1. Overview
MemoryLasso Inc. ("MemoryLasso," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our event media collection platform.
This policy applies to all users of our service, including:
- Guests — people who upload photos and videos to an event
- Hosts — people who create and manage events
- Visitors — people who browse our website without uploading or creating events
Our Privacy Philosophy
- We collect the minimum data necessary to provide our service.
- We never sell your personal information.
- We give you control over your data.
2. What We Collect
2.1 From Guests (Event Attendees)
| Data Type | Share Freely | Stay Connected | Purpose |
|---|---|---|---|
| Photos / Videos | Yes | Yes | Core service — media collection |
| EXIF Metadata | Yes | Yes | Organizing media by date/location |
| File Hash | Yes | Yes | Duplicate detection |
| Display Name | Optional | Yes | Identify uploads to the host |
| Email Address | No | Yes | Account recovery, notifications |
| Claim Token | Yes | No | Allow guests to manage their uploads |
| IP Address | Yes | Yes | Security, abuse prevention |
| Browser / Device Info | Yes | Yes | Compatibility, troubleshooting |
| Upload Timestamp | Yes | Yes | Audit trail |
2.2 From Hosts (Event Organizers)
| Data Type | Required | Purpose |
|---|---|---|
| Email Address | Yes | Account creation, communications |
| Name | Yes | Account identification |
| Password (hashed) | Yes* | Authentication (* or OAuth) |
| OAuth Tokens | If using SSO | Google / Microsoft sign-in |
| Cloud Storage Credentials | If exporting | Export to Google Photos, OneDrive |
| Event Details | Yes | Create and manage events |
| Billing Information | For paid plans | Payment processing via Stripe |
2.3 Automatically Collected
- Device Information — browser type, operating system, screen resolution
- Usage Data — pages visited, features used, time spent
- Performance Data — load times, errors, crash reports
- Referral Information — how you arrived at our site
No Advertising Profiles
3. How We Use Data
| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Provide core service | Contract performance | Media, account info, event details |
| Process payments | Contract performance | Billing info (via Stripe) |
| Prevent abuse & fraud | Legitimate interest | IP address, device info, usage patterns |
| Send service communications | Contract performance | Email, name |
| Improve the platform | Legitimate interest | Anonymized usage data, performance metrics |
| Comply with legal obligations | Legal obligation | As required by law |
What We Will Never Do
- Never sell your personal information to third parties.
- Never use your photos or data for advertising purposes.
- Never train AI models on your content outside of event-specific features.
- Never share your data with third parties for their marketing purposes.
5. Storage & Security
Where Your Data Is Stored
Your data is stored in the United States. Media files are stored using Cloudflare R2, and account/event data is stored using Neon.tech PostgreSQL databases.
Security Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- bcrypt password hashing with salting
- OAuth token rotation and secure storage
- Role-based access controls
- File type validation and size limits
- Scoped API access with JWT tokens
Important
6. Data Retention
Pass-Through Model (Free Events)
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Media files | 30 days after event ends | Automatic |
| Event metadata | 30 days after event ends | Automatic |
| Guest session data | 30 days after event ends | Automatic |
| Claim tokens | 30 days after event ends | Automatic |
Permanent Storage Model (Paid Events)
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Media files | Until host deletes or account closes | Manual or account deletion |
| Event metadata | Until host deletes or account closes | Manual or account deletion |
| Guest data | Linked to event lifecycle | Event deletion |
Account Data
Host account data is retained as long as the account is active. You may request deletion of your account and all associated data at any time by contacting us.
7. Your Rights
7.1 GDPR Rights (EU/EEA Residents)
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Restrict Processing
Request that we limit the processing of your personal data.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or direct marketing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
7.2 CCPA Rights (California Residents)
MemoryLasso does not sell personal information. California residents have the right to know what personal information is collected, request its deletion, and not be discriminated against for exercising their rights.
7.3 Deletion Process
- Hosts: Delete your account through the settings page, or contact us at [email protected]. This will delete all your events, media, and account data.
- Guests (Stay Connected): Contact us with the email address you provided. We will remove your email and associated data from all events.
- Guests (Share Freely via Claim Token): Use your claim token to manage or delete your uploads. If you have lost your claim token, contact us and we will assist on a best-effort basis.
Important Note About Exported Copies
8. Children's Privacy
MemoryLasso is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly.
Users between the ages of 13 and 18 may use MemoryLasso with the consent and supervision of a parent or legal guardian.
10. Third-Party Services
MemoryLasso integrates with third-party services to provide its features. Each service has its own privacy policy:
- Google Privacy Policy — Sign-in and Google Photos export
- Microsoft Privacy Statement — Sign-in and OneDrive export
- Stripe Privacy Policy — Payment processing
We request only the minimum scopes necessary for each integration. You can review and revoke access to connected services at any time through your account settings.
11. International Data Transfers
MemoryLasso is based in the United States, and your data is processed and stored in the US. If you are located outside the United States, your information will be transferred to and processed in the US.
For transfers of personal data from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission to ensure an adequate level of data protection.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice before the changes take effect, via email notification and/or a prominent notice on our website.
Your continued use of MemoryLasso after the effective date of a revised policy constitutes your acceptance of the changes. We encourage you to review this page periodically.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
Privacy Inquiries: [email protected]
General Support: [email protected]
Mailing Address:
MemoryLasso Inc.
[Mailing Address Placeholder]
United States