Privacy Policy

Snapora ("we", "our", or "us") is an event photo management and face-search platform. We provide event organisers with tools to upload event photos, and allow guests to find their own photos using a selfie. Our registered correspondence address is available on request at legal@snapora.photos.

This Privacy Policy applies to all users of Snapora — including event organisers who create and manage events, and guests who access events to find their photos.

2.1 Account data (organisers)

When you register as an organiser, we collect your name, email address, and a hashed password. We do not store your plain-text password.

2.2 Event photos

Organisers upload photos to our platform. These photos are stored securely in object storage and are accessible only via time-limited signed URLs. Photos are associated with the organiser's account and the specific event.

2.3 Biometric / facial recognition data

Important notice: Snapora uses AI-based face recognition to match selfies submitted by guests with faces in event photos. This involves processing biometric data as defined under India's Digital Personal Data Protection Act (DPDP Act) 2023 and, where applicable, the GDPR.

Specifically, we process:

• Face embeddings from event photos — mathematical vector representations of faces detected in uploaded event photos. These embeddings are stored in a vector database (Qdrant) linked to the event. The raw photos are not used for face search after indexing.
• Selfie embeddings from guests — when a guest submits a selfie via the "Find Me" feature, we generate a face embedding from that selfie in memory. We do not store the selfie image or the guest's face embedding after the search is complete. The embedding is used only for a single real-time search and immediately discarded.

2.4 Payment data

We use Cashfree Payments to process payments. We do not store your card number, bank details, or UPI credentials. Cashfree's privacy policy governs the payment data they collect. We store only the payment status, order ID, and amount for accounting and support purposes.

2.5 Usage and log data

We collect server logs including IP addresses, browser user-agent strings, pages visited, and timestamps. This data is used for security monitoring, debugging, and abuse prevention. We retain log data for up to 90 days.

2.6 Cookies

We use an HTTP-only session cookie to keep you signed in. We do not use third-party advertising or tracking cookies. We may use analytics cookies (Vercel Analytics) which are privacy-friendly and do not track you across other websites.

• To provide the service — creating and managing events, storing photos, and enabling the "Find Me" face search feature.
• Face embeddings from event photos are stored to power the face search feature for the lifetime of the event. When an event expires or is deleted, all associated face embeddings are permanently deleted.
• Selfie embeddings from guests are used only for a single real-time search query and are never persisted.
• To process payments — order creation, confirmation, and support.
• To send transactional emails — account verification, payment receipts, and event expiry reminders. We do not send marketing emails without your explicit consent.
• To maintain security — detecting abuse, rate-limiting, and audit logging.

We process your data on the following legal bases under the DPDP Act 2023 and GDPR (where applicable):

• Contract performance — processing your account data and payment information to provide the service you subscribed to.
• Consent — facial recognition and biometric processing. Guests who use the "Find Me" feature explicitly consent to their selfie being processed for face search by submitting it. Organisers consent to event photos being processed for face indexing by uploading them to the platform.
• Legitimate interests — security logging, abuse prevention, and service reliability.

We share data with the following third-party processors:

• Cashfree Payments — payment processing. Cashfree is a PCI-DSS compliant payment gateway regulated by RBI.
• Object storage provider (MinIO / S3-compatible) — photo storage. Photos are stored encrypted at rest.
• Qdrant — vector database for face embeddings. Only mathematical embeddings (not photos or personal identifiers) are stored.
• Vercel — hosting and edge network. Vercel's privacy policy governs infrastructure-level data.

We do not sell your personal data. We do not share your data with advertisers, data brokers, or any third party beyond those listed above.

• Event photos and face embeddings are retained for the duration of the event's active period (30 or 60 days depending on plan). After expiry, all photos and embeddings are permanently deleted within 7 days.
• Guest selfies are never stored — they are processed in memory and discarded immediately after the search.
• Account data is retained for as long as your account is active. You may delete your account at any time (see Section 7).
• Payment records are retained for 7 years as required by Indian accounting and tax law.
• Server logs are retained for up to 90 days.

Under the DPDP Act 2023 and GDPR (where applicable), you have the following rights:

• Right to access — request a copy of personal data we hold about you.
• Right to correction — request correction of inaccurate data.
• Right to erasure — request deletion of your account and associated data. Note: payment records must be retained for 7 years by law.
• Right to withdraw consent — for biometric processing, you may withdraw consent at any time by contacting us. This will prevent future face-search processing but does not affect past searches already completed.
• Right to data portability — request your data in a machine-readable format.

To exercise any of these rights, email legal@snapora.photos. We will respond within 30 days.

We use industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest for stored photos, HTTP-only cookies, rate limiting, and HMAC-signed webhook verification. Access to production systems is restricted to authorised personnel. Despite these measures, no system is completely secure — if you discover a security vulnerability, please report it to support@snapora.photos.

Snapora is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted a selfie or their photos have been uploaded without consent, please contact us immediately at legal@snapora.photos and we will delete the data promptly.

We may update this Privacy Policy from time to time. Material changes will be communicated via email (to registered organisers) and/or a banner on the platform at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.