GDPR Compliance Notice

Who This Applies To

This notice applies to all individuals in the EU, EEA, and UK who use Xarazo, and to Xarazo's processing of personal data belonging to EU/UK data subjects regardless of where the processing occurs.

Data Controller

Xarazo acts as the data controller for personal data collected through the platform. For data-related enquiries, contact us via our contact page.

Lawful Basis for Processing

Under GDPR Article 6, we process personal data on the following lawful bases:

• Article 6(1)(b) — Performance of a contract: Processing your host email and event data is necessary to provide the service you've contracted with us
• Article 6(1)(a) — Consent: Guest names and optional email addresses are collected based on your awareness and for a clearly stated purpose (gallery attribution and optional photo delivery)
• Article 6(1)(f) — Legitimate interests: Processing minimal technical data to operate, maintain, and secure the platform

Personal Data We Process

• Host email address (collected at event creation)
• Guest name (collected before first photo upload)
• Guest email address (optional, collected after upload)
• Event photos (uploaded by hosts and guests)
• IP address (used for locale detection only; not stored)
• Payment metadata via Stripe (we do not store card details)

Your Rights Under GDPR

As an EU/UK data subject, you have the following rights:

• Right of access (Art. 15) — request confirmation of whether we process your data and a copy of that data
• Right to rectification (Art. 16) — request correction of inaccurate or incomplete personal data
• Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your personal data where no legitimate retention ground applies
• Right to restrict processing (Art. 18) — request that we limit how we use your data
• Right to data portability (Art. 20) — receive your data in a structured, commonly used format
• Right to object (Art. 21) — object to processing based on legitimate interests
• Right to withdraw consent — where processing relies on consent, withdraw at any time without affecting prior lawful processing

To exercise any of these rights, contact us via our contact page. We will respond within 30 days (extendable by two months for complex requests).

Retention Periods

All event photos and personal data are retained for 90 days from the event date, then permanently deleted. Payment records are retained as required by applicable financial regulations. See our Data Retention & Deletion Policy.

International Data Transfers

Your data may be stored on Cloudflare R2 infrastructure outside the EEA. Cloudflare maintains compliance with EU data transfer requirements. We only use infrastructure providers with adequate safeguards (Standard Contractual Clauses or equivalent).

No Automated Decision-Making

Xarazo does not use automated decision-making or profiling that produces legal effects concerning you.

Security

We implement appropriate technical and organisational security measures consistent with GDPR Article 32, including HTTPS encryption, access controls, and regular security reviews.

Complaints

If you are unsatisfied with how we handle your data rights request, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, contact your national data protection authority.

Related: Privacy Policy · Data Retention · NDPR Notice