Privacy-first image editing checklist

Who this checklist is for

Teams evaluating background removal for client portraits, catalog SKUs, legal scans, or HR photos need more than a marketing claim. Use this checklist before standardizing on any tool.

1. Inference data path

• [ ] Does the tool upload the image to a remote API for mask generation?
• [ ] If yes, which region processes data and for how long is it retained?
• [ ] Is there a documented DPA for enterprise use?

nobg.eu note: Core segmentation runs locally in the browser; site analytics are separate—see Privacy Policy.

2. Account and library storage

• [ ] Must users create accounts?
• [ ] Are projects stored in a vendor cloud library by default?
• [ ] Can exports be deleted from vendor servers on request?

3. Telemetry and cookies

• [ ] What analytics load on marketing pages vs the editor?
• [ ] Is consent required before non-essential cookies?
• [ ] Can staff use the tool with analytics rejected?

4. EXIF and metadata

• [ ] Does export strip GPS or serial fields?
• [ ] Are originals retained in browser memory only until the tab closes?

5. Subprocessors and ads

• [ ] If ads fund free tiers, which ad tech loads and under what consent?
• [ ] Are subprocessors listed in privacy docs?

6. Organizational fit

• [ ] Legal/IT signed off for confidential assets?
• [ ] Fallback plan if browser GPU paths fail on managed laptops?
• [ ] SOP documents who may process personal images?

7. Quality and transparency

• [ ] Tool publishes limitation notes (hair, glass, motion blur)?
• [ ] Changelog documents model or export changes?

Decision matrix

| Need | Lean toward | |------|-------------| | Embargoed product shots | Local browser inference | | Overnight 10k batch | Server API with contract | | Client gallery same-day | Local + manual QA | | Regulated health imagery | Legal review + on-prem options |

8. Vendor communication hygiene

• [ ] Privacy contact is published and monitored (not a no-reply form buried in footer)
• [ ] Correction requests for inaccurate marketing claims are acknowledged
• [ ] Security reports have a defined intake address

nobg.eu publishes operator details on About and routes privacy questions to a monitored inbox listed on Contact.

9. Staff training minimum

Even strong tools fail when teams skip basics. Document:

• When to reshoot instead of re-segmenting a hopeless original
• How to verify exports on both white and dark backgrounds
• Which devices are approved for confidential client work
• How to clear downloads folder policies after sensitive edits

10. Re-review triggers

Re-run this checklist when:

• The vendor ships a new model or export default
• You add a new marketplace channel with different image rules
• Legal updates retention requirements in your jurisdiction
• Ads or analytics vendors change on marketing pages

Worked example: catalog embargo week

A merchant preparing a launch keeps pre-release packshots off upload-first APIs. Editors use browser-local segmentation, QA halos at 200% zoom, export transparent PNG masters, then flatten to white only for channels that require it. Analytics cookies are rejected on marketing pages during review. Legal signs off because the data path excludes remote inference processors for mask generation.

Related pages

Privacy in AI image tools, editorial standards, contact, local AI guide.