Privacy Policy
1. Data Controller
The data controller is [COMPANY NAME / LEGAL ENTITY], [ADDRESS]. Contact: contact@fotelya.com. [Data Protection Officer (DPO): to be appointed if applicable.]
2. Our principle
Fotelya is built around minimization : Guests share their photos and videos , without an account or registration. We only collect what is strictly necessary for the Service to function. We do not sell any data, display any ads, or use data to train third-party artificial intelligence.
3. Data processed
- Organizer : email address, event settings, and billing data (processed by Paddle).
- Guest : the media they choose to send, along with minimal technical metadata. Geolocation EXIF data is removed à l'upload.
- Technical data : security logs, and privacy-friendly analytics (no advertising trackers).
4. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Service provision (album, live wall, download) | Contract performance; guest consent for scanning |
| Security, abuse and fraud prevention | Legitimate interest |
| Content moderation | Legitimate interest and legal obligation |
| Billing and accounting | Legal obligation |
| Privacy-friendly analytics | Legitimate interest (aggregated/anonymized data) |
5. Recipients and subprocessors
We work with carefully selected subprocessors, bound by a Data Processing Agreement (DPA), and prioritize processing within the European Union. Data recipients fall into the following categories:
- hosting and cloud infrastructure provider (European Union);
- database provider (European Union);
- content moderation provider using artificial intelligence (European Union): (Union européenne) : Mistral AI (Paris, France), for automated photo, video and message analysis;
- payment and billing provider: Paddle, acting as the official Merchant of Record.
A detailed list of our subprocessors is available upon request at contact@fotelya.com. No data is sold or shared for advertising purposes.
Automated AI moderation. When enabled by the organizer (three-level setting, disableable), photos, videos and messages sent may be automatically analyzed by our subprocess Mistral AI (European Union) to detect manifestly inappropriate content (explicit nudity, violence, etc.). This analysis does not make any final decisions on its own: the organizer retains control and the final say (validation, restoration or manual removal). No data is used to train AI models.
6. Transfers outside the European Union
Our data is by principle hosted and processed within the European Union. When a subcontractor involves processing outside the EU, it is governed by appropriate safeguards (European Commission standard contractual clauses and additional measures).
7. Retention periods
- Media and event data : automatically deleted at the end of the retention period of the subscribed offer.
- Billing data : stored in compliance with legal obligations (including accounting).
- Security logs : stored for a limited and proportionate duration.
8. Security
Media are encrypted in transit and at rest (AES-256). Access is granted via signed expiring links and a code (PIN), on non-public galleries, with non-enumerable identifiers. EXIF location metadata is removed. Administrative access is protected by two-factor authentication.
9. Your rights
In accordance with the GDPR, you have the rights toaccess, rectification, erasure, objection, restriction, portability, the right to withdraw your consent at any time, and to set directives regarding the fate of your data after your death. Any identifiable person in media has a right to image and may request its removal. To exercise your rights: contact@fotelya.com. We respond within one month.
10. Complaint
You may lodge a complaint with the CNIL (French data protection authority, cnil.fr).
11. Minors
The Service is not intended for persons under 15 years of age without the consent of a parent or legal guardian. We delete any data of a minor brought to our attention in the absence of such consent.
12. Residents outside the European Union
We apply a GDPR-inspired protection standard worldwide. Specific rights may apply depending on your place of residence:
- California (CCPA/CPRA) : rights of access, deletion and objection to the "sale" of personal data. Fotelya does not sell data.
- Brazil (LGPD) : equivalent rights of access, correction and deletion.
- Other jurisdictions: contact us to exercise your local rights.
13. Cookies
The use of cookies is detailed in our Cookie Policy. No advertising trackers are used.
14. Changes and contact
This policy may evolve. The applicable version is the one published on this page. For any questions regarding your data: contact@fotelya.com.