Privacy Policy
Last updated: May 2026
1. Data Controller
Controller within the meaning of Art. 4(7) GDPR:
Capture Core Moments UG (haftungsbeschraenkt)
Cosimastrasse 121
81925 Munich
Germany
Email: info@capturecoremoments.com
Website: www.capturecoremoments.com
2. Contact for Data Protection Matters
For questions about data protection, privacy
requests, deletion requests, guest upload requests, or
security concerns, please contact us at
info@capturecoremoments.com.
3. Scope of This Privacy Policy
This Privacy Policy explains how we process
personal data when you visit our website, create an
account, buy or receive a package, create or join an event
gallery, upload photos, videos, text or voice messages,
use QR-code or link-based guest upload pages, order
printed products, contact support, participate in referral
or affiliate functions, or otherwise use Capture Core
Moments (the "Platform"). Some data is
provided directly by you or by an event host or guest.
Other data is collected automatically, such as IP address,
device and browser information, language settings,
timestamps, log data, consent records, and security
events. We process personal data in accordance with the
GDPR, the German Federal Data Protection Act (BDSG), the
German Telecommunications Digital Services Data Protection
Act (TDDDG), and other applicable laws.
4. Roles: Hosts, Guests, Controller and Processor
For account management, billing, payment
administration, platform security, analytics, legal
compliance, consent records, support, and the technical
operation of the Platform, we act as data controller.
For event content uploaded by hosts and guests, the event
organizer or host is generally responsible for deciding
who is invited, which QR codes or links are shared, which
content is uploaded, and whether people shown or heard in
that content have given any required consent. Depending on
the concrete use case, we may act as processor for the
host when we store and make event content available on the
host's instructions, while we remain controller for
platform security, logs, support, billing, and legal
compliance. Business customers may request a data
processing agreement where required.
5. Categories of Personal Data Processed
Depending on how you use the Platform, we may
process:
5.1 Account and authentication data: name, email address, password/authentication data, Firebase or other authentication identifiers, email verification status, account status, selected language, account settings, and two-factor authentication status and related security settings where enabled.
5.2 Contact and support data: email address, message content, support tickets, contact form submissions, optional attachments, and related communication metadata.
5.3 Event and gallery data: event names, dates, albums, gallery settings, package type, storage duration, QR codes, event links, cover images, download and sharing settings, notification preferences, co-organizer invitations, co-organizer status, and host/guest interactions.
5.4 User and guest content: photos, videos, text messages, guestbook entries, audio or voice messages, optional guest names or contact details, captions, comments, likes or reactions, filenames, upload timestamps, thumbnails, previews, and related technical metadata. Uploaded photos may include EXIF metadata such as GPS coordinates, camera model, date and time of capture, and other technical details embedded by the uploading device; we do not automatically strip this data and it is stored as part of the uploaded file. Such content may show or reveal identifiable people, children, private events, locations, voices, relationships, or other personal information.
5.5 Payment, billing, tax and invoice data: purchase details, package, currency, price, discount or gift information, invoice data, billing address where applicable, payment status, transaction identifiers, Stripe checkout identifiers, company or invoice details where provided, and legally required accounting records. Where a VAT ID validation feature is used, we may also process the VAT ID, validation result, and company name/address returned by VAT validation services. We do not store full credit card numbers.
5.6 Shipping and print order data: name, email address, shipping address, order details, product configuration, print files, production status, delivery status, and related communication if you order printed products.
5.7 Technical, usage and security data: IP address, date and time of access, user agent, browser, device and operating system, referrer URL, pages visited, request IDs, session identifiers, error logs, upload/download logs, rate-limit data, fraud-prevention signals, and security-relevant events.
5.8 Location, currency and language data: approximate country, region or city derived from IP address, browser language, Accept-Language header, chosen website language, chosen or detected currency, and stored currency/language preferences.
5.9 Consent and legal records: cookie consent choices, marketing/analytics consent where applicable, document version accepted, consent method, timestamp and version. Where consent or legal acknowledgements are recorded server-side, related audit records may also include IP address and user agent.
5.10 Referral and affiliate data where used: referral codes, click IDs, affiliate attribution, commission or payout status, IP address, user agent, cookies, invoice or payout information, PayPal or other payout identifiers, and fraud-prevention data.
6. Purposes and Legal Bases
We process personal data for the following purposes
and legal bases under Art. 6 GDPR:
Contract performance, Art. 6(1)(b) GDPR: creating accounts, providing event galleries, storing
and displaying uploads, enabling downloads, processing
purchases, delivering gifts, providing printed products,
customer support, and administering packages.
Legal obligations, Art. 6(1)(c) GDPR: accounting, invoicing, statutory retention duties, tax
and VAT documentation, fraud-related legal compliance, and
responding to lawful requests.
Consent, Art. 6(1)(a) GDPR and Section 25 TDDDG: non-essential cookies and similar technologies,
analytics, marketing or optional communications where
offered, and consent-based features.
Legitimate interests, Art. 6(1)(f) GDPR: platform security, abuse prevention, fraud detection,
troubleshooting, service improvement, business
administration, approximate localization, currency
display, referral protection, and preservation of legal
claims, provided your interests and fundamental rights do
not override our interests.
7. IP Address, Location, Language and Currency
We use IP addresses and browser information to
operate and protect the Platform. We may also use an IP
address to estimate a user's country, region or city for
security, fraud prevention, tax and VAT support, admin
usage views, language or currency suggestions, and a more
relevant user experience. IP-based location is approximate
and may be inaccurate.
We may use browser language, device language, Accept-Language headers, selected website language, and locally stored language preferences to show the Platform in a suitable language. We may store language choices in local storage or account settings.
Prices are primarily managed in EUR. We may detect or store a preferred currency and display converted prices for convenience. Exchange rates can change and may be obtained from third-party exchange-rate providers. Converted prices shown before checkout are informational unless expressly stated otherwise; the final checkout price and currency displayed during payment are decisive.
8. Cookies, Local Storage and Similar Technologies
We use cookies, local storage, session storage and
similar technologies for authentication, security,
remembering preferences, language settings, currency
settings, cookie consent, referral attribution, checkout
flow, and Platform functionality. Examples may include
cookie-consent records, language preferences, referral
codes, session identifiers, preferred currency, and
detected currency. Gallery features may also store local
identifiers or temporary states such as guest names,
guest/user identifiers, uploader references, PIN
verification flags, favorites, message read status,
thumbnail references, pending checkout/order references
and preview settings.
Technically necessary technologies are used to provide the Platform and protect it. Non-essential analytics or marketing technologies are used only where a valid legal basis exists, generally your consent. Where processing is based on consent, you may withdraw that consent at any time with effect for the future without affecting the lawfulness of processing based on consent before withdrawal. You can withdraw or adjust your consent choices at any time via our Cookie Settings page. A full list of cookies and similar technologies we use is available on that page. Disabling certain technologies may limit some features.
9. Analytics, Fonts, Scripts and External Content
Where enabled, we may use Google Analytics or
similar analytics tools to understand website usage and
improve the Platform. Analytics cookies or comparable
tracking technologies are intended to be used only with
consent where required by law.
Our website and certain static pages were originally designed and published using Webflow. Webflow-related CDN assets, scripts or fonts may be loaded from Webflow infrastructure for such pages. The application itself uses self-hosted fonts where technically implemented; externally hosted fonts such as those from Google Fonts are replaced with locally hosted equivalents where feasible. Google Tag Manager and Google Analytics scripts are loaded only where enabled and consent-gated where required by law. When any external resource is loaded, the provider may receive technical data such as your IP address, browser information, referrer and timestamp.
10. Payments, Gifts, Tax and Invoicing
Payments are processed by external payment
providers such as Stripe. Stripe may process payment
details, authentication data, fraud-prevention data,
billing information, transaction identifiers and other
information required for payment processing. We receive
payment status and transaction references but do not store
full card details.
If you buy or receive a gift, purchase a package, upgrade an event, order physical products, or request an invoice, we process the necessary order, billing, tax, currency, invoice and communication data. Gift processing may include purchaser name and email address, recipient name and email address, optional sender name, optional personal message, gift code, redemption status, delivery email logs, Stripe checkout metadata, billing address and invoice records. The recipient may receive an email containing the gift code and instructions.
We currently apply the German small-business rule
(Kleinunternehmerregelung) under Section 19 UStG where
applicable and do not charge German VAT while this status
applies. For business customers, we may collect company
and invoice details. Where a VAT ID validation feature is
used, we may validate VAT IDs through EU VAT validation
services such as VIES and store the validation result as
evidence for accounting, tax, fraud-prevention or
compliance purposes.
11. Printed Products and Fulfillment Partners
If you order printed products, such as photo books
or QR-code cards, we process the selected media, print
files, order details, recipient name, shipping address,
email address, production status and delivery information.
We transmit the data required for production and shipping
to print and logistics partners such as Cloudprinter, depending on the product and fulfillment flow.
12. Email and Communications
We send transactional and support-related emails,
such as registration, verification, purchase, invoice,
order, security and service emails. We use SMTP/email
service providers, which may include ZeptoMail (a product
of Zoho Corporation Pvt. Ltd.) or other configured
providers, depending on our production setup. These providers process email addresses, message
content, delivery metadata and technical information
required to send and secure emails.
13. Hosting, Storage, Backups and Security Logs
We use cloud infrastructure and storage providers,
including Amazon Web Services (AWS), for hosting, media
storage, backups, content delivery, thumbnails, downloads,
security, monitoring and operational logs. Data may be
stored or processed in the European Union, including AWS
regions in Germany or the EU, and in other locations where
a provider or subprocessor lawfully operates under
appropriate safeguards.
14. Service Providers and Recipients
We use carefully selected service providers and
recipients only where necessary for the purposes described
above. Depending on your use of the Platform, recipients
may include:
- AWS and related cloud/CDN providers for hosting, storage, delivery, backups and logs.
- Stripe for payment processing, checkout, fraud prevention and payment status.
- Print and fulfillment partners such as Cloudprinter for physical products.
- Email providers such as ZeptoMail, Zoho or the configured SMTP provider for transactional and support emails.
- Google services for fonts, scripts, analytics, tag management, Firebase authentication or other website resources where enabled.
- Canva or similar template, design or preview integrations where offered.
- IP geolocation and currency/location services such as ipapi, GeoJS, Open ER API, or Frankfurter fallback exchange-rate services, where used for approximate location, currency display, security or admin functionality.
- EU VAT validation services such as VIES for VAT ID checks.
- Authentication, monitoring, fraud-prevention, support, accounting, referral, affiliate, payout, logistics and professional service providers where required.
This list describes the categories and named providers currently used or supported by the Platform, including fallback providers configured for availability, localization, payments, email, design, currency or fulfillment features. Not every provider is used for every user or transaction. The exact provider used depends on the feature, country, payment method, product, environment and production configuration at the time of use.
Where processors process data on our behalf, we use data processing agreements
where required. Where data is transferred outside the
EU/EEA, we use appropriate safeguards such as adequacy
decisions, Standard Contractual Clauses, the EU-US Data
Privacy Framework where applicable, or other lawful
transfer mechanisms. IP geolocation services such as
ipapi.co and GeoJS are operated by US-based providers;
IP addresses may be transferred to the US when these
services are called, under the EU-US Data Privacy
Framework or Standard Contractual Clauses as applicable.
Providers that may involve processing outside the EU/EEA
include, depending on configuration and feature use,
Google/Firebase, Stripe, PayPal, Canva, Webflow, AWS
support or CDN operations, email providers and IP
geolocation services. We review these transfers and use
available contractual, technical and organizational
safeguards where required.
15. Guest Uploads and Event Galleries
Guests can upload photos, videos, text messages and
voice/audio messages via QR code or direct event link.
Guest uploads may include personal data of the guest, the
host, other event participants, children, vendors or other
third parties. Processed guest data may include uploaded
media and messages, optional name or contact details,
upload timestamp, IP address, user agent, event/gallery
identifier, moderation or security information, and
download/view activity where applicable.
Guests may request access to or deletion of their uploaded content via the event organizer or by contacting us. We may need information that allows us to identify the relevant event, upload or account before we can act on a request.
16. Retention and Deletion
We keep personal data only as long as necessary for
the relevant purpose or as required by law. Typical
retention periods include:
Account data: for the duration of the account or contractual relationship and thereafter where needed for legal claims or statutory duties.
Event content: for the storage period of the selected package or event, unless earlier deletion is requested and legally possible or longer retention is required for legal reasons.
Billing, tax, VAT and invoice data: generally up to 10 years where statutory retention rules apply.
Consent and legal records: for as long as needed to prove compliance and manage legal claims.
Logs, security and fraud-prevention data: generally for a limited period, often up to 90 days, unless longer retention is required for security incidents, abuse prevention, accounting, legal claims or compliance. This includes server access logs, application logs, and CDN/CloudFront access logs generated by our content delivery infrastructure.
Referral, affiliate and payout data: for the duration needed to administer attribution, commissions, payouts, fraud checks, accounting and legal claims.
Backups may retain data for a limited additional period before automatic rotation or deletion.
17. Automated Decision-Making
We do not use automated decision-making producing
legal effects within the meaning of Art. 22 GDPR. We may
use automated technical checks for security, fraud
prevention, abuse detection, rate limiting, localization,
currency suggestions, file processing, thumbnails,
operational monitoring and similar Platform functions.
18. Data Security
We use appropriate technical and organizational
measures to protect personal data, including encryption in
transit, access controls, authentication mechanisms,
role-based access where appropriate, logging, backups,
security monitoring, and regular maintenance. No online
service can be guaranteed to be completely secure, but we
work to protect the confidentiality, integrity and
availability of the Platform.
19. Your Rights Under GDPR
Subject to legal requirements, you have the right
to request access to your personal data (Art. 15 GDPR),
rectification (Art. 16 GDPR), erasure (Art. 17 GDPR),
restriction of processing (Art. 18 GDPR), data portability
(Art. 20 GDPR), and objection to processing based on
legitimate interests (Art. 21 GDPR). Where processing is
based on consent, you may withdraw consent at any time
with effect for the future (Art. 7(3) GDPR). You also
have the right to lodge a complaint with a supervisory
authority.
Competent authority in Bavaria, Germany:
Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
www.lda.bayern.de
20. Changes to This Privacy Policy
We may update this Privacy Policy from time to
time, for example if our Platform, providers, legal
obligations or processing activities change. The current
version is available on this page. Where required, we will
inform users of material changes through the Platform,
email or another appropriate channel.
21. Contact
If you have questions regarding this Privacy Policy
or our data processing practices, please contact us at
info@capturecoremoments.com.