layersmith

Privacy Policy

Last updated July 9, 2026

Layersmith is built so that the honest answer to "what do you do with my images?" is usually nothing, because we never receive them. This policy explains exactly what runs where, what little we store, and your rights over it.

Images

Free local features — opening an image, AI grab, wand/lasso/brush selection, subject separation, edge cleanup, shadow scaffold, and every export (PSD, ORA, PNG) — run entirely in your browser. Your image is never transmitted to us or anyone else. Metadata (EXIF, including GPS) is discarded during import because the image is re-encoded through a canvas.

Server AI features are opt-in, clearly labelled with a credit cost, and only run when you click them. When you use one, the relevant pixels are sent over HTTPS to our infrastructure on Cloudflare, processed, and returned. Batch job files are stored temporarily and deleted automatically within 24 hours; single-image operations are not retained at all beyond processing. We never use your images to train AI models, and we never share them with third parties for their own purposes.

Server-processed images, in detail

When you use a single-image server feature (subject separation, occlusion fill, object detection), the pixels are streamed to Cloudflare's AI infrastructure, processed, and streamed back — we store no copy, our logs contain no image content, and Cloudflare processes it transiently as our sub-processor without using it to train models.

Batch jobs are the one place images rest on our servers: your originals and the processed outputs are held in storage with an automatic lifecycle rule that deletes them within 24 hours. Job metadata — file names, image counts, and timestamps, never pixels — is retained with your account records. If file names are sensitive, rename before uploading.

Illegal content scanning

Images processed or stored on our servers are subject to automated scanning for child sexual abuse material (CSAM) using hash-matching technology, including Cloudflare's CSAM Scanning Tool. This is the single purpose for which server-processed images may be examined. Confirmed or apparent CSAM is reported to the appropriate authorities — the Canadian Centre for Child Protection (Cybertip.ca) and/or the National Center for Missing & Exploited Children — as the law requires, together with associated account information, and related evidence is preserved for law enforcement. The legal basis is our legal obligation and the overriding public interest in child safety.

Account data

If you create an account we store: your email address, session records, your credit ledger (grants and usage), subscription status, and per-job metadata (counts and timestamps — not image content). Payment details are handled by Stripe; we never see your card number. Stripe's processing is described in Stripe's privacy policy.

Cookies

We set exactly one cookie: rl_session, an HttpOnly authentication cookie that keeps you signed in for up to 30 days. No advertising cookies, no cross-site tracking, no third-party analytics scripts.

Emails

We send sign-in links and receipts, and (if subscribed) occasional product updates you can opt out of with one click. Transactional email is delivered via Resend.

Your rights

We operate from British Columbia, Canada, and handle personal information in accordance with PIPEDA and BC PIPA. If you're in the EU/UK, the practices above are our GDPR posture too: data minimisation by architecture, no profiling, no automated decision-making about you.

Contact

Privacy questions: contact us. We aim to respond within 7 days.