XG Blur
XG Blur
This page is meant for DPOs, compliance officers and buyers. It documents how we process data and guarantee user rights.
⚠️ This content is informational and does not replace a formal analysis by the data controller's DPO.
Three main regulations govern the processing of minors' images in Spain.
General Data Protection Regulation. Applies across the EU. Data minimisation (art. 5.1.c) and explicit consent (art. 6.1.a) principles.
Spanish data protection and digital rights act. Applies together with the right to one's own image (LO 1/1982), which reserves decisions on publishing images to the legal representative until age 18.
Organic law on the right to honour, privacy and one's own image. Recognises one's own image as a personality right: the minor's maturity has doctrinal precedence.
Documentation of the technical and organisational measures implemented.
Each user (or their guardian) must actively tick the "I grant image rights" box. The box is never pre-checked. The adjacent text explains the consequences.
Each consent change is saved with a timestamp in the database. This mark is legal evidence before any AEPD audit or later claim.
All linked centres get an immediate email when one of their members changes consent. No centre can claim they didn't know.
A user can have different decisions for each centre they are linked to. For example: accept at school but not at summer camp. The system applies the specific decision of the context processing the image.
Under 18: consent over one's own image is always granted by the legal representative (LO 1/1982). The minor cannot decide alone, not even at 16 or 17. From 18: exclusive control by the holder.
A user can withdraw consent from their profile anytime. They can also leave a centre with one click. The new state propagates to the next processing, and all centres are notified.
When someone processes a photo, only admins or the linked centre see real names. Everyone else sees "Registered person". Names are never printed on the final image; they live only in the permissioned table. Strict application of the minimisation principle (GDPR art. 5.1.c).
Processed photos are kept for 48 hours (free) or 30 days (premium). Then an internal scheduler deletes them automatically from the database and disk. No copy is kept indefinitely.
All processing happens on the server in Spain. Emails are served via EU SMTP. No international data transfers outside the EEA.
XG Blur lets you exercise all rights recognised by the GDPR.
Each user can see their data, facial encodings, linked centres and consent decisions from their profile.
The user can modify their personal data and password anytime from their own profile.
Full account and facial encoding deletion can be requested. Cascade: it also deletes all related records (photos, consents).
The user can withdraw consent for a specific centre without affecting others. They can also hide their face in a one-off photo without logging in.
Upon request to the DPO, an export of personal data is provided in a structured format (JSON/SQL).
Facial recognition is only used to apply consents. No commercial or advertising profiling is created.
Defences at server, transport and database level.
Automatic Let's Encrypt TLS certs. HSTS with one-year maxAge. Content is never exposed over plain HTTP.
X-Frame-Options: DENY, X-Content-Type-Options: nosniff, strict Referrer-Policy, restrictive Permissions-Policy.
Werkzeug PBKDF2 with random salt. Passwords are never stored in plain text.
Each login requires a 6-digit PIN sent by email. Even if someone gets the password, they cannot enter without email access.
Facial registration images are inaccessible via direct URL. They are only served via Flask with authorisation.
Login-free actions (like hiding a face in a photo) use tokens cryptographically signed with the SECRET_KEY. They cannot be forged.
All forms and AJAX requests carry a unique per-session CSRF token. It blocks malicious cross-site requests.
Strict limits on /login, /registre and /recupera_contrasenya to prevent brute-force attacks and user enumeration.
Daily backup of code, database, uploads and configuration. 14-day rotation with optional off-site copy.
Each consent change is stored in a blockchain-style SHA-256 chain. PostgreSQL triggers reject any UPDATE or DELETE — the DB itself prevents tampering with history. A public verifier checks the chain for AEPD/GDPR audits.
The container has a healthcheck that probes /healthz every 30s. If the app hangs, Docker restarts it automatically. Optional external monitoring via UptimeRobot.
Each centre has an adjustable active-photo limit. If you exceed it due to a downgrade you get 30 grace days before the automatic trim, and the oldest photos go to the trash first (7 days to recover them).
If you're a DPO or compliance officer and need a more detailed analysis (RoPA, technical documentation, data-processor agreement...), let's talk.
📧 Contact XG Innova