
Privacy

Privacy by architecture, not by promise

Why this page exists

Most privacy policies tell you what the company is allowed to do, in language built to make you stop reading. This one is the opposite.

VestaNabu is paid software. You pay the bill, so nothing else has to be sold — not your photos, your faces, your relationships, or the words under your pictures. The rest of this page is how the architecture makes that real.

What we don’t do

  • No advertising. No ad surface, no ad revenue, no ad business. Ever.
  • No data sales. Not to brokers, not to insurers, not to anyone. Your photos and metadata are never the product.
  • No cross-user training. The AI that finds your photos runs only against your library. It never reads anyone else's.
  • No engagement metrics. Nothing counts likes, ranks content, scores users, or recommends what to look at. You see what you asked for.
  • No friends-of-friends access. A room you share with grandma cannot be discovered by her cousin. Sharing is explicit, every time.

What the platform can and can’t see

Every family has its own key, locked away in a way only your family has access to. Photos are sealed on your device before they leave it; the storage provider and the network provider in front of it see only sealed bytes. A stolen drive in a data center yields nothing readable.

Two families uploading the same photo produce two different sealed copies. The platform can't tell they were the same picture.
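The property described above can be shown as an added example. It is not VestaNabu's code: the cipher (AES-256-GCM), the random per-upload nonce and every function name are assumptions, since this page does not name them. It also shows the contrasting content-derived ("convergent") design, where equal photos do produce equal sealed bytes.

```javascript
// Added example, not VestaNabu code. AES-256-GCM and all names are assumptions.
const { randomBytes, createHash, createCipheriv, createDecipheriv } = require('crypto');

// Seal bytes under a key. A fresh 96-bit nonce per call means identical input
// never yields identical output, even under the same key.
function seal(key, plain, nonce = randomBytes(12)) {
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plain), c.final()]);
  return { nonce, body, tag: c.getAuthTag() };
}

// Open a sealed copy; throws if the key is wrong or any byte was altered.
function unseal(key, sealed) {
  const d = createDecipheriv('aes-256-gcm', key, sealed.nonce);
  d.setAuthTag(sealed.tag);
  return Buffer.concat([d.update(sealed.body), d.final()]);
}

function canOpen(key, sealed) {
  try { unseal(key, sealed); return true; } catch { return false; }
}

// Contrast: convergent sealing derives the key from the content and fixes the
// nonce, so equal photos give equal ciphertext and storage can match them.
function sealConvergent(plain) {
  const key = createHash('sha256').update(plain).digest();
  return seal(key, plain, Buffer.alloc(12));
}

// Constructed sample input standing in for a photo file.
const photo = Buffer.from('constructed bytes standing in for a JPEG');
const familyA = randomBytes(32); // one random 256-bit key per family
const familyB = randomBytes(32);

function demo() {
  const a = seal(familyA, photo);
  const b = seal(familyB, photo);
  return {
    perFamilyCopiesMatch: a.body.equals(b.body),
    ownerCanOpen: unseal(familyA, a).equals(photo),
    otherFamilyCanOpen: canOpen(familyB, a),
    convergentCopiesMatch: sealConvergent(photo).body.equals(sealConvergent(photo).body),
  };
}

console.log(demo());
```

With per-family keys the two sealed copies differ and only the owning family's key opens its copy. The convergent variant matches byte for byte, which is what lets a storage layer recognise the same picture.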

What the AI does, and where it runs

Some image work runs on your device — your photos aren't uploaded anywhere to be analyzed:

  • Document detection (passport / tax / ID flagging at upload).
  • Sensitive-content detection at upload, with a reminder again before sharing.
  • Face detection (the bounding boxes).

Other work runs in the cloud, scoped to your library only:

  • Face clustering, so you can name a person once.
  • Semantic embeddings, so “Maria at the beach” works.
  • Place clustering and auto-categorization.
  • Library cleanup hints — duplicate candidates we surface for you to review (we never collapse anything on our own).

You can turn any of these off in Settings. Off means off — the inference does not run and the data is not generated.

Sharing

When you share a room with someone outside your family, they see that room — and only that room. Not your library, not your other rooms, not your other family members' photos. Sharing is one room at a time.

You choose what each room allows: nothing leaves it, a watermarked copy, or the full file. The same photo can sit in two rooms, and each room has its own conversation underneath.

Take a share away whenever you want. The next time the person looks, the room is closed.

Deletion

Delete a photo and it's gone for everyone, right away. We hold the bytes for 30 days so you have one chance to bring it back if you change your mind. After 30 days a daily clean-up removes the bytes and any trace they were there.

Close your account and the deletion is total. Your photos are removed, your records are removed, and the key your family used to lock everything is destroyed too — so even if any sealed copy of a photo lingered somewhere, no one can open it. We don't keep a back door.

What we do keep is the bill and the audit trail, for as long as the law makes us keep them, no longer. Those records hold no photos — only what was charged and when.

Minors

Adulthood is computed from the date of birth on the account and flips at UTC midnight on the 18th birthday. No flag, no review, no human in the loop. Minors flow through the same family-level limits as every other member — including the rolling 7-day sharing-viewing cap that applies to every Free family. Minors cannot have a Private room by default; one can be requested and approved by a Payer per ADR-0097, with the existence visible in the family activity log.

What we hold about you

Your email, your username, your name, your date of birth (for the adulthood check above), and the family you belong to. The notes that came with your photos — when each was taken, where if the camera knew, what camera took it if it said. Sealed copies of the photos themselves. A record of every photo stored or shared so the bill can be checked.

What we don't hold: where else you browse, an advertising ID, your phone contacts, messages with other services, or anything we don't need to run the service you're paying for.

Reach a human

Privacy questions go to support@vestanabu.com. If something here is wrong, unclear, or contradicted by what the product actually does, that's a bug we want to hear about.

For our current list of sub-processors, see /legal/sub-processors.