Privacy Policy

1. Introduction

Protecting your personal data is important to us. This Privacy Policy explains the type, scope and purpose of processing personal data in the EventPics app.

2. Controller

Aigner Software e. U.
Owner: Matthias Manuel Aigner
Hauptplatz 23
4190 Bad Leonfelden
Austria
Email: [email protected]

3. Collection and processing of personal data

3.1 When using the app

Email address (for registration and login)
Profile information (name, profile photo)
Event‑related data (event names, descriptions)
Uploaded photos and videos incl. metadata (e.g. EXIF)
Capture time/creation date (“takenAt” or EXIF DateTimeOriginal)
Link/access IDs (e.g. share links, access codes) and related permissions
API keys (only for integrations, e.g. photo booth)
Usage data (login times, app usage)

3.2 Data collected automatically

Device information (OS, app version)
IP address (for security purposes)
Server log data (e.g. request time, URL/endpoint, HTTP status, user agent)
Cookies and similar technologies

4. Purpose of processing

Your data is processed for the following purposes:

Providing app functionality
Managing your user account
Organising and sharing events
Direct uploads via pre‑signed “uploadUrl” (e.g. to Cloudflare R2) and upload confirmation
Storing and providing photos/videos
Improving our services
Technical support

5. Legal bases

We process your data based on:

Your consent (Art. 6(1)(a) GDPR)
Contract performance (Art. 6(1)(b) GDPR)
Legitimate interests (Art. 6(1)(f) GDPR), e.g. IT security, abuse prevention
Legal obligations (Art. 6(1)(c) GDPR)

6. Data sharing

We do not share personal data with third parties unless:

To other app users (only content you have shared)
To processors/service providers supporting us, e.g. cloud hosting/object storage (e.g. Cloudflare R2, EU region), database/server functions/hosting/logging (e.g. Google Cloud europe‑west3 incl. Cloud Firestore), and email/support providers
To Apple/Google in connection with app store processing (in‑app purchases) – separate controllers
Where required by law or government order

International transfers: Where providers outside the EU/EEA are used, transfers rely on Standard Contractual Clauses (SCC) and additional technical/organisational measures.

7. Data storage

Your data is stored:

Until your account or event is deleted
Free events: automatic deletion of content usually after 6–8 weeks
Premium: no automatic deletion until you actively delete
Server logs: for short periods (typically 30–90 days) for security/error purposes
Backups: for a limited time (e.g. up to 30 days), then overwritten
Billing/record data: until statutory retention periods expire

Storage location: For users in the EU/EEA we store photos, videos and account data in EU data centres (e.g. Cloudflare R2 – EU region; Google Cloud – region europe‑west3, e.g. Cloud Firestore). For users outside the EU/EEA, storage takes place in a geographically nearby data centre (provider region). Content delivery via CDN may technically use edge nodes outside the EU; no permanent copies of your content are stored outside the EU for this purpose.

8. Your rights

You have the following rights:

Access to your stored data
Rectification of inaccurate data
Erasure of your data
Restriction of processing
Data portability
Right to object

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR).

9. Security measures

We implement comprehensive technical and organisational measures to protect your data:

Encrypted data transfer (HTTPS/TLS)
Encrypted data at rest
Regular security updates
Access controls and authentication

10. Additional information

10.1 Roles & processing on behalf

For content within an event, the organiser is usually the controller; EventPics acts as a processor. For account data, security, billing and platform operation, EventPics is the controller. Our Data Processing Agreement (DPA) is available for download on the DPA download page.

10.2 Cookies & local storage

We use technically necessary cookies/local storage (e.g. session, language, preferences). In addition, we use cookies/local storage for analytics (audience measurement) only with your consent. We do not use advertising cookies.

10.3 Exercising your rights

You can exercise your rights at any time via the app or by email to [email protected]. We verify requests and usually respond within one month. You can withdraw consents (e.g. push) in the device/app settings.

10.4 Supervisory authority (right to lodge a complaint)

Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, [email protected], dsb.gv.at

10.5 Payment processing (app stores)

In‑app purchases are processed via Apple App Store or Google Play. EventPics does not receive full payment details, but status/receipt information to fulfil the contract.

10.6 QR code generator

Inputs/logos are processed exclusively in your browser and are not sent to our servers.

10.7 Photo subjects

Please note that uploaded images may contain personal data of third parties. As the organiser you ensure there is a legal basis for capturing/processing/sharing.

10.8 Google Analytics (website) & Firebase Analytics (app/web app)

We use Google Analytics (GA4) on the website and Firebase Analytics in the app/web app for audience measurement and error analysis (no ads).

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Data types: usage/event data (e.g. page views, clicks, app starts), truncated IP address, device/browser info, language, approximate location (country/region). In mobile apps, advertising identifiers (IDFA/AAID) may be processed if allowed in OS settings.
Purpose: audience measurement, product improvement and stability. No personalised advertising.
Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time in the cookie/consent banner. On mobile, you can limit use of the advertising identifier in OS settings.
Retention: event data is stored in Analytics/Firebase for 2–14 months (configurable).
International transfers: Data may be transferred to the USA. Google relies on EU Standard Contractual Clauses (Art. 46 GDPR).
IP anonymisation: Enabled by default in GA4.
Data processing agreement: We have a DPA with Google (Art. 28 GDPR).
Opt‑out: In addition to the consent banner you can use Google’s browser add‑on: https://tools.google.com/dlpage/gaoptout. More information: Google Privacy Policy, Firebase Privacy.

10.9 Storage location for images/videos (Cloudflare R2)

We use Cloudflare R2 to deliver and securely store photos and videos.

Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Cloudflare Germany GmbH, Rosental 7, 80331 Munich.
Data types: media content (photos/videos), file name, MIME type, size and any metadata supplied by you (e.g. EXIF timestamp).
Region: For users in the EU/EEA, data is stored in EU buckets. For users outside the EU, storage may take place outside the EU.
Purpose: storage, content delivery (CDN), download, abuse/spam prevention, availability and scalability.
Legal bases: Performance of contract (Art. 6(1)(b) GDPR) to provide your event, and legitimate interests (Art. 6(1)(f) GDPR) in secure, performant delivery.
Security/transfers: encryption in transit (TLS) and at rest. For third‑country transfers (e.g. USA), Cloudflare relies on appropriate safeguards (e.g. EU Standard Contractual Clauses under Art. 46 GDPR).

10.10 Firebase services (Firestore & Cloud Functions)

We use Google Firebase/Google Cloud to process event data (e.g. event/album metadata, upload workflows).

Provider: Google Ireland Limited (EEA) / Google LLC (USA).
Data types: data you enter (e.g. event titles), system/process data (e.g. link IDs, confirmation IDs), technical log data (e.g. timestamps, service responses).
Purpose: operating the platform (store/retrieve data), generating upload URLs, sending system notifications, scaling and availability.
Legal bases: performance of contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) in secure, stable operation.
Transfers: processing may also take place outside the EU; Google uses, among other things, the EU Standard Contractual Clauses (Art. 46 GDPR).

10.11 Firebase Authentication (email, Apple, Google)

We use Firebase Authentication for sign‑in.

Data types: email address, hashed passwords (for email sign‑in), provider IDs/tokens (Apple/Google), and possibly display name/profile picture from the respective provider.
Purpose: account/session management, access protection, fraud prevention.
Legal basis: performance of contract (Art. 6(1)(b) GDPR).
Transfers/security: processing on Google infrastructure with modern safeguards; for third‑country transfers: EU Standard Contractual Clauses.

10.12 Firebase App Check & Crashlytics

App Check protects backend resources from abuse (e.g. bots) using device/integrity attestations; Crashlytics collects crash reports to improve stability.

Data types (App Check): attestation/integrity signals, technical device info, time/context of requests.
Data types (Crashlytics): crash logs, device/OS info, app version, anonymous session IDs; no album content.
Purpose: security (App Check) and product stability/error diagnostics (Crashlytics).
Legal basis: legitimate interests (Art. 6(1)(f) GDPR).

10.13 No personalised advertising

We do not build advertising profiles and do not serve third‑party ads. We may display information about EventPics features or offers (self‑promotion; Art. 6(1)(f) GDPR, with right to object).

11. Contact

If you have questions about data protection, please contact us:

Email: [email protected]

Address: Aigner Software e. U. (owner: Matthias Manuel Aigner), Hauptplatz 23, 4190 Bad Leonfelden, Austria

12. Changes

This Privacy Policy may be updated. Changes will be communicated in the app.

Effective: October 2025

Choose language