Privacy Policy

1. Introduction

Welcome to picNgo ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web platform (collectively, the "Service").

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Personal Information

We collect the following types of personal information:

• Account Information: Name, email address, phone number, password (encrypted)
• Guest Information: Name, email address, phone number (for OTP verification and event access)
• Profile Information: Optional profile details, preferences, and settings

2.2 Photos and Visual Content

• Event Photos: Images uploaded by event organizers and photographers
• Guest Selfies: Face photos uploaded by guests for facial recognition matching
• User-Generated Content: Any photos or media you upload, share, or create within the Service

2.3 Facial Recognition Data

Important: When you use our facial recognition feature, we temporarily process your face image to match you with event photos. This section provides complete details about our face data practices.

2.3.1 What Face Data We Collect

• Guest Selfie Image: A photo you upload or capture for face matching purposes
• Face Bounding Box: Coordinates indicating the position of detected faces in photos (width, height, left, top values)
• Confidence Scores: Numerical values (0-100) indicating face detection accuracy
• Face Identifiers: Unique IDs assigned by AWS Rekognition for indexed faces
• What We Do NOT Collect: We do NOT store facial geometry, biometric templates, facial embeddings, or facial feature vectors locally. All facial feature analysis is performed by AWS Rekognition.

2.3.2 How We Use Face Data

Face data is used exclusively for photo matching at events:

1. Event photographers upload photos, and faces in those photos are indexed
2. You upload a selfie to find photos where you appear
3. Your selfie is compared against indexed faces using AWS Rekognition (default 80% similarity threshold)
4. Photos containing matching faces are displayed to you

Face data is NOT used for: Advertising, user tracking, behavioral profiling, surveillance, identity verification beyond photo matching, or any purpose other than helping you find your photos at events.

2.3.3 Third-Party Processing

• Service Provider: Amazon Web Services (AWS) Rekognition processes face data for facial recognition
• Data Protection: AWS is contractually obligated to protect your data and processes it only for the specified purpose
• No Other Sharing: Face data is NOT shared with any other third parties, sold, or used for purposes beyond photo matching

2.3.4 Face Data Storage Locations

• Selfie Images: Stored in AWS S3 cloud storage in event-specific folders
• Face Metadata: Bounding boxes, confidence scores, and face IDs stored in our secure database
• Facial Feature Vectors: Stored within AWS Rekognition collections (not accessible to us directly)

2.3.5 Face Data Retention

• Guest Selfies: Retained for the duration of your guest session (default: 2 hours, configurable by event organizer)
• Face Index Data: Retained for the duration of the event, deleted when the event is deleted
• AWS Rekognition Collections: Deleted when the associated event is deleted
• Account Deletion: All face data associated with your account is permanently deleted within 30 days of account deletion request

2.3.6 Your Controls and Opt-Out

• Optional Feature: Facial recognition is entirely optional. You can browse event galleries without using it
• Alternative Access: You can access event photos using QR codes or email verification instead of face matching
• Delete Your Data: You can delete your account and all associated face data at any time through the app settings
• Event Organizer Controls: Event organizers can enable or disable the face matching feature for their events

2.4 Usage Data

• Device information (device type, operating system, unique device identifiers)
• IP address and approximate location (city/country level)
• Log data (access times, pages viewed, app features used)
• Download and upload activity
• Crash reports and performance data

2.5 Communications

• Email correspondence with our support team
• Feedback, reviews, and survey responses
• OTP (One-Time Password) verification codes sent to your phone or email

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery

• Create and manage your account
• Enable event creation, photo uploads, and downloads
• Process facial recognition requests to match guests with their photos
• Generate and deliver QR codes for photo access
• Send OTP verification codes for secure authentication

3.2 Communication

• Send transactional emails (account notifications, password resets, event invitations)
• Respond to your inquiries and support requests
• Send service announcements and updates (with opt-out option)

3.3 Improvement and Analytics

• Analyze usage patterns to improve our Service
• Monitor and analyze trends, usage, and activities
• Detect, prevent, and address technical issues and security threats
• Develop new features and enhance existing functionality

3.4 Legal Compliance

• Comply with legal obligations and enforce our Terms of Service
• Protect our rights, privacy, safety, or property
• Respond to lawful requests from public authorities

4. Data Storage and Security

4.1 Storage Infrastructure

• Photo Storage: All uploaded images are stored in Amazon Web Services (AWS) S3 with enterprise-grade security
• Database: User and event data is stored in secure, encrypted databases
• Encryption: Data is encrypted in transit (HTTPS/TLS) and at rest (AES-256)
• Geographic Location: Data is stored in AWS data centers (specify your region)

4.2 Security Measures

We implement industry-standard security measures including:

• Encryption of data in transit and at rest
• Regular security audits and vulnerability assessments
• Access controls and authentication mechanisms
• Monitoring and logging of system activities
• Regular backups and disaster recovery procedures

4.3 Data Retention

• Account Data: Retained as long as your account is active or as needed to provide services
• Event Photos: Retained according to event organizer settings (typically until event deletion)
• Guest Selfies: Retained for the duration of guest session (default: 2 hours), then automatically deleted
• Face Index Metadata: Bounding boxes, confidence scores, and face IDs retained until event deletion
• AWS Rekognition Face Collections: Deleted when the associated event is deleted
• Guest Sessions: Expire after configurable period (default: 2 hours)
• QR Download Codes: Expire after configurable period (default: 24 hours)
• Log Data: Retained for up to 90 days for security and analytics
• Deleted Accounts: All personal data including face data is permanently deleted within 30 days of account deletion request

5. Data Sharing and Disclosure

We do NOT sell your personal information to third parties. We may share your information in the following circumstances:

5.1 Service Providers

We share data with trusted third-party service providers:

• Amazon Web Services (AWS):
  • AWS S3: Secure cloud storage for photos and selfie images
  • AWS Rekognition: Facial recognition processing for photo matching. When you upload a selfie, it is sent to AWS Rekognition to compare against indexed faces in event photos. AWS Rekognition stores facial feature vectors in collections that are deleted when events are deleted.
  • AWS processes face data solely for the purpose of providing the photo matching service
• SendGrid: Email delivery service for OTP codes and notifications
• Analytics Providers: To understand app usage and performance (no face data is shared)

All service providers are contractually obligated to protect your data and use it only for specified purposes. We have Data Processing Agreements (DPAs) in place with AWS and other providers handling personal data.

5.2 Event Organizers and Photographers

• Event organizers can view guest information (name, email, phone) for their own events
• Photographers assigned to events can upload and manage photos
• Download and access analytics are available to event organizers

5.3 Legal Requirements

We may disclose your information if required to:

• Comply with legal obligations, court orders, or subpoenas
• Protect and defend our rights or property
• Prevent fraud or security threats
• Protect the safety of users or the public

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6. Your Privacy Rights

6.1 General Rights (All Users)

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and personal data
• Export: Download your data in a portable format
• Opt-Out: Unsubscribe from marketing communications
• Object: Object to processing of your personal data

6.2 GDPR Rights (EU/EEA Users)

If you are located in the European Economic Area (EEA) or UK, you have additional rights under the General Data Protection Regulation (GDPR):

• Right to be Informed: Clear information about how we use your data (this Privacy Policy)
• Right of Access: Obtain confirmation of data processing and access to your data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to data processing for direct marketing or legitimate interests
• Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing
• Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
• Right to Lodge a Complaint: File a complaint with your local data protection authority

6.3 CCPA Rights (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides additional rights:

• Right to Know: Request information about data collection and use
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of the sale of personal information (Note: We do NOT sell personal information)
• Right to Non-Discrimination: Not be discriminated against for exercising your rights

6.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

• Email: privacy@picngo.com
• Subject line: "Privacy Rights Request"
• Include: Your name, email address, and specific request

We will respond to your request within 30 days. We may require verification of your identity before processing your request.

7. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and service providers are located.

For users in the EEA/UK: We ensure adequate protection of your data through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Compliance with data protection frameworks and regulations
• Use of service providers with adequate data protection measures

8. Children's Privacy

Our Service is not intended for children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will take steps to delete the information.

Age Rating: Our mobile app is rated 12+ due to user-generated content (photos uploaded by users).

9. User-Generated Content

When you upload photos or other content to the Service:

• You retain ownership of your content
• You grant us a license to store, process, and display your content to provide the Service
• You are responsible for ensuring you have rights to upload and share the content
• You agree not to upload inappropriate, illegal, or copyrighted content
• We reserve the right to remove content that violates our Terms of Service

Content Moderation: While we do not actively monitor uploaded content, we respond to reports of inappropriate content and may remove content that violates our policies.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Maintain your session, authentication, and preferences (required for Service functionality)
• Analytics Cookies: Understand usage patterns and improve the Service (can be disabled)
• Performance Cookies: Monitor app performance and identify issues

You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality.

11. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:

• Updating the "Last Updated" date at the top of this policy
• Sending an email notification to registered users (for material changes)
• Displaying a prominent notice in the app or website

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Data Protection Officer

For GDPR-related inquiries, you can contact our Data Protection Officer at:

Email: dpo@picngo.com

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Response Time: We aim to respond to all privacy inquiries within 30 days.

15. Supervisory Authority

If you are located in the EEA or UK and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.