GDPR & Data Privacy
This page explains how QR Code Photos handles personal data under the EU General Data Protection Regulation (GDPR) and equivalent privacy laws, including what we store, where we store it, how long we keep it, and how you can exercise your rights.
Who this applies to
QR Code Photos processes personal data on behalf of two groups of people:
- Account owners — customers who create an account and host events on our service.
- Event guests — people who upload or view photos at an event created by an account owner.
When an account owner uploads guest photos, they act as the data controller for those photos. QR Code Photos acts as the data processor and stores photos on their behalf.
What data we collect
Account information
When you create an account, we store your email address, a hashed API key used to authenticate your uploads, your subscription plan and billing status, and a Stripe customer ID linking your account to our payment processor.
Event and photo data
For each event you create, we store the event name, tag, event date, and any metadata you choose to associate with it. Photos uploaded to an event are stored along with their file size, view count, download count, and a reference to the event they belong to.
Technical data
We log requests to our service including timestamp, IP address, user agent, HTTP method, URL, and response status. We use these logs for security, debugging, and abuse prevention.
Data retention
We keep personal data only as long as it is needed to provide the service or meet a legal obligation.
Event photos
Photos uploaded to an event are retained for one year from the date they are uploaded, unless the account owner deletes the event and its photos sooner. This retention limit is enforced automatically by a lifecycle policy on our object storage. When an account owner deletes an event, all photos associated with it are removed from active storage and purged from our CDN.
Server logs
Server logs (including request logs, error logs, and access logs) are retained for 30 days, after which they are deleted. These logs may contain IP addresses, timestamps, and request paths.
Account data
Account information (email, billing records, and account settings) is retained for as long as your account is active. Database backups are kept for 7 days. Certain records may be kept after account closure to comply with tax, accounting, or other legal obligations.
Where your data is stored
QR Code Photos is hosted in the United States (US East / N. Virginia). Photos are retained for up to one year from upload, or until the account owner deletes the event. Server logs are retained for 30 days. Account data is retained for as long as your account is active. See Data retention for the full breakdown.
Security safeguards
- All traffic between you and QR Code Photos is encrypted in transit using TLS 1.2 or higher.
- Photos and database contents are encrypted at rest using AWS-managed encryption keys.
- Our database and cache are only reachable from inside a private virtual network — they are not exposed to the public internet.
- Uploads use short-lived, single-use signed URLs so photos can only be uploaded to the event they were requested for.
- Payment card details are handled entirely by Stripe. We never see or store card numbers or CVCs.
Sub-processors
We use the following third-party services to help us provide QR Code Photos. Each of them processes a limited set of personal data on our behalf:
- Amazon Web Services (AWS) — hosting, object storage, database, CDN, and content delivery. Region: US East (N. Virginia).
- Stripe — payment processing and subscription billing. Stripe stores payment methods and processes charges on our behalf.
- PostHog — product analytics and error reporting. We send anonymized usage events, error messages, and request metadata (including IP address) to help us monitor reliability.
Your rights
If you are in the EEA, UK, or an equivalent jurisdiction, you have the right to access, correct, delete, restrict, or export your personal data, to object to processing, and to lodge a complaint with your data protection authority.
Requests from account owners
If you are the account owner, you can request access to, correction of, or deletion of your account data by emailing hello+qrcode@sparkbooth.com. For deletion of specific events and their photos, use the delete controls in your account dashboard. See our Data Deletion Instructions for details.
Requests from event guests
Because event photos are hosted on behalf of the account owner, the account owner controls what happens to those photos. If you are a guest and want a photo removed, or want to exercise any other GDPR right over a photo you appear in or uploaded:
- Contact the account owner who hosted the event directly. They can delete the photo or event from their dashboard.
- If you cannot reach the account owner, or if you believe your request has not been honored, email us at hello+qrcode@sparkbooth.com. We will forward your request to the account owner and, where appropriate, follow up to ensure it is resolved.
We forward guest deletion requests to the account owner rather than acting on them directly because the account owner is the data controller for the event's content. We will step in if the account owner does not respond or if there is a clear legal obligation for us to act.
Lawful basis for processing
We process personal data on the following bases:
- Contract — to provide the service to account owners who have signed up.
- Legitimate interests — to secure the service, prevent abuse, and improve reliability.
- Consent — where you have opted in, for example to receive marketing emails.
- Legal obligation — to meet tax, accounting, and other regulatory requirements.
International data transfers
QR Code Photos is hosted in the United States (AWS US East / N. Virginia). If you access the service from the European Economic Area, the United Kingdom, or another jurisdiction outside the United States, your personal data will be transferred to and processed in the United States. Where we transfer personal data across borders, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses, to ensure your data remains protected.
Contact us
To exercise any of the rights above, or if you have a question about how we handle your personal data, please email hello+qrcode@sparkbooth.com. We aim to respond to all requests within 30 days.