Page

Data Protection Impact Assessment (DPIA)

img.lu DPIA – Browser-side WebP/AVIF compression with zero uploads and zero server processing. Extremely low-risk, privacy-by-design service based in Luxembourg.

Data Protection Impact Assessment (DPIA)

Date: 28 March 2026

Controller: img.lu (Luxembourg)

Processing Activity: Browser-side image compression and conversion to WebP/AVIF formats

1. Description of Processing

img.lu now operates entirely client-side. Image compression and format conversion happen directly in the user's browser using efficient JavaScript and WebAssembly libraries.

Key characteristics:

  • Zero uploads: No images are ever sent to our servers.
  • Zero server processing: No temporary or permanent storage of user images occurs on our infrastructure.
  • Zero compromise: The user's original images and processed files never leave their device.

The only data processed by img.lu itself consists of: - Minimal technical metadata (e.g., anonymized or pseudonymized IP address, basic browser and device information) collected automatically when visiting the website. - Aggregated, non-personal usage statistics collected via Simple Analytics for load management and service improvement.

No user accounts, no emails, no cookies for tracking, and no storage of any user-generated content.

2. Necessity and Proportionality

The processing is strictly limited to what is necessary for delivering a functional website and basic service analytics. The core functionality (image compression) requires no personal data processing at all from our side, as it occurs locally in the browser.

This design follows privacy by design and by default (GDPR Article 25) and strongly aligns with the principles of data minimization and user control promoted by both the GDPR and the EU Data Act.

3. Risk Assessment

Identified risks: Very low.

  • No exposure of user images to any third party or our own servers.
  • Only minimal technical data is collected (largely non-personal or pseudonymized).
  • Simple Analytics collects no personal data, uses no tracking cookies, and provides only aggregated insights.
  • No profiling, no automated decision-making, no large-scale processing of sensitive data, and no monitoring of public areas.

Likelihood and severity of risks to the rights and freedoms of natural persons: Extremely low.

Overall residual risk level: Low, well below the threshold that would require prior consultation with the supervisory authority.

4. Measures Taken to Mitigate Risks

  • All image processing moved to the client-side (browser).
  • Complete elimination of any server-side handling of user images.
  • Use of privacy-friendly analytics (Simple Analytics) that complies with GDPR without collecting personal data.
  • Strong data minimization: only technical data required for web functionality is processed.
  • Transparent communication to users via Privacy Policy, Cookie Policy, and this DPIA.
  • Servers (if any) remain in the EU/EEA with appropriate technical and organizational security measures.

5. Consultation

No prior consultation with the Commission Nationale pour la Protection des Données (CNPD) is required. The processing does not meet the criteria for high-risk processing under Article 35 GDPR.

6. Conclusion

This DPIA demonstrates that img.lu’s browser-side image compression service presents very low risk to the rights and freedoms of individuals.

By performing all compression locally in the browser, we achieve:

  • Zero uploads
  • Zero servers involved in image processing
  • Zero compromise on user privacy

The service is designed with the highest standards of data protection in mind and goes significantly beyond basic GDPR compliance. We will review and update this DPIA if the technical architecture changes in any material way.

Approved by: img.lu (Luxembourg)

Compress your images for free

Converts to WebP · runs in your browser · nothing leaves your device

Try the Compressor