Privacy Policy
Last updated: May 20, 2026
I operate the Framed Events platform, which allows event organisers to create branded photo frame experiences for their guests. This Privacy Policy explains what personal data I collect, why I collect it, how I use it, and what rights you have over it.
By creating an account or using the service you agree to the practices described in this policy. If you do not agree, please do not use the service.
1. Who This Policy Applies To
This policy applies to two groups of people:
- Organisers — people who create an account to set up and manage events.
- Guests — people who scan a QR code to use the photo-frame camera at an event.
Guests do not need to create an account and I do not collect any personal information from them beyond what is described in section 3.
2. Information I Collect from Organisers
When you register for an account I collect:
- Name — used to personalise your account.
- Email address — used for authentication, account notifications, and support.
- Password (hashed) — if you register with email and password. I store only a secure bcrypt hash; I never store your plaintext password.
- Google account identifier — if you choose to sign in with Google, I store only your Google user ID and the email address returned by Google. I do not receive or store your Google password.
When you create an event I also store:
- Event name, date, and configuration settings (frame design, guest tier, accent colour).
- A short unique slug used to generate the shareable QR code URL.
3. Information I Do Not Collect from Guests
When a guest scans a QR code and uses the in-browser camera, the following applies:
- No photos are uploaded or stored. All photo processing happens entirely in the guest's browser. The framed image is composed on-device and saved directly to the guest's camera roll. No image data is ever transmitted to my servers.
- No account is required. Guests are anonymous and I do not assign them any identifier.
- No camera feed is recorded or transmitted. Camera access is granted by the guest's browser solely for the purpose of rendering the live preview and composing the final photo locally.
4. How I Use Your Information
I use the information I collect from organisers to:
- Authenticate you and secure your account.
- Provide, operate, and improve the Framed Events platform.
- Display your event configuration to guests who scan your QR code (event name, frame design only — never your personal details).
- Send transactional emails (e.g. account confirmation, password reset). I do not send marketing emails without your explicit consent.
- Process one-time payments through my payment provider (Stripe). I do not store card details; all payment data is handled directly by Stripe in accordance with PCI-DSS.
- Respond to support enquiries.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, I process your personal data under the following legal bases:
- Contract — processing your account details and event data is necessary to provide the service you have signed up for.
- Legitimate interests — detecting and preventing fraud, securing the platform, and improving the service.
- Legal obligation — where I am required to retain or disclose data by law.
6. Data Storage and Security
Your data is stored in a PostgreSQL database hosted on Neon, a cloud database provider operating within the United States. I apply the following safeguards:
- Passwords are hashed with bcrypt (cost factor 12) before storage.
- All connections to the database and between the server and your browser are encrypted with TLS.
- Access to the production database is restricted to application service accounts only.
No security system is impenetrable. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, I will notify you and the relevant supervisory authority as required by applicable law.
7. Data Retention
- Account data is retained for as long as your account is active.
- Deleted events are soft-deleted and permanently purged from the database after 30 days.
- When you delete your account, all associated personal data and events are permanently deleted immediately.
- I may retain anonymised, aggregated data (e.g. total events created) indefinitely for analytical purposes. This data cannot be linked back to any individual.
8. Sharing Your Information
I do not sell, rent, or trade your personal data. I share data only with:
- Neon — database hosting. Data is stored in their secure infrastructure.
- Vercel — the hosting platform. Application code and server-side processing run on Vercel's infrastructure.
- Stripe — payment processing. I share only the minimum data required to process a payment.
- Google — only when you choose “Sign in with Google”. Google returns your name, email, and user ID to me in accordance with their own privacy policy.
- Law enforcement — where I am compelled to do so by a valid legal process.
9. Cookies and Tracking
I use a single session cookie to maintain your login state (set by NextAuth.js). This cookie is strictly necessary for the service to function and does not track you across other websites.
I do not use advertising cookies, analytics cookies, or any third-party tracking scripts.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data I hold about you.
- Rectification — ask me to correct inaccurate data.
- Erasure — request deletion of your personal data. You can do this instantly from your account settings.
- Portability — request your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Restriction — ask me to restrict processing while a dispute is resolved.
To exercise any of these rights, contact me at privacy@framedevents.com. I will respond within 30 days.
11. Children's Privacy
Framed Events is not directed at children under the age of 16. I do not knowingly collect personal information from children. If you believe a child has provided me with their data, please contact me and I will delete it promptly.
12. Changes to This Policy
I may update this Privacy Policy from time to time. When I do, I will revise the “Last updated” date at the top of this page. If the changes are material, I will notify you by email or by a prominent notice on the platform.
Your continued use of Framed Events after any changes constitutes your acceptance of the updated policy.
13. Contact Me
If you have questions, concerns, or requests regarding this Privacy Policy or my data practices, please contact me at:
Framed Events
Email: privacy@framedevents.com
This policy was last updated on May 20, 2026.