Privacy commitment

Your face never leaves a trail.

Walbucket is built on a simple bet: a face-search product can be useful without retaining a single byte about you. Here’s exactly how that works.

Ephemeral by design

Selfies, embeddings, and folder indices live only in memory for the duration of your search. Disk writes are forbidden by our infrastructure policy and enforced by a read-only filesystem.

No persistent database

We do not maintain a face index of users, attendees, or models. Nobody — including us — can search for “everyone named Marcus” or build a profile across events.

Compliant by default

Engineered against GDPR (EU/UK), CCPA (California), and BIPA (Illinois) requirements. DPA available on request. SOC 2 Type II in progress (Q3 2026).

Data lifecycle

A typical search, second by second.

Everything we touch is gone before you close the tab.

  • T+0.0s, Upload: Selfie arrives over TLS 1.3 → loaded into a sandboxed worker’s memory only. (In-memory only)
  • T+0.2s, Vector extract: 512-dim face vector computed on-device. Original selfie discarded immediately. (Selfie deleted)
  • T+0.6s, Index: Folder photos streamed (read-only) and embedded. Index stays in RAM. (No copies stored)
  • T+3.2s, Match: Cosine similarity ranked. Direct-link references to original cloud files only. (References, not files)
  • T+3.5s, Wipe: Vector, index, and worker memory destroyed. Audit log retains a hash, not data. (Everything deleted)

What we collect, and what we don’t.

Our core principle: the minimum data necessary to deliver results, retained for the minimum time possible.

During a face search

  • The reference selfie you upload — held in memory, never written to disk, deleted within ~200ms of vector extraction.
  • The 512-dimension face vector computed from that selfie — held in the search worker’s memory, deleted at end-of-search.
  • The URL of the public folder you provided — referenced read-only via the source cloud’s API.
  • Per-photo face vectors extracted from the folder during indexing — held in memory, never persisted, destroyed at end-of-search.

What we never collect

  • The original photos from your cloud folder. We read them once for embedding and never copy them to our infrastructure.
  • A persistent face database of you, the search subject, or any folder content.
  • Demographic inference, age estimation, sentiment, or any secondary attribute beyond identity-matching.

The plain-English version: a Walbucket worker is like a temporary scratchpad. We light it up, do the search, then crumple it up. There is no archive. There is no profile. There is no second copy.

How long we keep it.

The default retention for face vectors and selfies is 0 seconds after results are delivered. Indices for searched folders are retained based on plan:

  • Free: 0 seconds. Re-searches re-index from scratch.
  • Pro: 24 hours, per-account, AES-256 encrypted at rest. Deletable at any time from your dashboard.

You can delete a cached index immediately from your dashboard at any time, regardless of plan.

Who we share data with.

We do not sell user data. We share data only with:

  • Paystack — for billing; the data shared contains no biometric data.
  • Sentry & Posthog — error and product analytics, IP-anonymized.
  • Your chosen gallery source (Google Drive, Google Photos, or Pixieset) — read-only access to your provided folder or album. We never write, modify, or cache the original photos.

Your rights.

Under GDPR, CCPA, and similar regulations you have the right to access, correct, port, and delete any data we hold about you. Since we don’t retain biometric data, most requests resolve as “we don’t have anything matching that description.” For account-level data, email us and we’ll respond within 7 business days.

Sub-processors.

Our active sub-processor list (updated 1 Mar 2026):

  • Hetzner Cloud — EU-region compute & storage for billing data only
  • Cloudflare — DDoS protection & CDN, no biometric data passes through cache layer
  • Stripe — payments
  • Postmark — transactional email

Contact our DPO.

Data Protection Officer: Elena Kowalski, reachable via email. EU representative: Walbucket EU GmbH, Berlin, Germany.

Have a legal or compliance question?

Our DPO responds to all data-related requests within 7 business days. Enterprise customers can request a Data Processing Agreement on demand.