Gaze

Privacy Policy

Last updated: May 9, 2026

Operator: Terena Group LLC, a New York limited liability company
Mailing Address: 418 Broadway, Ste N, Albany, NY 12207, United States
Email: support@gaze.photo


1. Introduction

Gaze ("we," "our," or "us") is operated by Terena Group LLC and provides the Gaze platform at gaze.photo. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our digital photobooth platform, including our website, capture experiences, kiosk mode, live display walls, galleries, publisher portal, and related services (collectively, the "Service").

This policy applies to event organizers who create and manage events through Gaze, and to event guests who interact with capture experiences, view galleries, or receive photos through the Service.

We believe in transparency. This policy is written in plain language so you can understand exactly what data we collect and why. If anything is unclear, please contact us at support@gaze.photo.


2. Information We Collect

We collect information in three ways: information you provide directly, information collected automatically when you use the Service, and information from third-party authentication providers.

2.1 Information You Provide

Data Type | When Collected | Examples
Account information | When you sign up or update your profile | Name, email address, company name, profile avatar, optional public-profile fields (bio, vanity handle for the publisher portal)
Authentication credentials | When you create an account or sign in | Email and password, email magic link, or Google account credentials
Marketing preferences | At signup and any time after | A single opt-in/opt-out flag (marketing_opt_in) for product update emails. New accounts default to opted out unless you tick the consent checkbox at signup. Transactional emails (account verification, password resets, photo delivery, security alerts) are sent regardless of this preference.
Event details | When you create or configure an event | Event name, description, location, dates, branding settings, gallery passwords (hashed at rest), kiosk exit PINs (hashed with PBKDF2-SHA256 at rest)
Event content | When photos or videos are captured | Photos, videos, GIFs, boomerangs, and associated metadata (file dimensions, duration, file type, perceptual blur hash for fast gallery placeholders)
Delivery information | When a guest receives photos | Photos are delivered via QR code, native share (which on iOS includes AirDrop), or direct download at the kiosk. No email address or contact information is collected from guests.
Billing and subscription data | When you subscribe to a paid plan or purchase a one-off event credit | Stripe customer ID, Stripe subscription ID, Stripe price ID, subscription status (e.g. active, past_due, canceled), plan tier, current period end, one-off event-credit purchase history. Full payment card details are collected and processed directly by Stripe and never touch our servers.
Help-center activity | When you browse the in-app Help Center | Pages visited (used for the "Suggested next" panel and to surface recently-viewed articles in your account; not used for advertising)

2.2 Information Collected Automatically

Data Type | Purpose | Details
IP address | Security, rate limiting, and abuse prevention | Collected from request headers on API calls (uploads, session creation, gallery access, and other operations)
Device information | Service functionality and session management | Device type (desktop, tablet, mobile, kiosk), browser user agent string
Device identifier | Session management across page loads | A randomly generated UUID stored in your browser's localStorage (client_device_id)
Usage analytics | Event performance insights for organizers | Session counts, capture types, and anonymized usage events — collected only when analytics are enabled for an event.
Session replay analytics | Understanding how organizers use the platform | We use Microsoft Clarity on our marketing pages (/, /pricing) and on organizer / publisher dashboards (/admin/*, /publisher/*) for anonymized session replay analytics (click heatmaps, scroll depth tracking, and session recordings). Clarity does not record keystrokes in password or payment fields and honors the Global Privacy Control (GPC) browser signal — Clarity will not load at all when GPC is active. Clarity is not loaded on guest-facing pages (galleries, photo downloads, capture experiences, live walls, kiosk, or publisher portal pages under /u/*), and is not loaded on auth-flow pages (/login, /signup, /reset-password, /welcome). You can learn more about Clarity's data practices at clarity.microsoft.com/terms.
Error monitoring and session replay | Diagnosing application errors | We use Sentry to capture unhandled errors, performance traces, and (on a sampled basis) session replays. Replay is path-scoped: it loads only on /, /admin/*, /publisher/*, and /pricing — never on guest-facing surfaces (/e/*, /u/*, /kiosk/*, /wall/*). Replay samples 10% of normal sessions and 100% of sessions that experience an unhandled error. All text and inputs are masked by default; sensitive fields (passwords, kiosk PINs, gallery passwords, account email/name) carry explicit mask selectors. Our beforeSend hook strips email addresses, IP addresses, authentication headers, and Supabase signed-URL tokens from every event before it leaves your browser. Error events (without replay) are captured on every page for ops visibility.

2.3 Cookies & Local Storage

We use a minimal set of cookies and browser storage:

Item | Type | Purpose | Category | Duration
sb-*-auth-token | Cookie | Authenticates your session with our platform | Essential | ~1 hour (refreshed automatically)
gallery_* | Cookie | Verifies you entered the correct gallery password (the cookie is intentionally non-HttpOnly to allow client-side password-prompt dismissal; security relies on the password match, not on the cookie being unreadable) | Essential | 1 hour
kiosk_exit_* | Cookie | Verifies you entered the correct kiosk exit PIN to leave kiosk mode | Essential | Until kiosk session ends
client_device_id | localStorage | Identifies your device for session management | Essential | Persistent until cleared
gaze-offline-queue | IndexedDB | Temporarily stores photos taken offline until they can be uploaded | Essential | Until upload completes
_clck, _clsk | Cookies | Microsoft Clarity user / session identifiers (marketing pages and organizer / publisher dashboards only; never set on guest pages or auth-flow pages; not set when Global Privacy Control is active) | Analytics | 1 year / 1 day
_uetsid, _uetvid | Cookies | Microsoft Bing UET pixel (synchronized by Clarity for cross-property analytics; same scope and GPC suppression as Clarity above) | Analytics | 1 day / 16 months

Essential cookies are strictly necessary for the Service to function and do not require consent. Analytics cookies (Microsoft Clarity and the synchronized Bing UET pixel) are set only on marketing pages and organizer / publisher dashboards and are not loaded on guest-facing pages or auth-flow pages. Where required by applicable law (including the GDPR ePrivacy Directive), we will obtain your consent before setting analytics cookies. We honor the Global Privacy Control (GPC) browser signal as an opt-out for analytics cookies; visitors with GPC enabled will not be tracked. You may also opt out of analytics cookies at any time through your browser settings. Microsoft may set additional operational cookies per the Microsoft Privacy Statement.

We do not use advertising or marketing cookies.

2.4 Information We Do NOT Collect

  • We do not collect precise geolocation data.
  • We do not use facial recognition, facial analysis, or biometric identification on captured photos or videos. Photos and videos are stored and delivered as standard media files only. We do not extract, store, or process biometric identifiers or biometric information as defined under any applicable biometric privacy law.
  • We do not knowingly collect personal information from children under 13 years of age. See Section 8 (Children's Privacy) for details.

3. How We Use & Share Your Data

3.1 How We Use Your Data

We process your personal information for the following purposes:

  • Providing the Service — storing, processing, and delivering photos to event guests; managing events and galleries; running kiosk and live wall experiences; operating the publisher portal at vanity URLs of the form gaze.photo/u/{handle}; serving the Help Center and surfacing relevant articles
  • Account management — authenticating users, managing profiles, plan tier and entitlements, the publisher-portal vanity handle, and the Stripe Customer Portal session (which lets you manage payment methods, download invoices, change subscription, and cancel)
  • Billing — processing subscription payments, managing one-off event-credit purchases, applying plan entitlements (event count, storage, capture-mode availability), and applying prorations when you change plans mid-cycle
  • Analytics — generating event performance insights for organizers (session counts, capture breakdowns) and product analytics for ourselves (heatmaps, error rates) on the surfaces described in Sections 2.2 and 2.3
  • Security — rate limiting, fraud prevention, abuse detection, audit logs (e.g. retained Stripe webhook events for billing reconciliation), and protecting the integrity of the platform
  • Communication — sending transactional emails (account verification, password resets, photo delivery, security alerts) and, only if you opted in at signup or in your account settings, occasional product updates

Legal bases for processing (for EU/EEA/UK users under GDPR):

  • Contract performance — processing necessary to provide the Service you signed up for
  • Legitimate interest — security, fraud prevention, and platform improvement
  • Consent — for analytics cookies where required by law

3.2 Third-Party Service Providers

We share data with the following service providers, strictly for the purposes described. We do not sell, rent, or trade your personal information.

Provider | Purpose | Data Shared
Supabase (Supabase, Inc., United States) | Database hosting, user authentication, file storage (private buckets), realtime channels | Account data, profile data, event data, media files, authentication tokens, kiosk PIN hashes
Vercel (Vercel, Inc., United States) | Application hosting, edge runtime, build pipeline, request and runtime logs | HTTP request metadata (IP, user-agent, path), runtime logs, deployment metadata
Google (Google LLC, United States) | OAuth sign-in (optional alternative to email + password) | Email, name, profile picture (only if you choose to sign in with Google)
Stripe (Stripe, Inc., United States) | Payment processing, hosted Checkout, Customer Portal, one-off event-credit purchases | Email address, name, billing address (collected by Stripe directly), Stripe customer ID, subscription status, event-credit purchase history (Stripe handles full card data — we never see or store card numbers)
hCaptcha (Intuition Machines, Inc., United States) | Bot prevention during signup and other rate-limited flows | Captcha challenge tokens, IP address (collected by hCaptcha directly)
Resend (Resend, Inc., United States) | Transactional email delivery, configured as the SMTP provider behind Supabase Auth (magic links, password resets, email verification, account notifications, the unsubscribe link in product-update emails) | Email address, email content, message metadata
Microsoft (Microsoft Corporation, United States) | Session replay analytics via Microsoft Clarity on marketing pages and organizer / publisher dashboards (heatmaps, scroll depth, anonymized session recordings); Clarity also synchronizes a Bing UET pixel for cross-property analytics | Anonymized interaction data, page URLs, device/browser info
Sentry (Functional Software, Inc., United States) | Error monitoring (every page) and session replay (organizer-facing pages only — not loaded on guest pages /e/*, /u/*, /kiosk/*, /wall/*). Replay samples 10% of organizer sessions and 100% of organizer sessions with an unhandled error. PII (emails, IPs, auth headers, Supabase signed-URL tokens) is stripped client-side via beforeSend before events leave your browser. | Error events, stack traces, anonymized session recordings on errors

3.3 Sub-Processors

For event organizers acting as data controllers under GDPR: the service providers listed above are our sub-processors. A complete list of sub-processors with entity names, processing locations, and purposes is maintained at gaze.photo/subprocessors. We will notify organizers by email at least 30 days before adding a new sub-processor, and organizers may object to a new sub-processor during that period.

3.4 Other Disclosures

We may also disclose your information:

  • To comply with legal obligations — in response to a subpoena, court order, or other lawful government request
  • To protect rights and safety — to enforce our Terms of Use, protect our rights, or protect the safety of our users or the public
  • In a business transfer — if Gaze is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction; we will notify you via email or prominent notice on the Service before your information becomes subject to a different privacy policy

3.5 Public Surfaces (Publisher Portal)

If you publish a vanity-handle profile under gaze.photo/u/{handle}, the following profile-level information is public by design and is indexable by search engines and link-preview generators (open-graph cards, social media unfurls, messaging apps):

  • Your vanity handle, display name, profile avatar, and bio
  • The list of events you have published on your profile page

Per-event landing pages are not publicly indexed. Pages of the form gaze.photo/u/{handle}/{event-name} (and the corresponding gallery, capture, kiosk, live-wall, and download sub-pages) carry a noindex, nofollow, noarchive, nosnippet, noimageindex directive and are also excluded from robots.txt. The pages remain reachable to anyone who has the direct link (a QR code, an emailed invitation, a social share), but search engines will not crawl, archive, or surface their contents (event name, description, cover image, or the photos themselves) in search results, link previews, or image search.

Captured photos, videos, GIFs, and boomerangs themselves are stored in private cloud storage and are served only via short-lived signed URLs, so they are not directly indexable by search engines under any circumstance.


4. Your Rights & Controls

4.1 Rights for All Users

Regardless of where you are located, you can:

  • Access your personal data by viewing your account profile and event data
  • Correct inaccurate information through your account settings
  • Delete your account and associated data through account settings or by contacting us
  • Export your event media and data using the data export feature in your account settings

4.2 Additional Rights for EU/EEA/UK Users (GDPR)

If you are located in the European Union, European Economic Area, or the United Kingdom, you also have the right to:

  • Rectification — request correction of inaccurate personal data
  • Erasure ("Right to be Forgotten") — request deletion of your personal data
  • Data portability — receive your data in a structured, commonly used, machine-readable format
  • Restrict processing — request that we limit how we use your data
  • Object to processing — object to processing based on legitimate interest, including the right to object to Microsoft Clarity analytics
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
  • Lodge a complaint — file a complaint with your local data protection supervisory authority (for UK users, this is the Information Commissioner's Office at ico.org.uk)

We will respond to GDPR requests within 30 days.

4.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, under the California Consumer Privacy Act and California Privacy Rights Act you have the right to:

  • Right to Know — request what personal information we have collected, used, and disclosed about you in the past 12 months
  • Right to Delete — request deletion of your personal information
  • Right to Correct — request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing — we do not sell or share your personal information for cross-context behavioral advertising, so no opt-out is necessary
  • Right to Limit Use of Sensitive Personal Information — photos captured through the Service may constitute sensitive personal information; we process this data only as necessary to provide the Service
  • Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights

We will respond to CCPA/CPRA requests within 45 days.

4.4 Additional Rights Under Other US State Privacy Laws

If you are a resident of Virginia, Colorado, Connecticut, Oregon, Texas, Montana, or other states with comprehensive privacy laws, you may have similar rights to access, correct, delete, and port your personal data, and to opt out of certain processing activities. We honor the Global Privacy Control (GPC) signal as a valid opt-out request where required by applicable law. To exercise your rights, contact us using the methods described in Section 4.6.

4.5 Rights for Canadian Users (PIPEDA)

If you are located in Canada, under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, you have the right to:

  • Access — request access to the personal information we hold about you
  • Correction — request correction of inaccurate or incomplete personal information
  • Withdrawal of consent — withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
  • Challenge compliance — file a complaint with the Office of the Privacy Commissioner of Canada if you believe we have not handled your personal information in accordance with PIPEDA

We collect, use, and disclose your personal information only for the purposes identified in this Privacy Policy and with your knowledge and consent, except where otherwise permitted or required by law. We will respond to PIPEDA access and correction requests within 30 days.

To exercise your rights, contact us using the methods described in Section 4.6.

4.6 How to Exercise Your Rights

To exercise any of the rights above:

  1. Account holders (organizers): Delete your account or update your information through your account settings, or email support@gaze.photo with the subject line "Privacy Rights Request"
  2. Event guests: Because event organizers act as data controllers for guest data captured at their events, guests should direct privacy requests (access, deletion, correction) to the event organizer who hosted the event. If the organizer does not respond within 14 days, or you are unable to reach them, you may contact us at support@gaze.photo with the subject line "Guest Privacy Rights Request" and we will make reasonable efforts to assist.
  3. Marketing email opt-out: Every product-update email we send includes a one-click unsubscribe link (also available in your account settings under Communication preferences). Unsubscribing from marketing email does not affect transactional emails (account verification, password resets, photo delivery, security alerts).
  4. By mail: You may also send written requests to Terena Group LLC, 418 Broadway, Ste N, Albany, NY 12207, United States. Email is faster and we recommend it where available.

For account holders, we will verify your identity by confirming your account email address. For guest requests routed through us, we will verify your identity by confirming the contact information you provided at the event. For requests made on behalf of another person, we may require authorized agent documentation. We will not charge a fee for processing reasonable requests.

4.7 Event Organizer Responsibilities

If you are an event organizer using Gaze, you are responsible for:

  • Informing your event guests that photos are being captured and how they will be used
  • Obtaining any necessary consent from guests before capturing their photos, including verifiable parental or guardian consent for children under 13
  • Posting visible signage at events where photos may be displayed on live walls or shared publicly
  • Configuring appropriate data retention and gallery privacy settings for your events
  • Complying with all applicable biometric privacy laws when operating events in jurisdictions with such laws

Gaze acts as a data processor on behalf of event organizers (who act as data controllers) with respect to guest data captured at events. Event organizers who require a Data Processing Agreement (DPA) can access one at gaze.photo/dpa.


5. Security & Updates

5.1 How We Protect Your Data

We implement industry-standard security measures to protect your personal information:

  • Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS (HTTPS)
  • Secure file storage — media files are stored in private cloud storage buckets and can only be accessed via time-limited signed URLs (1-hour expiry) for all assets, with proactive refresh 5 minutes before expiry on the client
  • Event-owner-scoped storage access — in addition to signed URLs, our captures storage bucket enforces a row-level policy that limits read and delete operations on any event's files to the user who owns that event (storage path: events/{eventId}/...)
  • Image metadata stripping — we strip embedded EXIF and IPTC metadata (including GPS coordinates, camera model, device serial, and timestamp data) from JPEG and PNG uploads — both event captures and brand assets — before the file is written to storage
  • Upload integrity — capture file writes use collision-protected mode (no overwrite of an existing object on the same path); video poster images are constrained to a JPEG/PNG MIME allowlist and verified by magic-byte inspection
  • Authentication security — session tokens are cryptographically signed using HMAC-SHA256; kiosk exit PINs are hashed using PBKDF2-SHA256 with 100,000 iterations; account passwords are managed by Supabase Auth (bcrypt)
  • Rate limiting — API endpoints are protected against abuse with per-IP rate limiting
  • Access controls — database tables are protected with row-level security policies; sensitive fields (gallery passwords, kiosk PINs) are stripped before client-side storage
  • Kiosk session isolation — kiosk sessions are isolated between guests; each session is cleared upon completion to prevent access by subsequent users
  • Diagnostic source maps — we upload application JavaScript source maps to Sentry (our error-monitoring sub-processor) solely to make production stack traces resolvable; source maps contain no end-user data

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5.2 Security Incident Response

In the event of a data breach that compromises your personal information, we will:

  • Notify affected event organizers (as data controllers) without undue delay and within 72 hours of becoming aware of the breach, where feasible
  • Notify relevant supervisory authorities as required by applicable law (including GDPR and applicable US state breach notification laws)
  • Notify affected individuals as required by applicable law
  • Provide details of the nature of the breach, the data involved, and the measures taken to address it

5.3 Data Retention

Data Type | Retention Period
Account data | Retained for as long as your account exists. You can delete your account at any time through your account settings. We reserve the right to deactivate or remove accounts that have been inactive for an extended period (generally 24 consecutive months or more) after providing reasonable advance email notice; if you respond within the notice window we will keep your account open.
Event media (photos, videos, GIFs, boomerangs) | Retained until the Organizer deletes it through gallery management, until the Organizer's account is terminated, or as otherwise instructed by the Organizer. We do not impose an automatic expiration on event media beyond what the Organizer chooses.
Analytics and usage data | Retained for as long as necessary to operate, improve, and secure the Service — typically for the lifetime of the associated account, plus a reasonable buffer for aggregated reporting and security diagnostics.
Subscription state | If a payment fails, your subscription enters a past-due state and remains active while Stripe retries the payment; we downgrade your account to the free tier only when Stripe later reports the subscription as canceled or deleted. The subscription status field (and the underlying Stripe records) is retained for the life of the account plus the audit-log retention below.
Stripe webhook audit log | Retained indefinitely (or for the period required by applicable financial-records law, whichever is longer) for billing reconciliation, idempotency, and audit. This audit log survives account deletion.
Payment records | Retained as required by applicable tax and financial regulations (typically a minimum of seven years in the United States).
Rate limiting data | Held in server memory only; cleared on each deployment.
Microsoft Clarity / Bing UET data | Subject to Microsoft's retention policies; see Microsoft Privacy Statement.
Sentry error and replay data | Subject to Sentry's retention policies (default 90 days for events, 30 days for replays); see Sentry Privacy Policy.

5.4 Data After Termination

When you delete your account, your data — including your profile, events, media, and settings — is deleted from active systems immediately. Database backups containing your data are cycled out within 7 days. Payment records processed by Stripe are retained by Stripe in accordance with applicable tax and financial regulations. We recommend exporting your data before deletion using the data export feature in your account settings or by contacting support@gaze.photo.

5.5 International Data Transfers

Your data is processed and stored in the United States via our infrastructure provider (Supabase). If you are accessing the Service from outside the United States, your data will be transferred to the US. For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. For transfers from the United Kingdom, we rely on the International Data Transfer Addendum (IDTA) to the SCCs as approved by the Information Commissioner's Office. Where applicable, we also rely on the EU-US Data Privacy Framework.

5.6 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will update the "Last updated" date at the top of this page
  • For significant changes, we will notify you by email or through a prominent notice on the Service

Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

5.7 Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

  • Operator: Terena Group LLC
  • Mailing Address: 418 Broadway, Ste N, Albany, NY 12207, United States
  • Email: support@gaze.photo

6. Children's Privacy

The Service is not directed at children under 13 years of age. Gaze does not knowingly collect personal information from children under 13. However, we recognize that events may include minor attendees.

If we learn that personal information has been collected from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. Parents or guardians may contact us at support@gaze.photo to request deletion of a child's data.

Event organizers are solely responsible for obtaining verifiable parental or guardian consent before capturing photos of children under 13 at their events, in compliance with the Children's Online Privacy Protection Act (COPPA) and any other applicable child privacy laws. Gaze does not collect email addresses, phone numbers, or other contact information from event guests (including children) — photos are delivered via QR code, native share (which on iOS includes AirDrop), or direct download only.