Legal

AI provider policy

Effective 2026-05-12.

What this is

Pictage uses AI to suggest keepers, generate galleries, draft blog posts, and write social captions. This page documents how customer photo data is handled when it crosses a third-party AI provider boundary, and the guarantees we enforce in code.

Zero-retention guarantee

Every AI provider Pictage uses is invoked under zero-retention terms. That means:

The provider does not store our requests after the response is returned.
The provider does not use our requests to train a model, fine-tune, or improve service quality.
Telemetry on our requests is opt-out and disabled by default.

For Anthropic (our default LLM): we send the anthropic-data-storage-policy: no_retention header on every request, and our test suite pins that header so a regression cannot ship. For image providers (Replicate, Black Forest Labs) we use the dedicated enterprise endpoints that disable retention.

What gets sent

AI calls only send the minimum needed for the task. For culling, that is a downscaled thumbnail (max 1024px on the long edge) plus EXIF capture time. The full-resolution original never leaves our infrastructure.

For text generation (blog, captions), we send EXIF metadata + workspace brand voice + the user's draft, not the photos themselves.

Provider abstraction

Pictage routes all AI calls through a provider abstraction in lib/ai/providers/. This means we can swap providers without rewriting product code, and we can run an AI workflow against a mock provider in test + local dev so customer data never touches a real third-party in the wrong environment.

The default in dev + CI is the mock provider. Production flips to a real provider only when both PICTAGE_AI_PROVIDER and the explicit policy acknowledgement env PICTAGE_ANTHROPIC_POLICY_ACK are set. Until both are set, AI workflows return mock responses.

Audit log

Every AI call is logged to ai_usage with the workspace id, the user who triggered it, the provider, the model, the input + output token count, the cost in USD, and the timestamp. You can see your AI spend on your account settings page; we use the same log internally for provider unit-economics tracking.

Customer photo data outside AI

Originals are stored on Cloudflare R2 with signed URLs only. No public bucket access. Derivatives (thumb / web / hero JPEGs) are generated server-side via sharp and stored alongside the originals. Signed URLs have a 1-hour TTL.

Changes

We update this page whenever we change provider, model, or policy. The git history of this file is the canonical changelog.

Questions

Email apache3corp@gmail.com for anything not covered here.