Privacy Policy

1. Data Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

TwoMenCrew GbR (Civil-law partnership under German BGB — Bürgerliches Gesetzbuch / German Civil Code)

Partners: Jens Schwoon & Daniel Wagner Friedensstraße 7 48151 Münster, Germany

Email: contact@snapveil.com

A Data Protection Officer (DPO) is not legally required pursuant to Art. 37 GDPR and has not been appointed.

2. General Information

This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data when you use Snapveil. Snapveil is a platform for creating and managing private event photo galleries. Organizers create event galleries, and guests join via QR code directly in their browser — no app installation is required.

We take the protection of your personal data seriously. We process your personal data in compliance with the applicable data protection legislation, in particular the GDPR, the BDSG (Bundesdatenschutzgesetz — German Federal Data Protection Act), and the TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz — German Telecommunications and Telemedia Data Protection Act).

3. Collection and Storage of Personal Data

3.1 Website Visits (Server Log Files)

Each time you access our website, our system automatically collects data and information from your device. The following data is collected:

• IP address of the requesting device (anonymized)
• Date and time of the request
• Name and URL of the requested resource
• Website from which the request originates (referrer URL)
• Browser type and version, and operating system of the requesting device

This data is stored in log files to ensure the functionality and security of the website. The data is also used for optimization purposes and to ensure the security of our information technology systems. The data is stored temporarily and is not merged with other data sources.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring the functionality and security of the website).

3.2 Cookies

Our website uses cookies. Cookies are small text files that are stored in or by the web browser on your device.

Strictly Necessary Cookies

These cookies are essential for the operation of the website, in particular for session management, security, and storing your locale preference. This includes the SPV_LOCALE cookie, which stores your language preference and has an expiry period of 30 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technical functionality of the website). These cookies are also exempt from the consent requirement under Section 25(2) TTDSG (German implementation of the ePrivacy Directive), as they are strictly necessary for the provision of the service explicitly requested by the user.

Functional Cookies

These cookies enable extended features such as maintaining your login state and remembering user preferences. They enhance the usability of the website but are not essential for its basic operation.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing an enhanced user experience).

Analytical Cookies

These cookies are used to collect usage statistics, monitor performance, and understand how visitors interact with the website. Analytical cookies help us improve the quality and relevance of our services.

These cookies are set only with your explicit consent.

Legal basis: Art. 6(1)(a) GDPR (consent).

Marketing Cookies

These cookies may be used to deliver personalized content and to measure the effectiveness of promotional campaigns.

These cookies are set only with your explicit consent.

Legal basis: Art. 6(1)(a) GDPR (consent).

Cookie Consent Management

We use a cookie banner to obtain your consent for non-essential cookies before they are set. You have the right to withdraw your consent at any time by adjusting your cookie preferences through the cookie banner or your browser settings. Withdrawal of consent does not affect the lawfulness of processing carried out based on consent before its withdrawal.

3.3 Use of Services

a) Organizer Registration

To create event galleries, we collect the following data:

• Email address
• Username
• Password (stored exclusively as a cryptographic hash)
• Event information (event name, date, location)

Registration is also available via Google OAuth, in which case we receive your name and email address from Google as part of the authentication process. No password is stored by Snapveil for Google OAuth accounts.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — provision of the event gallery service).

b) Guest Participation

When joining an event gallery, we collect:

• Username (required)
• Email address (optional — used for receiving notifications when the event gallery is completed)

Guests access galleries via QR code directly in their browser. No app download or full registration is required.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — enabling participation in the event gallery).

3.4 Uploaded Photos and Videos

When photos and videos are uploaded to an event gallery, we process the following data:

• The image and video files themselves
• EXIF metadata contained in the files
• Upload timestamp and association with the uploading user

EXIF Metadata

We extract and store the following EXIF metadata from uploaded images:

• Camera information: Manufacturer, model, software
• Capture settings: Exposure time, aperture, ISO value, focal length, flash usage
• Time information: Date and time of capture
• Location data: GPS coordinates (if present in the image)
• Additional technical data: Resolution, orientation, exposure mode

This data is used to enhance gallery features such as sorting by capture time and displaying camera settings.

You can prevent the storage of EXIF metadata by stripping it from your images before uploading.

Reverse Geocoding of GPS Data

If uploaded images contain GPS coordinates, these coordinates are transmitted to LocationIQ (locationiq.com), operated by Unwired Labs, Inc., to convert them into human-readable location names (e.g., "Berlin, Germany" instead of numerical coordinates). Only the GPS coordinates are transmitted — no personal identifiers are sent to LocationIQ.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing an optimized gallery experience with readable location information).

Further information about data processing by LocationIQ can be found in their privacy policy: https://locationiq.com/privacy.

Storage

Photos and videos are stored via Cloudflare services on servers within the EU (Germany/EU):

• Cloudflare Images for photo processing and delivery
• Cloudflare Stream for video processing and delivery
• Cloudflare R2 for general object storage

All file transfers between Snapveil and Cloudflare are encrypted.

Important: Snapveil is not responsible for the content of uploaded images and videos. Users must ensure they hold the necessary rights to upload and share the content.

3.5 AI-Powered Image Analysis

AI-powered image analysis features are available on the Premium + AI plan (EUR 34.90). These features include:

• Automatic content recognition — identifying and tagging image content (e.g., "dancing," "group photo," "outdoor ceremony"). AI tagging works in multiple languages.
• Face detection and grouping — detecting faces and grouping photos of similar persons together.
• Photo quality scoring — assessing the technical quality of uploaded photos.

Organizer Control

AI features can be enabled or disabled per event by the Organizer. When an Organizer creates or configures an event on the Premium + AI plan, they decide whether AI analysis is active for that event.

Face grouping specifically requires an explicit opt-in action by the Organizer. It is not enabled by default, even when other AI features are active.

Legal Basis

• General AI analysis (content recognition, quality scoring): Art. 6(1)(b) GDPR (performance of a contract — AI features are part of the subscribed Premium + AI plan and constitute a core element of the service).
• Face grouping: Face data may constitute biometric data under Art. 9 GDPR (special categories of personal data). The legal basis for face grouping is Art. 9(2)(a) GDPR — explicit consent. The Organizer provides this consent by explicitly enabling the face grouping feature. The Organizer is responsible for informing depicted persons (guests) about the activation of face grouping and ensuring their awareness. Organizers should inform their guests, for example, when sharing the event QR code or invitation.

Processing

When AI features are enabled, analysis runs automatically in the background after photos are uploaded. The results (tags, face groupings, quality scores) are used solely to improve the gallery experience and photo organization for the event. AI results do not leave the Snapveil platform and are deleted together with the event data upon expiration.

3.6 Payment Processing via Stripe

Snapveil uses Stripe, Inc. as its payment processor for one-time event payments. Snapveil offers the following paid tiers:

• Premium (EUR 24.90): 2,500 photos, 250 minutes of video, 12 months storage, original quality downloads
• Premium + AI (EUR 34.90): Everything in Premium plus AI-powered features

Snapveil does not store credit card numbers or other sensitive payment data. All payment information is collected and processed directly by Stripe.

Further information about Stripe's data processing practices can be found in their privacy policy: https://stripe.com/privacy.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — processing payment for the purchased service).

3.7 Notification Services

In connection with the use of Snapveil, we send the following types of email notifications:

• Welcome email — sent upon registration to confirm your account
• Gallery available notification — sent to guests when the Organizer completes the event and the gallery is ready for viewing
• Guest access link — sent after a guest joins an event, providing a link to access the gallery
• Export complete notification — sent when a photo/video export is ready, including a download link
• Storage expiring warning — sent approximately 30 days before the event's storage period expires, reminding users to download their content
• Storage expired notification — sent after the storage period has ended and the event has been archived/deleted
• Organizer notifications — sent to Organizers about event activity (e.g., new uploads, guest activity)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract — these notifications are necessary to fulfill the event gallery service and keep users informed about the status of their data).

3.8 Newsletter

If you have given us your explicit consent, we will periodically send you a newsletter by email. The newsletter may contain information about new features, event photography tips, and special offers.

Double Opt-In

Newsletter registration follows a double opt-in procedure. After you subscribe (e.g., during registration or when exporting your gallery), you will receive a confirmation email. Your subscription is only activated after you click the confirmation link in that email. This procedure prevents unauthorized sign-ups.

We log the subscription process (time of opt-in, confirmation, and IP address) to be able to provide proof of your consent as required by law.

Legal basis: Art. 6(1)(a) GDPR (consent).

You can withdraw your consent and unsubscribe from the newsletter at any time by clicking the unsubscribe link included at the bottom of every newsletter email. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4. Data Sharing with Third Parties

We share personal data with third parties only as described below. All processors are bound by Data Processing Agreements pursuant to Art. 28 GDPR.

4.1 Cloudflare, Inc.

• Purpose: Photo and video storage, processing, and content delivery (Cloudflare Images, Cloudflare Stream, Cloudflare R2)
• Data processed: Uploaded photos, videos, and associated metadata
• Jurisdiction: EU servers (Germany/EU). Cloudflare, Inc. is a US-based company but processes Snapveil data on EU servers.
• Safeguards: Data Processing Agreement per Art. 28 GDPR. Cloudflare is certified under the EU-US Data Privacy Framework.
• Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in reliable and secure storage)

4.2 Stripe, Inc.

• Purpose: Payment processing for one-time event purchases
• Data processed: Payment information (collected directly by Stripe), transaction details, email address
• Jurisdiction: US-based with EU data processing capabilities
• Safeguards: EU-US Data Privacy Framework certified. Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR are in place.
• Legal basis: Art. 6(1)(b) GDPR (contract performance)
• Privacy policy: https://stripe.com/privacy

4.3 LocationIQ (Unwired Labs, Inc.)

• Purpose: Reverse geocoding of GPS coordinates from EXIF metadata to generate human-readable location names
• Data processed: GPS coordinates only — no personal identifiers are transmitted
• Jurisdiction: US-based
• Safeguards: Only anonymous GPS coordinates are transferred. No personal data linkage occurs.
• Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing location-enriched gallery features)
• Privacy policy: https://locationiq.com/privacy

4.4 AI Service Providers

• Purpose: Image analysis when AI features are enabled by the Organizer (content recognition, face detection and grouping, quality scoring)
• Data processed: Uploaded photos and image data for the purpose of analysis and categorization
• Safeguards: Data Processing Agreements per Art. 28 GDPR are in place. Processing is limited to the purposes described in Section 3.5.
• Legal basis: Art. 6(1)(b) GDPR (contract performance for the Premium + AI plan) and Art. 9(2)(a) GDPR (explicit consent for face grouping)

4.5 Other Disclosures

• Organizers can view and download all photos and videos uploaded to their event galleries.
• We may disclose personal data to law enforcement authorities or courts if required by law or by a binding legal order. In such cases, the legal basis is Art. 6(1)(c) GDPR (compliance with a legal obligation).

5. Automated Decision-Making

Snapveil's AI features analyze photos automatically when enabled by the Organizer, but do not make any decisions with legal or similarly significant effects on individuals. No profiling or automated individual decision-making within the meaning of Art. 22 GDPR takes place.

AI results — including content tags, face groupings, and quality scores — are used solely to organize and improve the gallery experience. They do not influence any rights, access, or entitlements of any person.

6. Your Rights (Data Subject Rights)

Under the GDPR, you have the following rights with respect to your personal data:

• Right of access (Art. 15 GDPR) — You have the right to obtain confirmation as to whether personal data concerning you is being processed, and if so, to access that data and receive further information about the processing.

• Right to rectification (Art. 16 GDPR) — You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.

• Right to erasure (Art. 17 GDPR) — You have the right to request the deletion of your personal data. You can delete your account at any time through your dashboard settings (self-service). Alternatively, you may contact us at contact@snapveil.com to request deletion.

• Right to restriction of processing (Art. 18 GDPR) — You have the right to request that we restrict the processing of your personal data under certain conditions.

• Right to data portability (Art. 20 GDPR) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

• Right to object (Art. 21 GDPR) — You have the right to object, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6(1)(f) GDPR (legitimate interest). We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.

• Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on your consent, you have the right to withdraw that consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

For expiring events: You will receive an email notification approximately 30 days before your photos are scheduled for deletion, giving you the opportunity to download your content.

To exercise any of these rights, please contact us at contact@snapveil.com.

7. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for TwoMenCrew GbR is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia)

Kavalleriestr. 2-4 40213 Düsseldorf, Germany

Phone: +49 211 38424-0 Email: poststelle@ldi.nrw.de

8. Data Security

We implement technical and organizational security measures to protect your personal data against unauthorized access, loss, destruction, or alteration:

• Encryption in transit: All data transmitted between your device and Snapveil is encrypted using HTTPS/TLS.
• Secure EU storage: Photos, videos, and associated data are stored on EU servers via Cloudflare services (Images, Stream, R2), in compliance with GDPR requirements.
• Password security: User passwords are stored exclusively as cryptographic hashes and are never stored in plaintext.
• Regular updates: We perform regular security updates and monitoring of our systems.
• Access controls: We enforce access controls and authentication mechanisms to ensure that personal data is only accessible to authorized personnel and systems.

9. Storage Duration

Personal data is retained only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless longer retention is required by law.

Event Data (Photos, Videos, and Associated Data)

• Free Events: 2 months from event creation
• Premium Events (EUR 24.90): 12 months from purchase date
• Premium + AI Events (EUR 34.90): 12 months from purchase date

After the storage period expires: The entire event is automatically deleted, including all photos, videos, AI analysis results, and associated metadata.

Before deletion: You will receive an email notification approximately 30 days prior to the scheduled deletion date.

Account Data After Deletion

When you delete your account or when event data expires, your personal data is either anonymized or deleted, except where retention is required by law:

• Accounting records: Retained for 10 years in accordance with Section 257 HGB (Handelsgesetzbuch — German Commercial Code).
• Tax-relevant data: Retained for 6 to 10 years in accordance with Section 147 AO (Abgabenordnung — German Fiscal Code).

During these statutory retention periods, the data is restricted from further processing and is used solely for compliance with legal obligations.

10. Information for International Users

United Kingdom

Following the United Kingdom's departure from the European Union, UK users are protected by the UK GDPR and the Data Protection Act 2018. Snapveil applies equivalent protections to UK users as to users in the EU/EEA. Your rights under UK data protection law are substantially the same as those described in Section 6 of this Privacy Policy.

United States (California)

Snapveil does not sell personal information as defined by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). California residents have the right to know what personal data is collected, the right to request deletion, and the right to opt out of the sale of personal information. Since Snapveil does not sell personal information, no opt-out mechanism is necessary. California residents may exercise their data rights by contacting us at contact@snapveil.com.

Other Jurisdictions

For users located outside the EU/EEA, your personal data is processed in the European Union under GDPR standards, which provide a high level of data protection. By using Snapveil, you acknowledge that your data will be transferred to and processed in the EU.

11. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in the applicable legal framework, regulatory requirements, or modifications to our services.

In the event of material changes, we will notify you via email or through an in-app notification. Continued use of Snapveil after such notification constitutes acceptance of the updated Privacy Policy. If you do not agree with the changes, you may discontinue use of the service and request deletion of your data.

We recommend reviewing this Privacy Policy periodically.

---

This is a template for informational purposes. Consult with a qualified attorney for legal advice specific to your situation.

Last updated: March 28, 2026