Gaze

Legal Document Changelog

This page tracks material changes to Gaze's legal documents. We maintain this changelog to provide transparency about how our policies evolve over time.

2026-06-09 — iPad app launch: legal corpus extended to native iOS / Apple App Store

The Gaze app for iPad (a light kiosk-capture + read-mostly admin companion to gaze.photo) is launching on the Apple App Store. The legal corpus was previously web-only; this refresh extends it to the native app and adds Apple-required terms. No change to the operating entity (Terena Group LLC) or to the underlying data practices — the app shares the web backend. (Same-day follow-up: in-app account deletion shipped in the app; Privacy §2.5 and Terms §20 now state that deletion can be initiated in the app as well as on the web.)

Terms of Use

  • New §20 (Apple App Store and Mobile Application Terms): added all ten Apple Exhibit B minimum terms (the agreement is with Terena, not Apple; scope of license per Apple's Usage Rules; Apple has no maintenance/support obligation; Apple's warranty remedy is limited to a refund; product-liability, IP, and consumer claims are Terena's; export/embargo representation; developer name + address; third-party terms; Apple as third-party beneficiary), plus an Apple non-endorsement clause, a "purchases are not Apple In-App Purchases" clause, and an account-deletion clause.
  • §1–§2: broadened "the Service" and the service description to include the native iPad app.
  • §3: added Sign in with Apple to the listed authentication methods.
  • §4.2: clarified that subscriptions and one-off credits are sold by Terena via Stripe on the web, are not Apple In-App Purchases, and that Apple is not a party to any purchase.
  • §5: added a "Reporting objectionable content" clause (report inbox + Gaze's removal/suspension right) for user-generated content.
  • §7.3: added explicit disclosure of on-device face detection (Apple Vision, framing/crop only — no identification, no faceprint, never leaves the device) and Face ID (Secure Enclave; success/failure result only).

Privacy Policy

  • New §2.5 (Information Collected Through the Gaze App for iPad): App Store "App Privacy" category table (Name, Email, User ID, Photos/Videos, Product Interaction, Device Identifier — all linked, none used for tracking); device permissions (camera, add-only photo library, Face ID); on-device Vision face detection; photo delivery (QR, native share/AirDrop, Save to Photos, AirPrint) with no guest contact collected; offline capture queue; Sign in with Apple (Hide My Email); web-only analytics are not in the app.
  • §2.4: added "no audio recording" and "no cross-app advertising tracking — no IDFA, no App Tracking Transparency prompt, no third-party ad/analytics SDK."
  • §1, §3.2: added the native app to the covered surfaces and added Apple (Sign in with Apple + App Store distribution).

Data Processing Agreement

  • §2.3: noted the native iPad app as a capture/kiosk channel and added AirPrint as a delivery method.
  • §2.6: added the on-device Vision face-detection note (no biometric identifier; never leaves the device).

Sub-Processors

  • Added Apple Inc. for Sign in with Apple; noted App Store / TestFlight distribution, where Apple acts as an independent controller (not a sub-processor).

2026-06-07 — Signup marketing-consent checkbox copy trimmed

Signup form — marketing opt-in checkbox

  • Removed the trailing sentence "Transactional emails (account verification, password resets, photo delivery) are sent regardless." from the marketing opt-in checkbox label on the create-account screen. The checkbox now reads: "Send me product updates, tips, and occasional news about Gaze. You can unsubscribe at any time."
  • No change to policy or behavior — transactional emails are still sent regardless of the marketing preference. The transactional-vs-marketing distinction remains documented in the Privacy Policy (Marketing-preferences table) and the Terms of Use (transactional-emails clause), which are the controlling disclosures. The inline checkbox restatement was a redundant transparency nicety, not a legal requirement.

2026-05-21 — Terms §19 inline anchor link removed + in-page anchor rendering fixed

Surgical follow-on to the 2026-05-20 DMCA-registration pass.

Terms of Use — §19 (Contact Us)

  • Removed the trailing "see Section 11 for the designated agent and registration details" anchor link from the DMCA-notices bullet in §19. The link was opening a duplicate browser tab on every click instead of scrolling within the same page. The §11 DMCA section is still a single click away in the doc's outline / table of contents — no information was lost.

Site fix — in-page anchor links across all legal and help docs

  • Fixed the shared document renderer used by our legal pages and help center so that any future "Section X"-style link inside a document scrolls within the same page instead of opening a duplicate tab. No user-visible content change in this release; the fix is forward-compatible plumbing.

2026-05-20 — Legal punch-list accuracy audit

An internal audit reconciled our counsel checklist against the platform as actually shipped. Several previously pending items were verified as delivered — including privacy hardening of our error-monitoring tooling, shorter-lived media links, search-engine exclusion of per-event pages, and the marketing-email opt-in default — and were moved to the resolved list. The legal documents themselves were not changed in this audit — only internal punch-list housekeeping. Items still requiring attorney or external action remain tracked internally.

2026-05-20 — DMCA agent registration complete + legal-doc header restructure

Two follow-on housekeeping changes after the doc-parity refresh that landed earlier the same day.

Terms of Use — §11 (DMCA & Copyright Complaints) is now live

  • Replaced the registered-agent placeholder with the actual designated agent details now on file.
  • Designated Agent: DMCA Agent, Terena Group LLC, 418 Broadway, Ste N, Albany, NY 12207, United States. Email: support@terena.group with subject line "DMCA Notice" (or "DMCA Counter-Notification" for counter-notices). This is the same email on file with the U.S. Copyright Office, so the public Copyright Office directory and our published Terms agree on a single inbox.
  • U.S. Copyright Office registration number: DMCA-1073098, effective May 20, 2026.
  • Removed the "in the process of registering" status note from §11 and the matching hedging clause from §19 (Contact Us) — both are obsolete now that the filing is complete.
  • No phone number is published in the legal docs; takedown notices route through support@terena.group (with the "DMCA Notice" subject convention) or the postal address above. Using a shared support inbox with a subject-line convention is the conventional small-SaaS pattern and is fully OCILLA-compliant — 17 USC § 512(c)(2) and 37 CFR § 201.38 require designating an agent and providing an email, not a dedicated address.
  • Gaze now qualifies for the OCILLA / § 512(c) safe-harbor protection as a service provider, provided we continue to respond to valid takedown notices and maintain a repeat-infringer policy as described in §11.

Header restructure across Terms, Privacy, and DPA

  • Removed the stark "Operator / Mailing Address / Email" block that previously sat at the top of each legal doc, immediately under the title.
  • Replaced it with a single short intro paragraph that names the operating entity (Terena Group LLC) in prose and links to the existing Contact section at the bottom of each doc for the mailing address and email.
  • Rationale: industry-standard structure leads with the title, last-updated date, and a brief intro that names the entity — not a postal-style address block. The address remains canonical in the Contact section of each doc; only its placement changed. No substantive legal language was altered.

What was not changed

  • No new rights, commitments, or processing operations.
  • No retention, subprocessor, or fee changes.
  • No code, no plan terms, no third-party-service additions or removals.

2026-05-20 — Doc-parity refresh: descriptive language updated to match the shipped platform

A documentation-parity audit surfaced precise drift between several legal statements and what the platform actually does today. This pass updates the descriptive language to match the shipped reality. It adopts no new commitments, removes no existing protections, and is not a renegotiation of the privacy or terms relationship with users — it is a documentation hygiene update. Operators do not need to re-consent to anything; the underlying processing and rights are unchanged.

Privacy Policy

  • §2.1 (PINs and passwords) — hashing algorithm: Updated from "PBKDF2-SHA256" to "Argon2id, with transparent on-verify upgrade of any pre-existing PBKDF2 or SHA-256 hashes to Argon2id." Reflects the hash upgrade that shipped recently. Both kiosk exit PINs and gallery passwords are covered.
  • §2.4 (Cookies) — kiosk exit cookie name: Corrected the cookie row from kiosk_exit_* to __Host-kiosk_exit_* to match the actual prefix in production — the prefix is what makes the cookie host-locked and HTTPS-only at the browser-enforcement layer.
  • §2.x (One-off event credit purchases) — lifecycle disclosure: Added the four lifecycle fields we persist on credit purchases: status (pending / redeemed / refunded / expired), redemption and refund timestamps, the payment reference, and the 12-month expiry after which an unredeemed credit auto-expires.
  • §3.1 (How We Use Your Data) — operational processing: Disclosed our scheduled background jobs (welcome-email reconciliation, printer health checks, credit expiry, periodic cleanup), the print-agent heartbeat (every 30s when a printer pairing is claimed), and the remote command channel that lets the cloud send restart / update / sync commands to a paired host. Operators of paired hosts can disable the remote command channel by deleting the pairing.
  • §3.5 (Public Surfaces) — search-engine and link-preview behavior: Acknowledged that general search engines are blocked from per-event pages, while a dedicated allowance lets social platforms (Facebook, Twitter/X, LinkedIn, Slack, WhatsApp, Telegram, Discord, Apple, Pinterest, Reddit) fetch those URLs to render link previews — without this, shared event URLs render as a bare globe glyph in iMessage and other apps. Page-level no-index directives remain the second layer of defense for any crawler that finds the URL externally.
  • §4.1 (Your Rights — Data Export): Narrowed the export promise from "machine-readable export of all data" to "JSON export of account metadata, plus media file download from your event galleries; for a full bundle covering both, email support@gaze.photo and we will reply within 30 days." Reflects the actual scope of the self-serve export (account metadata) plus the existing per-event gallery download flow that covers media. The docs were over-promising a single mechanism that covered both.
  • §5.1 (Security Measures) — three additions: Added (a) a strict Content-Security-Policy with per-request script nonces, (b) supply-chain hardening (pinned CI dependencies, automated dependency and secret scanning, cryptographically signed print-agent installer), and (c) updated the auth security row to reflect that account-password and application-side PIN/password hashing both use Argon2id. The previous language was carried over from an earlier posture and no longer matched today's defaults.

DPA

  • §2.3 (Processing operations): Added print relay, printer-pairing heartbeat ingest (every 30s), and remote command delivery (restart / update / sync) to the enumeration of processing operations performed by Processor for Controller.
  • §2.5 (Categories of Personal Data) — PIN hashing: Mirrored the privacy update — clarified that all PIN/password hashes are Argon2id with on-verify lazy upgrade from any legacy PBKDF2 or SHA-256 material.
  • §5 (Security Measures) — table additions: Added rows for Content-Security-Policy with per-request nonces and supply-chain hardening. Updated the existing "Authentication and credentials" row to reflect Argon2id + transparent lazy upgrade.

Subprocessors

  • Last updated date: May 8 → May 20. No subprocessor additions, removals, or substitutions — only the date bump to keep parity with the privacy/DPA refresh.

Terms of Use

  • §2 (The Service) — print agent disclosure: Added a paragraph naming the optional Gaze Print Agent, the platforms it runs on (Linux / macOS / Raspberry Pi), the published install script at https://gaze.photo/install/print-agent.sh (served with a checksum header so operators can verify it before running), and the fact that pairing the agent enables a remote-command channel (restart / update / sync) which the operator can disable at any time by deleting the pairing. The agent is opt-in — accounts without a printer pairing have zero agent surface area.

COPPA Parental Consent Form

  • Operator name header: Added "Provided by Terena Group LLC" to the form preamble so guardians see who the data is being shared with at consent time.
  • AirDrop wording: Replaced bare "AirDrop" references with "native share (which on iOS includes AirDrop)" to reflect that the underlying primitive is the platform share feature — on iOS it surfaces as the standard share sheet (including AirDrop), on Android as the platform share sheet, and on desktop browsers as a share dialog or copy-to-clipboard option.

What was not changed

  • No new rights or commitments. Every protection in the previous version remains in place. This pass narrows over-promises and broadens accurate disclosure; it does not add a "we will" commitment we cannot keep, and it does not retract a "we will" commitment we made before.
  • No subprocessor changes. Subprocessor list is unchanged from the May 8 version.
  • No retention changes. Retention schedule in privacy §5.3 is unchanged from the May 9 version.
  • No fee or plan term changes. Pricing page and plan structure are governed by the pricing page (the canonical numerical source); §4 of Terms continues to defer to it.

Operational

  • A doc-parity audit cadence has been added — every release shipping new public-facing surfaces (new processing operation, new subprocessor candidate, new auth flow, new data category) requires the legal corpus to be reviewed in the same release. This is internal process, not a user-facing commitment, but it should reduce the likelihood of similar drift in future.

2026-05-09 — Counsel-led legal refresh, second pass

A second sweep of the same audit, prompted by significant platform updates shipped between the first pass and now: Stripe billing fully wired (in-place plan switching with prorations + past-due semantics), photo metadata stripping on all uploaded images, tightened access controls on captured-media storage, improved error diagnostics, and expanded automated accessibility testing. This pass is purely descriptive — it adopts no new commitments — but the docs were lagging behind the platform in a few precise places.

Privacy Policy

  • §2.1 (Information You Provide) — billing row: Expanded the Stripe inventory from "customer ID + plan" to the full set we actually keep on your billing record (Stripe customer ID, subscription ID, price ID, subscription status, current period end, plan tier).
  • §3.1 (How We Use Your Data) — Customer Portal scope: Spelled out exactly what the Stripe Customer Portal lets organizers do (manage payment methods, download invoices, change subscription, cancel) and clarified that mid-cycle plan changes update the existing Stripe subscription in place, with prorations applied to the next invoice.
  • §3.5 (Public Surfaces — Publisher Portal): New section. Discloses that host profiles (gaze.photo/u/{handle}) are public and indexable by design (handle, display name, avatar, bio, list of published events). Per-event landing pages and all of their sub-pages carry full no-index directives and are excluded from search-engine crawling — search engines will not crawl, archive, or surface event names, descriptions, cover images, or photos in search results, link previews, or image search. Captured photos themselves remain non-indexable by virtue of expiring-link delivery from private storage.
  • §5.1 (Security Measures): Added four new measures the platform actually performs today — (a) owner-scoped access controls on captured-media storage, (b) EXIF/IPTC metadata stripping (including GPS coordinates) on JPEG and PNG uploads, (c) integrity checks on uploads, and (d) diagnostic stack-trace resolution for error monitoring.
  • §5.3 (Data Retention) — past-due row: Added a row clarifying that a failed Stripe payment does not immediately downgrade an account — Stripe retries against its standard schedule and your subscription remains active in a past-due state until either the payment succeeds or Stripe gives up and reports the subscription as canceled.

Search engine indexing

  • Per-event publisher pages and their sub-pages, plus event galleries, are now excluded from search-engine crawling — both via the site's crawler rules and via page-level no-index directives as a belt-and-braces signal for any non-compliant bot. Host profile pages (gaze.photo/u/{handle}) remain crawlable.

Terms of Use

  • §4.1 (Plans): Added a sentence enumerating the seven dimensions of per-plan limits (capture count, storage bytes, simultaneously-active events, capture modes, gallery visibility options, custom-branding entitlements, brand-asset library size) so that organizers know up-front what changes between tiers, with the pricing page remaining the canonical numerical source.
  • §4.3 (Auto-Renewal, Cancellation, and Plan Changes): Renamed and expanded. Added two paragraphs covering (a) mid-cycle plan switching: we modify the existing Stripe subscription in place and Stripe applies prorations on the next invoice, and (b) downgrade blocking: switching to a smaller plan is blocked if your current usage exceeds the new plan's caps, and you are prompted to delete or archive content first — we do not silently delete data on downgrade.
  • §4.6 (Failed Payments and Past-Due Subscriptions): New section. Mirrors the privacy disclosure above — failed payments enter Stripe's retry schedule, your subscription stays active during the retry window, and downgrade only happens if Stripe finally reports the subscription as canceled. Renumbered the previous Communications section to §4.7.

DPA

  • §2.5 (Categories of Personal Data) — billing row: Mirrored the privacy update — added Stripe subscription ID, price ID, subscription status (with active / past-due / canceled examples), and current period end to the existing controller-billing-data row.
  • §5 (Security Measures) — table: Added three new rows covering owner-scoped storage access controls on captured media, image metadata stripping (EXIF/IPTC), and upload integrity checks.
  • §5.1 (Sentry): Added a sentence disclosing that we provide our error-monitoring service with the debugging information needed to resolve production stack traces to readable function names — this describes Gaze's own code and contains no end-user Personal Data.

Accessibility Statement

  • Full refresh. Adopted the substance of the May 8 launch instead of "WCAG 2.2 with 2.1 fallback" hand-waving. New Testing Methodology section discloses the actual rule packs (wcag2a, wcag2aa, wcag21a, wcag21aa, wcag22aa, best-practice), the eight-persona surface coverage (anonymous marketing, signed-out / signed-in auth, organizer admin, publisher portal, event guest, live wall, kiosk, onboarding), and the live result (0 critical / 0 serious / 0 moderate / 0 minor on the scanned surfaces as of 2026-05-08, with baselines kept for regression detection).
  • Plain-text honesty about scope. Spelled out what automated scans do not catch (manual screen-reader prose quality, focus-trap correctness inside dynamic dialogs, live-region readability, accessibility of the captured media itself), confirmed that we do not currently publish a VPAT or manual screen-reader log, and added a Known Limitation noting that mobile-viewport baselines exist for the public marketing/auth surfaces but not yet for the full organizer / publisher / guest fleet.
  • Conformance status reworded from "partially conformant" to "substantially conformant based on automated testing across the scanned surfaces" — the previous phrasing was more pessimistic than the actual test posture warrants.

2026-05-08 — Counsel-led legal refresh

This revision was driven by an attorney audit of the entire legal corpus. It (a) reconciles the docs with the platform as it actually shipped, (b) adopts industry-standard retention and inactive-account language, (c) names the operating entity (Terena Group LLC) and registered mailing address on every doc, and (d) was accompanied by privacy hardening of our analytics and error-monitoring configuration (described below). Items the attorney still needs to action externally are tracked on our internal counsel checklist.

Across all documents

  • Operator named. Terena Group LLC, a New York limited liability company, named as the operating entity on Privacy, Terms, DPA, Subprocessors, and Accessibility Statement.
  • Mailing address added. 418 Broadway, Ste N, Albany, NY 12207, United States added as the operator mailing address on every doc, satisfying CCPA § 1798.130(a)(1) and CAN-SPAM § 7704(a)(5).
  • "AirDrop" → "native share (which on iOS includes AirDrop)" everywhere, matching the actual platform share feature used by the kiosk and gallery.

Privacy Policy

  • §2.1 (Information You Provide): Added marketing preferences row (with new opt-in default), billing/subscription data row (Stripe customer ID, plan tier, period end, one-off credits), Help Center activity row. Clarified that gallery passwords and kiosk PINs are hashed at rest.
  • §2.2 (Information Collected Automatically): Rewrote the Clarity row to enumerate the actual pages where it runs (home, pricing, organizer and publisher dashboards) and the Global Privacy Control opt-out. Added a Sentry row describing session replay limited to organizer surfaces only, the sampling rates, the default text/input masking, and client-side scrubbing of personal data before reports leave the browser.
  • §2.3 (Cookies & Local Storage): Added kiosk-exit cookie row, Bing UET cookies row (synchronized by Clarity), GPC suppression note. Added an explanation that the gallery cookie is intentionally readable by the page (security relies on the password match, not on cookie obscurity).
  • §3.1 (How We Use Your Data): Added publisher portal / vanity handles, Stripe Customer Portal, one-off event credits, Help Center, Stripe webhook audit log; updated communications bullet to reflect the new opt-in default.
  • §3.2 (Third-Party Service Providers): Added Vercel and Sentry rows. Refined the Resend row to clarify it is the email-delivery provider behind our authentication emails. Refined the Microsoft row to disclose the synchronized Bing UET pixel.
  • §4.6 (How to Exercise Your Rights): Added a marketing-email opt-out path (one-click unsubscribe + account-settings toggle) and a postal-mail option to Terena Group LLC's Albany address.
  • §5.3 (Data Retention): Removed the unenforced "12 months then automatically purged" promise for analytics data — adopted the industry-standard "as long as necessary" pattern. Removed the unenforced "12 months inactive then auto-delete" promise — replaced with a 24-month reservation of right + advance email notice. Removed the "configured by event organizer" claim for event media — there is no organizer-configurable retention setting. Added explicit Stripe webhook audit log retention (survives account deletion). Added Sentry retention reference.
  • §5.7 (Contact Us): Added Terena Group LLC and the Albany mailing address.
  • §6 (Children's Privacy): Updated photo-delivery sentence from "QR code, AirDrop, or direct download" to "QR code, native share (which on iOS includes AirDrop), or direct download."

Terms of Use

  • Header: Operator (Terena Group LLC) and mailing address added.
  • §2 (Description of Service): Expanded to enumerate every feature surface that has shipped: 3-photo / 4-photo strip layouts, branded design editor + design kits + version history + built-in template library, bulk gallery ZIP download, kiosk PIN exit code, Stripe Customer Portal, one-off event credits, vanity-handle publisher portal at gaze.photo/u/{handle}, in-app Help Center.
  • §4.1 (Plans): Added explicit plan tier prices — Free / Starter $20mo or $169yr / Pro $60mo or $499yr / one-off Event Credit $15. The pricing page is named as the canonical source if any number drifts.
  • §4.2 (Payment Processing and Taxes): Added the tax disclosure language: prices are listed exclusive of taxes; where required by law and where Gaze has registered to collect them, applicable taxes will be added at checkout.
  • §4.3 (Auto-Renewal and Cancellation): Reworded "cancel anytime through account settings" to point to the Stripe Customer Portal explicitly, accessed from account settings. Documented one-off credit semantics.
  • §4.6 (Communications): Rewrote to reflect the new marketing-email opt-in default — new accounts are opted out by default and must affirmatively tick a consent checkbox at signup; transactional emails remain mandatory.
  • §7.2 (Analytics and Error Monitoring): Renamed from "Analytics" and expanded to describe both Clarity and Sentry, with replay limited to organizer surfaces, GPC honoring, and client-side scrubbing of personal data called out.
  • §11 (DMCA & Copyright Complaints): Restructured into a proper § 512(c)(2) designated-agent block. Documented the in-flight registration with the U.S. Copyright Office. Added a "Repeat Infringers" subsection. The placeholder would be replaced with the registered agent details once the filing completed (it has since — see the 2026-05-20 entry).
  • §16.2 (Termination by Gaze): Replaced the "12 months inactive → auto-delete" clause with a 24-month inactive reservation of right + advance email notice.
  • §17 (General Provisions) and §19 (Contact Us): Added the Albany mailing address as a notice address and a DMCA-notice contact path.

Data Processing Agreement (DPA)

  • Header: Processor (Terena Group LLC) and mailing address added.
  • §2.3 (Nature and Purpose of Processing): Added Stripe billing processing for paid-plan Controllers; updated photo-delivery wording.
  • §2.5 (Types of Personal Data Processed): Added Controller billing data (Stripe customer ID, subscription status, plan tier, billing email/address, one-off credit history) and Controller security data (kiosk PIN hashes, gallery password hashes, signed session tokens) categories.
  • New §5.1 (Diagnostic Analytics and Replay — Sentry): Added a Sentry-specific paragraph documenting replay scope, default masking, and client-side scrubbing of personal data, so Controllers can satisfy Article 28(3)(c) "appropriate technical measures" expectations without separate sub-processor diligence.
  • §15 (Contact): Operator + mailing address added.

Sub-Processors

  • §Questions: Added the Albany mailing address as a postal contact.

Accessibility Statement

  • §Feedback: Added the Albany mailing address as a postal contact for accessibility feedback.

Privacy hardening shipped alongside these doc revisions

  • Error-monitoring hardening. Our error-monitoring configuration now strips email addresses, IP addresses, authentication headers, and media-link tokens from reports before they leave the browser, and drops any report that would carry such a token. Session replay runs only on organizer-facing surfaces — guest-facing pages (event pages, galleries, kiosk, live wall) never load it — and masks all text and inputs by default, with explicit masking on sensitive form fields.
  • Marketing email opt-in default flip. New accounts now default to opted out of marketing email; the signup form exposes a clearly-labelled "Send me product updates" checkbox (default unchecked). Existing accounts are unchanged (anyone signed up under the prior US-only opt-out regime stays opted in, which CAN-SPAM permits with a working unsubscribe link, which we already provide).

2026-05-08 — v2.9.1 launch fold

  • Sentry added as subprocessor (error monitoring and session replay; organizer pages only; not loaded on guest surfaces). See the Sub-Processors page.
  • Stripe live-mode billing activated for paid plans. Customer Portal exposes self-serve plan changes.
  • Kiosk exit PIN hashing — PINs now hashed with PBKDF2-SHA256 (100,000 iterations) at rest, replacing earlier storage. (Since upgraded to Argon2id — see the 2026-05-20 entry.)
  • Captured-media storage access tightened — anonymous read path replaced with an owner-scoped access policy.

April 16, 2026

Privacy Policy & Subprocessors — SMS Authentication Removed

  • Privacy Policy §2.1: "Authentication credentials" updated — SMS/phone verification is no longer offered. Accepted sign-in methods are email/password, email magic link, and Google sign-in.
  • Privacy Policy §3.2 and Subprocessors: Twilio removed from the sub-processor list. We no longer share phone numbers or verification codes with Twilio.
  • Terms of Use §3: Authentication methods enumerated in the account-security clause updated from "email, phone, or Google sign-in" to "email, magic link, or Google sign-in".
  • Data deletion: Any phone numbers previously stored against accounts will be removed from our authentication records within 30 days of this change.

April 13, 2026

Terms of Use — v2.0 (Major Revision)

  • Section 2: Updated delivery methods to reflect current capabilities
  • Section 4.2: Removed Apple In-App Purchase reference (not yet available)
  • Section 4.5: Added consumer protection law carve-out for refund policy
  • Section 5: Added prohibitions on capturing minors without parental consent and using captured media for biometric identification
  • Section 6.3: Added organizer responsibilities for COPPA compliance, event signage, biometric law compliance, and organizer indemnification for guest claims
  • Section 7.1: Added Data Processing Agreement section with link to DPA
  • Section 7.2: Added Microsoft Clarity opt-out language
  • Section 7.3: Added biometric data disclaimer (no facial recognition or biometric processing)
  • Section 8: Added Children's Privacy section (COPPA compliance)
  • Section 11: Updated DMCA section for registered agent
  • Section 15.3: Added 30-day arbitration opt-out right
  • Section 15.6: Specified New York as governing law jurisdiction
  • Section 16.3: Updated data deletion language to reflect actual infrastructure (active systems + 7-day backup cycle)
  • Section 16.4: Added survival clause specifying sections that survive termination
  • Section 17: Updated Entire Agreement to include DPA; expanded Force Majeure list

Privacy Policy — v2.0 (Major Revision)

  • Section 2.3: Distinguished essential vs. analytics cookies; added consent language for analytics cookies
  • Section 2.4: Expanded biometric disclaimer with legal specificity
  • Section 3.1: Added UK alongside EU/EEA for GDPR legal bases
  • Section 3.2: Updated third-party provider table to match actual integrations
  • Section 3.3: Added sub-processor list and 30-day change notification mechanism
  • Section 4.2: Added UK (ICO) alongside EU/EEA GDPR rights
  • Section 4.3: Updated to CCPA/CPRA with Right to Correct and Right to Limit Sensitive PI
  • Section 4.4: Added coverage for Virginia, Colorado, Connecticut, Oregon, Texas, Montana, and other US state privacy laws; added Global Privacy Control recognition
  • Section 4.5: Added Canadian PIPEDA rights (access, correction, withdrawal of consent, complaint to Privacy Commissioner)
  • Section 4.6: Added identity verification process details for privacy rights requests (renumbered from 4.5)
  • Section 4.7: Added COPPA, signage, biometric organizer responsibilities; added DPA link (renumbered from 4.6)
  • Section 5.1: Added kiosk session isolation to security measures
  • Section 5.2: Added Security Incident Response section (72-hour breach notification)
  • Section 5.3: Added Microsoft Clarity data retention row
  • Section 5.4: Updated deletion language to reflect actual infrastructure (active systems + 7-day backup cycle)
  • Section 5.5: Specified Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum (IDTA), and EU-US Data Privacy Framework for international transfers
  • Section 6: Added Children's Privacy section

Data Processing Agreement — v1.0 (New Document)

  • Published initial DPA at /dpa covering GDPR Article 28 requirements
  • Includes: scope of processing, data categories, controller/processor obligations, security measures, sub-processor management, data subject rights assistance, audit rights, 72-hour breach notification, data deletion/return, international transfer mechanisms, liability, and governance

Sub-Processors List — v1.0 (New Document)

  • Published initial sub-processor list at /subprocessors
  • Lists all current sub-processors with locations and purposes
  • Includes 30-day change notification and objection mechanism

Accessibility Statement — v1.0 (New Document)

  • Published accessibility statement at /accessibility
  • Covers WCAG 2.1 Level AA conformance goals, current features, known limitations, and feedback process

COPPA Compliance Toolkit — v1.0 (New Documents)

  • Published Event Signage Templates with three variants: general event, events with minors, and biometric privacy notice for IL/TX/WA jurisdictions
  • Published Parental Consent Form for events where children under 13 may be present

April 6, 2026

Terms of Use — v1.0 (Initial Publication)

  • Initial Terms of Use published for Gaze platform launch

Privacy Policy — v1.0 (Initial Publication)

  • Initial Privacy Policy published for Gaze platform launch