Skip to main content
Legal

Privacy policy.

How we collect, use, and protect personal data across the DeliverShot platform — for both photographers and event guests.

Last updated · 21 April 2026

01

Who we are

DeliverShot is a platform that helps event photographers deliver photos to their guests using face-recognition technology. This policy explains how we collect, use, and protect your personal data.

02

Data we collect

For photographers

  • Name, email address, and account credentials.
  • Stripe payment account information.
  • Event photos uploaded to the platform.

For guests

  • Name and email address (provided during registration or by the event host).
  • Selfie image (for face matching — deleted immediately after matching).
  • GDPR consent records.
  • Order and shipping information, if purchases are made.
03

Biometric data (selfies)

Selfie images are classified as biometric special-category data under UK GDPR. We process selfies to match guests to event photos. Selfies are deleted immediately after the matching process completes, typically within seconds. We never store selfie images beyond the matching request.

Our lawful basis for processing your selfie is your explicit consent (UK GDPR Article 6(1)(a) and Article 9(2)(a)), which we collect at the consent step before any matching takes place. You can withdraw consent at any time using the “Delete my data” option in your gallery.

Where a photographer pre-matches you to a gallery from photos they already hold, the photographer is the Data Controller for that processing and relies on the permission they have obtained from you; we act only as their processor and collect no fresh biometric data from you.

04

How we use your data

  • To match guests with their event photos using face recognition.
  • To deliver personalised photo galleries via email.
  • To process print orders and digital downloads.
  • To process payments through Stripe.
  • To fulfil print orders through our printing partner.
05

Data storage and location

All data is stored within the EU/UK region:

  • Database: EU region.
  • Photo storage: EU region.
  • Face-recognition processing: London (eu-west-2).
  • Email delivery: EU region.
06

Data retention

  • Selfie images: deleted immediately after matching.
  • Event photos: deleted after the event’s retention period (14–90 days, set by studio).
  • Guest data: deleted when event photos are deleted, or upon request.
  • Order records: retained for 7 years (UK accounting law).
  • Digital download files: deleted 48 hours after delivery.
  • Print-ready files: deleted 30 days after shipping.
07

Your rights

Under UK GDPR, you have the right to:

  • Access your personal data.
  • Request correction of inaccurate data.
  • Request deletion of your data (use the “Delete my data” option in your gallery).
  • Object to processing of your data.
  • Lodge a complaint with the ICO at ico.org.uk.
08

Third-party services

  • Stripe — payment processing (USA, with Standard Contractual Clauses in place).
  • Face-recognition provider — biometric matching (London, UK region).
  • Print fulfilment partner — physical photo prints (EU region).
  • Transactional email provider — order confirmations and gallery invites (EU region).
  • Umami (self-hosted, UK region) — privacy-friendly web analytics. Operated by us on our own infrastructure. No data is shared with any third party.

We’ll share the identity of any specific subprocessor on request — email privacy@delivershot.com. Each operates under its own terms and data-processing agreement.

09

Cookies and analytics

We only use cookies that are strictly necessary for the site to function. Under PECR (Privacy and Electronic Communications Regulations), these cookies don’t require your consent, but we want you to know what’s set:

  • Attendee session (session_*) — keeps guests signed in to their event gallery. HttpOnly, Secure, expires after 30 days.
  • Supabase auth (sb-*) — keeps photographers and studio members signed in. HttpOnly, Secure, managed by our authentication provider.
  • Referral attribution (pea_ref) — when a prospective photographer visits a referral link, we store the referral code in a cookie for up to 30 days so we can credit the referring photographer if the new signup later pays for a subscription. HttpOnly, Secure, strictly necessary for the referral program to work.

We don’t use advertising or cross-site tracking cookies.

For product analytics we use Umami, a privacy-friendly tool we self-host at analytics.cacei.ro. Umami does not set cookies, does not use browser storage, and does not follow you across other websites. It records aggregate pageviews and a small set of product events (e.g. “checkout completed”) so we can measure which features are useful and fix what isn’t. Where we need to distinguish one photographer studio from another inside a funnel, we send a one-way salted hash of the studio identifier — never the identifier itself, and never your name, email, or any other personal data. Attendee (guest) events are aggregate only and carry no correlating identifier.

This processing is carried out on the basis of our legitimate interest in understanding how the service is used. You can opt out at the network level by enabling your browser’s Do Not Track setting or by using a content blocker; doing so has no effect on the service.

10

Referral program data

If you sign up through a referral link, we record a link between the referring photographer’s studio and your newly created studio (an internal referred_by field). This lets us credit the referring photographer when your first subscription invoice is paid. We do not use IP-address, device-fingerprint, or payment-method matching to detect fraud — fraud controls are limited to Stripe refund and dispute signals on the qualifying payment.

Referring photographers can see the display name of the studios they referred, along with the state of each referral (pending, credited, voided). They cannot see your email address, payment details, or any other personal data. Referral program data is retained in line with the rest of our studio data-retention schedule.

11

Contact

For data-protection enquiries, contact us at privacy@delivershot.com.