Privacy Policy & GDPR Compliance

Your privacy and data protection are our top priorities. We're fully committed to GDPR compliance and maintaining the highest standards of data security.

GDPR Compliant & Secure

UK-based servers • Enterprise encryption • Full data control • Regular security audits

Last Updated: February 8, 2026

1. Overview

Event Layer is an AI-powered event photography platform that uses facial recognition technology to help event attendees find their photos quickly and easily. We take data protection seriously and are fully compliant with the UK General Data Protection Regulation (UK GDPR) and EU GDPR.

Company Details:

  • Service Name: Event Layer
  • Website: https://snapflow.co.uk
  • Data Controller: Event Layer Ltd
  • Location: United Kingdom

2. What Data We Collect

We collect only the data necessary to provide our services effectively:

2.1 Event Photography Data

  • Event Photos: Digital photographs taken by event photographers
  • Facial Biometric Data: Mathematical representations of faces extracted from photos for matching purposes (not stored as actual images)
  • Upload Metadata: Date, time, event name, and photographer information

2.2 Attendee Information

  • Selfie Photos: Self-uploaded photos for facial recognition matching
  • Email Address: For photo delivery and notifications (optional)
  • Mobile Phone Number: For SMS notifications (optional)
  • Device Information: Browser type, IP address, device type (for security and optimization)

2.3 Event Organizer Information

  • Account Details: Name, email, company name, billing information
  • Event Information: Event names, dates, locations, attendance estimates
  • Payment Information: Processed securely via Stripe (we don't store card details)

Important: We do NOT sell, rent, or share your personal data with third parties for marketing purposes. Your data is used solely to provide our event photography services.

3. Lawful Basis for Processing

Under GDPR, we must have a lawful basis for processing your personal data. Our lawful bases are:

3.1 Consent (Primary Basis)

When attendees upload a selfie to find their photos, they provide explicit consent for us to process their facial biometric data for the specific purpose of photo matching. This consent is:

  • Freely given and specific to the event
  • Informed with clear information about processing
  • Revocable at any time (see "Your Rights" below)

3.2 Legitimate Interest

For event organizers and photographers, we process data based on legitimate interest to:

  • Provide event photography management services
  • Enable photo delivery to attendees
  • Improve our platform and services
  • Prevent fraud and ensure platform security

3.3 Contract Performance

For paid services, we process data to fulfill our contractual obligations with event organizers and photographers.

4. Facial Recognition Technology

Understanding how our facial recognition works and how we protect your biometric data:

4.1 How It Works

  1. Photo Upload: Photographers upload event photos to our platform
  2. Face Detection: Our AI identifies faces in photos (no identification at this stage)
  3. Biometric Template Creation: We create a mathematical "template" of each face (a series of numbers, not an image)
  4. Attendee Selfie: When an attendee uploads a selfie, we create a template from it
  5. Matching: We compare the selfie template against event photo templates to find matches
  6. Photo Delivery: Matched photos are shown to the attendee

4.2 Biometric Data Protection

  • No Permanent Storage: Facial biometric templates are temporary and deleted after the event period (see retention policy)
  • Encrypted Storage: All biometric data is encrypted at rest and in transit
  • No Cross-Event Matching: We NEVER use biometric data from one event to match photos from another event without explicit consent
  • No Database Building: We don't create or maintain a facial recognition database across events
  • Purpose Limitation: Biometric data is used ONLY for photo matching, never for surveillance or other purposes

4.3 AWS Rekognition

We use Amazon Web Services (AWS) Rekognition for facial recognition processing:

  • AWS Rekognition is GDPR compliant and ISO 27001 certified
  • Data is processed in UK/EU AWS regions only
  • AWS does not use our data to train their models
  • We have a Data Processing Agreement (DPA) with AWS

5. Data Storage & Retention

5.1 Where We Store Data

  • Primary Storage: UK-based servers and AWS UK/EU regions
  • Backup Storage: Backblaze B2 cloud storage (EU data centers)
  • No International Transfers: Your data stays within the UK/EU

5.2 Data Retention Periods

  • Facial Biometric Data: Deleted 90 days after event end date (unless earlier deletion requested)
  • Event Photos: Retained as specified by event organizer (typically 30-180 days), then permanently deleted
  • Attendee Selfies: Deleted 90 days after event, or immediately upon request
  • Email/Phone Data: Deleted 90 days after event, or immediately upon request
  • Account Information: Retained while account is active, deleted 30 days after account closure
  • Payment Records: Retained for 7 years for tax and accounting purposes (legal requirement)

5.3 Automated Deletion

Our systems automatically delete personal data according to the retention schedule. You don't need to request deletion after the retention period expires—it happens automatically.

6. Your Privacy Rights

Under GDPR, you have comprehensive rights over your personal data:

6.1 Right to Access

You can request a copy of all personal data we hold about you, including:

  • Photos containing your likeness
  • Any selfies you've uploaded
  • Contact information we have stored
  • Information about how your data has been processed

6.2 Right to Rectification

If any of your personal data is inaccurate or incomplete, you can request correction.

6.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data at any time. We will:

  • Delete your selfie and biometric data immediately
  • Remove your email/phone number from our systems
  • Anonymize any photos containing your likeness (if technically feasible)
  • Confirm deletion within 48 hours

To request deletion: Email privacy@snapflow.co.uk or use the "Delete My Data" button on the event gallery page.

6.4 Right to Data Portability

You can request your personal data in a structured, machine-readable format (e.g., JSON, CSV).

6.5 Right to Object

You can object to processing of your personal data based on legitimate interest. We will stop processing unless we have compelling legitimate grounds.

6.6 Right to Withdraw Consent

You can withdraw consent for facial recognition processing at any time. This will not affect processing that occurred before withdrawal.

6.7 Right to Lodge a Complaint

If you believe we've mishandled your data, you can lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Website: https://ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

7. Security Measures

We implement enterprise-grade security to protect your data:

7.1 Technical Security

  • Encryption in Transit: All data transferred via HTTPS/TLS 1.3
  • Encryption at Rest: All stored data encrypted using AES-256
  • Secure Authentication: Password hashing with bcrypt, session management
  • Access Controls: Role-based access control (RBAC) limiting data access
  • Regular Backups: Encrypted backups with secure storage
  • Firewall Protection: Network security and DDoS protection

7.2 Operational Security

  • Staff Training: All staff trained on GDPR and data protection
  • Access Logging: All data access logged and audited
  • Regular Audits: Security audits and penetration testing
  • Incident Response: Data breach notification procedures in place
  • Vendor Management: All third-party vendors assessed for GDPR compliance

7.3 Data Breach Notification

In the unlikely event of a data breach affecting your personal data:

  • We will notify the ICO within 72 hours
  • We will notify affected individuals without undue delay
  • We will provide information about the breach, its impact, and remediation steps

8. Third-Party Services

We work with carefully selected third-party services that are GDPR compliant:

8.1 Data Processors

  • AWS (Amazon Web Services): Facial recognition processing, server hosting (UK/EU regions)
  • Backblaze B2: Photo storage and backup (EU data centers)
  • Stripe: Payment processing (PCI-DSS compliant)
  • Twilio: SMS notifications (GDPR compliant)
  • SendGrid/Mailgun: Email delivery (GDPR compliant)

8.2 Data Processing Agreements

We have Data Processing Agreements (DPAs) with all third-party processors, ensuring:

  • They process data only on our instructions
  • They implement appropriate security measures
  • They assist with GDPR compliance obligations
  • They delete or return data when services end

8.3 No Marketing Data Sharing

We do NOT share your personal data with:

  • Advertising networks
  • Marketing platforms
  • Data brokers
  • Social media platforms (except if you explicitly connect your account)

9. Cookies & Tracking

9.1 Essential Cookies

We use essential cookies for platform functionality:

  • Session Cookies: Keep you logged in
  • Security Cookies: Prevent fraud and unauthorized access
  • Preference Cookies: Remember your settings

9.2 Analytics

We use privacy-focused analytics to understand how our platform is used:

  • We do NOT use Google Analytics or similar tracking tools
  • We collect anonymized usage statistics only
  • We do NOT track users across websites
  • We do NOT create user profiles for advertising

9.3 Third-Party Cookies

When you make a payment via Stripe, they may set their own cookies. Please see Stripe's privacy policy for details.

10. Contact & Data Protection Officer

If you have questions, concerns, or requests regarding your data:

Data Protection Officer

For all privacy and data protection inquiries:

Email: privacy@snapflow.co.uk

Response Time: We aim to respond within 48 hours

Subject Access Requests: Fulfilled within 30 days (as required by GDPR)

What to Include in Your Request

To help us process your request quickly, please include:

  • Your full name and email address
  • The event name and date (if applicable)
  • The nature of your request (access, deletion, rectification, etc.)
  • Any relevant reference numbers or details

Identity Verification

To protect your privacy, we may ask you to verify your identity before fulfilling certain requests. This is a security measure to ensure we don't disclose data to unauthorized parties.

This policy is regularly reviewed and updated. We will notify you of any significant changes by email (if we have your email address) or by posting a notice on our website.