Legal
AI provider policy
Effective 2026-06-16.
What this is
Pictage uses AI to suggest keepers, generate galleries, draft blog posts, and write social captions. This page documents how customer photo data is handled when it crosses a third-party AI provider boundary, and the guarantees we enforce in code.
Vendor data handling and retention
When an AI feature is enabled, Pictage sends the minimum input needed for the task to a third-party AI vendor. We do not operate these vendors under zero-data-retention (ZDR) terms. Under their standard commercial terms, a vendor may retain the inputs we send for up to 30 days for abuse monitoring, safety, and security, then delete them. The controls we do enforce:
- No use of your content to train AI models. We do not opt into training and we send no-training settings where the vendor exposes them.
- Data minimization: downscaled images and metadata only, never full-resolution originals (see “What gets sent”).
- Up to 30-day vendor-side retention for trust and safety, after which the vendor deletes the inputs.
- Consent first: AI features run only after you accept the AI processing agreement, which explicitly covers this 30-day vendor retention.
For Anthropic, Pictage still sends the anthropic-data-storage-policy: no_retention header on every real request. That header further limits retention only on Anthropic tiers that honor it; on standard tiers the up-to-30-day retention described above applies.
Real AI providers are off by default. Customer-photo workflows run against a mock or local path until an owner explicitly enables a provider for the account. We do not silently switch a workflow to a real vendor.
What gets sent
AI calls only send the minimum needed for the task. For culling, that is a downscaled thumbnail (max 1024px on the long edge) plus EXIF capture time. The full-resolution original never leaves our infrastructure.
For text generation (blog, captions), we send EXIF metadata + workspace brand voice + the user's draft, not the photos themselves.
Provider abstraction
Pictage routes all AI calls through a provider abstraction in lib/ai/providers/. This means we can swap providers without rewriting product code, and we can run an AI workflow against a mock provider in test + local dev so customer data never touches a real third party in the wrong environment.
The default in dev + CI is the mock provider. Production flips to a real provider only when both the provider selector and the explicit owner-authorization environment variable for that provider are set. Until both are set, gated AI workflows return mock or unavailable responses rather than sending customer photos to a vendor.
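A sketch of how a two-key, fail-closed gate like the one described above can be written, combined with the 1024px thumbnail limit from "What gets sent". This is an added example, not Pictage's code: the environment variable names AI_PROVIDER and AI_OWNER_AUTHORIZED_<PROVIDER>, the function names, and the sample inputs are all hypothetical.

```javascript
// Added example, not Pictage's code. Env var names are hypothetical.
const REAL_PROVIDERS = new Set(["anthropic"]); // only vendor the page names
const MAX_LONG_EDGE = 1024; // thumbnail limit stated under "What gets sent"

// Fail closed: every path that is not fully authorized resolves to "mock".
function resolveProvider(env) {
  const selected = String(env.AI_PROVIDER || "mock").trim().toLowerCase();
  if (selected === "mock") return { provider: "mock", reason: "selector unset or mock" };
  if (!REAL_PROVIDERS.has(selected)) {
    return { provider: "mock", reason: `unknown provider: ${selected}` };
  }
  // Authorization is per provider, so approving one vendor never enables another.
  const authVar = `AI_OWNER_AUTHORIZED_${selected.toUpperCase()}`;
  // Strict match: "1", "yes" or "TRUE" do not count as owner authorization.
  if (env[authVar] !== "true") {
    return { provider: "mock", reason: `${authVar} is not "true"` };
  }
  return { provider: selected, reason: "selector and owner authorization set" };
}

// Gated culling call. sendToVendor is a stand-in for the real provider client.
function cullPhoto(env, image, sendToVendor) {
  const { provider, reason } = resolveProvider(env);
  if (provider === "mock") {
    return { provider, sent: false, result: { keeper: null, mock: true }, reason };
  }
  // Data minimization check: refuse anything larger than the downscaled thumbnail.
  if (Math.max(image.width, image.height) > MAX_LONG_EDGE) {
    return { provider, sent: false, result: "unavailable", reason: "not downscaled" };
  }
  // Only the thumbnail bytes and EXIF capture time cross the vendor boundary.
  const payload = { thumbnail: image.bytes, captureTime: image.captureTime };
  return { provider, sent: true, result: sendToVendor(provider, payload), reason };
}

// Constructed sample inputs.
const thumb = { width: 1024, height: 683, bytes: "<jpeg>", captureTime: "2026-01-01T10:00:00Z" };
const original = { ...thumb, width: 6000, height: 4000 };
const vendorCalls = [];
const fakeVendor = (p, payload) => { vendorCalls.push({ p, payload }); return { keeper: true }; };

console.log(cullPhoto({}, thumb, fakeVendor).reason);
console.log(cullPhoto({ AI_PROVIDER: "anthropic" }, thumb, fakeVendor).reason);
```

Both sample calls resolve to the mock path because neither environment carries both keys, so the stand-in vendor client is never invoked.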
Audit log
Every AI call is logged to ai_usage with the workspace id, the user who triggered it, the provider, the model, the input + output token count, the cost in USD, and the timestamp. You can see your AI spend on your account settings page; we use the same log internally for provider unit-economics tracking.
Customer photo data outside AI
Originals are stored on Cloudflare R2 with signed URLs only. No public bucket access. Derivatives (thumb / web / hero JPEGs) are generated server-side via sharp and stored alongside the originals. Signed URLs have a 1-hour TTL.
Changes
We update this page whenever we change provider, model, or policy. The git history of this file is the canonical changelog.
Questions
Email support@pictage.ai for anything not covered here.