Back to Home

Privacy Policy

Last Updated: April 25, 2026 — We may update this Policy from time to time. Continued use of the Service after any update constitutes your acceptance of the revised Policy.

1. Introduction & Scope

EventSnaps ("we," "us," "our") operates a photo-matching platform for events. This Privacy Policy describes how we collect, use, store, share, and protect personal information — including biometric data — when you use our Service as a Host or a Guest.

This Policy applies globally. Where local law grants you additional rights or imposes stricter obligations, those local provisions supplement and, where they conflict, take precedence over this Policy. Jurisdiction-specific rights are set out in §10.

By using the Service you confirm that you have read and understood this Policy. If you do not agree, you must not use the Service.

2. Who We Are

EventSnaps is the data controller for account and platform data. For event-specific Guest data, the Host who created the event is the data controller and EventSnaps acts as a data processor on the Host's instructions. Hosts are required by our Terms of Service to comply with all applicable privacy and biometric data laws.

Contact details for privacy enquiries are provided in §15.

3. Information We Collect

3a. Account & Authentication Data

  • Name, email address, and profile image provided via your authentication provider.
  • Authentication tokens used to access your connected cloud storage — stored encrypted and never exposed to the client.

3b. Event & Customisation Data

  • Event name, welcome message, accent colour, and font preference set by the Host.
  • Event branding images (e.g., background) uploaded by the Host, stored securely.
  • A unique, randomly generated token that links Guests to an event without exposing any Host account identifier.

3c. Biometric Data

  • Facial feature vectors: When a Host indexes an event's photos, our system generates anonymous mathematical representations of facial features present in those photos. These vectors cannot be reverse-engineered to recreate an image.
  • Guest selfie (transient): A selfie uploaded by a Guest is processed in memory solely to search for matching facial vectors. It is discarded immediately after the search completes. We do not store, log, or retain Guest selfies.

3d. Usage & Technical Data

  • Aggregate search counts and indexing statistics, used for service operation and billing estimation.
  • Standard server logs (IP address, browser type, timestamps) retained for security and abuse prevention, automatically deleted after 90 days.

4. Legal Bases for Processing

We rely on the following legal bases (required under GDPR Art. 6 and Art. 9, and equivalent legislation):

  • Contract performance (Art. 6(1)(b)): Processing your account and authentication data is necessary to provide the Service you have signed up for.
  • Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)): Processing biometric data requires and is based on your explicit consent. Hosts consent when they index event photos. Guests consent when they voluntarily submit a selfie for matching. You may withdraw consent at any time — see §10.
  • Legitimate interests (Art. 6(1)(f)): Server log retention for security and fraud prevention, where our interests do not override your fundamental rights.
  • Legal obligation (Art. 6(1)(c)): Where we are required to retain or disclose data by applicable law.

5. Biometric Data — Special Provisions

Biometric data is among the most sensitive categories of personal information. We apply the following protections in addition to our general practices, including to comply with the Illinois Biometric Information Privacy Act (BIPA), Texas TDPSA, GDPR Art. 9, and equivalent laws worldwide.

  • Written policy: This section constitutes our written policy on biometric data retention and destruction, as required by Illinois BIPA (740 ILCS 14/15(a)).
  • No sale or profit: We do not sell, lease, trade, or otherwise profit from biometric data. Ever. This applies regardless of jurisdiction.
  • No third-party disclosure: We do not disclose biometric data to third parties except to the specialised processing infrastructure used to perform matching, which is contractually bound to the same restrictions.
  • Retention & destruction: Biometric facial vectors are retained only for as long as the event exists in the system. When a Host deletes an event or account, all associated biometric vectors are permanently and irreversibly destroyed — and in all cases within three (3) years of collection, consistent with Illinois BIPA.
  • Consent withdrawal: You may withdraw consent for biometric processing at any time by contacting us at the address in §15. Withdrawal does not affect processing already completed. Guest selfies are never stored, so there is nothing to delete post-search.
  • No identity verification use: Biometric matching is probabilistic and for photo discovery only. It must not be relied upon for identity verification, access control, or any purpose other than locating event photos.

6. How We Use Your Information

  • To create and maintain your account and authenticate your identity.
  • To connect to your cloud storage account and index event photos on your instruction.
  • To match Guest selfies against indexed facial vectors and return relevant photos.
  • To display and facilitate download of event photos to authorised Guests.
  • To send service communications (account notices, support responses). We do not send marketing emails without separate consent.
  • To detect, investigate, and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations and enforce our Terms of Service.

We do not use your data to train AI or machine learning models, build advertising profiles, or share data with third-party advertisers.

7. Data Sharing & Disclosure

We do not sell, rent, or share your personal data with third parties for their own marketing or commercial purposes.

We may share data only in the following limited circumstances:

  • Service Providers (Processors): We use contracted third-party processors for cloud infrastructure, biometric matching, and authentication. These providers are bound by data processing agreements and may not use your data for any purpose other than performing services for us.
  • Legal Requirements: We may disclose data if required by law, subpoena, court order, or government request, or where necessary to protect the rights, property, or safety of EventSnaps, our users, or the public.
  • Business Transfers: In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred to the successor entity. We will notify you via the email address on your account before your data becomes subject to a different privacy policy.
  • With Your Consent: For any other purpose, only with your explicit prior consent.

8. International Data Transfers

EventSnaps operates from the United States. If you access the Service from outside the US, your data will be transferred to, processed, and stored in the United States.

  • EU / EEA & UK: We transfer personal data to the US under Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional safeguards where required. UK transfers rely on the UK's International Data Transfer Agreement (IDTA) or equivalent mechanism.
  • Other Jurisdictions: Where your local law requires a specific transfer mechanism (e.g., Canada's cross-border transfer protections, Brazil LGPD Art. 33, India DPDP Act), we apply the appropriate contractual or equivalent safeguard.
  • Biometric data specifically is processed by third-party infrastructure located in the United States. By using the biometric matching feature outside the US, you explicitly consent to this cross-border transfer as required under GDPR Art. 49(1)(a) and equivalent provisions.

9. Data Retention & Deletion

  • Account data is retained while your account is active and deleted within 30 days of account deletion.
  • Biometric facial vectors are deleted when the associated event or account is deleted, and in all cases within 3 years of collection.
  • Guest selfies are never stored — they are processed in memory and discarded immediately after each search.
  • Event media resides exclusively in your own cloud storage. We never store it on our servers and cannot delete it on your behalf.
  • Server logs are automatically purged after 90 days.
  • You may request deletion of your data at any time — see §10. We will fulfil deletion requests within 30 days except where retention is required by law.

10. Your Privacy Rights

To exercise any right below, contact us at the address in §15. We will respond within 30 days (or the period required by your local law). We will not discriminate against you for exercising your rights.

Rights available to all users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request erasure of your personal data, subject to legal retention requirements.
  • Withdraw Consent: Withdraw consent for biometric processing at any time. This does not affect prior processing.

EU / EEA & UK residents (GDPR / UK GDPR)

  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request that we restrict processing while a dispute is resolved.
  • Object: Object to processing based on legitimate interests.
  • Supervisory Authority: Lodge a complaint with your national data protection authority (e.g., your EU Member State DPA, or the UK ICO at ico.org.uk).

California residents (CCPA / CPRA)

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Do Not Sell or Share: We do not sell or share your personal information as defined under CCPA § 1798.100 et seq. No opt-out is needed, but you may confirm this at any time.
  • Limit Sensitive Data Use: Request that we limit our use of sensitive personal information, including biometric data, to what is necessary to provide the Service.
  • Non-Discrimination: We will not deny service, charge different prices, or provide a different quality of service for exercising your CCPA rights.

Illinois residents (BIPA)

  • You have the right to know our biometric data retention schedule and destruction guidelines (see §5).
  • You have the right to request deletion of biometric data collected from you.
  • We will not sell, lease, trade, or profit from your biometric data under any circumstances.

Canada residents (PIPEDA / Quebec Law 25)

  • You have the right to access and correct your personal information.
  • Quebec residents additionally have the right to data portability and to withdraw consent, and may lodge a complaint with the Commission d'accès à l'information (CAI).

Australian residents (Privacy Act 1988)

  • You may access and correct your personal information. Complaints may be lodged with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Brazil residents (LGPD)

  • You have rights of confirmation, access, correction, anonymisation, portability, deletion, information about sharing, and the right to object to processing. Complaints may be lodged with the Autoridade Nacional de Proteção de Dados (ANPD).

India residents (DPDP Act 2023)

  • You have the right to access information, correction and erasure of personal data, and to grieve before the Data Protection Board of India.

Singapore residents (PDPA)

  • You have the right to access and correct personal data we hold about you. Complaints may be directed to the Personal Data Protection Commission (PDPC).

11. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data — and especially not biometric data — from anyone under 16. This threshold is set to satisfy both the US Children's Online Privacy Protection Act (COPPA, which applies to children under 13) and the GDPR's digital consent age (16 in most EU Member States).

If you believe a minor under 16 has submitted data through the Service, please contact us immediately at the address in §15 and we will delete it without delay.

12. Data Security

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption of data in transit and at rest, access controls, and regular security reviews.

No system is perfectly secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities within the timeframes required by applicable law (e.g., 72 hours under GDPR Art. 33).

13. Google API Disclosure

EventSnaps' use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We do not use Google user data to serve advertisements.
  • We do not allow humans to read Google user data unless you have given us explicit permission, it is necessary for security purposes, or we are required by law.
  • We do not use or transfer Google user data for training AI or machine learning models.
  • Our use of Google user data is limited to providing and improving the features you requested.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, legal requirements, or for other operational reasons. When we do, we will revise the "Last Updated" date at the top of this page. For material changes — particularly those affecting how we handle biometric data — we will notify you directly by email where we hold your address. Your continued use of the Service after the effective date of any update constitutes your acceptance of the revised Policy.

15. Contact Us

For privacy questions, data requests, consent withdrawals, or complaints, please contact us at barium.signets_0l@icloud.com.

EU/EEA residents may also contact us to identify the appropriate supervisory authority in their Member State. If you are unsatisfied with our response, you have the right to escalate to your national data protection authority.