Privacy Policy

FindMePic ("we", "our", "us") provides a facial recognition photo matching service for event organizers and their attendees. This policy explains how we collect, use, and protect personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

1. Data Controller

FindMePic acts as a data processor on behalf of event organizers (the data controllers) who upload photos and configure events. For data related to organizer accounts, FindMePic acts as the data controller.

2. What Data We Collect

Organizer accounts: name, email address, password (hashed), subscription plan, billing information (processed by Stripe — we do not store card numbers).

Event photos: images uploaded by organizers, stored in encrypted AWS S3 buckets. We extract facial feature vectors using AWS Rekognition for matching purposes.

Attendee selfies: selfie photos submitted for facial matching are processed in real-time and never stored. They are sent directly to AWS Rekognition for comparison and immediately discarded after the match result is returned.

Email addresses: when attendees choose to email their matched photos, the email address is used to send the photos and then cryptographically hashed in our database. We cannot recover the original email address after hashing.

Search logs: we record anonymous search metadata (timestamp, number of matches, source) for analytics. No biometric data or personally identifiable information is stored in search logs.

3. Legal Basis for Processing

• Contract performance: organizer account data is processed to provide our service.
• Legitimate interest: anonymous analytics help us improve the service.
• Consent: attendees consent to facial matching when they submit their selfie. Attendees consent to email delivery when they provide their email address.

4. Facial Recognition Data (Biometric Data)

Facial feature vectors are generated by AWS Rekognition and stored in AWS Rekognition Collections tied to specific events. These vectors are mathematical representations — not images — and cannot be used to reconstruct a face.

When an event is deleted, all associated facial data in AWS Rekognition is permanently deleted along with the photos and all related records.

5. Data Retention

Organizers control the lifecycle of their event data. They can delete events and all associated data at any time. When an event is deleted, the following is permanently removed:

• All uploaded photos and thumbnails
• All facial feature vectors in AWS Rekognition
• All search logs for that event
• All email delivery records for that event

6. Data Storage and Security

All data is stored within the European Economic Area (EEA) using AWS eu-west-1 (Ireland) region. Photos are encrypted at rest using AES-256 server-side encryption. All data in transit is encrypted using TLS 1.2+.

Passwords are hashed using bcrypt with a minimum of 10 rounds. API keys are stored as bcrypt hashes. Download links use HMAC-SHA256 tokens with timing-safe comparison.

7. Third-Party Services

• AWS (S3, Rekognition): photo storage and facial recognition processing. Data stays in EU region.
• Stripe: payment processing. See Stripe's privacy policy.
• Resend: email delivery. See Resend's privacy policy.

8. Your Rights (GDPR)

• Right of access: request a copy of your personal data.
• Right to rectification: request correction of inaccurate data.
• Right to erasure: request deletion of your personal data.
• Right to restrict processing: request that we limit how we use your data.
• Right to data portability: request your data in a machine-readable format.
• Right to object: object to processing based on legitimate interest.

To exercise any of these rights, contact us at privacy@findmepic.com. We will respond within 30 days.

9. Cookies

We use only essential cookies required for authentication (session cookies). We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

10. Children's Privacy

FindMePic is not intended for use by individuals under 16 years of age. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered organizers.

12. Delete Your Data

If you attended an event that used FindMePic and want to delete any data we may hold, enter your email below.