Privacy Policy
Last updated: June 4, 2026
Subsets is a product of Workwind, Inc. (“Workwind,” “we,” “us,” or “our”), a company incorporated in Delaware, USA. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the Subsets mobile applications and website (collectively, the “Service”).
By creating an account or using Subsets, you agree to this Privacy Policy. If you do not agree, do not use the Service.
1. Who This Policy Applies To
This policy applies to all users of Subsets worldwide, including users in:
- The United States (COPPA, CCPA/CPRA apply)
- The European Economic Area and United Kingdom (GDPR and UK GDPR apply)
- All other jurisdictions
Where regional laws impose additional requirements, those are addressed in the relevant sections below.
2. Information We Collect
2.1 Account Data
Information you provide when creating or updating your account:
- Name
- Username
- Email address
- Password (stored as a cryptographic hash — never in plain text)
- Profile photo (optional)
2.2 Content You Upload
- Photos and images you upload to the Service
- Album names and descriptions
- Captions and comments you write
2.3 Social Connections
- The Subsets users you mutually add as close friends
- Invitations sent or received
2.4 Device and Technical Data
Information automatically collected when you use the Service:
- Device type, operating system version, and app version
- IP address
- Session identifiers and authentication tokens
- Error logs and crash reports (for service stability only)
2.5 Push Notification Tokens
If you grant permission, we collect a device push token to deliver notifications about activity on your account (new connection requests, friend activity, etc.). You can revoke this permission at any time in your device settings.
2.6 Photo EXIF Data — Important
We do not store EXIF metadata from your photos. EXIF data (including any embedded GPS coordinates, camera details, or timestamps) is stripped from all photos at the point of upload before storage.
On the Subsets mobile app, EXIF data may be read locally on your device before upload solely to display contextual information to you (such as the photo’s capture date or location for your own reference). This data never leaves your device and is not transmitted to our servers.
3. Information We Do Not Collect
- We do not use third-party analytics tools (no Mixpanel, Amplitude, Firebase Analytics, Google Analytics, or similar).
- We do not collect advertising identifiers (IDFA, GAID).
- We do not use tracking pixels or cross-site tracking technologies.
- We do not collect payment information (Subsets is free to use).
4. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and maintain your account | Account data, content | Performance of contract |
| Deliver photos to your chosen friends | Content, connections | Performance of contract |
| Authenticate your identity and secure your session | Account data, device data | Performance of contract |
| Send push notifications you have opted into | Push token | Consent |
| Prevent fraud, abuse, and violations of our Terms | All categories | Legitimate interests |
| Diagnose technical errors and maintain service stability | Device/technical data, crash logs | Legitimate interests |
| Comply with legal obligations | All categories as required | Legal obligation |
| Enforce our Terms of Service | All categories as required | Legitimate interests |
We do not use your data for advertising, profiling, or any purpose beyond operating the Service.
5. How We Share Your Information
We do not sell your personal data. We do not share your data with third parties for their marketing purposes.
We share data only in the following limited circumstances:
5.1 With Friends You Choose
Photos and content you share are visible only to the specific Subsets users you have mutually added as friends. No content is publicly visible.
5.2 With Service Providers (Sub-processors)
We use trusted infrastructure providers to operate the Service. These providers process data only on our instructions and under strict data processing agreements:
| Provider | Role | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage | USA (and applicable regions) |
| Cloudflare | CDN, DDoS protection, network security | USA / global edge network |
| Postmark (ActiveCampaign) | Transactional email (e.g., account confirmations) | USA |
5.3 Legal Requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5.4 Business Transfers
If Workwind is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6. International Data Transfers
Workwind is based in the United States. If you use the Service from the European Economic Area (EEA), United Kingdom, or other regions with laws governing data collection and use, your data will be transferred to and processed in the United States and other countries where our service providers operate.
For transfers of personal data from the EEA or UK to the USA, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with AWS, Cloudflare, and Postmark.
- UK International Data Transfer Addendum (IDTA) for UK-to-USA transfers.
You may request a copy of the applicable transfer safeguards by contacting [email protected].
7. Data Retention
We retain your personal data for as long as your account is active.
| Data Category | Retention Period |
|---|---|
| Account data and content | Until account deletion |
| Active session tokens | Until logout or session expiry |
| Crash logs and error reports | 90 days |
| Backup copies | Purged within 30 days of account deletion |
| Email delivery logs (Postmark) | 45 days |
When you delete your account:
- Your content and account data are deleted from active systems within 30 days.
- Residual copies in encrypted backups are purged within 90 days.
- Some data may be retained longer if required by law or to resolve active disputes.
8. Your Privacy Rights
8.1 Rights for All Users
Regardless of location, you may:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data or account
- Export your data in a portable format (photos, account data)
To exercise any of these rights, email [email protected]. We will respond within 30 days.
8.2 Additional Rights for EEA and UK Users (GDPR / UK GDPR)
You also have the right to:
- Restrict processing of your data in certain circumstances
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent (e.g., push notifications)
- Lodge a complaint with your local data protection supervisory authority
Relevant authorities include:
- EU: Your country’s national DPA (e.g., CNIL in France, BfDI in Germany)
- UK: Information Commissioner’s Office (ICO) — ico.org.uk
8.3 Rights for California Residents (CCPA/CPRA)
California residents have the right to:
- Know what categories of personal information we collect and how it is used
- Delete personal information we hold about you
- Correct inaccurate personal information
- Opt out of sale or sharing — We do not sell or share your personal information for cross-context behavioral advertising.
- Non-discrimination — we will not deny, charge more, or provide a lesser service because you exercised your privacy rights
To submit a verifiable consumer request, email [email protected]. We will respond within 45 days (extendable to 90 days with notice).
Categories of personal information collected in the past 12 months:
- Identifiers (name, email, username, IP address)
- Photos and user-generated content
- Internet or other network activity (device/session data)
- Push notification tokens
We do not sell or share any of these categories.
9. Children’s Privacy
9.1 Minimum Age
- Global: Subsets is not intended for users under 13 years of age.
- European Economic Area and United Kingdom: Users must be at least 16 years of age in accordance with GDPR Article 8 and the UK Age Appropriate Design Code.
9.2 COPPA Compliance (USA)
We do not knowingly collect personal information from children under 13 in the United States. If we discover that a user is under 13, we will promptly delete their account and all associated data.
If you believe a child under 13 has created an account on Subsets, please contact us immediately at [email protected].
9.3 EU/UK Minor Users (Ages 16–17)
For users aged 16–17 in the EEA or UK, we process data based on their own consent as permitted under applicable law. We do not process data for profiling, behavioral advertising, or any purpose beyond operating the Service.
10. Security
We implement technical and organizational measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2 or higher.
- Encryption at rest: Stored data is encrypted using AES-256.
- Password hashing: Passwords are never stored in plain text and are hashed using bcrypt or equivalent.
- EXIF stripping: Sensitive photo metadata is removed at upload.
- Access controls: Internal access to user data is restricted to authorized personnel on a need-to-know basis.
No security system is impenetrable. In the event of a data breach that affects your personal data, we will notify affected users and applicable supervisory authorities within the timeframes required by law (72 hours under GDPR).
11. Cookies and Tracking
Our website (subsetsapp.com) uses only essential cookies required for the site to function (e.g., session management). We do not use advertising cookies or third-party tracking cookies.
Our mobile apps do not use cookies. We do not use cross-app or cross-device tracking.
12. Push Notifications
If you grant permission, we send push notifications to your device for service-related events (e.g., friend requests, shared albums). You can withdraw this permission at any time in your device settings (iOS: Settings → Notifications; Android: Settings → Apps → Subsets → Notifications). Withdrawing permission does not affect your ability to use the Service.
13. What We Don’t Do
- We do not sell your data.
- We do not show ads.
- We do not make your profile or photos publicly visible.
- We do not use your photos to train AI or machine learning models.
- We do not track you across other apps or websites.
- We do not share data with data brokers.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:
- Sending a push notification or in-app notice, and
- Emailing you at the address associated with your account
The updated policy will be effective upon posting. Continued use of the Service after notification constitutes acceptance of the updated policy.
15. Contact Us
For privacy questions, data requests, or concerns:
Privacy Team — Workwind, Inc.
Email: [email protected]
Address: 1111B S Governors Ave #47719, Dover, DE 19904
We aim to respond to all requests within 30 days.