MVP privacy notice
Privacy
Event Face Finder is built for event-scoped photo search. This MVP notice explains the current product posture for organizers, guests, photos, face embeddings, analytics, retention, and deletion.
This is operational MVP copy pending counsel review. It is not a final DPA, DPIA, subprocessor list, or jurisdiction-specific legal policy.
Who controls event data
- The organizer is normally the controller for event photos, guest access settings, download policy, and retention choices.
- Event Face Finder acts as a processor for event photos and event face embeddings when it provides the hosted search service.
- Event Face Finder is the controller for its own account, billing, security, product analytics, and support records.
What we process
- Organizer account, organization, team role, billing, support, and audit information.
- Event metadata, access settings, retention settings, source manifests, processing status, photo originals, derivatives, and face embeddings.
- Guest search inputs, including access-code checks, consent state, transient selfie processing, match/no-match metadata, and privacy request details.
- Privacy-safe product analytics when analytics consent is granted.
Biometric search baseline
- Face embeddings used to find event photos are treated as sensitive biometric data.
- Guest selfies are used only to create a temporary query for the selected event and are not stored by default.
- The product does not train models on guest selfies or private event photos.
- The product is not for public surveillance, real-time public-space identification, emotion recognition, or untargeted scraping to build facial-recognition databases.
Retention and deletion
- Event photos, derivatives, face embeddings, access tokens, and search sessions are scoped to the event retention period.
- When retention ends, deletion jobs remove event media and biometric rows, then keep only minimal non-biometric billing, security, and audit records where required.
- Guests can submit privacy and deletion requests from each event. Identity-wide deletion requires manual review because the same person may appear in many photos.
- Legal, billing, abuse, or privacy holds can pause deletion and must remain visible in the audit trail.
Analytics and tracking
- Analytics must not capture guest selfies, private photos, face embeddings, access codes, signed media URLs, private filenames, payment secrets, or raw biometric identifiers.
- PostHog capture is consent-gated in the browser and can be rejected from the cookie banner.
- Guest biometric surfaces should remain masked or excluded from session recording before production launch.
Rights and contact
Guests should use the event privacy request form for removal, report, or deletion requests. Organizers should use the dashboard support inbox for event-level requests. Final production launch still requires a reviewed public support/privacy contact and a complete subprocessor list.