Gaze

Legal Document Changelog

This page tracks material changes to Gaze's legal documents. We maintain this changelog to provide transparency about how our policies evolve over time.


2026-05-09 — Counsel-led legal refresh, second pass (post v2.9.2)

A second sweep of the same audit, prompted by significant code shipped between the first pass and now: Stripe billing fully wired (in-place plan switching with prorations + past-due semantics), EXIF/IPTC metadata stripping on all uploaded images, captures storage bucket tightened to event-owner-scoped row-level access, application source maps shipped to Sentry for stack-trace resolution, and the accessibility test fleet expanded with full axe-core coverage. This pass is purely descriptive — it adopts no new commitments — but the docs were lagging behind the code in a few precise places.

Privacy Policy

  • §2.1 (Information You Provide) — billing row: Expanded the Stripe inventory from "customer ID + plan" to the full set we actually persist on profiles rows (Stripe customer ID, Stripe subscription ID, Stripe price ID, Stripe subscription status, current period end, plan tier).
  • §3.1 (How We Use Your Data) — Customer Portal scope: Spelled out exactly what the Stripe Customer Portal lets organizers do (manage payment methods, download invoices, change subscription, cancel) and clarified that mid-cycle plan changes update the existing Stripe subscription in place, with prorations applied to the next invoice.
  • §3.5 (Public Surfaces — Publisher Portal): New section. Discloses that host profiles (gaze.photo/u/{handle}) are public and indexable by design (handle, display name, avatar, bio, list of published events). Per-event landing pages (gaze.photo/u/{handle}/{event-name}) and all of their sub-pages now carry noindex, nofollow, noarchive, nosnippet, noimageindex directives at the page level and are also disallowed in robots.txt — search engines will not crawl, archive, or surface event names, descriptions, cover images, or photos in search results, link previews, or image search. Captured photos themselves remain non-indexable by virtue of signed URL delivery from private storage.
  • §5.1 (Security Measures): Added four new measures that the platform actually does today — (a) event-owner-scoped row-level access on the captures storage bucket, (b) EXIF/IPTC metadata stripping (including GPS coordinates) on JPEG and PNG uploads, (c) collision-protected upload writes plus magic-byte verification on video poster files, and (d) diagnostic source-map upload to Sentry.
  • §5.3 (Data Retention) — past-due row: Added a row clarifying that a failed Stripe payment does not immediately downgrade an account — Stripe retries against its standard schedule and your subscription remains in past_due (active) state until either the payment succeeds or Stripe gives up and reports the subscription as canceled.
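
The two upload-side measures in §5.1 above, metadata stripping (b) and magic-byte verification (c), are easy to get subtly wrong, so here is an added illustration of both in TypeScript. This is example code written for this changelog, not Gaze's upload pipeline: it sniffs an upload's real type from its leading bytes rather than trusting the client's Content-Type, and it walks a JPEG's marker segments to drop the APP1 (Exif/XMP, where GPS and device data live) and APP13 (Photoshop/IPTC) segments before the file is stored. The sample JPEG bytes are constructed inline; the segment signatures are the standard ones from the JPEG/Exif and Photoshop specifications.

```typescript
// Added example (not Gaze's code): magic-byte sniffing plus JPEG metadata stripping.

export type ImageKind = "jpeg" | "png" | "webp" | null;

// Identify the container from its magic bytes; null means "reject this upload".
export function sniffImageType(bytes: Uint8Array): ImageKind {
  const startsWith = (sig: number[], offset = 0) =>
    sig.every((b, i) => bytes[offset + i] === b);
  if (startsWith([0xff, 0xd8, 0xff])) return "jpeg";
  if (startsWith([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return "png";
  // "RIFF" .... "WEBP"
  if (startsWith([0x52, 0x49, 0x46, 0x46]) && startsWith([0x57, 0x45, 0x42, 0x50], 8)) return "webp";
  return null;
}

const ascii = (s: string) => Array.from(s, (c) => c.charCodeAt(0));
const EXIF_SIG = ascii("Exif\0\0");                          // APP1 payload prefix
const XMP_SIG = ascii("http://ns.adobe.com/xap/1.0/\0");     // APP1 payload prefix (XMP)
const PHOTOSHOP_SIG = ascii("Photoshop 3.0\0");              // APP13 payload prefix (IPTC)

function payloadStartsWith(bytes: Uint8Array, at: number, sig: number[]): boolean {
  return sig.every((b, i) => bytes[at + i] === b);
}

// Copies every marker segment before the scan except the metadata ones.
// From SOS (FFDA) onward the entropy-coded data is copied verbatim, because
// metadata segments can only appear in the header part of a baseline JPEG.
export function stripJpegMetadata(bytes: Uint8Array): Uint8Array {
  if (sniffImageType(bytes) !== "jpeg") throw new Error("not a JPEG");
  const out: number[] = [0xff, 0xd8]; // SOI
  let pos = 2;
  while (pos + 1 < bytes.length) {
    if (bytes[pos] !== 0xff) throw new Error(`expected marker at offset ${pos}`);
    const marker = bytes[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }               // fill byte
    if (marker === 0xd9 || marker === 0xda) {                  // EOI or SOS: copy the rest
      for (let i = pos; i < bytes.length; i++) out.push(bytes[i]);
      break;
    }
    if (marker === 0x01 || (marker >= 0xd0 && marker <= 0xd7)) { // standalone markers
      out.push(0xff, marker);
      pos += 2;
      continue;
    }
    if (pos + 3 >= bytes.length) throw new Error("truncated segment header");
    const length = (bytes[pos + 2] << 8) | bytes[pos + 3];     // includes the 2 length bytes
    const end = pos + 2 + length;
    if (length < 2 || end > bytes.length) throw new Error("bad segment length");
    const payload = pos + 4;
    const isExifOrXmp = marker === 0xe1 &&
      (payloadStartsWith(bytes, payload, EXIF_SIG) || payloadStartsWith(bytes, payload, XMP_SIG));
    const isIptc = marker === 0xed && payloadStartsWith(bytes, payload, PHOTOSHOP_SIG);
    if (!isExifOrXmp && !isIptc) {
      for (let i = pos; i < end; i++) out.push(bytes[i]);
    }
    pos = end;
  }
  return Uint8Array.from(out);
}

// Constructed sample: a minimal JPEG skeleton with JFIF, an Exif APP1 segment
// standing in for camera/GPS data, an IPTC APP13 segment, then SOS and EOI.
export const SAMPLE_JPEG = Uint8Array.from([
  0xff, 0xd8,                                                              // SOI
  0xff, 0xe0, 0x00, 0x10, ...ascii("JFIF\0"), 1, 1, 0, 0, 1, 0, 1, 0, 0,   // APP0 JFIF
  0xff, 0xe1, 0x00, 0x10, ...EXIF_SIG, 0x49, 0x49, 0x2a, 0x00, 0x08, 0, 0, 0, // APP1 Exif
  0xff, 0xed, 0x00, 0x14, ...PHOTOSHOP_SIG, 0x38, 0x42, 0x49, 0x4d,       // APP13 "8BIM"
  0xff, 0xda, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3f, 0x00,             // SOS
  0x12, 0x34, 0x56, 0x78,                                                  // entropy-coded data
  0xff, 0xd9,                                                              // EOI
]);
```

The sniff result, not the declared MIME type, should choose which stripper runs; a PNG carries its metadata in tEXt/iTXt/eXIf chunks and needs a separate chunk walker, which is why the two checks are kept as distinct functions.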

Robots / search engine indexing

  • app/robots.ts: Added /u/*/* (every per-event publisher page and its sub-pages) and /e/*/gallery to the disallow list. Existing disallows for /admin/, /api/, /kiosk/, /wall/, /publisher/, /auth/, /welcome, /reset-password, /e/*/capture, /e/*/download, /u/*/*/capture, /u/*/*/download, /u/*/*/kiosk, /u/*/*/wall remain. Host profile pages (gaze.photo/u/{handle}) remain crawlable.
  • app/u/[handle]/[slug]/page.tsx and app/u/[handle]/[slug]/gallery/page.tsx: generateMetadata now emits robots: { index: false, follow: false, noarchive: true, nosnippet: true, noimageindex: true, googleBot: { ... same ... } } as a belt-and-braces signal in case any non-compliant bot ignores robots.txt.
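
Because the indexing change relies on robots.txt prefix rules with wildcards, it is worth checking that the disallow list blocks exactly the paths the entry says it does. The following is an added TypeScript example written for this page, not Gaze's app/robots.ts: it implements RFC 9309 matching (rules are path prefixes, "*" matches any run of characters, a trailing "$" anchors the end, the longest matching rule wins, and an Allow beats a Disallow of the same length) and loads the disallow list as listed above, with an empty allow list assumed.

```typescript
// Added example (not Gaze's code): a robots.txt matcher for checking crawl policy.

export interface RobotsRules {
  allow: string[];
  disallow: string[];
}

// The disallow list as described in this changelog entry (allow list assumed empty).
export const GAZE_RULES: RobotsRules = {
  allow: [],
  disallow: [
    "/admin/", "/api/", "/kiosk/", "/wall/", "/publisher/", "/auth/",
    "/welcome", "/reset-password",
    "/e/*/capture", "/e/*/download", "/e/*/gallery",
    "/u/*/*/capture", "/u/*/*/download", "/u/*/*/kiosk", "/u/*/*/wall",
    "/u/*/*", // every per-event publisher page and its sub-pages
  ],
};

// Translate one robots rule into an anchored regular expression.
function ruleToRegex(rule: string): RegExp {
  const anchored = rule.endsWith("$");
  const body = anchored ? rule.slice(0, -1) : rule;
  const escaped = body
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + (anchored ? "$" : ""));
}

// Length of the longest rule that matches the path, or -1 if none does.
function longestMatch(path: string, rules: string[]): number {
  let best = -1;
  for (const rule of rules) {
    if (ruleToRegex(rule).test(path)) best = Math.max(best, rule.length);
  }
  return best;
}

// True when a compliant crawler may fetch the path under these rules.
export function isCrawlable(path: string, rules: RobotsRules = GAZE_RULES): boolean {
  const allowLen = longestMatch(path, rules.allow);
  const disallowLen = longestMatch(path, rules.disallow);
  if (disallowLen < 0) return true;
  return allowLen >= disallowLen;
}
```

Note that "/u/*/*" also matches a host profile URL written with a trailing slash ("/u/alice/"), so the profile's canonical URL must be served without one, or the rule tightened, for the "host profiles remain crawlable" statement to hold for every URL form.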

Terms of Use

  • §4.1 (Plans): Added a sentence enumerating the seven dimensions of per-plan limits (capture count, storage bytes, simultaneously-active events, capture modes, gallery visibility options, custom-branding entitlements, brand-asset library size) so that organizers know up-front what changes between tiers, with the pricing page remaining the canonical numerical source.
  • §4.3 (Auto-Renewal, Cancellation, and Plan Changes): Renamed and expanded. Added two paragraphs covering (a) mid-cycle plan switching: we modify the existing Stripe subscription in place and Stripe applies prorations on the next invoice, and (b) downgrade blocking: switching to a smaller plan is blocked at the API layer if your current usage exceeds the new plan's caps, and you are prompted to delete or archive content first — we do not silently delete data on downgrade.
  • §4.6 (Failed Payments and Past-Due Subscriptions): New section. Mirrors the privacy disclosure above — failed payments enter Stripe's retry schedule, your subscription stays active during the retry window, and downgrade only happens if Stripe finally reports the subscription as canceled. Renumbered the previous Communications section to §4.7.

DPA

  • §2.5 (Categories of Personal Data) — billing row: Mirrored the privacy update — added Stripe subscription ID, Stripe price ID, subscription status (with active / past_due / canceled examples), and current period end to the existing controller-billing-data row.
  • §5 (Security Measures) — table: Added three new rows covering event-owner-scoped storage RLS on the captures bucket, image metadata stripping (EXIF/IPTC), and upload integrity (collision-protected writes + magic-byte poster verification).
  • §5.1 (Sentry): Added a sentence disclosing that we upload application JavaScript source maps to Sentry at build time so that production stack traces resolve to readable function names — source maps describe Gaze's own code and contain no end-user Personal Data.

Accessibility Statement

  • Full refresh. Adopted the substance of the May 8 launch instead of "WCAG 2.2 with 2.1 fallback" hand-waving. New Testing Methodology section discloses the actual rule packs (wcag2a, wcag2aa, wcag21a, wcag21aa, wcag22aa, best-practice), the eight-persona surface coverage (anonymous marketing, signed-out / signed-in auth, organizer admin, publisher portal, event guest, live wall, kiosk, onboarding), and the live result (0 critical / 0 serious / 0 moderate / 0 minor on the scanned surfaces as of 2026-05-08, with baselines committed to the repo for regression detection).
  • Plain-text honesty about scope. Spelled out what automated scans do not catch (manual screen-reader prose quality, focus-trap correctness inside dynamic dialogs, live-region readability, accessibility of the captured media itself), confirmed that we do not currently publish a VPAT or manual screen-reader log, and added a Known Limitation noting that mobile-viewport axe baselines exist for the public marketing/auth surfaces (/, /login, /signup, /pricing) but not yet for the full organizer / publisher / guest fleet.
  • Conformance status reworded from "partially conformant" to "substantially conformant based on automated axe-core testing across the scanned surfaces" — the previous phrasing was more pessimistic than the actual test posture warrants.

COUNSEL-BACKLOG

  • T5 (publisher portal indexability) — RESOLVED. Per-event pages now have page-level noindex + robots.txt block; host profiles remain crawlable. No further attorney action required.
  • T6 — HaveIBeenPwned password-strength enablement carried forward as a deferred manual launch step (originally noted in v2.9.1 changelog) — surfaced explicitly so it doesn't get lost.

2026-05-08 — Counsel-led legal refresh (post v2.9.1)

This revision was driven by an attorney audit of the entire legal corpus. It (a) reconciles the docs with the platform as it actually shipped through v2.9.1, (b) adopts industry-standard retention and inactive-account language used by Linear / Stripe / Vercel / Supabase / Resend / PostHog, (c) names the operating entity (Terena Group LLC) and registered mailing address on every doc, and (d) hardens the supporting code (Sentry PII scrubbing + replay path-scope; marketing-email opt-in default flip). Any items the attorney still needs to action externally (DMCA agent registration, EU representative, cookie consent banner) are tracked in content/COUNSEL-BACKLOG.md.

Across all documents

  • Operator named. Terena Group LLC, a New York limited liability company, named as the operating entity on Privacy, Terms, DPA, Subprocessors, and Accessibility Statement.
  • Mailing address added. 418 Broadway, Ste N, Albany, NY 12207, United States added as the operator mailing address on every doc, satisfying CCPA § 1798.130(a)(1) and CAN-SPAM § 7704(a)(5).
  • "AirDrop" → "native share (which on iOS includes AirDrop)" everywhere, matching the actual navigator.share Web Share API code path used by the kiosk and gallery.

Privacy Policy

  • §2.1 (Information You Provide): Added marketing preferences row (with new opt-in default), billing/subscription data row (Stripe customer ID, plan tier, period end, one-off credits), Help Center activity row. Clarified that gallery passwords and kiosk PINs are hashed at rest.
  • §2.2 (Information Collected Automatically): Rewrote Clarity row to enumerate the actual path allowlist (/, /pricing, /admin/*, /publisher/*) and the GPC opt-out. Added a Sentry row describing the path-scoped Replay (organizer surfaces only), the 10% / 100% sample rates, the default text/input masking, and the beforeSend PII scrubber.
  • §2.3 (Cookies & Local Storage): Added kiosk-exit cookie row, Bing UET cookies row (synchronized by Clarity), GPC suppression note. Added an explanation that the gallery cookie is intentionally non-HttpOnly (security relies on the password match, not on cookie obscurity — see docs/DECISIONS.md).
  • §3.1 (How We Use Your Data): Added publisher portal / vanity handles, Stripe Customer Portal, one-off event credits, Help Center, Stripe webhook audit log; updated communications bullet to reflect the new opt-in default.
  • §3.2 (Third-Party Service Providers): Added Vercel and Sentry rows. Refined the Resend row to clarify it is configured as the SMTP provider behind Supabase Auth. Refined the Microsoft row to disclose the synchronized Bing UET pixel.
  • §4.6 (How to Exercise Your Rights): Added a marketing-email opt-out path (one-click unsubscribe + account-settings toggle) and a postal-mail option to Terena Group LLC's Albany address.
  • §5.3 (Data Retention): Removed the unenforced "12 months then automatically purged" promise for analytics data — adopted the industry-standard "as long as necessary" pattern. Removed the unenforced "12 months inactive then auto-delete" promise — replaced with a 24-month reservation of right + advance email notice. Removed the "configured by event organizer" claim for event media — there is no organizer-configurable retention UI. Added explicit Stripe webhook audit log retention (survives account deletion). Added Sentry retention reference.
  • §5.7 (Contact Us): Added Terena Group LLC and the Albany mailing address.
  • §6 (Children's Privacy): Updated photo-delivery sentence from "QR code, AirDrop, or direct download" to "QR code, native share (which on iOS includes AirDrop), or direct download."

Terms of Use

  • Header: Operator (Terena Group LLC) and mailing address added.
  • §2 (Description of Service): Expanded to enumerate every feature surface that shipped through v2.9.1: 3-photo / 4-photo strip layouts, branded design editor + design kits + version history + built-in template library, bulk gallery ZIP download, kiosk PIN exit code, Stripe Customer Portal, one-off event credits, vanity-handle publisher portal at gaze.photo/u/{handle}, in-app Help Center.
  • §4.1 (Plans): Added explicit plan tier prices — Free / Starter $20/mo or $169/yr / Pro $60/mo or $499/yr / one-off Event Credit $15. The pricing page is named as the canonical source if any number drifts.
  • §4.2 (Payment Processing and Taxes): Added the Stripe Tax disclosure language: prices are listed exclusive of taxes; where required by law and where Gaze has registered to collect them, applicable taxes will be added at checkout. (Stripe Tax is not currently enabled — disclosure is forward-looking so we can flip the switch without re-papering Terms.)
  • §4.3 (Auto-Renewal and Cancellation): Reworded "cancel anytime through account settings" to point to the Stripe Customer Portal explicitly, accessed from account settings. Documented one-off credit semantics.
  • §4.6 (Communications): Rewrote to reflect the new marketing-email opt-in default — new accounts are opted out by default and must affirmatively tick a consent checkbox at signup; transactional emails remain mandatory.
  • §7.2 (Analytics and Error Monitoring): Renamed from "Analytics" and expanded to describe both Clarity and Sentry, with Replay path-scope, GPC honoring, and beforeSend PII scrubbing called out.
  • §11 (DMCA & Copyright Complaints): Restructured into a proper § 512(c)(2) designated-agent block with placeholders. Documented the in-flight registration with the U.S. Copyright Office. Added a "Repeat Infringers" subsection. The placeholder will be replaced with the registered agent name and address as recorded with the Copyright Office once the filing is complete.
  • §16.2 (Termination by Gaze): Replaced the "12 months inactive → auto-delete" clause with a 24-month inactive reservation of right + advance email notice (matches Linear, Plausible, PostHog).
  • §17 (General Provisions) and §19 (Contact Us): Added the Albany mailing address as a notice address; added a dmca@gaze.photo contact for DMCA notices once the agent is registered.

Data Processing Agreement (DPA)

  • Header: Processor (Terena Group LLC) and mailing address added.
  • §2.3 (Nature and Purpose of Processing): Added Stripe billing processing for paid-plan Controllers; updated photo-delivery wording.
  • §2.5 (Types of Personal Data Processed): Added Controller billing data (Stripe customer ID, subscription status, plan tier, billing email/address, one-off credit history) and Controller security data (kiosk PIN hashes, gallery password hashes, HMAC-signed session tokens) categories.
  • New §5.1 (Diagnostic Analytics and Replay — Sentry): Added a Sentry-specific paragraph documenting Replay path-scope, default masking, and beforeSend PII scrubbing, so Controllers can satisfy Article 28(3)(c) "appropriate technical measures" expectations without separate sub-processor diligence.
  • §15 (Contact): Operator + mailing address added.

Sub-Processors

  • §Questions: Added the Albany mailing address as a postal contact.

Accessibility Statement

  • §Feedback: Added the Albany mailing address as a postal contact for accessibility feedback.

Code changes shipped alongside these doc revisions

  • Sentry hardening (Tier 2 + Tier 3). sentry.client.config.ts now ships a beforeSend hook that strips email addresses, IP addresses, authentication headers, and Supabase signed-URL tokens client-side; drops the entire event if any breadcrumb URL contains a Supabase token; redacts emails from breadcrumb messages; and strips query strings from request URLs. Replay is now path-scoped to mirror the Clarity allowlist (/, /admin/*, /publisher/*, /pricing) — guest-facing surfaces (/e/*, /u/*, /kiosk/*, /wall/*) never load the rrweb DOM recorder. Replay also now masks all text and inputs by default and carries explicit mask selectors for the eight sensitive form fields (full name, company, email, current/new/confirm password, kiosk PIN entry).
  • Marketing email opt-in default flip. New migration supabase/migrations/00032_marketing_opt_in_default_false.sql flips profiles.marketing_opt_in from DEFAULT TRUE to DEFAULT FALSE and updates the handle_new_user() trigger to read the user's checkbox value from auth.users.raw_user_meta_data->>'marketing_opt_in'. Existing rows are unchanged (anyone signed up under the prior US-only DEFAULT TRUE regime stays opted in, which CAN-SPAM permits with a working unsubscribe link, which we already provide). Signup form at app/(auth)/login/page.tsx now exposes a clearly-labelled "Send me product updates" checkbox (default unchecked) and passes the value through both the magic-link and password signup paths.
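
To make the Sentry hardening bullet concrete, here is an added TypeScript example of a beforeSend-style hook with the behaviours listed there: email and IP redaction, credential-header removal, query-string stripping, breadcrumb message redaction, and dropping the whole event when a breadcrumb URL carries a Supabase signed-URL token. This is illustration code written for this changelog, not Gaze's sentry.client.config.ts; it runs against a minimal event shape instead of the Sentry SDK types (field names follow Sentry's event JSON: request.url, request.headers, breadcrumbs[].data.url, user.ip_address), and the signed-URL detection assumes the "/storage/v1/object/sign/...?token=" URL shape. The sample event is constructed.

```typescript
// Added example (not Gaze's code): a PII scrubber in the shape of a Sentry beforeSend hook.

export interface Breadcrumb {
  message?: string;
  data?: { url?: string; [k: string]: unknown };
}

export interface ScrubbableEvent {
  message?: string;
  request?: { url?: string; headers?: Record<string, string> };
  breadcrumbs?: Breadcrumb[];
  user?: { email?: string; ip_address?: string; id?: string };
}

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g; // also catches dotted version strings; acceptable for a scrubber
// Headers that carry credentials; Supabase clients send the project key as "apikey".
const AUTH_HEADERS = new Set(["authorization", "cookie", "apikey", "x-api-key"]);

export function redactText(s: string): string {
  return s.replace(EMAIL_RE, "[email]").replace(IPV4_RE, "[ip]");
}

// Drop the query string and fragment; tokens and search terms live there.
export function stripQuery(url: string): string {
  const cut = url.search(/[?#]/);
  return cut < 0 ? url : url.slice(0, cut);
}

// Assumed shape of a Supabase Storage signed URL: ".../storage/v1/object/sign/<bucket>/<path>?token=<jwt>".
export function hasSupabaseSignedToken(url: string): boolean {
  return url.includes("/storage/v1/object/sign/") && /[?&]token=/.test(url);
}

// Returns the scrubbed event, or null to drop it entirely. Never mutates the input.
export function beforeSend(event: ScrubbableEvent): ScrubbableEvent | null {
  const crumbs = event.breadcrumbs ?? [];
  const leaksToken = crumbs.some((c) => {
    const u = c.data?.url;
    return u !== undefined && hasSupabaseSignedToken(u);
  });
  if (leaksToken) return null; // a signed-URL token anywhere: safest to drop the whole event

  const out: ScrubbableEvent = { ...event };
  if (out.message) out.message = redactText(out.message);
  if (out.request) {
    const headers: Record<string, string> = {};
    const src = out.request.headers ?? {};
    for (const name of Object.keys(src)) {
      if (!AUTH_HEADERS.has(name.toLowerCase())) headers[name] = src[name];
    }
    out.request = {
      ...out.request,
      url: out.request.url ? stripQuery(out.request.url) : undefined,
      headers,
    };
  }
  out.breadcrumbs = crumbs.map((c) => ({
    ...c,
    message: c.message ? redactText(c.message) : c.message,
    data: c.data?.url ? { ...c.data, url: stripQuery(c.data.url) } : c.data,
  }));
  if (out.user) {
    const user = { ...out.user };
    delete user.email;
    delete user.ip_address;
    out.user = user;
  }
  return out;
}

// Constructed sample event for a quick check.
export const SAMPLE_EVENT: ScrubbableEvent = {
  message: "Login failed for alice@example.com from 203.0.113.7",
  request: {
    url: "https://gaze.photo/admin/events?search=alice%40example.com",
    headers: { Authorization: "Bearer eyJ.example", "Content-Type": "application/json" },
  },
  breadcrumbs: [
    { message: "fetch /api/profile for bob@example.com", data: { url: "https://gaze.photo/api/profile?id=42" } },
  ],
  user: { id: "u_123", email: "alice@example.com", ip_address: "203.0.113.7" },
};
```

Dropping rather than editing an event that contains a storage token is the conservative choice: a signed URL is a bearer credential for the photo it points at, and a redaction miss would ship it to a third party.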

2026-05-08 — v2.9.1 launch fold

  • Sentry added as subprocessor (error monitoring and session replay; organizer pages only; not loaded on guest surfaces). See content/subprocessors.md.
  • Stripe live-mode billing activated for paid plans. Customer Portal exposes self-serve plan changes. See docs/BILLING_IMPLEMENTATION.md.
  • Kiosk exit PIN hashing — PINs now hashed with PBKDF2-SHA256 (100,000 iterations) at rest. Plain-text storage retired in v2.8.10.
  • Captures storage RLS tightened — anonymous SELECT path replaced with owner-scoped policy (migration 00030).
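
The kiosk PIN bullet names the at-rest scheme (PBKDF2-SHA256, 100,000 iterations); this added TypeScript example shows what a correct implementation of that scheme looks like, including a per-PIN random salt and constant-time verification. It is example code written for this page, not Gaze's kiosk code, and it uses Node's built-in crypto module; the stored string format ("pbkdf2-sha256$iterations$salt$hash") and the 4-to-8-digit PIN rule are assumptions made here so that the parameters travel with the hash.

```typescript
import { pbkdf2Sync, randomBytes, timingSafeEqual } from "node:crypto";

// Added example (not Gaze's code): PBKDF2-SHA256 PIN hashing at rest.

export const PIN_ITERATIONS = 100_000;
const KEY_BYTES = 32;
const SALT_BYTES = 16;

// Hash a PIN with a fresh random salt; the output is safe to store in a database row.
export function hashPin(pin: string): string {
  if (!/^\d{4,8}$/.test(pin)) throw new Error("PIN must be 4 to 8 digits"); // assumed policy
  const salt = randomBytes(SALT_BYTES);
  const hash = pbkdf2Sync(pin, salt, PIN_ITERATIONS, KEY_BYTES, "sha256");
  return `pbkdf2-sha256$${PIN_ITERATIONS}$${salt.toString("hex")}$${hash.toString("hex")}`;
}

// Verify a PIN against a stored hash. Parameters come from the stored string,
// so iteration counts can be raised later without breaking old rows.
export function verifyPin(pin: string, stored: string): boolean {
  const parts = stored.split("$");
  if (parts.length !== 4 || parts[0] !== "pbkdf2-sha256") return false;
  const iterations = Number(parts[1]);
  const salt = Buffer.from(parts[2], "hex");
  const expected = Buffer.from(parts[3], "hex");
  if (!Number.isInteger(iterations) || iterations < 1 || expected.length === 0) return false;
  const actual = pbkdf2Sync(pin, salt, iterations, expected.length, "sha256");
  return timingSafeEqual(actual, expected); // constant-time; lengths are equal by construction
}
```

Hashing protects PINs if the stored rows are ever exposed, but a PIN space of 10^4 to 10^8 values is small, so the verify path still needs attempt rate limiting or lockout to be meaningful against online guessing.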

April 16, 2026

Privacy Policy & Subprocessors — SMS Authentication Removed

  • Privacy Policy §2.1: "Authentication credentials" updated — SMS/phone verification is no longer offered. Accepted sign-in methods are email/password, email magic link, and Google sign-in.
  • Privacy Policy §3.2 and Subprocessors: Twilio removed from the sub-processor list. We no longer share phone numbers or verification codes with Twilio.
  • Terms of Use §3: Authentication methods enumerated in the account-security clause updated from "email, phone, or Google sign-in" to "email, magic link, or Google sign-in".
  • Data deletion: Any phone numbers previously stored against accounts will be removed from our authentication records within 30 days of this change.

April 13, 2026

Terms of Use — v2.0 (Major Revision)

  • Section 2: Updated delivery methods to reflect current capabilities
  • Section 4.2: Removed Apple In-App Purchase reference (not yet available)
  • Section 4.5: Added consumer protection law carve-out for refund policy
  • Section 5: Added prohibitions on capturing minors without parental consent and using captured media for biometric identification
  • Section 6.3: Added organizer responsibilities for COPPA compliance, event signage, biometric law compliance, and organizer indemnification for guest claims
  • Section 7.1: Added Data Processing Agreement section with link to DPA
  • Section 7.2: Added Microsoft Clarity opt-out language
  • Section 7.3: Added biometric data disclaimer (no facial recognition or biometric processing)
  • Section 8: Added Children's Privacy section (COPPA compliance)
  • Section 11: Updated DMCA section for registered agent
  • Section 15.3: Added 30-day arbitration opt-out right
  • Section 15.6: Specified New York as governing law jurisdiction
  • Section 16.3: Updated data deletion language to reflect actual infrastructure (active systems + 7-day backup cycle)
  • Section 16.4: Added survival clause specifying sections that survive termination
  • Section 17: Updated Entire Agreement to include DPA; expanded Force Majeure list

Privacy Policy — v2.0 (Major Revision)

  • Section 2.3: Distinguished essential vs. analytics cookies; added consent language for analytics cookies
  • Section 2.4: Expanded biometric disclaimer with legal specificity
  • Section 3.1: Added UK alongside EU/EEA for GDPR legal bases
  • Section 3.2: Updated third-party provider table to match actual integrations
  • Section 3.3: Added sub-processor list and 30-day change notification mechanism
  • Section 4.2: Added UK (ICO) alongside EU/EEA GDPR rights
  • Section 4.3: Updated to CCPA/CPRA with Right to Correct and Right to Limit Sensitive PI
  • Section 4.4: Added coverage for Virginia, Colorado, Connecticut, Oregon, Texas, Montana, and other US state privacy laws; added Global Privacy Control recognition
  • Section 4.5: Added Canadian PIPEDA rights (access, correction, withdrawal of consent, complaint to Privacy Commissioner)
  • Section 4.6: Added identity verification process details for privacy rights requests (renumbered from 4.5)
  • Section 4.7: Added COPPA, signage, biometric organizer responsibilities; added DPA link (renumbered from 4.6)
  • Section 5.1: Added kiosk session isolation to security measures
  • Section 5.2: Added Security Incident Response section (72-hour breach notification)
  • Section 5.3: Added Microsoft Clarity data retention row
  • Section 5.4: Updated deletion language to reflect actual infrastructure (active systems + 7-day backup cycle)
  • Section 5.5: Specified Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum (IDTA), and EU-US Data Privacy Framework for international transfers
  • Section 6: Added Children's Privacy section

Data Processing Agreement — v1.0 (New Document)

  • Published initial DPA at /dpa covering GDPR Article 28 requirements
  • Includes: scope of processing, data categories, controller/processor obligations, security measures, sub-processor management, data subject rights assistance, audit rights, 72-hour breach notification, data deletion/return, international transfer mechanisms, liability, and governance

Sub-Processors List — v1.0 (New Document)

  • Published initial sub-processor list at /subprocessors
  • Lists all current sub-processors with locations and purposes
  • Includes 30-day change notification and objection mechanism

Accessibility Statement — v1.0 (New Document)

  • Published accessibility statement at /accessibility
  • Covers WCAG 2.1 Level AA conformance goals, current features, known limitations, and feedback process

COPPA Compliance Toolkit — v1.0 (New Documents)

  • Published Event Signage Templates (content/coppa-signage-template.md) with three variants: general event, events with minors, and biometric privacy notice for IL/TX/WA jurisdictions
  • Published Parental Consent Form (content/coppa-parental-consent-form.md) for events where children under 13 may be present

April 6, 2026

Terms of Use — v1.0 (Initial Publication)

  • Initial Terms of Use published for Gaze platform launch

Privacy Policy — v1.0 (Initial Publication)

  • Initial Privacy Policy published for Gaze platform launch