Where your photos live, and what we never collect
Before and after photos are optional in Tidywell. When you do use them, here's where they go, how long they stick around, and the bits about storage we'd rather be upfront about than hide in a privacy policy.
Photos are an optional extra, not a requirement
You can use Tidywell forever without attaching a single photo. Most people don't bother. Where they earn their keep is on tasks where you want a record: a before-and-after for a deep clean, proof a kid's chore got done before pocket money lands, or a reminder of where the grout actually was last time.
If approval is on for a profile (typically a kid's), the parent reviewing the completion sees the attached photo in the approval envelope. There's a separate guide on how approvals work end-to-end at /guide/approvals.
Your phone, then a private bucket, then your household
When you attach a photo, it goes from your phone up to Tidywell's storage backend (Supabase). The bucket is private. Reading a photo back into the app needs a signed URL the app generates on your behalf. Nothing about the photo is publicly listed or indexable.
Your phone
Captured by the camera or chosen from your library
Private bucket
Tidywell's Supabase Storage, named task-photos
Your household
Visible only to members you've invited
Plain English: nobody else's account can see your photos. The app doesn't ship a tool that lists everyone's uploads. Database-level rules (the next callout) enforce this in the database itself, not just app behaviour.
Not public, not indexable
The bucket is set to private. There is no public link to your photo. Search engines can't crawl it. The only way to view a photo is for the app to mint a signed URL after checking you're a member of the right household.
Row-level security at the database
Photos are stored under a path scoped to your household ID. Postgres row-level security blocks any read or list attempt from a different household, even if someone had a valid app session. The rule is enforced in the database itself, not in the client.
10 photos for 7 days on free, 50 for 35 days on premium
Photos take up real disk space, so there are caps. The numbers below are exact. After the day count passes, the oldest photos are deleted automatically.
Free
Photos
10
Days kept
7
Premium
Photos
50
Days kept
35
Free is generous enough to cover a typical week of before-and-after shots. Premium is sized so a household can keep a month's worth of context, plus a buffer for the odd long-running project.
Cleanup runs on app open, not in real time
If you're on free and a photo is now 8 days old, it gets cleaned up the next time you launch the app. Not on the dot of day 7. So you might briefly see a slightly-over-window photo if you re-open after a long gap. It'll be gone by the time you do anything with it.
The 11th photo on free is blocked
Once you're at the cap, attaching another photo shows a friendly message asking you to delete an older one first. We don't silently bin a photo to make room. You stay in control of which ones go.
Things we don't pull off your photos
When you attach a photo, the file goes up along with the task ID, the household ID, and the timestamp of the upload. That's it. Specifically, here's what we don't do.
No GPS or location
We don't read or store location data from photo metadata. The fact that a photo was taken at home isn't useful to us, and broadcasting where you live isn't useful to anyone.
No model training
Your photos are never used to train models. Not ours, not OpenAI's, not anyone's. The AI task breakdown feature is text-only and ignores photos entirely.
No marketing use
Photos don't show up in adverts, in case studies, in tweets, or in App Store screenshots. The photos in our marketing are stock or staged.
No third-party sharing
Photos aren't sold, shared with marketers, or handed to data brokers. The only third party in the chain is our storage provider, who processes the upload on our behalf and is covered in the caveats below.
Two ways to get rid of a photo
Auto-cleanup handles old ones once they're past the retention window. You can also delete on demand whenever you like.
Delete one at a time
Tap a photo from a task, then tap delete. Gone from your device and from the server in one step. There's no recycle bin, so be sure.
Delete your account
Settings → Account → Delete Account removes your account and your local data. If you're the only admin in a household, the household is deleted with it. We're working on tightening the cascade so every server-side photo blob is cleared in the same step. Until then, anything still attached to your account is wiped, and old uploads age out under the normal retention rules.
What we'd rather you knew up front
There are a few things that would feel sneaky to leave buried in a privacy policy. Reading them shouldn't worry you, but you deserve to know.
Signed URLs last 10 years
When the app loads a photo, it gets back a temporary URL signed by the storage layer. We set the validity to 10 years so photos don't fail to load mid-session. Practical effect: if you copy that URL out of the app and post it somewhere public, anyone with the link could view that one photo until the URL expires. Treat a copied photo URL like any other private link.
Photos are stored in plaintext
We don't apply client-side or end-to-end encryption to photo files. They're stored in the bucket as you uploaded them, protected by access rules rather than by per-file encryption. This is the industry-standard setup for app photo storage. We mention it because we'd rather not let you assume something stronger than what's true.
Supabase is the subprocessor
Supabase processes photo uploads and storage on our behalf. They're listed in our privacy policy with the rest of our subprocessors. They don't use your photos for anything beyond running the storage service for us.
Want the full version with all the legal phrasing? It's in our privacy policy.