authority). EU residents may also contact the supervisory authority in their country of habitual residence.
The Service is not directed at or intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have inadvertently collected personal data from a child under 16 without verifiable parental consent, we will take prompt steps to delete that data from our systems.
If you are a parent or legal guardian and you believe your child under 16 has provided personal data to us, please contact us immediately at luca@sammapix.com and we will take appropriate action.
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include HTTPS encryption for all data in transit, HTTP-only and same-site session cookies, server-side rate limiting on API endpoints, input validation and sanitisation, and access controls on systems that process personal data.
However, no method of transmission over the internet or method of electronic storage is completely secure. While we use commercially reasonable efforts to protect your personal data, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33 GDPR) and, where required, will notify affected users without undue delay (Article 34 GDPR).
We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our data practices. When we make material changes — particularly changes that expand the categories of data we collect, change the legal basis for processing, or introduce new third-party processors — we will update the “Last updated” date at the top of this page and, where required by applicable law or where the change materially affects your rights, notify registered users by email or by a prominent notice within the Service at least 14 days before the change takes effect.
Continued use of the Service after the effective date of an updated Privacy Policy constitutes acceptance of the revised policy. If you do not accept material changes to this policy, you must stop using the Service and may request deletion of your account.
For privacy-related questions, requests to exercise your GDPR rights, or any other data protection enquiries, please contact us:
Please include your name, email address associated with your account, and a clear description of your request or concern. We may need to verify your identity before processing certain requests to protect against fraudulent access to your data.
This Privacy Policy is provided for informational purposes and reflects our current data practices as of the date shown above. This document does not constitute legal advice. Consult with a qualified attorney for legal advice specific to your situation.