Privacy Policy

Your privacy matters to us. This Privacy Policy explains how Event Photo Share Inc. ("PicStashio," "we," "us," or "our"), a Colorado corporation, collects, uses, discloses, and protects your personal information when you use our website at picstash.io and the PicStashio application (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

1. Information We Collect

1.1 Information You Provide

• Account Information: When you create an event, we collect your name, email address, and event details (such as event name and date).
• Photos and Videos: Guests and event creators upload photos and videos to the Service. These are stored on your behalf and are considered your content.
• Payment Information: When you purchase a plan, payment is processed by Stripe. We do not store your credit card number or full payment details on our servers. See Stripe's Privacy Policy for details on how Stripe handles payment data.
• Communications: If you contact us at support@picstash.io, we collect the content of your message and your email address.

1.2 Information Collected Automatically

When you access the Service, our servers may automatically record standard technical information, including:

• IP address
• Browser type and version
• Device type and operating system
• Pages visited and time spent
• Referring URL

We use this information for security, diagnostics, and to improve the Service. We do not use third-party tracking cookies or advertising pixels. See Section 6 for our approach to cookies.

1.3 Photo Content Analysis

When photos are uploaded, we perform automated content analysis to detect offensive or inappropriate material. This analysis is performed solely for safety and moderation purposes. We do not use uploaded photos for advertising, machine learning training, or any purpose beyond providing the Service to you.

2. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Service
• Process transactions and send related notifications
• Moderate uploaded content for safety (automated offensive content detection)
• Respond to your requests and support inquiries
• Send transactional emails (event confirmations, download links, account updates)
• Send marketing communications where you have opted in (you can unsubscribe at any time)
• Detect, prevent, and address fraud, abuse, or security issues
• Comply with legal obligations

We will never sell your personal information to third parties.

3. How We Share Your Information

We share your information only in the following circumstances:

• Service Providers: We use trusted third-party services to operate the Service, including:
  • Stripe — payment processing
  • Google Cloud Platform — photo storage and infrastructure
  • Resend — transactional email delivery
  • Vercel — website hosting

  These providers access only the data necessary to perform their functions and are contractually obligated to protect it.

• Event Participants: Photos uploaded to an event are visible to other participants of that event, as determined by the event creator's sharing settings.
• Legal Requirements: We may disclose your information if required by law, court order, or governmental request, or to protect the rights, safety, or property of PicStashio, our users, or the public.
• Business Transfers: If PicStashio is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

4. Photo Storage and Retention

• Uploaded photos and videos are stored securely on Google Cloud Platform.
• Your content is retained for the duration of your plan's Stash Lifetime (e.g., 90 days for free plans, 2 years for paid plans). You may extend your Stash Lifetime at any time.
• When your Stash Lifetime expires, we will notify you and provide a 90-day grace period. If you do not respond or renew within that period, your photos and event data will be permanently deleted.
• You may request deletion of your photos and account data at any time by contacting us at support@picstash.io.

5. Data Security

We take reasonable and commercially appropriate measures to protect your information, including:

• Encryption of data in transit (TLS/HTTPS)
• Encryption of stored data at rest on Google Cloud Platform
• Secure payment processing through PCI DSS-compliant Stripe
• Access controls limiting personnel access to personal data on a need-to-know basis

No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data using industry-standard practices.

6. Cookies and Tracking

We take a privacy-first approach. PicStashio does not use third-party tracking cookies, advertising pixels, or cross-site tracking technologies.

We may use strictly necessary cookies for essential functionality such as maintaining your session and processing payments. These cookies are required for the Service to operate and cannot be disabled.

Because we do not use non-essential cookies, no cookie consent banner is required.

Do Not Track: Some browsers offer a "Do Not Track" (DNT) signal. Because PicStashio does not track users across third-party websites and does not use advertising cookies, our practices already align with DNT preferences by default.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

7.1 All Users

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct any inaccurate or incomplete information.
• Deletion: Request that we delete your personal information and uploaded content.
• Opt-Out of Marketing: Unsubscribe from marketing emails at any time using the link in each email or by contacting us.

7.2 European Economic Area, UK, and Switzerland (GDPR)

If you are in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Legal Basis: We process your data based on: (a) performance of a contract (providing the Service), (b) your consent (marketing communications), (c) our legitimate interests (security, fraud prevention, improving the Service), and (d) compliance with legal obligations.
• Data Portability: Request your data in a structured, commonly used, machine-readable format.
• Restrict Processing: Request that we limit how we use your data in certain circumstances.
• Object to Processing: Object to processing based on our legitimate interests.
• Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
• Lodge a Complaint: You have the right to file a complaint with your local data protection authority.

Event Photo Share Inc. is the data controller. For personal data transferred outside the EEA, we rely on appropriate safeguards including standard contractual clauses.

7.3 California Residents (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: Request the categories and specific pieces of personal information we have collected about you.
• Right to Delete: Request deletion of your personal information.
• Right to Opt-Out of Sale: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

In the past 12 months, we have collected: identifiers (name, email, IP address), commercial information (purchase history), and audio/visual data (uploaded photos and videos). We collect this information for the business purposes described in Section 2.

7.4 Canadian Residents (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including the right to access, correct, and withdraw consent for the use of your personal information.

7.5 Australian Residents

If you are an Australian resident, your personal information is handled in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. You may access and correct your personal information and make a complaint about a breach of the Australian Privacy Principles by contacting us.

To exercise any of these rights, please contact us at support@picstash.io. We will respond to your request within 30 days (or sooner if required by applicable law).

8. Data Retention

• Photos and event data: Retained for the duration of your Stash Lifetime, plus a 90-day grace period after expiry (see Section 4).
• Account information: Retained for as long as your account is active. If you request account deletion, we will delete your data within 30 days, except where retention is required for legal or compliance purposes.
• Payment records: Transaction records are retained as required for tax, accounting, and legal obligations. Payment card details are stored and managed by Stripe, not by PicStashio.
• Support communications: Retained for up to 2 years to improve service quality, unless you request earlier deletion.

9. Children's Privacy

PicStashio accounts may only be created by individuals who are 18 years of age or older. Guests of any age may upload photos to an event at the invitation of the event creator.

We do not knowingly collect personal information from children under 13 years of age. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at support@picstash.io.

10. International Data Transfers

PicStashio is operated from the United States. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States where our servers and service providers operate.

Where required by applicable law (such as GDPR), we use appropriate safeguards for international data transfers, including standard contractual clauses approved by the European Commission.

11. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective Date" at the top of this page and, where required by law, notify you by email or through the Service.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: