Privacy Policy

Last updated: February 2026

1. Who we are

This service is operated by the event organizer who created the photo album you are accessing. If you have questions about how your data is handled, please contact the event organizer directly.

2. What data we collect

  • Email address — used for magic link authentication and to deliver purchased photo downloads.
  • Selfie photo (optional) — if you choose to use the face-matching feature, we temporarily store your selfie to compare it against album photos.
  • Biometric data — when you upload a selfie, facial features are processed using AWS Rekognition to find matching photos. This constitutes biometric data under GDPR Article 9.
  • Payment information — processed by Stripe. We do not store your card details. We receive your email and transaction reference from Stripe.

3. Legal basis for processing

  • Biometric data (selfie matching) — processed on the basis of your explicit consent (GDPR Article 9(2)(a)), which you provide before uploading a selfie. You can withdraw consent at any time.
  • Email and authentication — processed on the basis of contract performance (GDPR Article 6(1)(b)), as necessary to provide you access to the album and deliver purchases.
  • Payment processing — processed on the basis of contract performance (GDPR Article 6(1)(b)).

4. How we use your data

  • To verify your identity and grant access to albums you are authorized to view.
  • To match your selfie against album photos and show you your results (only if you opt in).
  • To process payments and deliver purchased photos.
  • To send you transactional emails (magic links, download links).

We do not use your data for marketing, profiling, or any purpose other than those listed above.

5. Data retention

  • Selfie photos and match results — automatically deleted after 24 hours.
  • Magic link tokens — automatically deleted after expiry.
  • Download links — expire and are deleted after 48 hours.
  • Order records — retained for accounting and legal obligations.

6. Third-party processors

  • Amazon Web Services (AWS) — cloud hosting, image storage (S3), and facial recognition (Rekognition). Data is processed in the EU/EEA region where configured.
  • Stripe — payment processing. Subject to Stripe's Privacy Policy.
  • Resend — email delivery for magic links and download notifications.
  • MongoDB — database hosting.

7. Your rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Request correction or deletion of your data.
  • Withdraw consent for biometric processing at any time.
  • Object to processing of your data.
  • Lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit).

To exercise these rights, contact the event organizer who provided you with the album link.

8. Cookies

We use strictly necessary cookies only: authentication tokens to keep you logged in and album access tokens to verify your authorization. We do not use tracking or analytics cookies.