Privacy Policy

March 21, 2026

1. Data Controller

Bartosz Rżycki, unregistered sole trader (działalność nierejestrowana), Poland.

Contact: team@albumqr.io — response within 30 days.

2. Data We Process

Organizers

email address and Google profile (OAuth), event name and configuration, payment data (processed exclusively by Stripe — we do not store card details), technical data (IP, logs).

Guests

photos and thumbnails (uploaded directly to S3 via presigned URL), optional name and message, photo metadata (date, size, EXIF), technical data. Likes are stored locally in the browser only.

Analytics

Google Analytics 4 — traffic and interaction data (GA4 events), with user consent (Consent Mode v2). Data transferred to Google LLC (USA).

3. Purposes and Legal Bases

We process data to provide the service and handle payments (performance of contract), ensure security and analytics (legitimate interests), optional Google Drive integration (consent), and fulfil legal obligations.

4. Organizer Responsibility for Image Rights

⚠️ Important

AlbumQR is a technical tool. The service administrator does not moderate content or verify consents for use of likeness. The Organizer is responsible for informing participants and obtaining any required consents (applicable portrait rights law, GDPR).

5. Data Processors

Processor | Purpose
Vercel Inc. | USA — hosting; Standard Contractual Clauses (SCCs)
Amazon Web Services | S3 eu-central-1 Frankfurt, CloudFront — photos; SCCs
Stripe Inc. | USA — payments; independent data controller
Google LLC | USA — OAuth, Google Analytics 4, optionally Google Drive; SCCs
Neon Inc. | PostgreSQL database (AWS eu-central-1, EEA)

6. Security

  • HTTPS/TLS encrypted transmission
  • Photos uploaded directly to S3 via presigned URL (valid 15 min)
  • Private gallery access protected by CloudFront signed cookies (24 h)
  • Rate limiting on upload endpoints

7. Retention Periods

  • Photos and metadata — until deleted by the organizer or plan expiry
  • Google account data — for the duration of the account, deleted on request
  • Payment data — in accordance with Stripe policy (up to 5 years, legal requirements)
  • Technical logs — up to 90 days

8. Your Rights

Under the GDPR you have the right of access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent. Contact us: team@albumqr.io.

You may also lodge a complaint with the Polish Data Protection Authority (UODO), ul. Stawki 2, Warsaw — uodo.gov.pl.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

1. Right to Know

You have the right to know what personal information we collect. We collect the following categories:

  • Identifiers (email address, OAuth profile data from Google)
  • Event configuration data (event name, dates, settings)
  • Uploaded photo metadata (file size, dimensions, EXIF date, orientation)
  • Usage logs and technical data (IP address, browser information)
  • Payment records — handled exclusively by Stripe Inc. (we do not store card numbers)

2. Right to Delete

You may request deletion of your personal information. Organizers can delete their account and all associated data via the self-service account deletion feature at /settings (Danger Zone → Delete Account), or by contacting us at team@albumqr.io.

3. Right to Opt-Out of Sale or Sharing

AlbumQR does not sell or share personal information for monetary or other valuable consideration. We do not sell your data to third parties, and we do not share your data for cross-context behavioural advertising.

4. Right to Non-Discrimination

AlbumQR will not discriminate against you for exercising any of your CCPA rights. You will not be denied services, charged different prices, or provided a different level of service because you exercised your privacy rights.

5. How to Submit a Request

To submit a privacy rights request, contact us at: team@albumqr.io. We will respond within 45 days of receiving a verifiable consumer request.

9. Cookies and localStorage

We use NextAuth session cookies (necessary for login) and CloudFront signed cookies (gallery access, 24 h). localStorage stores likes and language preferences locally.

With your consent we also set Google Analytics 4 cookies (_ga, _ga_*) — stored for up to 2 years. You may withdraw consent at any time by clicking "Decline" in the consent banner or clearing browser data. We use Consent Mode v2 — no analytics cookies are set before consent is given.

Google Consent Mode v2 may apply behavioral modeling techniques, including conversion modeling and Google Signals, even when a user has not provided full analytics consent. This means Google may estimate traffic patterns from aggregated, anonymised data. For details, see: Google Consent Mode v2.

10. Changes to This Policy

The current version is available at www.albumqr.io/privacy. Organizers will be notified of material changes by email.

11. Minimum Age Requirement (COPPA / GDPR)

This service is intended for users who are 16 years of age or older. This requirement follows GDPR Art. 8 and the US Children's Online Privacy Protection Act (COPPA).

AlbumQR does not knowingly collect personal data from children under the age of 16. If we become aware that such data has been collected, it will be deleted immediately.

Organizers are responsible for ensuring that Guests participating in their events meet the minimum age requirement.

12. Data Breach Notification

In the event of a personal data breach, AlbumQR will notify the Polish Data Protection Authority (UODO, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl) within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 33.

When a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals directly without undue delay (GDPR Art. 34).

To report a suspected security incident, contact: team@albumqr.io.