Privacy Policy

Fotia
February 12, 2026

1. Data Controller and Data Processor

Pursuant to Regulation (EU) 2016/679 (GDPR):

  • Data Controller for Event content: the User (organizer) who creates the event, as they determine the purposes and legal basis for the processing of photographs and content uploaded within the Event.
  • Data Processor: fotia, which provides the software platform in SaaS mode and processes personal data related to Event content on behalf of the Controller, pursuant to Art. 28 GDPR, with autonomy limited to the technical methods necessary for service delivery.
  • Independent Data Controller for specific processing: fotia also acts as Data Controller for personal data processed for its own purposes such as account management, platform security, abuse prevention, technical log management, compliance with legal obligations (including the Digital Services Act), and the protection of its own rights.

2. Scope of application

This Privacy Policy describes how fotia processes the personal data of users who utilize the Software as a Service (SaaS) platform for creating and managing event photo galleries.

fotia operates as a technical hosting provider and does not use the uploaded content for its own purposes.

3. Types of users

The service can be used by:

  • Registered users, who create and manage Events
  • Anonymous guests, who upload photographs without creating an account

4. Processed personal data

4.1 Registered users

For account creation and management, fotia specifically processes:

  • full name
  • email address
  • phone number (optional)
  • acceptance of terms of service

No profiling or behavioral analysis for commercial purposes is performed.

4.2 Anonymous guests

Guests who upload photographs:

  • do not need to register
  • are not asked for direct identifying data

fotia requires neither registration nor direct identifying data, except for the IP address processed for security purposes.

4.3 Technical data collected during upload

fotia processes certain technical data associated with photo uploads, such as:

  • uploader's IP address
  • browser information
  • operating system
  • device type

The IP address is retained for a limited period proportionate to the purposes of security and abuse prevention, and subsequently deleted or anonymized. Other technical data is processed in aggregate or pseudonymized form, where possible.

Such data is processed to:

  • ensure platform security and prevent illegal or abusive uses
  • diagnose and resolve any technical errors
  • ensure the proper functioning and technical improvement of the service

4.4 Data related to reports (DSA)

In the event of content reporting pursuant to the Digital Services Act, the following is collected:

  • reporter's email address (mandatory)
  • reporter's name (optional)
  • reporter's IP address
  • reporter's relationship to the content (e.g., involved person, third party, rights holder)
  • description and category of the report

The reporter's IP address is automatically deleted after 30 days. Other report data is retained for the time necessary for DSA compliance obligations and to ensure traceability of the actions taken.

4.5 Error logs

fotia records internal technical logs for service monitoring. These logs may incidentally contain references to registered users (ID, email) and are automatically deleted after 30 days.

5. Photographs and uploaded content

Uploaded photographs:

  • Remain the property of the data subject or the organizing User.
  • Are automatically processed for web display optimization (conversion to WebP format, resizing, and compression).
  • Are stored in both the original version and the display-optimized version.
  • Are not used for marketing purposes or AI training.
  • Are not analyzed via facial recognition or other biometric data.

6. Legal basis for processing

The processing of personal data takes place pursuant to Art. 6 of the GDPR, based on the following conditions of lawfulness:

  • Performance of a contract (Art. 6(1)(b) GDPR), with reference to the provision of the SaaS service to organizers using the platform.
  • Compliance with legal obligations (Art. 6(1)(c) GDPR), for example in relation to obligations set forth by the Digital Services Act or other applicable regulations.
  • Legitimate interest (Art. 6(1)(f) GDPR):

In particular:

  • the Organizer, acting as the Data Controller for the event photographs, may base the processing on their legitimate interest or on another suitable legal basis identified by them;
  • fotia acts as an independent Data Controller for processing necessary for platform security, abuse prevention, technical management of the service, report handling, and compliance requirements.

7. Processing methods and security

Personal data is processed using IT tools and automated procedures, in compliance with the principles of lawfulness, fairness, transparency, data minimization, and storage limitation set out by the GDPR.

Photographs and uploaded content undergo technical processing necessary for service delivery (e.g., optimization for web display and storage management).

fotia adopts appropriate technical and organizational measures pursuant to Art. 32 GDPR, including:

  • logical access controls to systems and data
  • authentication systems and credential protection
  • technical monitoring and logging of events relevant for security purposes
  • automated procedures for data management and deletion according to expected retention periods
  • measures to prevent unauthorized access, loss, alteration, or improper disclosure of data

fotia applies the principles of privacy by design and by default, adopting technical and organizational measures proportionate to the nature of the data processed and the associated risks.

8. Retention and Deletion

Data is retained for the periods strictly necessary for the purposes of processing:

  • Photos and events: retained for a maximum of {retentionDays} days from the event date, unless deleted earlier by the User. Upon expiration, all associated photos are permanently deleted from storage.
  • Uploader IP addresses: automatically deleted 30 days after upload.
  • Reporter IP addresses: automatically deleted 30 days after the report.
  • Error logs: automatically deleted after 30 days.
  • ZIP Exports: download links for photo exports automatically expire 7 days after generation.
  • Reports and audit trail: retained for the time necessary for legal obligations and the protection of rights in court for compliance with the Digital Services Act (DSA) and for tracking obligations regarding moderation actions.

Upon account closure or Event expiration, fotia proceeds with the removal of all associated photos from its storage servers, including original and optimized versions, as well as any exports, through automated deletion procedures.

9. Data sharing and sub-processors

Personal data is not sold or transferred to third parties.

To deliver the service, fotia relies on qualified providers for hosting, database, storage, email delivery, and cloud infrastructure services, appointed as data processors pursuant to Art. 28 GDPR. The updated list of processors is available upon request. Should transfers to non-EU countries occur, these take place in compliance with Art. 44 et seq. GDPR through adequacy decisions or standard contractual clauses.

Each provider is contractually bound to comply with the GDPR and specifically processes data for the technical purposes necessary for the functioning of the service.

10. Data transfers outside the EU

Data is hosted in data centers located in the EU. Some providers may be companies based outside the EU; any transfers take place according to Art. 44 et seq. Users' personal data (databases, photos, emails) are processed and stored within the EU.

Any transfers to countries outside the EU, should they become necessary in the future, will only occur in the presence of adequate safeguards pursuant to Arts. 44–49 GDPR, and will be communicated through an update to this Policy.

11. Data subject's rights

Under the GDPR, the user has the right to:

  • access data
  • rectification
  • erasure
  • restriction of processing
  • objection
  • data portability

Requests can be sent to:

support@fotia.events

The user also has the right to lodge a complaint with the Data Protection Authority.

12. Changes to the Privacy Policy

fotia may update this Privacy Policy in the event of regulatory or functional changes.

Changes will be communicated via the site or the User account.

13. Contacts

For any privacy-related questions: