Your Privacy Matters

**Personal Information:** When you create an account, we collect your name, email address, and password (hashed and securely stored).

**Event Data:** Event names, dates, photos, and settings you provide when creating events.

**Biometric Data (Face Embeddings):** When guests use the "Find My Photos" feature, a selfie is captured and processed using AWS Rekognition to generate face embeddings (mathematical representations of facial features). These embeddings are used solely to match guests with event photos.

**Usage Data:** We collect anonymized analytics including page views, feature usage, and device information to improve our services.

**Payment Information:** Payment processing is handled by Razorpay. We do not store credit card numbers, UPI PINs, or banking credentials on our servers. We only store transaction IDs and payment status for billing records.

We use your information for the following purposes:

• **Service Delivery:** To create events, process photos, and enable AI-powered face matching. • **Face Recognition:** Selfie data is sent to AWS Rekognition for real-time face matching. Face embeddings are stored in an encrypted database linked to the specific event. • **Communication:** To send account-related emails such as signup confirmation, password resets, and billing receipts. • **Improvement:** To analyze usage patterns (anonymized) and improve our product. • **Legal Compliance:** To comply with applicable laws and regulations.

We do **NOT** sell, rent, or trade your personal data to third parties for marketing purposes.

We implement industry-standard security measures to protect your data:

• **Encryption:** All data is encrypted in transit (TLS 1.3) and at rest. • **Row-Level Security:** Supabase PostgreSQL database uses Row-Level Security (RLS) policies to ensure data isolation between users. • **Access Controls:** Only the event host can manage their event data. Guests can only view photos from events they've been invited to. • **Infrastructure:** We use Vercel (for hosting), Supabase (for database), AWS (for face recognition), and Cloudflare (for storage) — all SOC 2 compliant providers. • **Passwords:** User passwords are hashed using bcrypt and never stored in plain text.

• **Event Data:** Photos and event data are retained for 30 days after event expiry, after which they are automatically deleted. • **Face Embeddings:** Face embeddings are deleted when the associated event is deleted or expires. • **Guest Selfies:** Selfie images captured for face matching are processed in real-time and are **NOT permanently stored**. They are discarded immediately after generating match results. • **Account Deletion:** You can request account deletion at any time by contacting us at support@eventpix.in. We will delete all your data within 30 days. • **Cached Results:** Guest search results cached in the browser (localStorage) expire after 7 days and can be cleared by the guest at any time.

Under India's Digital Personal Data Protection Act (DPDPA) 2023, facial recognition data is classified as sensitive personal data. Here's how we handle it:

• **Consent:** Guests are shown a clear consent prompt before their selfie is captured for face matching. No biometric processing occurs without explicit consent. • **Purpose Limitation:** Face embeddings are used exclusively for matching guests with their event photos. They are never used for surveillance, advertising, or any other purpose. • **Data Minimization:** We only generate face embeddings (128-dimensional vectors) — we do not store the original selfie images. • **Third-Party Processing:** Face detection is performed by AWS Rekognition (Amazon Web Services), which is GDPR and SOC 2 compliant. AWS processes images in real-time and does not retain them. • **Right to Erasure:** You have the right to request deletion of your biometric data at any time.

We use the following third-party services:

| Service | Purpose | Data Shared | |---------|---------|-------------| | Supabase | Database & Auth | Email, password (hashed), event data | | AWS Rekognition | Face matching | Selfie images (real-time, not stored) | | Cloudflare R2 | Photo storage | Event photos | | Google Drive | Photo storage (BYOC) | Event photos via user's own Drive | | Razorpay | Payments | Transaction details (no card data stored by us) | | Vercel | Hosting | Application logs, IP addresses |

Each third-party provider has their own privacy policy. We recommend reviewing them for details on their data handling practices.