Privacy Policy
Effective date: February 18, 2026
Welcome to FindMePic ("we," "us," or "our"). We provide an AI-powered photo delivery platform that uses facial recognition to help event attendees find photos of themselves. We value your privacy and are committed to protecting your personal data, especially your biometric information.
2. Who Is Responsible for Your Data?
The Data Controller (The Organizer): The photographer, event host, or organisation that uploaded the photos. They determine the purpose of data collection and how long the event gallery remains active.
The Data Processor (FindMePic): We provide the technology to process images strictly on behalf of the Controller and under their documented instructions. For Organizers, our Data Processing Agreement (DPA) applies and is incorporated into our Terms of Service.
3. The Data We Collect & How We Use It
We process three distinct categories of images:
A. Event Photos (Uploaded by Organizers)
Biometric Processing: We analyse these photos to detect faces and create a "Face Vector" — a mathematical representation of facial features that cannot be used to reconstruct the original image.
Purpose: To build a temporary, searchable index so attendees can find photos of themselves.
B. Search Selfies (Uploaded by Attendees)
Biometric Processing: We generate a temporary Face Vector from your selfie to compare against the event index.
Purpose: To perform the search query only. Your selfie is processed entirely in memory and permanently deleted immediately after the match result is returned (within approximately 3 seconds). It is never written to disk or stored in any database.
C. Liveness Verification Selfies (For Deletion Requests)
Purpose: To verify your identity strictly for the purpose of processing a biometric data deletion request. These are also processed in memory and discarded immediately after verification.
⛔ No AI Training — Model Isolation
We expressly warrant that your photos, selfies, and face vectors are never used to train, retrain, or improve our artificial intelligence models or any third-party models. Your data is used strictly for the specific search and retrieval task you initiated. We have contractually opted out of "Content Sampling" with AWS, ensuring your data is not used to improve their public models.
4. Data Retention — The Hybrid Lifecycle
We adhere to a strict storage limitation policy, separating the retention of biometric data (Face Vectors) from the event photos themselves.
| Data Type | Retention Period | What Happens After? |
|---|---|---|
| Search / Liveness Selfie | Immediate deletion (~3 sec) | Processed in RAM and permanently deleted. Never stored on disk. |
| Face Vectors (Biometric Data) | Organizer's choice (default 6 months, max 3 years) | Permanently destroyed upon expiry or event deletion. The "Find Me" feature will no longer work for that event. |
| Event Photos (Image Files) | As set by the Organizer | Retained as a standard viewable gallery archive per the Organizer's configuration. Organizers are responsible for setting appropriate retention periods under applicable law. |
Note: GDPR requires data to be kept no longer than necessary. Organizers are contractually obligated via our DPA to configure retention periods that comply with applicable law.
5. Legal Basis for Processing
EEA & UK (GDPR / UK GDPR)
Biometric data is special category data under Article 9 GDPR. We process it solely on the basis of Explicit Consent (Article 9(2)(a)) — given by attendees when they actively submit a selfie to search for their photos, or by the Organizer on behalf of attendees who have provided documented consent at the event.
Standard personal data (e.g. Organizer account data) is processed on the basis of Contract Performance (Article 6(1)(b)) and Legitimate Interest (Article 6(1)(f)) for service analytics.
Right to Withdraw Consent: You may withdraw your consent at any time by using our self-service deletion tool (see Section 7). Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
United States — Illinois BIPA & Texas CUBI
We do not sell, lease, trade, or profit from biometric data. We permanently destroy biometric identifiers when the initial purpose has been satisfied, or within 3 years of the individual's last interaction with the service, whichever occurs first. This publicly available policy constitutes our written retention schedule as required under Illinois BIPA (740 ILCS 14/15).
6. Where Your Data Is Stored
EU Data Residency: All data for European events is processed and stored exclusively within the European Economic Area using AWS Region eu-west-1 (Dublin, Ireland). Photos are encrypted at rest (AES-256) and in transit (TLS 1.3).
International Transfers: Our cloud provider (AWS) is headquartered in the United States. Data transfers between FindMePic and AWS are governed by Standard Contractual Clauses (SCCs) approved by the European Commission. A copy of the applicable SCCs is available on request.
US CLOUD Act Notice: While we use SCCs and encryption to minimise risk, please be aware that in rare legal circumstances, data stored in the EU may be subject to lawful access requests by US authorities under the US CLOUD Act. This is an industry-wide legal reality for any service using US-headquartered cloud infrastructure.
7. Your Rights — The "Search & Destroy" Protocol
You have the right to have your biometric data removed at any time. The following GDPR rights apply to you:
- Right of access: request a copy of your personal data.
- Right to rectification: request correction of inaccurate data.
- Right to erasure ("right to be forgotten"): request deletion of your biometric data.
- Right to restrict processing.
- Right to data portability.
- Right to object to processing based on legitimate interest.
- Right to withdraw consent at any time without affecting prior lawful processing.
- Right to lodge a complaint with a supervisory authority — in the Netherlands: Autoriteit Persoonsgegevens (AP).
How to Delete Your Biometric Data
To prevent unauthorised deletion of other people's data, we use a secure verification process:
- Identity Verification: You use our Live Camera feature to take a real-time selfie (Liveness Check).
- Search: Our system searches the event index for your face.
- Deletion: Upon finding matches, the system permanently deletes the specific Face Vectors linked to your face. The original photos remain as pixel data only — they are no longer linked to your biometric identity.
⚠️ Technological Limitation Disclosure
Facial recognition is probabilistic, not absolute. In rare cases, a deletion request may not remove every instance of your face (false negative), or may inadvertently affect vectors of individuals with extremely similar facial features (false positive). We take all reasonable technical steps to minimise this risk. If you believe your deletion was incomplete, contact us at support@findmepic.com and we will manually review and remediate your request. This disclosure does not limit your rights under GDPR Article 17.
8. Organizer Obligations & Restrictions
A. The "Notice at the Door" Requirement
Organizers warrant that they have provided clear, conspicuous notice to all attendees that facial recognition technology is in use. This includes physical signage at the venue entrance and digital notices on any event registration pages.
B. Employee & Employment Data
This service is prohibited for use in employee monitoring, time-tracking, or workplace surveillance. Organizers may not process biometric data of their employees through FindMePic without a specific, documented employment law compliance framework.
C. Schools & Minors
If the service is used for a school or youth event, the Organizer warrants that they have obtained verified parental or guardian consent for the collection and processing of biometric data of minors under 16 years of age (or the applicable age of digital consent in their jurisdiction).
9. Data Security & Business Continuity
Encryption: All images and face vectors are encrypted at rest (AES-256) and in transit (TLS 1.3). Passwords are hashed using bcrypt (minimum 10 rounds). API keys are stored as bcrypt hashes.
Data Breach Notification: In the event of a data breach involving personal data, we will notify the relevant supervisory authority within 72 hours of becoming aware, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Articles 33–34.
Bankruptcy / Acquisition: In the event of a sale, merger, or bankruptcy, Face Vectors will not be transferred as a business asset. They will be permanently destroyed unless the acquiring entity expressly agrees in writing to adhere to this exact Privacy Policy, and all affected users are given advance notice and the opportunity to request deletion.
10. Cookies
We use only essential session cookies required for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to registered Organizers at least 30 days before taking effect. Continued use of the service after that date constitutes acceptance of the updated policy.
12. Contact & Data Protection Officer
For privacy questions, data access requests, or complaints, contact our Privacy Team:
FindMePic Privacy Team
Email: support@findmepic.com
Address: FindMePic, Reitseplein 384, 5037 AA Tilburg, Netherlands
You also have the right to lodge a complaint directly with the Dutch Data Protection Authority: Autoriteit Persoonsgegevens.