Privacy Policy
EventFrame · Last updated: 2026-06-12
EventFrame is an event photography platform that helps guests find their photos across albums shared by photographers. This policy explains what we collect, why, and how you can control or delete it.
Biometric data notice: EventFrame uses face recognition to match selfies against event photos. Your face data is encrypted, never shared with other users, and can be deleted at any time from Settings or by deleting your account.
1. Data We Collect
Account information
- Phone number (for OTP login)
- First and last name (optional)
- Email (optional)
- Profile photo / avatar (optional)
- Account role (guest or photographer)
Biometric data (face recognition)
- Selfie image you upload to find yourself in event photos
- A mathematical representation of your face (a "face embedding") used to match against event photos. This is not a photograph and cannot be reversed into a face image.
- Face thumbnails generated from your selfie
You must explicitly consent before we capture or process biometric data. Consent is recorded with a timestamp for audit purposes. You can withdraw consent at any time, which triggers immediate deletion of your face data.
Content you upload
- Event photos uploaded to albums you create or contribute to
- Album metadata (titles, dates, settings)
Usage and device data
- Crash reports and error logs (via Sentry) including device model, OS version, and stack traces
- Anonymous product analytics (which screens you visit, feature usage)
- IP address and approximate location (used for security and rate limiting)
2. How We Use Your Data
- To match your selfie against photos in albums you've been invited to
- To deliver core features (album access, photo download, sharing)
- To diagnose crashes and fix bugs
- To send transactional notifications related to your account
- To prevent abuse and enforce our Terms of Service
We do not sell your data, train external AI models on your photos, or use your face data for advertising.
3. Third-Party Services
We share limited data with the following service providers strictly for the purpose of running EventFrame:
- Cloudflare R2 — encrypted storage of photos and selfies
- MongoDB Atlas — encrypted storage of account and album metadata
- Railway — backend hosting
- Sentry — crash reporting (data stripped of personal content)
- PostHog — product analytics (page views, feature usage). Linked to your account ID so we can debug issues you report.
- SMS providers — OTP delivery
Each provider is bound by data-processing agreements and uses encrypted transit (TLS) and storage.
Face data specifically: selfies and face thumbnails are stored only in Cloudflare R2; face embeddings are stored only in MongoDB Atlas alongside your account. Face data is never sent to Sentry, PostHog, SMS providers, advertising networks, data brokers, or any analytics service. We do not sell, license, or otherwise disclose face data to any third party for their own use.
4. Connected Cloud Accounts (Google Drive, Google Photos, Dropbox)
EventFrame can optionally connect to your own Google Drive, Google Photos, or Dropbox account so that you can import existing photos into a gallery or export finished galleries for permanent storage and client delivery. Connecting is always your choice; you can use EventFrame without ever linking any of these services.
What we request and why
If you choose to connect Google, EventFrame requests the minimum scopes needed for the feature you're using:
- Google Drive — scope
https://www.googleapis.com/auth/drive.file. This is a per-file scope: it grants EventFrame access only to the specific files you explicitly select in the Google Picker, and to folders/files EventFrame creates on your behalf when you export a gallery. EventFrame cannot list, search, or read any other content in your Drive. The same scope covers both imports (you multi-select photos inside the Picker, often pre-navigated to a sub-folder of your event) and exports (EventFrame writes the finished album to a folder you pick in the Picker).
- Google Photos — scope
https://www.googleapis.com/auth/photoslibrary.appendonly. This is an append-only scope: EventFrame can create new albums and add the photos you're exporting into those albums. EventFrame cannot read, list, or modify any existing photos or albums in your Google Photos library.
- Account identity — scopes
openid and email. Used only to identify the Google account you're signing in with and to display your email under Connected Accounts so you can confirm which account is linked.
If you choose to connect Dropbox, EventFrame requests files.content.read (for imports), files.content.write (for exports), and account_info.read (to display your account email so you can confirm you're connecting the right account).
EventFrame's use of information received from these Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
What we do with the data
- Imported photos are streamed from your cloud account to EventFrame's storage (Cloudflare R2) and processed exactly like any other photo you upload — thumbnailing, optional face detection, gallery placement.
- Exported photos are streamed from EventFrame's storage to your cloud account and placed in the folder or album you choose. Once the export completes, EventFrame does not continue accessing the destination.
- The OAuth access and refresh tokens that authorize these operations are stored encrypted at rest (AES-256-GCM) and used only by EventFrame's backend to perform the imports/exports you've requested. Tokens are never shared with third parties, sent to analytics or crash-reporting services, or used for advertising.
- EventFrame does not transfer, share, or sell data obtained from Google APIs to other parties for serving advertisements, lending or credit assessment, or any other unrelated purpose. We do not use this data to train artificial intelligence or machine-learning models.
Disconnecting and revoking access
- You can disconnect a cloud account from EventFrame at any time under Settings → Connected Accounts. Disconnecting deletes the stored OAuth tokens from EventFrame's database.
- You can independently revoke EventFrame's access from your Google account at myaccount.google.com/permissions or from your Dropbox account at dropbox.com/account/connected_apps.
- Revoking access does not delete photos already imported into EventFrame — you can delete those separately from inside the gallery.
- Revoking access does not delete photos already exported to your cloud account — those are now yours to manage in your own Drive/Photos/Dropbox.
5. Data Protection and Security
EventFrame applies the following data protection mechanisms to all user data, with stricter controls for sensitive data (OAuth tokens, face embeddings, account credentials, and photos accessed via Google API scopes).
Encryption in transit
- All connections between your device and EventFrame's services use TLS 1.2 or higher, enforced via HSTS (HTTP Strict Transport Security).
- All connections between EventFrame's backend and our cloud service providers (Cloudflare R2, MongoDB Atlas, Google APIs, Dropbox APIs, Modal / RunPod for face-recognition inference) use TLS 1.2+.
- OAuth authorization flows use the PKCE-style authorization code grant on web and Google Identity Services or system browser flows on mobile. The raw OAuth tokens never transit the user's browser or mobile app — they are exchanged server-side and stored encrypted.
Encryption at rest
- Photos and selfies are stored in Cloudflare R2 with server-side encryption (AES-256). Each object is keyed with a per-album path and not directly accessible without a signed URL.
- Account metadata (user records, album records, sub-events, permissions) is stored in MongoDB Atlas with encryption at rest (AES-256) on disk and in backups.
- OAuth access and refresh tokens for connected Google and Dropbox accounts receive an additional application-layer encryption layer: AES-256-GCM with the encryption key held in a Railway-managed environment variable (not in source control). The encryption key is rotated on any suspected exposure. Tokens are decrypted only at the moment they are needed to call the respective provider API on the user's behalf.
- Face embeddings (numerical vectors used for face recognition matching, not raw images) are stored in MongoDB Atlas with encryption at rest, tied to the user record, and deleted immediately when the user revokes biometric consent or deletes their account.
- Authentication credentials — EventFrame uses passwordless authentication: sign-in is via one-time codes (OTP) sent to your email. The OTP codes are bcrypt-hashed before storage and the plaintext code is never persisted. Optional album passwords (set by photographers to restrict viewer access to specific albums) are also bcrypt-hashed with industry-standard cost factors before storage.
Access control
- Access to production systems (backend servers, databases, R2 buckets, secret stores) is restricted to authorized EventFrame personnel using multi-factor authentication and least-privilege role-based access.
- Direct database access in production is restricted to authorized IP ranges via MongoDB Atlas's network access list, and all administrative actions are logged through Atlas's audit logging. Routine application access uses a least-privilege service account.
- User sessions use short-lived signed JWT access tokens paired with separate refresh tokens stored server-side; refresh tokens can be revoked at any time on logout, on detected compromise, or by the user (single-session revocation or all-sessions revocation from Settings).
- Public endpoints are rate-limited per-account (when authenticated) and per-IP (when unauthenticated) to prevent brute-force and scraping.
Sensitive data isolation and minimization
- OAuth tokens, refresh tokens, OTP code hashes, and face embeddings are never written to application logs, crash reports, analytics events, or third-party services. Where token-related diagnostics are needed for debugging, only the token's length (not its value) is logged.
- Connected Google account data accessed under the
drive.file and photoslibrary.appendonly scopes is used solely to fulfill the import/export action the user initiated, then dropped from working memory. We do not retain copies of cloud-account file lists, search indices, folder structures, or directory metadata beyond what is needed to complete the user-initiated transfer.
- EventFrame's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer, share, or sell Google user data to other parties for serving advertisements, lending or credit assessment, or any other unrelated purpose. We do not use Google user data to train artificial intelligence or machine-learning models.
Token revocation and account deletion
- When you disconnect a connected cloud account from EventFrame, the stored encrypted OAuth tokens are immediately deleted from our database (not just marked as revoked) and EventFrame's access to that account is terminated at the source via the provider's revocation endpoint (Google's
https://oauth2.googleapis.com/revoke, Dropbox's /2/auth/token/revoke).
- When you delete your EventFrame account, all account metadata, photos, face embeddings, OAuth tokens, refresh-token records, and other personal data are removed from the database immediately via a cascaded deletion process. Data may persist in MongoDB Atlas's encrypted backups for up to 90 days per the backup retention policy, after which it is automatically purged.
Vulnerability management and incident response
- Backend and frontend dependencies are reviewed for security advisories from npm, GitHub, and our providers, and updated as needed when security advisories affecting them are published.
- In the event of a security incident affecting personal data, we will notify affected users without undue delay (and within the time frames required by applicable law) and provide guidance on protective steps to take.
- Reports of suspected vulnerabilities can be sent to future.vision3069@gmail.com; we will acknowledge within 5 business days and work in good faith to investigate and remediate.
6. Data Retention
- Account data: retained while your account is active.
- Photos: retained per the album's retention setting (configurable by the album owner).
- Face embeddings: retained until you revoke biometric consent or delete your account.
- Crash logs: retained for 90 days then automatically purged.
7. Your Rights
You have the right to:
- Access — see what data we hold about you (Settings → Profile)
- Correct — update your profile information at any time
- Delete — remove your account and all associated data (Settings → Delete Account, or via /delete-account if you can't sign in)
- Withdraw biometric consent — deletes your face data immediately while keeping your account intact (Settings)
- Export — request a copy of your data by emailing us
8. GDPR / CCPA / BIPA Compliance
For users in the European Union, California, or Illinois, EventFrame complies with applicable data-protection laws including:
- GDPR Art. 9 — biometric data is processed only with explicit, informed consent.
- CCPA — we do not sell personal information; you have the right to know, delete, and opt-out.
- BIPA (Illinois) — we obtain written consent before capturing biometric identifiers and provide a public retention & destruction schedule (above).
9. Children
EventFrame is not directed at children under 13. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete the account.
10. Changes to This Policy
We may update this policy. Material changes will be communicated in-app and require renewed biometric consent if applicable.
11. Contact Us
Questions about privacy? Email future.vision3069@gmail.com.