reLux PhotoBook
Privacy & data use
PhotoBook consists of a WebKit-based client (reLux app for iOS) and its backend server.
This page explains how Sign in with Apple works, what lives inside the database, and which controls exist for
your data.
Account creation & Sign in with Apple
Accounts are created the first time Apple validates you. We never see your Apple password.
On reLux app
- AppleSessionService exchanges the system-provided identityToken, plus the email/full name Apple shares (when you allow it), with the backend endpoint oauth/apple_session.php over HTTPS (RemoteConfig.appleSessionEndpoint).
- PhotoBookSessionStore tracks whether the server already issued a session cookie so we avoid resending tokens unnecessarily; it stores the Apple user identifier, identity token, PhotoBook user id, and nickname inside UserDefaults (see UserDefaults) until you sign out in-app.
On the server
- Server/includes/auth.php verifies the token signature using Apple's JWKS, then creates/updates your row in user_oauth_accounts (provider apple, subject id, optional email/full name) and users (nickname, timestamps, optional email/info).
- oauth/apple_session.php sets $_SESSION['user_id'] and issues the essential session cookie (PHPSESSID, photobook_session, or relux_session); the cookie lifetime is 10 years (see includes/bootstrap.php) but you can clear it via Settings → Logout or by removing website data.
We do not store your Apple refresh tokens. Authentication happens per-request via the short-lived Apple
identityToken or via the session cookie created after a successful validation.
What the database contains
The schema defined in Server/setup.php and Server/database/migrations runs on the
database configured in Server/db.php (MySQL in production, SQLite for local testing). Tables and
their contents are:
- users: Stores your nickname, optional Apple email (only if Apple shared it), optional 256-character profile note (users.info via profile_info.php), and timestamps.
- user_oauth_accounts: Keeps the Apple sub identifier plus optional email/full name so we can reconnect your Apple ID without saving Apple access tokens.
- photos: Links each upload to your user_id, the randomized filename in /uploads, caption, optional latitude/longitude, derived aspect ratio, and timestamps.
- photo_tags: Stores each normalized tag string you attach to an upload (duplicates are prevented by a unique index).
- photo_likes: Records which signed-in user liked which photo (unique photo_id + user_id) plus a timestamp.
- photo_reports: Contains the reason text you submit via report_photo.php, the optional reporter id, status/handling metadata, and moderation timestamps.
Uploaded images are stored on disk inside Server/uploads/ with the randomized names generated in
upload_api.php. Removing a photo also deletes its file.
What stays on your device
Session + profile cache
- UserDefaults (see Settings/UserDefaults) stores four fields: photoBookUserIdentifier, photoBookIdentityToken, photoBookServerUserId, and photoBookNickname. They are deleted when you sign out (PhotoBookSessionStore.clear()) or uninstall the app.
- Cookie detection in PhotoBookSessionStore only inspects the shared web view cookie jar for the PhotoBook domains listed in serverSessionCookieNames. No cookie contents leave your device.
Uploads & location
- PhotoUploadService only attaches latitude/longitude when you grant location access and choose to include it. Omitting location leaves location_lat/lon null.
- Uploads travel over HTTPS endpoints declared in RemoteConfig and must include the Apple identity token plus an HMAC signature computed in UploadSecurity. The secret is validated server-side in upload_api.php to block unofficial clients.
Cookies & consent
Essential cookies
- A single session cookie (PHPSESSID/photobook_session/relux_session) keeps you signed in. It contains only a random identifier; the actual account id lives in the server session.
- We configure the cookie lifetime to 10 years in includes/bootstrap.php so the native app can reuse the session cookie in its embedded web views.
Consent tracking
- The GDPR banner toggled in includes/footer.php stores a boolean cookie named photobook_cookie_consent for 12 months via cookie_consent.php.
- No analytics, advertising, or third-party tracking scripts run on PhotoBook pages; the only remote calls go to Apple (Sign in with Apple JS/CSS) and to fetch Apple's public keys.
Your controls & retention
In-product tools
- Change or remove info: update your username in settings.php or clear the optional bio via profile_info.php.
- Delete content: remove single photos (delete.php) or all of them (delete_all.php). Both paths delete the database rows plus the files in /uploads.
- Delete your profile: the Settings → “Delete your entire profile” flow calls delete_profile.php, which removes your user row, OAuth link, likes, tags, reports, and uploaded files, then destroys every session.
Requests under GDPR/CCPA
- Email privacy@relux.geckos.ink if you need a data export, objection, or restriction beyond what the UI already offers. We respond within 30 days.
- When you delete content, related likes/tags/reports cascade automatically because of the foreign-key constraints defined in setup.php; nothing remains in backups longer than the standard server snapshot rotation.
Reports you file about someone else's photo remain until moderators close them. If the underlying photo or your
account is removed, the report row is deleted automatically.
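The cascade described above depends on the database actually enforcing foreign keys, and the page names SQLite for local testing, where enforcement is off unless PRAGMA foreign_keys is enabled on each connection. This added example (not PhotoBook's setup.php; the columns and sample rows are assumed) deletes a user with enforcement on and off and counts what is left behind.

```python
import sqlite3

# Hypothetical minimal schema: table names come from the page, columns are assumed
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, nickname TEXT NOT NULL);
CREATE TABLE photos (id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE);
CREATE TABLE photo_tags (tag TEXT NOT NULL,
    photo_id INTEGER NOT NULL REFERENCES photos(id) ON DELETE CASCADE,
    UNIQUE (photo_id, tag));
CREATE TABLE photo_likes (
    photo_id INTEGER NOT NULL REFERENCES photos(id) ON DELETE CASCADE,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    UNIQUE (photo_id, user_id));
CREATE TABLE photo_reports (reason TEXT NOT NULL,
    photo_id INTEGER NOT NULL REFERENCES photos(id) ON DELETE CASCADE,
    reporter_id INTEGER REFERENCES users(id) ON DELETE CASCADE);
"""
# Constructed sample rows: user 1 owns photo 10, user 2 owns photo 20
SAMPLE = """
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
INSERT INTO photos VALUES (10, 1), (20, 2);
INSERT INTO photo_tags VALUES ('sunset', 10);
INSERT INTO photo_likes VALUES (10, 2), (20, 1);
INSERT INTO photo_reports VALUES ('constructed report', 10, 2);
"""
TABLES = ("photos", "photo_tags", "photo_likes", "photo_reports")

def rows_left_after_deleting_user(user_id, enforce_foreign_keys):
    """Delete one users row and return the remaining row count per dependent table."""
    db = sqlite3.connect(":memory:")
    # SQLite parses FOREIGN KEY clauses but only enforces them when this
    # per-connection pragma is ON; it must be set outside a transaction.
    db.execute(f"PRAGMA foreign_keys = {'ON' if enforce_foreign_keys else 'OFF'}")
    db.executescript(SCHEMA + SAMPLE)
    db.execute("DELETE FROM users WHERE id = ?", (user_id,))
    counts = {t: db.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in TABLES}
    db.close()
    return counts
```

With enforcement on, only the other user's photo survives; with it off, every dependent row of the deleted user stays in the database as an orphan.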
Third parties & disclosures
- Apple — we rely on Sign in with Apple; your Apple identifier and consent choices are governed by Apple.
- Hosting — PhotoBook runs on the host specified using a local database and serves static assets directly; we do not embed external analytics or ad networks.
- Security caching — cache stores Apple's public keys locally to avoid re-downloading them for every login; it contains no personal data.
We will update this page before shipping new sensors, processors, or data uses.