← Back to SwiftCull

Privacy Policy

Last updated: March 27, 2026

1. Who We Are

SwiftCull is developed and published by Shadeholt, based in France (European Union). We build desktop software for photographers. Our licensing infrastructure (KeySeal) is operated by Shadeholt at license.swiftcull.app.

Data controller: Shadeholt
Contact: privacy@shadeholt.com

2. What Data We Collect

2.1 Information you provide

• Email address — provided when you activate a trial or purchase a license. Used to deliver your license key and for account management.

2.2 Information collected automatically

• Machine fingerprint (hashed hardware identifier) — a one-way hash derived from your hardware configuration. This is used solely to enforce the per-device license limit (maximum 2 machines). We cannot reverse this hash to identify your hardware.

2.3 Payment information

All payments are processed by Paddle (Paddle.com Market Limited), which acts as our Merchant of Record. Paddle collects your payment details (credit card, PayPal, etc.) directly. We never see, store, or have access to your payment card numbers. Paddle handles VAT calculation, billing, invoicing, and refunds on our behalf.

See Paddle's privacy policy: paddle.com/legal/privacy

3. What We Do NOT Collect

SwiftCull is designed with privacy at its core:

• Your photos never leave your machine. All image processing, AI scoring, culling, and export happen 100% locally on your computer.
• No telemetry by default. We do not collect usage statistics, feature analytics, or behavioral data. Crash reporting is available as an opt-in feature only.
• Optional anonymous crash reports. On first launch, SwiftCull asks if you would like to send anonymous crash reports to help improve the software. If you accept, only the error type and anonymized stack trace are sent (via Sentry). All file paths are scrubbed before sending — no photo names, no personal directories, no user data. You can change this setting at any time in Preferences > General.
• No tracking. The desktop application does not contain any advertising tracker or third-party analytics tool.
• No cloud processing. AI face detection, blur detection, and quality scoring run entirely on your CPU/GPU. Nothing is sent to any server.

4. Why We Collect Data (Legal Basis)

Data	Purpose	Legal Basis (GDPR)
Email address	License activation, trial management, license key delivery, support	Performance of contract (Art. 6(1)(b))
Machine fingerprint hash	Enforce per-device license limit (2 machines max)	Legitimate interest (Art. 6(1)(f))
Payment data (via Paddle)	Process purchase, VAT compliance, invoicing	Performance of contract (Art. 6(1)(b))
Anonymous crash data (opt-in)	Improve software stability	Consent (Art. 6(1)(a))

5. Third-Party Services

We use a minimal set of third-party services:

5.1 Paddle (Merchant of Record)

Paddle processes all payments on our behalf. When you purchase a license, Paddle collects your billing information, processes the payment, handles VAT, and issues invoices. Paddle is based in the UK with operations in the EU.

Privacy policy: paddle.com/legal/privacy

5.2 Cloudflare (Website hosting and security)

Our website is hosted on Cloudflare Pages. Cloudflare may process IP addresses and basic request metadata for security and performance purposes (DDoS protection, CDN). We also use Cloudflare Turnstile for bot protection on the license activation form.

Privacy policy: cloudflare.com/privacypolicy

5.3 KeySeal (Licensing server)

KeySeal is our licensing infrastructure, operated by Shadeholt (same company) at license.swiftcull.app. It stores your email address and machine fingerprint hashes for license management. It runs on Cloudflare Workers.

5.4 Sentry (Crash reporting — opt-in only)

If you choose to enable anonymous crash reporting, error data is sent to Sentry (hosted in the EU, Frankfurt). Only the error type and anonymized stack trace are transmitted. All file paths are scrubbed locally before sending — no photo names, directory names, or personal data are included. Sentry does not receive your IP address (we use send_default_pii=False). You can disable this at any time in Preferences > General.

Privacy policy: sentry.io/privacy

5.5 Google Fonts

Our website loads typefaces (Montserrat, Roboto Slab) from Google Fonts. This causes your browser to make requests to Google's servers, which may log your IP address.

Privacy policy: policies.google.com/privacy

6. Cookies and Similar Technologies

Our website uses a minimal set of cookies and browser storage:

Cookie / Technology	Provider	Purpose	Duration
Cloudflare Turnstile	Cloudflare	Bot protection on license activation form	Session
Paddle checkout	Paddle	Payment processing, fraud prevention	Session / as set by Paddle
Cloudflare (__cf_bm)	Cloudflare	Bot management, security	30 minutes

We do not use any analytics cookies, advertising trackers, or social media pixels on our website.

7. Data Retention

• License data (email, machine fingerprint hashes) is retained for as long as your license is active.
• After license expiry or cancellation, we retain data for up to 12 months for support and legal compliance purposes, then delete it.
• On request, we will delete your data promptly (see Section 8).
• Payment records are retained by Paddle according to their data retention policy and applicable tax law (typically 7-10 years for invoices).

8. Your Rights (GDPR Articles 15-22)

As an EU/EEA resident, you have the following rights under the General Data Protection Regulation:

• Right of access (Art. 15) — Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16) — Ask us to correct inaccurate data.
• Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten").
• Right to restriction (Art. 18) — Request that we limit how we use your data.
• Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
• Right to object (Art. 21) — Object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@shadeholt.com. We will respond within 30 days.

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with a supervisory authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertes).

9. International Data Transfers

Your data is primarily processed within the European Union (Cloudflare's EU data centers). Some third-party services (Google Fonts, Paddle, Cloudflare) may transfer data to servers outside the EU/EEA. These transfers are covered by Standard Contractual Clauses (SCCs) or adequacy decisions as required by the GDPR.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Machine fingerprints are stored as irreversible hashes (cannot be reversed to identify hardware).
• All communications with our licensing server use HTTPS/TLS encryption.
• License keys are cryptographically signed using Ed25519.
• Access to infrastructure is restricted and authenticated.

11. Children's Privacy

SwiftCull is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@shadeholt.com and we will delete it promptly.

12. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For significant changes, we may also notify you via email if we have your contact details.

13. Contact Us

For any questions about this privacy policy or your personal data:

Email: privacy@shadeholt.com
Company: Shadeholt
Location: France, European Union