Privacy Policy
Last updated: April 29, 2026 · Effective: April 29, 2026
1. Who We Are
Spotlr ("we," "us," "our") operates the website spotlr.ai — an AI-powered event photo marketplace that connects event photographers with attendees using facial recognition technology.
Spotlr acts as a data controller for account data, usage data, and platform operations. When processing photos and facial data uploaded by photographers on behalf of event attendees, Spotlr acts as a data processor under the photographer's direction.
2. Information We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | Full name, email address, phone number, profile photo, password (hashed) | You provide this at registration |
| Profile & Demographics | Date of birth, gender, occupation, Instagram handle, location (state/city) | You provide this optionally in Settings |
| Biometric Data | Facial descriptors (128-dimension numerical vectors derived from photos — not images themselves) | Generated client-side when you use Discover You |
| Event & Photo Data | Event titles, descriptions, dates, locations, uploaded photographs, watermarked previews | Photographers provide this when creating events |
| Transaction Data | Purchase history, cart contents, order IDs, payout records | Generated when you buy or sell photos |
| Payment Data | Handled entirely by Stripe — we never store card numbers, CVVs, or full banking details | Stripe collects this during checkout |
| Device & Technical Data | IP address, browser type, operating system, device type, screen resolution | Collected automatically via server logs |
| Usage Data | Pages visited, time on site, features used, click patterns, referring URL | Collected automatically via Firebase Analytics |
3. Facial Recognition — Detailed Disclosure
How it works
- Enrollment: You upload a selfie or profile photo. The image is processed entirely client-side in your browser using the open-source face-api.js library. A 128-dimension facial descriptor (a set of numbers representing facial geometry) is extracted. The original photo is not uploaded to our servers for this purpose.
- Storage: Only the numerical descriptor is transmitted and stored in your Firestore account document, encrypted at rest using Google Cloud's AES-256 encryption. The descriptor is associated with your user ID and cannot be reverse-engineered into a facial image.
- Matching: When you visit an event gallery and activate "Discover You," your stored descriptors are compared against descriptors from event photos to calculate similarity scores. Photos exceeding the match threshold are surfaced to you.
- Deletion: You can delete all stored facial descriptors at any time from Settings. They are also permanently deleted if you delete your account. Deletion is immediate and irreversible.
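The enrollment and matching steps above, shown as an added example that is not Spotlr's code. It assumes face-api.js-style 128-dimension descriptors compared by Euclidean distance with the library's default FaceMatcher threshold of 0.6 (whether Spotlr uses that threshold is an assumption); the descriptors are constructed sample vectors, not data derived from real photos. The enrollment payload function illustrates the point that only the numeric vector, never the image, leaves the browser.

```javascript
// Added example, not Spotlr's code. Descriptors here are constructed values;
// the 0.6 distance threshold is an assumption (face-api.js FaceMatcher default).

const DESCRIPTOR_LENGTH = 128;
const MATCH_DISTANCE_THRESHOLD = 0.6; // lower distance = more similar face

// Euclidean distance between two 128-d descriptors.
function euclideanDistance(a, b) {
  if (a.length !== DESCRIPTOR_LENGTH || b.length !== DESCRIPTOR_LENGTH) {
    throw new Error(`descriptors must have ${DESCRIPTOR_LENGTH} dimensions`);
  }
  let sum = 0;
  for (let i = 0; i < DESCRIPTOR_LENGTH; i++) {
    const d = a[i] - b[i];
    sum += d * d;
  }
  return Math.sqrt(sum);
}

// What the browser sends on enrollment: the user id and the numeric descriptor
// only. No image bytes are part of the payload, which is the privacy property
// the policy describes.
function enrollmentPayload(userId, descriptor) {
  if (!(descriptor instanceof Float32Array)) throw new TypeError('expected Float32Array');
  return { userId, descriptor: Array.from(descriptor) };
}

// Compare the user's stored descriptors against the faces found in each event
// photo; return the photos whose best distance is under the threshold.
function discoverMatches(userDescriptors, photoDescriptors, threshold = MATCH_DISTANCE_THRESHOLD) {
  const hits = [];
  for (const photo of photoDescriptors) {
    let best = Infinity;
    for (const mine of userDescriptors) {
      for (const face of photo.faces) {
        best = Math.min(best, euclideanDistance(mine, face));
      }
    }
    if (best < threshold) hits.push({ photoId: photo.id, distance: Number(best.toFixed(3)) });
  }
  return hits.sort((x, y) => x.distance - y.distance);
}

// Constructed, deterministic descriptor: a seed-dependent base pattern plus an
// alternating-sign perturbation of size `noise` (same seed = same person).
function makeDescriptor(seed, noise) {
  const v = new Float32Array(DESCRIPTOR_LENGTH);
  for (let i = 0; i < DESCRIPTOR_LENGTH; i++) {
    v[i] = Math.sin(seed + i) * 0.1 + noise * (i % 2 ? 1 : -1);
  }
  return v;
}

// Constructed sample data: the user's enrolled face, and three event photos.
const MY_DESCRIPTORS = [makeDescriptor(1, 0)];
const EVENT_PHOTOS = [
  { id: 'photo-1', faces: [makeDescriptor(1, 0.02)] },                          // same person, slight change
  { id: 'photo-2', faces: [makeDescriptor(4, 0)] },                             // different person
  { id: 'photo-3', faces: [makeDescriptor(10, 0.01), makeDescriptor(1, 0.1)] }, // stranger + poor-quality shot
];

console.log(enrollmentPayload('user-123', MY_DESCRIPTORS[0]).descriptor.length); // 128
console.log(discoverMatches(MY_DESCRIPTORS, EVENT_PHOTOS)); // only photo-1 matches
```

The threshold is the privacy-relevant knob: a looser threshold surfaces more true matches but also more strangers' photos to the wrong account, so any change to it should be reviewed as an access-control decision, not only a quality tweak.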
What we do NOT do with biometric data
- We do not store your selfie photos on our servers
- We do not use facial data for advertising, profiling, or behavioral targeting
- We do not sell, lease, or trade facial data to any third party
- We do not use facial data for surveillance or law enforcement purposes
- We do not perform emotion analysis, age estimation, or demographic profiling from face data
State-specific biometric rights
If you are a resident of Illinois (BIPA — 740 ILCS 14), Texas (CUBI — Tex. Bus. & Com. Code § 503.001), or Washington (HB 1493), you have specific statutory rights regarding biometric data. We obtain your informed consent before collecting biometric identifiers, we disclose the purpose and duration of storage, and we provide a mechanism to permanently delete such data. Contact us at the address below to exercise these rights.
4. How We Use Your Information
- Service delivery: Create and manage your account, match your face against event photos, process purchases, deliver full-resolution downloads, and pay photographers their earnings
- Communications: Send transaction receipts, email verification, purchase confirmations, and notifications you have opted into (event approvals, photo sales)
- Personalization: Display events relevant to your location (state/city), show your profile completion status
- Platform improvement: Analyze aggregated and anonymized usage data to improve features, fix bugs, and optimize performance
- Security: Detect and prevent fraud, unauthorized access, and abuse of the platform
- Legal compliance: Meet tax reporting obligations, respond to legal process, enforce our Terms of Service
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, under strict contractual obligations:
Sub-processors
| Provider | Purpose | Data Location |
|---|---|---|
| Google Cloud Platform | Hosting, database (Firestore), file storage (Cloud Storage) | United States |
| Firebase | Authentication, analytics, project infrastructure | United States |
| Stripe | Payment processing, photographer payouts (Connect), fraud detection | United States |
| Google Fonts | Web font delivery (no personal data collected) | Global CDN |
We may also disclose information when required by law, court order, or governmental request, or to protect the rights, property, or safety of Spotlr, our users, or the public.
6. Data Retention
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account data | Until you delete your account | Contract |
| Facial descriptors | Until you delete them or delete your account | Consent |
| Uploaded photos | Until photographer deletes them or event is removed | Contract |
| Purchase records | 7 years (tax/legal compliance) | Legal obligation |
| Payout records | 7 years (financial compliance) | Legal obligation |
| Analytics data | 14 months (anonymized after 2 months) | Legitimate interest |
| Server logs | 90 days | Legitimate interest |
| Support communications | 2 years from last contact | Legitimate interest |
When data is deleted, it is permanently removed from our active systems. Backup systems may retain encrypted copies for up to 30 days before automatic purging.
7. International Data Transfers
Spotlr is hosted on Google Cloud Platform in the United States. If you access the service from outside the US, your data will be transferred to and processed in the United States. We rely on Google Cloud's compliance with SOC 2, ISO 27001, and its Data Processing Terms for adequate data protection.
For EU/EEA users, transfers are governed by Standard Contractual Clauses (SCCs) as incorporated into Google's and Stripe's data processing agreements.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of all personal data we hold about you.
- Correction: Update inaccurate information directly in Settings or by contacting us.
- Deletion: Request permanent deletion of your account and all associated data.
- Restriction: Limit how we process your data while a dispute is being resolved.
- Portability: Receive your data in a structured, machine-readable format (JSON).
- Withdraw Consent: Revoke consent for optional processing like face recognition at any time.
- Object: Object to processing based on legitimate interests.
- Complain: Lodge a complaint with your local data protection authority.
To exercise any right, email customersupport@spotlr.ai with the subject line "Privacy Request." We will respond within 30 days (or sooner if required by applicable law).
9. GDPR (EU/EEA Users)
If you are located in the European Economic Area, we process your personal data under the following legal bases:
- Consent (Art. 6(1)(a)): For facial recognition, optional demographic data, and analytics cookies
- Contract (Art. 6(1)(b)): To fulfill purchases, deliver photos, and process photographer payouts
- Legitimate interest (Art. 6(1)(f)): For platform security, fraud prevention, and service improvement using anonymized data
- Legal obligation (Art. 6(1)(c)): For tax records, financial reporting, and responding to legal process
For biometric data, which constitutes special category data under Article 9, we rely exclusively on your explicit consent. You may withdraw this consent at any time by deleting your face data in Settings.
You have the right to lodge a complaint with your local supervisory authority. A list of EU DPAs is available at edpb.europa.eu.
10. CCPA (California Residents)
Under the California Consumer Privacy Act and the California Privacy Rights Act (CCPA/CPRA), California residents have the following additional rights:
- Right to know: Request the categories and specific pieces of personal information we have collected about you
- Right to delete: Request deletion of personal information we have collected (subject to legal retention requirements)
- Right to opt out of "sale": We do not sell personal information as defined by the CCPA
- Right to non-discrimination: We will not deny services or charge different prices for exercising your privacy rights
- Right to correct: Request correction of inaccurate personal information
- Right to limit use of sensitive personal information: Facial descriptors are classified as sensitive personal information under CPRA. You may request that we limit their use to providing the services you requested.
In the past 12 months, we have collected the categories of information described in Section 2. We have not sold personal information. We have shared information only with the service providers listed in Section 5.
12. Children's Privacy
Spotlr is not directed to children under 16. We do not knowingly collect personal information from anyone under the age of 16. If you believe a child under 16 has provided personal data, contact us immediately and we will delete it within 72 hours.
13. Security Measures
- HTTPS/TLS 1.3 encryption for all data in transit
- AES-256 encryption at rest (Google Cloud Firestore and Cloud Storage)
- Firebase Authentication with secure session token management
- Stripe PCI-DSS Level 1 compliance for all payment data
- HTTP security headers: HSTS (2-year max-age with preload), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
- Server-side role-based access controls (admin/user separation)
- Client-side biometric processing (face data never transmitted as images)
- Google Cloud infrastructure with SOC 2 Type II and ISO 27001 certification
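A small audit of the HTTP security headers named in the list above, added here as an example and not Spotlr's code. It checks the Strict-Transport-Security value against the stated setting (2-year max-age with preload) and against the preload list's own prerequisites (max-age of at least one year, includeSubDomains, preload), then verifies the other listed headers are present with sane values. The two header sets are constructed samples, not responses captured from spotlr.ai, and the accepted values for the other headers are this example's assumptions.

```javascript
// Added example, not Spotlr's code. Sample header maps are constructed.

const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60; // 63072000
const PRELOAD_MIN_MAX_AGE = 31536000; // hstspreload.org requires >= 1 year

// Parse "max-age=63072000; includeSubDomains; preload" into a directive map
// with lower-cased names; valueless directives map to true.
function parseHsts(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const token = part.trim();
    if (!token) continue;
    const [name, rawValue] = token.split('=').map((s) => s.trim());
    directives[name.toLowerCase()] = rawValue === undefined ? true : rawValue;
  }
  return directives;
}

// Check an HSTS header against the required max-age and the preload
// prerequisites. Returns a list of problems (empty when the header is fine).
function auditHsts(value, minMaxAge = TWO_YEARS_SECONDS) {
  if (!value) return ['missing Strict-Transport-Security header'];
  const problems = [];
  const d = parseHsts(value);
  const maxAge = Number.parseInt(d['max-age'], 10);
  if (Number.isNaN(maxAge)) problems.push('max-age missing or not numeric');
  else if (maxAge < minMaxAge) problems.push(`max-age ${maxAge} below required ${minMaxAge}`);
  if (d.preload === true) {
    if (d.includesubdomains !== true) problems.push('preload requires includeSubDomains');
    if (!Number.isNaN(maxAge) && maxAge < PRELOAD_MIN_MAX_AGE) {
      problems.push(`preload requires max-age >= ${PRELOAD_MIN_MAX_AGE}`);
    }
  } else {
    problems.push('preload directive missing');
  }
  return problems;
}

// The other headers the policy lists, with accepted values (assumed here).
// null means the header only needs to be present; its value is site-specific.
const EXPECTED_HEADERS = {
  'x-content-type-options': ['nosniff'],
  'x-frame-options': ['DENY', 'SAMEORIGIN'],
  'referrer-policy': ['strict-origin-when-cross-origin', 'no-referrer', 'same-origin'],
  'permissions-policy': null,
};

// Audit a lower-cased header map (the shape Node's http module returns).
function auditSecurityHeaders(headers) {
  const problems = auditHsts(headers['strict-transport-security']);
  for (const [name, allowed] of Object.entries(EXPECTED_HEADERS)) {
    const value = headers[name];
    if (value === undefined) problems.push(`missing ${name}`);
    else if (allowed && !allowed.includes(value)) problems.push(`unexpected ${name}: ${value}`);
  }
  return problems;
}

// Constructed samples: one response that meets the policy, one that does not.
const GOOD_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(self), geolocation=()',
};
const WEAK_HEADERS = {
  'strict-transport-security': 'max-age=300',
  'x-frame-options': 'ALLOWALL',
};

console.log('good:', auditSecurityHeaders(GOOD_HEADERS)); // []
console.log('weak:', auditSecurityHeaders(WEAK_HEADERS)); // six findings
```

Running such a check against the live site after each deployment catches the common regression where a reverse proxy or CDN configuration change silently drops a header the policy promises.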
14. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
- Notify the relevant supervisory authority where required by law
- Describe the nature of the breach, the data affected, and the steps taken to mitigate it
- Provide contact information for follow-up questions
15. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will notify you by email (if you have an account) or by posting a prominent notice on the site at least 30 days before the changes take effect. The "last updated" date at the top reflects the most recent revision. Your continued use of Spotlr after the effective date constitutes acceptance of the updated policy.