Privacy Policy

Last Updated: March 2026

1. Introduction

Bombajom Photos ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App").

By using Bombajom Photos, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our App.

2. Information We Collect

2.1 Photos and Videos

We do not collect, store, or process your photos or videos. Your photos and videos are transferred directly from your device to your Network Attached Storage (NAS) device. We never see, analyze, or have access to your media files.

  • Photos and videos remain on your device until successfully transferred to your NAS
  • All transfers occur over your local network or encrypted connections
  • We do not maintain copies of your photos or videos on any of our servers

2.2 NAS Credentials

To connect to your NAS, the App requires your NAS username and password. This information is stored securely on your device:

  • iOS: Stored in the Secure Enclave/Keychain, protected by Face ID, Touch ID, or device passcode
  • Android: Stored in Android Keystore with hardware-backed encryption (when available)
  • Credentials are encrypted at rest and never transmitted to our servers
  • We never have access to your NAS credentials

2.3 Device Information

We may collect limited device information for app functionality and error reporting:

  • Device model and operating system version
  • App version number
  • Device identifiers (anonymized where possible)
  • Network connectivity information

2.4 Error and Crash Reports

When the App encounters errors or crashes, we may collect diagnostic information through third-party services (see Section 5) to help us fix issues:

  • Error messages and stack traces
  • App state at time of error
  • Device information (model, OS version)
  • No personal data or photo content is included in error reports

2.5 Usage Data

We may collect anonymized usage statistics to improve the App:

  • App feature usage (which features are used, not what content)
  • Sync success/failure rates (anonymized)
  • Performance metrics (sync speed, connection times)

3. How We Use Your Information

We use the information we collect for the following purposes:

  • App Functionality: To enable photo backup to your NAS, manage sync queues, and provide core features
  • Error Resolution: To identify and fix bugs, crashes, and technical issues
  • App Improvement: To understand how the App is used and improve user experience
  • Security: To protect against fraud, abuse, and security threats
  • Legal Compliance: To comply with applicable laws and regulations

We do not:

  • Access, view, or analyze your photos or videos
  • Share your data with third parties for advertising or marketing
  • Sell your personal information
  • Use your photos for machine learning or AI training

4. Data Storage and Location

4.1 Your Photos and Videos

Your photos and videos are stored exclusively on your NAS device. We do not maintain any servers that store your media files. All data remains under your control on your local network.

4.2 App Data

The following data is stored locally on your device:

  • NAS connection credentials (encrypted in device keychain/keystore)
  • Sync queue and status information
  • App settings and preferences
  • Local database of synced assets (metadata only, not photo content)

This data remains on your device and is not transmitted to our servers, except for anonymized error reports (see Section 5).

5. Third-Party Services

5.1 Sentry (Error Monitoring)

We use Sentry (sentry.io) to monitor app crashes and errors. Sentry may collect:

  • Error messages and stack traces
  • Device information (model, OS version, app version)
  • App state at time of error

No personal data or photo content is sent to Sentry. For more information, see Sentry's Privacy Policy: https://sentry.io/privacy/

5.2 Stripe (Payment Processing)

We use Stripe (stripe.com) to process subscription payments made through our website. Stripe may collect:

  • Payment card details (processed directly by Stripe, never stored by us)
  • Billing address
  • Transaction history

We never store or have access to your full payment card details. For more information, see Stripe's Privacy Policy: https://stripe.com/privacy

5.3 App Stores

When you download the App from the Apple App Store or Google Play Store, those platforms may collect information according to their respective privacy policies. We do not control this data collection.

5.4 Google ML Kit (On-Device Only)

The App uses Google ML Kit for on-device image labeling. This processing occurs entirely on your device:

  • No images or image data are sent to Google servers
  • The ML model is bundled with the App (~3 MB)
  • Generated labels are stored locally in the App's encrypted database

5.5 Subprocessor List

The following table lists all third-party services that may process personal data on our behalf. We maintain Data Processing Agreements (DPAs) with processors that handle personal data subject to GDPR.

| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Sentry (Functional Software, Inc.) | Error monitoring | Error logs, device info, app state (no PII) | United States |
| Stripe, Inc. | Payment processing | Payment details, billing address, transaction history | United States |
| Apple Inc. (App Store) | App distribution, in-app purchases | Purchase history, device identifiers | United States |
| Google LLC (Play Store) | App distribution, in-app purchases | Purchase history, device identifiers | United States |
| Plausible Insights OÜ (Analytics) | Privacy-friendly website analytics | Page views, referrers (no cookies, no PII) | European Union |

This list was last updated in March 2026. We will update this list when we add or remove subprocessors and notify users of material changes.

6. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • Encryption: NAS credentials are encrypted using device hardware security (Secure Enclave, Android Keystore)
  • Secure Connections: All data transfers use encrypted protocols (SMB3, HTTPS/WebDAV)
  • Local Processing: All photo processing occurs on your device, not on remote servers
  • No Cloud Storage: We do not maintain cloud servers that could be compromised
  • Minimal Data Collection: We only collect the minimum information necessary for app functionality

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or United Kingdom, you have certain data protection rights under the General Data Protection Regulation (GDPR):

7.1 Right to Access

You have the right to request copies of your personal data. You can export your app data (including settings, sync queue, and metadata) through the App's Privacy Rights section in Settings → About → Privacy Rights.

7.2 Right to Rectification

You have the right to request correction of inaccurate personal data. You can update your NAS credentials and app settings directly in the App.

7.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data. You can delete all app data, including stored credentials, through the App's Privacy Rights section. Note: Deleting app data will require you to reconfigure your NAS connection.

7.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can export your data as JSON through the App's Privacy Rights section.

7.5 Right to Object

You have the right to object to processing of your personal data. You can disable error reporting in the App settings (if available) or uninstall the App.

7.6 Right to Restrict Processing

You have the right to request restriction of processing of your personal data. You can stop using the App or disable specific features.

7.7 Right to Withdraw Consent

Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. You can do this by uninstalling the App or disabling features that require consent.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR. Contact your local data protection authority.

To exercise any of these rights, please contact us at privacy@bombajom.com.

8. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.

8.1 Right to Know

You have the right to request that we disclose what personal information we collect, use, and disclose about you. The categories of personal information we collect are described in Section 2 of this Privacy Policy.

8.2 Right to Delete

You have the right to request deletion of your personal information. You can delete all app data through the App's Privacy Rights section in Settings → About → Privacy Rights.

8.3 Right to Correct

You have the right to request correction of inaccurate personal information. You can update your settings and credentials directly in the App.

8.4 Right to Opt-Out of Sale or Sharing

We do not sell or share your personal information as defined under the CCPA/CPRA. We do not sell personal information to third parties for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising.

8.5 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge you different prices, or provide a different quality of service because you exercised your rights.

8.6 Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

| Category | Collected | Sold | Disclosed for Business Purpose |
|---|---|---|---|
| Identifiers (device ID, IP address) | Yes | No | Yes (Sentry — error monitoring) |
| Internet activity (app usage, error logs) | Yes | No | Yes (Sentry — error monitoring) |
| Commercial info (purchase history) | Yes | No | Yes (Stripe, App Stores — payment processing) |
| Geolocation | No | No | No |
| Biometric data | No | No | No |
| Sensitive personal information | No | No | No |

8.7 How to Exercise Your Rights

To exercise your CCPA rights, you may:

  • Use the in-app Privacy Rights section (Settings → About → Privacy Rights)
  • Email us at privacy@bombajom.com

We will respond to verifiable consumer requests within 45 days. If we need more time (up to 90 days total), we will inform you of the reason and extension period in writing.

9. Children's Privacy

Our App is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

10. Data Retention

We retain your information only for as long as necessary to provide the App's functionality and comply with legal obligations:

  • App Data: Retained on your device until you delete the App or clear app data
  • Error Reports: Retained by Sentry according to their retention policies (typically 90 days)
  • Analytics Data: Retained in anonymized form for up to 2 years

When you delete the App, all locally stored data is removed. We do not maintain backups of your app data on our servers.

11. International Data Transfers

Your photos and videos are stored on your NAS device, which is located on your local network. App data is stored locally on your device. Error reports and analytics data may be processed by third-party services (Sentry) that may be located outside the EEA.

We ensure that any international transfers comply with applicable data protection laws, including GDPR requirements for transfers outside the EEA.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.

Material changes will be communicated through:

  • In-app notifications (if significant)
  • Email notification (if you have provided your email address)
  • Update to this page

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: