The Candid Captures Company

Legal

Privacy Policy

Last updated: 8 April 2025

Who we are

The Candid Captures Company is operated by Jack Wallace, a sole trader based in the United Kingdom. References to “we”, “us”, or “our” in this policy mean Jack Wallace trading as The Candid Captures Company.

We are the data controller for the personal data described in this policy. If you have any questions, contact us at hello@thecandidcapturescompany.com.

What data we collect

Event organisers (account holders)

  • Email address — used to create and access your account, and to send service-related messages.
  • Event details you enter — event title, date, theme preferences, access PIN if set.
  • Payment information — processed entirely by Stripe. We do not store your card details. We receive a record of the transaction (plan purchased, amount, date) from Stripe.

Guests (people uploading photos)

  • Guests do not create accounts and are not required to provide their name or email address.
  • Photos and videos uploaded by guests are stored on our servers and associated with the event gallery. These files may contain personal data such as images of people or embedded location metadata.
  • We do not extract or analyse metadata from uploaded files beyond what is necessary to display and deliver them.

Technical data

  • Standard server logs (IP addresses, browser type, pages visited) retained for a short period for security and debugging purposes. We do not use this data for profiling or advertising.

How we use your data

  • To provide the service — creating and managing your event gallery, processing your purchase, generating your QR code, and allowing guests to upload and view photos.
  • To communicate with you — sending confirmation emails and service-related notifications. We do not send marketing emails.
  • To maintain security — detecting and preventing abuse, unauthorised access, or illegal activity.

Lawful basis for processing

Under UK GDPR, we rely on the following lawful bases:

  • Contract performance (Article 6(1)(b)) — processing your email and event data is necessary to deliver the service you have purchased.
  • Legitimate interests (Article 6(1)(f)) — maintaining security logs and preventing abuse.

Where your data is stored

We store data within the European Economic Area (EEA). We use the following sub-processors:

ProviderPurposeLocation
SupabaseDatabase, authentication, and account dataEU (West Europe)
Cloudflare R2Photo and video file storageEurope (Ireland)
VercelApplication hosting and deliveryGlobal CDN (edge nodes worldwide)
StripePayment processingUSA (covered by Standard Contractual Clauses)

How long we keep your data

  • Event uploads (photos and videos) — stored for 2 years from your event date, then permanently and automatically deleted.
  • Event settings and metadata — retained for the same 2-year period as the associated uploads.
  • Account data — retained while your account is active. You may delete your account at any time by contacting us.
  • Payment records — retained for 7 years as required by HMRC financial record-keeping obligations.

Guest uploads and your responsibilities

As the event organiser, you are responsible for informing your guests that their photos will be stored as described in this policy. Guests uploading to your gallery are doing so at your invitation. If a guest requests removal of a photo they uploaded, or a photo in which they appear, please contact us and we will assist you in processing that request.

Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Erasure — ask us to delete your personal data (subject to legal retention requirements).
  • Restriction — ask us to restrict processing of your data in certain circumstances.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interests.

To exercise any of these rights, email hello@thecandidcapturescompany.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not handled your data correctly.

Cookies

We use only essential cookies required for authentication (to keep you signed in). We do not use advertising, tracking, or analytics cookies. No third-party tracking scripts are loaded on this site.

Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

For any privacy-related questions or requests, contact us at hello@thecandidcapturescompany.com.

Terms & Conditions →← Back to home