Privacy Policy
How we collect, use, and protect your information
Last updated: April 7, 2026
Introduction
At Pixload, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our real-time event photography service.
Information We Collect
Personal Information
- • Name and email address when you create an account
- • Payment information for event processing
- • Camera and device information for connectivity
- • Event details (name, date, location) that you provide
Photo Data
- • Original photos uploaded during events
- • Processed and enhanced versions of photos
- • Facial recognition data (temporarily processed, not stored)
- • Photo metadata (timestamp, camera settings, location if enabled)
Usage Information
- • App usage patterns and feature interactions
- • Gallery access logs and download statistics
- • Device information and technical diagnostics
- • IP addresses and general location data
How We Use Your Information
Service Delivery:
To provide real-time photo processing, gallery creation, and guest access management.
AI Processing:
To enhance photos, recognize faces for personalized galleries, and organize content automatically.
Communication:
To send event notifications, gallery links, and important service updates.
Payment Processing:
To handle billing for events and subscription services.
Improvement:
To analyze usage patterns and improve our service quality and features.
Legal Compliance:
To comply with applicable laws and protect our legal rights.
How We Protect Your Data
Encryption:
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
Secure Storage:
Photos are stored on Amazon S3 with enterprise-grade security and access controls.
Limited Access:
Only authorized personnel have access to user data, and only when necessary for service delivery.
Gallery Security:
Each gallery uses cryptographically secure URLs that cannot be guessed or enumerated.
Facial Recognition:
Face recognition processing happens in real-time and facial data is never permanently stored.
Regular Audits:
We conduct regular security audits and vulnerability assessments.
Biometric Data
We process biometric data (facial features) solely to match you with event photos.
- • Selfie photos are processed and deleted within minutes
- • Facial embeddings (not photos) are stored for up to 90 days
- • Processing is done on secure, encrypted servers
- • You can request deletion of your biometric data at any time
Cookies & Tracking Technologies
We use cookies and similar technologies to improve your experience. The technologies below are categorized by their legal basis.
Essential Cookies
- • Authentication and session management (Supabase auth cookies)
- • Language and theme preferences (localStorage)
Analytics Cookies (consent required)
- • Google Analytics (GA4) — usage statistics. Cookies: _ga (2 years), _gid (24 hours), _gat (1 minute). Only loaded after you accept analytics cookies.
- • PostHog — product analytics (EU-hosted). Cookies: ph_* (1 year). For connected users, your user ID and email are transmitted for analytics purposes. Only loaded after you accept analytics cookies.
No-Consent Technologies (legitimate interest)
- • Umami — self-hosted, privacy-friendly web analytics (umami.pixload.app). No cookies, no personal data collected, no cross-site tracking. Always active. Exempt from consent under CNIL guidelines for audience measurement tools.
- • Sentry — error monitoring for application stability (EU-hosted). Captures technical errors only (stack traces, browser info). Session replays on errors only, with all text masked and all media blocked. No user tracking or profiling.
- • Internal engagement tracking — anonymous gallery usage statistics (views, downloads, shares). Uses a random session-scoped visitor ID (UUID) with no link to your identity. No cookies. Based on legitimate interest.
You can manage your cookie preferences at any time using the "Cookie Policy" button in the footer.
Legal Bases (GDPR Art. 6)
We process your data based on the following legal grounds:
- • Consent (Art. 6(1)(a)) — Google Analytics, PostHog: only activated after your explicit consent via the cookie banner.
- • Performance of contract (Art. 6(1)(b)) — Pixload service: photo processing, gallery creation, facial recognition matching, account management.
- • Legitimate interest (Art. 6(1)(f)) — Umami (audience measurement, CNIL-exempt), Sentry (error monitoring), internal engagement tracking (anonymous usage statistics).
- • Legal obligation (Art. 6(1)(c)) — Data retention required by applicable regulations.
Sub-processors
We use the following third-party service providers to deliver our services:
- • Supabase — Database and authentication (Ireland, EU)
- • Vercel — Web hosting and serverless functions (USA — EU-US Data Privacy Framework)
- • Cloudflare — CDN and image optimization (EU)
- • Google Analytics — Web analytics (USA — EU-US Data Privacy Framework)
- • PostHog — Product analytics (EU)
- • Sentry — Error monitoring (EU)
- • Resend — Transactional emails (USA — EU-US Data Privacy Framework)
- • Stripe — Payment processing (USA — EU-US Data Privacy Framework)
Data Retention
We retain your data only as long as necessary.
- • Account data: retained while your account is active
- • Biometric data: automatically deleted after 90 days
- • Anonymous selfies: automatically deleted after 24 hours
- • Analytics data: retained for up to 26 months
Your Rights
Under GDPR, you have the following rights:
- • Right of access to your personal data (Art. 15)
- • Right to rectification of inaccurate data (Art. 16)
- • Right to erasure — right to be forgotten (Art. 17)
- • Right to restrict processing (Art. 18)
- • Right to data portability (Art. 20)
- • Right to object to processing (Art. 21)
- • Right to lodge a complaint with the CNIL (www.cnil.fr)
International Transfers
Your data may be processed on servers located in the European Union and the United States. Transfers to the USA are protected by the EU-US Data Privacy Framework (DPF). All sub-processors handling data outside the EU adhere to Standard Contractual Clauses (SCCs) or equivalent safeguards.
Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
Email: privacy@pixload.io
Pixload Limited
Unit 2A, 17/F, Glenealy Tower
No.1 Glenealy, Central
Hong Kong S.A.R.
