Privacy Policy

Last updated: 16 March 2026

1. Introduction

SpotMe Ltd ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data when you use SpotMe ("the Service"). We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

SpotMe Ltd is the data controller for the personal data processed through the Service. Contact: privacy@spotme.to.

3. What Data We Collect

3.1 Organiser Accounts

  • Company name, email address, password (hashed)
  • Event details: title, dates, location, participant count
  • Payment information (processed by Stripe, we do not store card details)

3.2 Photographer Accounts

  • Email address
  • Photos uploaded to the Service

3.3 Event Participants

  • A randomly generated participant code (not linked to any personal identity)
  • Tag ID (a number assigned to a fiducial marker)

Important: SpotMe does NOT use facial recognition. We identify participants solely through fiducial markers (PicTags) on badges. No biometric data is collected or processed.

3.4 Technical Data

  • IP address, browser type, device information
  • Usage logs and analytics

4. How We Use Your Data

  • To provide and operate the Service
  • To process payments via Stripe
  • To match photos with participants using fiducial marker detection
  • To generate and serve photo thumbnails
  • To send service-related communications (account verification, OTP codes)
  • To enforce our Terms of Service and content policies

5. Legal Basis for Processing

  • Contract: Processing necessary to provide the Service you signed up for
  • Legitimate interest: Service improvement, security, fraud prevention
  • Consent: Marketing communications (you can opt out at any time)
  • Legal obligation: Compliance with applicable laws

6. Data Storage and Security

Your data is stored on secure servers provided by Google Cloud Platform (GCP) in the EU/UK region. Photos are stored in Google Cloud Storage with encryption at rest. We implement appropriate technical and organisational measures to protect your data.

7. Data Sharing

We share data only with:

  • Stripe: Payment processing
  • Google Cloud Platform: Infrastructure and storage

We do not sell your personal data to third parties.

8. Data Retention

  • Account data: Retained while your account is active, deleted within 30 days of account closure
  • Event data and photos: Retained for the duration of the event plus 90 days, unless the organiser deletes them earlier
  • Payment records: Retained for 7 years as required by UK tax law

9. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability
  • Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise your rights, contact privacy@spotme.to.

10. Cookies

We use essential cookies for authentication (JWT tokens stored in cookies). We do not use tracking or advertising cookies.

11. Children

The Service is not directed at individuals under 18. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this policy from time to time. We will notify registered users of material changes via email.

13. Contact

For privacy-related enquiries: privacy@spotme.to