Sign inStart Free

Privacy policy

Last updated 2026-05-21. This document is a plain-language description of how PicShots handles personal data. It is not a substitute for legal advice.

Who we are

PicShots (the “Service”) is operated by an individual sole trader (the “Operator”, “we”, “us”). For any privacy question or request, contact us at support@picshots.app or via the contact page.

Personal data we collect

We process the following categories of personal data:

  • Host account. Your email address (for magic-link sign-in), a unique user identifier issued by our authentication provider, account creation date, and sign-in timestamps.
  • Event data. Event name, date, time zone, category, gallery visibility settings, shot limits, host access PIN, optional guest access PIN, video allowance, and a unique event slug used in URLs.
  • Guest uploads.The display name a guest types on the upload page, the photo or short video they upload, the upload timestamp, the file’s content type, the storage location (path/URL), and a one-time delete token that lets the same device remove its own upload.
  • Technical request data. Your IP address (parsed from the incoming request) is held briefly in server memory to enforce per-IP rate limits on uploads, downloads, QR generation, and similar endpoints. We do not persist IP addresses to any database.
  • Approximate country. When you load the pricing page, our edge handler reads country-level information attached to the request by our hosting provider, and uses it solely to choose a default currency. The country is not stored.
  • Aggregate analytics. For each event you host, we increment a per-day counter of guest-page and gallery-page views so we can show you an analytics dashboard. We do not store individual visitor IPs, user agents, or fingerprints.
  • Server logs. Our server logs sign-in attempts (email address + redirect target) and errors. Logs are retained by our hosting provider for operational and security purposes.

We do not intentionally collect special-category data (such as health, biometric, political, religious, or sexual- orientation data). Hosts and guests should not upload such data.

Legal bases (UK / EU users)

Where UK or EU data-protection law applies:

  • Contract — to create your host account, run your event, store the uploads guests submit to your event, and let you view your dashboard.
  • Legitimate interests — to keep the Service secure (rate limiting, abuse prevention), to operate it (error logs, aggregated event analytics for the host), and to fix bugs.
  • Legal obligation — to respond to lawful requests and to comply with applicable regulations.

We do not currently rely on consent for the data described above, and we do not use cookies or local storage for advertising or behavioural tracking.

Cookies and local storage

We use a small number of strictly necessary cookies. All are HTTP-only, SameSite=Lax, and Secure in production.

  • Authentication session cookies (set by our authentication provider’s SDK) — maintain your signed-in session.
  • ps_guest_access_<slug> — remembers that you entered the correct guest PIN for a PIN-protected event. Expires after 14 days.
  • ps_flash — carries a one-time toast message across a redirect. Expires after 30 seconds.

The guest upload page also stores small values in your browser’s localStorage on your device only (we never see them on our servers): ps_guest_name_<slug>, ps_guest_uploads_<slug> (so you can manage your own uploads from the same device), ps_pricing_country (chosen currency on the pricing page), and picshots-pwa-install-dismissed (hides the “install app” banner for 7 days after dismissal). You can clear these at any time through your browser’s site-data controls.

On public marketing pages we use a third-party analytics provider to understand aggregate traffic (page views, referrers, and similar). That provider may set its own analytics cookies or use similar technologies in your browser; the current provider’s name and privacy notice are available on request from support@picshots.app. We do not use advertising or behavioural remarketing cookies.

Categories of sub-processors

The Service relies on the following categories of sub-processors. Each receives only the data described.

  • Authentication & database provider — stores host emails, account data, event rows, upload metadata, and (when used as fallback storage) media files.
  • Object storage provider — stores the binary photo or short-video files guests upload, under a path keyed by event slug.
  • Transactional email provider — sends sign-in (magic-link) emails on our behalf. Receives the recipient email address and the email body.
  • Hosting platform — runs the web application and receives standard request data (IP, headers) for delivery and security.
  • QR-code generation service — generates the QR-code image for guest links. Receives the encoded guest URL only.
  • Currency-rate data provider — supplies an open currency-rate dataset used to display prices in local currency. No personal data is sent.
  • Web font provider — serves typography assets used in the interface.
  • Analytics provider — aggregate website analytics on public pages. Receives page URLs, referrer, device/browser signals, and approximate location.

A current list of named sub-processors, the regions in which they operate, and their privacy notices is available on request from support@picshots.app.

International transfers

Some of our sub-processors are based in, or operate infrastructure in, countries outside your own (including the United States and the European Union). Where transfers from the UK or EEA take place, they rely on the relevant provider’s Standard Contractual Clauses, UK IDTA, EU–US Data Privacy Framework certification, or equivalent safeguards published by that provider.

Retention and deletion

Event photos and videos are hosted for a limited time based on your plan. After the hosting period ends, guests lose access; hosts have a short export grace window to download a ZIP or delete the event before we remove the data:

  • Free events — guests can upload for 14 days after the event date; the gallery is hosted for 90 days.
  • Paid events — guests can upload for 90 days after the event date; the gallery is hosted for about 12 months.
  • After hosting ends, hosts have 30 days to export or delete before automatic removal.

You can also remove data at any time:

  • Guestscan delete their own upload from the same device they uploaded it on, using the in-page “My uploads” controls.
  • Hosts can delete individual uploads or an entire event from the host dashboard. Deleting an event removes the event record, all guest upload rows, and the underlying media files (best-effort) from object storage.
  • Host accounts can be permanently deleted from /profile. Account deletion removes all of your events, uploads, and the authentication record.

Backups and operational logs at our hosting providers may retain residual copies for a short period (typically up to 30 days) for disaster-recovery purposes, after which they are overwritten in the ordinary course.

Your rights

Depending on where you live (e.g. UK / EU under UK GDPR & GDPR, or California under CCPA/CPRA), you may have the right to:

  • access a copy of the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data deleted;
  • restrict or object to certain processing, including processing based on legitimate interests;
  • port your data to another service;
  • opt out of any “sale” or “sharing” of personal information (we do not sell or share personal information for advertising); and
  • lodge a complaint with your local supervisory authority (for example the UK ICO or your EU data-protection authority).

To exercise these rights, email support@picshots.app. We may need to verify your identity (for example by sending a confirmation link to the email associated with your account). We will respond within the timescale required by applicable law (within one month under UK / EU GDPR).

Image and consent rights

If you appear in a photo or video uploaded to PicShots and you did not give the host permission, contact us at support@picshots.app with the event link or event code and a description of the content, and we will work with the host (or directly remove it where appropriate) to address your request.

Security

We use TLS for transport, HTTP-only and SameSite cookies for session management, server-side authorisation checks for host actions, and per-IP rate limiting on sensitive endpoints. No service is perfectly secure; please do not upload material you are not comfortable storing on third-party infrastructure.

Children

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact support@picshots.app and we will delete it.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the “Last updated” date at the top of this page, and where required by law we will give you additional notice.

← Back to home