1. Data Controller and Data Processor
Pursuant to Regulation (EU) 2016/679 (GDPR):
- <strong>Data Controller for Event data:</strong> the User (organizer, including on behalf of their Organization) who creates the event, as they determine the purposes and legal basis for the processing of photographs, uploaded content and the data of guests added to lists within the Event.
- <strong>Data Processor:</strong> fotia, which provides the software platform as a SaaS and processes personal data relating to the Event on behalf of the Controller, pursuant to Art. 28 GDPR, with autonomy limited to the technical arrangements necessary to deliver the service.
- <strong>Independent Controller for specific processing:</strong> fotia also acts as Data Controller for personal data processed for its own purposes, such as account management, platform security, abuse prevention, technical log management, compliance with legal obligations (including the Digital Services Act) and protection of its own rights.
2. Scope of application
This Privacy Policy describes how fotia processes the personal data of users of the Software as a Service (SaaS) platform for event management: access management via guest lists, QR codes and check-in (Gate module), and the collection and sharing of photo galleries (Gallery module).
fotia operates as a technical hosting provider and does not use uploaded content or guest data for its own purposes.
3. Categories of users and data subjects
The service involves the following categories of individuals:
- Registered users who create and manage Events (organizers), including on behalf of an Organization (venue, club, promoter)
- Members of the Organization's team (PRs and staff), invited by the organizer and registered with their own account
- Listed guests: people added to guest lists by the organizer or their PRs, who do not need any account
- Anonymous guests, who upload or view photographs without creating an account
4. Personal data processed
4.1 Registered users and team members
For the creation and management of the account, fotia processes in particular:
- full name
- email address
- phone number (optional)
- acceptance of the terms of service
- role held within an Organization (owner, PR or staff) and related membership
No profiling or behavioral analysis for commercial purposes is carried out.
4.2 Listed guests (Gate module)
When an organizer or one of their PRs adds a guest to a list, fotia processes on behalf of the organizer:
- name of the guest (or of the group representative)
- phone number (optional, used exclusively to send the invitation QR)
- number of companions and complimentary entries
- any organizational notes entered by the list manager
This data normally refers to people who do not have a fotia account and is not collected from the data subject: it is the organizer, as Data Controller, who guarantees the lawfulness of the collection and informs the data subjects. The invitation QR contains only random identifiers, which cannot be traced back to personal data by third parties. The public invitation page shows only the guest's name, event and list; it cannot be indexed by search engines, is protected by access limits and the link stops working 24 hours after the end of the event.
4.3 Entry records (check-in)
When a guest enters, the following is recorded:
- date and time of entry
- the operator (owner or staff) who performed the check-in
- the type of entry (paid or complimentary)
Check-in records are immutable: they cannot be individually modified or deleted, to guarantee the integrity of entry counts and commission calculations. They are permanently deleted together with the event they refer to.
4.4 Anonymous guests (Gallery module)
Guests who upload photographs:
- do not need to register
- are not asked for direct identifying data
fotia does not require registration or direct identifying data, except for the IP address processed for security purposes.
4.5 Technical data collected during upload
fotia processes certain technical data associated with photo uploads, such as:
- uploader's IP address
- browser information
- operating system
- device type
The IP address is retained for a limited period proportionate to the purposes of security and abuse prevention (30 days), and subsequently deleted or anonymized. Other technical data is processed in aggregated or pseudonymized form, where possible.
Such data is processed to:
- ensure the security of the platform and prevent unlawful or abusive use
- diagnose and resolve any technical errors
- ensure the proper functioning and technical improvement of the service
4.6 Data relating to reports (DSA)
In case of content reports under the Digital Services Act, the following is collected:
- reporter's email address (required)
- reporter's name (optional)
- reporter's IP address
- reporter's relationship to the content (e.g. person involved, third party, rights holder)
- description and category of the report
The reporter's IP address is automatically deleted after 30 days. The other report data is retained for the time necessary for DSA compliance obligations and to guarantee the traceability of the actions taken.
4.7 Error logs
fotia keeps internal technical logs for service monitoring. Such logs may incidentally contain references to registered users (ID, email) and are automatically deleted after 30 days.
4.8 Sponsors and aggregated measurements
If the organizer associates a sponsor with an event, fotia counts, in aggregated and anonymous form, the views of the sponsor's image on the invitation page and in the gallery. The count is a simple numeric counter: it does not use cookies, does not identify visitors and does not involve the processing of personal data.
5. Photographs and uploaded content
Uploaded photographs:
- Remain the property of the data subject or the organizing User.
- Are automatically processed to optimize web display (conversion to WebP format, resizing and compression).
- Are stored both in the original version and in the version optimized for display.
- Retain the technical metadata embedded in the file (EXIF: e.g. capture date, device model and any GPS coordinates), which is not removed on upload and remains visible to anyone downloading the original file. Those who do not wish to share it must remove it before uploading.
- Are not used for marketing purposes or AI training.
- Are not analyzed through facial recognition or other biometric data.
6. Legal basis for processing
Personal data is processed pursuant to Art. 6 GDPR, on the basis of the following lawfulness conditions:
- Performance of a contract (Art. 6(1)(b) GDPR), with reference to the provision of the SaaS service to organizers using the platform.
- Compliance with legal obligations (Art. 6(1)(c) GDPR), for example in relation to the obligations set out by the Digital Services Act or other applicable regulations.
- Legitimate interest (Art. 6(1)(f) GDPR):
In particular:
- the Organizer, as Data Controller of the event photographs and the data of guests added to lists, may base the processing on their own legitimate interest or on another suitable legal basis identified by them;
- fotia acts as an independent Controller for the processing necessary for platform security, abuse prevention, technical management of the service, handling of reports and compliance obligations.
7. Processing methods and security
Personal data is processed by means of IT tools and automated procedures, in compliance with the principles of lawfulness, fairness, transparency, minimization and storage limitation set out by the GDPR.
Uploaded photographs and content undergo the technical processing necessary to deliver the service (e.g. optimization for web display and storage management).
fotia adopts appropriate technical and organizational measures pursuant to Art. 32 GDPR, including:
- logical access controls to systems and data, with role-based segregation (owners, PRs and staff access only the data within their remit)
- authentication systems and credential protection
- gallery and album access codes (passcodes) stored exclusively in encrypted form (hash), never in plain text
- invitation QRs based on unpredictable random identifiers
- technical monitoring, anti-abuse limits (rate limiting) and logging of security-relevant events
- automated data management and deletion procedures according to the established retention periods
- measures to prevent unauthorized access, loss, alteration or undue disclosure of data
fotia applies the principles of privacy by design and by default, adopting technical and organizational measures proportionate to the nature of the data processed and the related risks.
8. Retention and Deletion
Data is retained for the periods strictly necessary for the purposes of the processing:
- <strong>Photos and galleries:</strong> retained for the period set by the gallery plan — from a minimum of 30 to a maximum of 365 days from the creation of the gallery — unless deleted earlier by the User. Upon expiry, the gallery and all associated photos (originals and optimized versions) are permanently deleted from storage through automated procedures.
- <strong>Guest lists and check-in records (Gate module):</strong> retained for the lifetime of the event, under the organizer's control. They are permanently deleted when the organizer deletes the event, the list or the individual guest, or upon closure of their account.
- <strong>Invitation links (QR):</strong> stop working 24 hours after the end of the event.
- <strong>Uploader IP addresses:</strong> automatically deleted 30 days after upload.
- <strong>Reporter IP addresses:</strong> automatically deleted 30 days after the report.
- <strong>Error logs:</strong> automatically deleted after 30 days.
- <strong>Unaccepted team invitations:</strong> the invitation link automatically expires after 7 days.
- <strong>ZIP exports:</strong> photo export download links automatically expire 7 days after generation.
- <strong>Reports and audit trail:</strong> retained for the time necessary for legal obligations and the protection of rights in court, for compliance with the Digital Services Act (DSA) and traceability obligations regarding moderation actions.
Upon closure of an account or deletion of an Event, fotia proceeds with the removal of all associated data: photos (originals, optimized versions and any exports), guest lists and check-in records, through automated deletion procedures.
9. Data sharing and sub-processors
Personal data is not sold or transferred to third parties.
To deliver the service, fotia relies on qualified providers for hosting, database, storage, email delivery and cloud infrastructure services, appointed as data processors pursuant to Art. 28 GDPR. The updated list of processors is available on request. Should transfers to non-EU countries occur, they take place in compliance with Arts. 44 et seq. GDPR by means of adequacy decisions or standard contractual clauses.
Each provider is contractually bound to comply with the GDPR and processes data in particular for the technical purposes necessary for the operation of the service.
Any sending of the invitation QR via WhatsApp takes place directly from the device of the list manager (opening the app with a pre-filled message): fotia does not communicate personal data to WhatsApp or other messaging services.
10. Data transfers outside the EU
Data is hosted in data centers located in the EU. Some providers may be companies based outside the EU; any transfers take place pursuant to Arts. 44 et seq. GDPR. Users' personal data (database, photos, emails) is processed and stored within the EU.
Any transfers to non-EU countries, should they become necessary in the future, will take place only with adequate safeguards pursuant to Arts. 44–49 GDPR, and will be communicated through an update to this Policy.
11. Rights of the data subject
Under the GDPR, the data subject has the right to:
- access their data
- rectification
- erasure
- restriction of processing
- objection
- data portability
Requests can be sent to:
The data subject also has the right to lodge a complaint with the competent Data Protection Authority.
Guests added to a list by an organizer or one of their PRs may exercise their rights against the organizer, as Data Controller, or contact fotia, which will forward the request to the competent Controller, providing the necessary technical cooperation.
12. Changes to the Privacy Policy
fotia may update this Privacy Policy in case of regulatory or functional changes.
Changes will be communicated through the website or the User account.
13. Contact
For any privacy-related questions: