This Policy applies to all users of the Service worldwide. It forms part of our Terms of Service. By accessing or using the Service, you agree to the practices described below.

Controller: For GDPR and similar laws, Spectracular is the data controller for personal data processed via rsz.app and its API.

We do not intentionally collect sensitive personal data (e.g., health or biometric data). If you choose to include such data in images, you are responsible for ensuring you have the legal right to do so.

We process information to:

• Provide, maintain, and improve the Service
• Authenticate users and secure accounts
• Monitor, detect, and prevent fraud or abuse
• Respond to inquiries and support requests
• Generate aggregated statistics that do not identify individuals
• Comply with legal obligations and enforce our Terms

We rely on one or more of the following bases:

• Contractual necessity - to deliver the Service you request
• Legitimate interests - to secure and improve the Service
• Consent - for optional cookies or marketing communications
• Legal obligation - to comply with applicable law or lawful requests

• Content Data: deleted automatically within 90 days of processing unless you request earlier deletion or retain copies in your account.
• Account & Billing Records: retained for as long as your account is active and as required for tax, accounting, and legal compliance (typically up to 7 years).
• Logs: retained up to 90 days for security and troubleshooting, then aggregated or deleted.

We do not sell, rent, or share personal data with third parties for their own marketing. We may disclose information only:

• Service Providers - vetted subcontractors that perform hosting, payment, or support functions under contractual confidentiality obligations
• Legal Compliance - when required by law, court order, or governmental request
• Business Transfers - in connection with a merger, acquisition, or sale of assets, provided the acquirer assumes equivalent privacy commitments

We operate globally using servers located in the United States and the European Economic Area. When we transfer personal data across borders we rely on:

• Adequacy decisions of the European Commission
• Standard Contractual Clauses or UK Addendum
• Other legally recognized transfer mechanisms

We implement industry-standard administrative, technical, and physical safeguards, including:

• HTTPS/TLS encryption in transit
• Encryption at rest for stored Content Data
• Least-privilege access controls and API key management
• Regular penetration testing and vulnerability scanning

No method of transmission or storage is entirely secure; therefore, we cannot guarantee absolute security.

Depending on your jurisdiction, you may have rights to:

• Access, correct, or delete personal data
• Object to or restrict processing
• Data portability
• Withdraw consent at any time
• Lodge a complaint with a supervisory authority

To exercise these rights, contact us at [email protected]. We will respond within 30 days or as required by law.

We use first-party cookies for authentication and Google Analytics (IP anonymization enabled) to understand site usage. You can disable non-essential cookies in your browser or via our cookie banner.

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it promptly.

You must keep your API keys confidential, comply with rate limits, and ensure that any end-user data you submit has been lawfully obtained and is adequately anonymized or encrypted if required.

We may update this Policy periodically. Material changes will be posted on this page with a new “Last updated” date and, where required, notified to you by email.

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact: