Privacy Policy
Effective date: October 30, 2025 • Last updated: November 11, 2025
A Message from the Creator
Hi! I'm Eda Gurkan, a fellow iStock contributor just like you. I created RoyaltyHit because I wanted a better way to track my own royalty earnings and understand which content performs best. As a member of our creative community, I know how important it is to have tools that help us make informed decisions about our work. This tool is my contribution to help all of us succeed together. Happy creating! 💜
⚠️ Important Notice: RoyaltyHit is an independent tool and is not affiliated with, endorsed by, or officially connected to Getty Images, iStock, or any other platform.
Table of Contents
- 1. Introduction
- 2. Information We Collect
- 3. How We Use Your Information
- 4. Data Storage and Retention
- 5. Security Measures
- 6. Data Encryption and Protection
- 7. Your Rights and Choices
- 8. Cookies and Tracking
- 9. Data Sharing and Third Parties
- 10. International Data Transfers
- 11. Children's Privacy
- 12. Changes to This Policy
- 13. Contact Information
1. Introduction
RoyaltyHit ("we", "us", "our", or "the Service") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, protect, and process your information when you use our website and services.
By using RoyaltyHit, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.
2. Information We Collect
2.1 Account Information
- Email Address: Required for account creation, authentication, and communication
- Password: Stored using industry-standard bcrypt hashing (never stored in plain text)
- Nickname (Display Name): Optional custom display name (2-20 characters, must be unique) that you can set to appear in the navigation bar instead of your email username. This is publicly visible within your account interface and can be changed or cleared at any time
- Account Creation Date: Timestamp of registration
- Account Settings: User preferences and configuration options
2.2 Royalty Statement Data
- Financial Information: Royalty statements you voluntarily upload from Getty Images/iStock, including earnings, product IDs, download counts, and dates
- File Metadata: Original filename, upload timestamp, file size
- Parsed Analytics: Aggregated statistics derived from your statements for dashboard visualization
2.3 Technical and Usage Data
- IP Address: Collected for security monitoring and fraud prevention
- Browser Information: User agent string, browser type and version
- Device Information: Operating system, device type (desktop/mobile)
- Login History: Timestamps and approximate location of login attempts
- Usage Patterns: Pages visited, features used, session duration (anonymized)
3. How We Use Your Information
We process your data for the following legitimate purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account Management | Email, password hash, settings | Contract performance |
| Service Delivery | Royalty data, analytics | Contract performance |
| Security & Fraud Prevention | IP address, login history, device info | Legitimate interest |
| Service Improvements | Anonymized usage patterns | Legitimate interest |
| Communication | Email address | Contract performance / Consent |
We will never:
- Sell your personal data to third parties
- Share your financial information with advertisers
- Use your royalty data for any purpose other than providing you with analytics
- Contact you with unsolicited marketing without your explicit consent
4. Data Storage and Retention
4.1 Storage Infrastructure
- Database: Your data is stored in a MySQL database with restricted access
- File Storage: Uploaded royalty statements are stored on secure servers with access controls
- Backups: Regular encrypted backups are maintained for disaster recovery (retained for 30 days)
- Location: All data is stored on servers located in secure data centers with physical security measures
4.2 Data Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Information | Until account deletion | Service provision |
| Royalty Statements | Until manually deleted or account closure | Service provision |
| Login History | 90 days | Security monitoring |
| Backup Data | 30 days | Disaster recovery |
| Usage Analytics | 12 months (anonymized) | Service improvement |
5. Security Measures
We implement comprehensive security controls to protect your data:
5.1 Technical Security
- Encryption in Transit: All data transmission uses TLS 1.2+ encryption (HTTPS)
- Password Security: Passwords are hashed using bcrypt with salt (never stored in plain text)
- SQL Injection Prevention: Parameterized queries and prepared statements throughout
- XSS Protection: Output encoding and Content Security Policy headers
- CSRF Protection: Token-based validation for state-changing operations
- Session Management: Secure, HttpOnly cookies with appropriate expiration
5.2 Access Controls
- Authentication: Login required for all sensitive operations
- Authorization: User data is isolated - you can only access your own information
- Database Access: Restricted to application layer only, no direct public access
- Admin Access: Limited to essential personnel with audit logging
5.3 Monitoring and Response
- Regular security audits and vulnerability assessments
- Automated monitoring for suspicious activity and intrusion attempts
- Login notifications to alert you of account access
- Incident response procedures for data breaches (notification within 72 hours if applicable)
6. Data Encryption and Protection
6.1 Encryption Standards
- Data in Transit: TLS 1.2+ with modern cipher suites
- Password Storage: Bcrypt hashing algorithm with per-user salt
- Sensitive Data: Additional encryption layers for financial information at rest
6.2 File Upload Security
- File type validation and sanitization
- Size limits to prevent denial-of-service attacks
- Malware scanning on uploaded files
- Isolated storage with restricted execution permissions
7. Your Rights and Choices
You have the following rights regarding your personal data:
7.1 Access and Portability
- Right to Access: Request a copy of all personal data we hold about you
- Right to Portability: Receive your data in a structured, machine-readable format
- How to Exercise: Contact privacy@royaltyhit.com (fulfilled within 30 days)
7.2 Correction and Deletion
- Right to Rectification: Correct inaccurate or incomplete personal data (you can update your nickname in Settings at any time)
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Account Deletion: Available in Settings page - permanently removes all your data including email, nickname, and uploaded files within 30 days
7.3 Restriction and Objection
- Right to Restrict Processing: Limit how we use your data in certain circumstances
- Right to Object: Opt out of processing based on legitimate interests
- Marketing Opt-Out: Unsubscribe from promotional emails at any time
7.4 Withdrawal of Consent
Where processing is based on consent, you may withdraw it at any time by contacting us. This does not affect the lawfulness of processing before withdrawal.
8. Cookies and Tracking
8.1 Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session Cookie | Authentication and session management | Session (deleted on logout) |
| Authentication Token | Keep you logged in between visits | 30 days |
| Preference Cookie | Remember your settings | 1 year |
8.2 Third-Party Cookies
We do not use third-party advertising or analytics cookies that track you across websites. Any third-party services are limited to essential functionality only.
8.3 Managing Cookies
You can control cookies through your browser settings. However, disabling cookies may limit website functionality, including the ability to log in.
9. Data Sharing and Third Parties
9.1 When We Share Data
We only share your personal data in the following limited circumstances:
- Legal Obligations: When required by law, court order, or governmental regulation
- Service Providers: With essential service providers (hosting, email delivery) under strict confidentiality agreements
- Business Transfers: In the event of a merger, acquisition, or sale (you will be notified)
- Your Consent: With your explicit permission for specific purposes
9.2 What We Never Share
- Your royalty statements or financial data with advertisers or data brokers
- Personal information for marketing purposes
- Individual user data with other users (unless explicitly designed as a feature)
9.3 Third-Party Services
We may use the following categories of service providers:
- Email Delivery: For sending account notifications and alerts
- Hosting Infrastructure: Secure servers for data storage and application hosting
All third-party providers are contractually obligated to protect your data and may only use it for specified purposes.
10. International Data Transfers
Our services are operated from servers that may be located in different countries. By using RoyaltyHit, you consent to the transfer of your data to these locations. We ensure appropriate safeguards are in place for international transfers, including:
- Data processing agreements with service providers
- Compliance with applicable data protection regulations (GDPR, CCPA, etc.)
- Encryption and security measures during transit and at rest
11. Children's Privacy
RoyaltyHit is not intended for users under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us at privacy@royaltyhit.com.
12. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- The "Last Updated" date at the top will be revised
- Material changes will be communicated via email to registered users
- Continued use of the service after changes constitutes acceptance
- Previous versions will be archived and available upon request
We encourage you to review this policy periodically to stay informed about how we protect your data.
13. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Data Protection Authority
If you are located in the European Economic Area (EEA), you have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data appropriately.
Disclaimer: RoyaltyHit is an independent, community-created tool. It is not affiliated with, endorsed by, or officially connected to Getty Images, iStock, or any other platform.