Privacy Policy
Last Updated: December 10, 2025
Effective Date: December 10, 2025
Version: 1.0
Introduction
Capture and Motion LLC ("we", "us" or "our") takes your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our photo event delivery platform (the "Services").
Please read this Policy together with our Terms of Service and, where applicable, our Data Processing Agreement.
Who We Serve:
- Photographers: Event photographers who use our platform to upload and share photos
- Guests: Individuals who receive event photos via SMS or email
- Website Visitors: Anyone browsing our public website
Definitions
"Personal Information" means any information that identifies, relates to, describes, or could reasonably be linked to you, including name, email address, phone number, photos, and device identifiers.
"Photographer" means a business or individual who creates an account to use our Services for uploading and delivering event photos.
"Guest" means an individual who receives event photos through our Services, typically via SMS or email link provided by a Photographer.
"Biometric Data" means facial recognition markers used to identify and tag individuals in photos (this feature is optional and requires explicit consent).
1. Information We Collect
1.1 From Photographers
When you create a Photographer account, we collect:
| Category | Types of Data | Purpose |
|---|---|---|
| Identity Information | Name, username | Account creation |
| Contact Information | Email address, phone number, billing address | Communications, billing, support |
| Payment Information | Collected by Stripe (we do not store credit card numbers) | Subscription billing |
| Profile Information | Business name, logo, preferences | Customization |
| Usage Data | Galleries created, photos uploaded, features used | Service provision, analytics |
| Device & Technical Data | IP address, browser type, operating system | Security, troubleshooting |
1.2 From Guests
When you receive photos through our Services, we collect:
| Category | Types of Data | Purpose |
|---|---|---|
| Contact Information | Email address OR phone number (one required) | Photo delivery |
| Identity Information | Name (optional, provided by Photographer) | Personalization |
| Photo/Video Data | Images and videos from the event | Service provision |
| Biometric Data | Facial recognition markers (OPTIONAL, requires explicit consent) | Photo tagging feature |
| Device & Technical Data | IP address, browser type, device information | Gallery access |
| Usage Data | Photos viewed, downloaded, shared | Service provision |
| Consent Records | Timestamp, IP address of SMS opt-in | TCPA compliance |
SMS Gallery Delivery Opt-In
When you request event photos via SMS:
- Opt-In Point: You provide your phone number through a web form or mobile application at the event
- Consent Language: The form clearly states that you agree to receive SMS from khrome with your gallery link
- Required Disclosures: Message frequency, data rates, opt-out instructions, and privacy policy link
- Confirmation Message: Upon opt-in, you receive a confirmation with the gallery link
- Consent Tracking: Your consent is recorded with timestamp and IP address for TCPA compliance
Important Notes:
- SMS messages originate from khrome and are delivered on behalf of the photographer's studio
- This is a transactional message (gallery delivery), not marketing
- You may opt out at any time by replying STOP
- Limited messages per event (not recurring marketing)
1.3 From Website Visitors
When you browse our website, we automatically collect:
- Technical Data: IP address, browser type, operating system, referring website
- Usage Data: Pages visited, time spent, click patterns
- Cookie Data: See Cookie Policy section below
1.4 Information We Do NOT Collect
- Social Security Numbers
- Government ID numbers
- Financial account information (handled by Stripe)
- Health information
- Precise geolocation (we collect approximate location via IP address only)
2. How We Collect Information
We collect information through:
- Direct Collection: Information you provide when signing up, uploading content, or contacting support
- Automatic Collection: Cookies, log files, and similar technologies when you use our Services
- Third Parties: Analytics providers (Microsoft Clarity), payment processors (Stripe)
- Photographers: Guests' contact information is provided to us by Photographers who collected it at their events
3. How We Use Your Information
3.1 Legal Basis for Processing
We process your Personal Information based on:
- Contract Performance: To provide the Services you signed up for
- Consent: For optional features like biometric tagging, marketing communications
- Legitimate Interest: For fraud prevention, security, product improvement
- Legal Obligations: To comply with tax, accounting, and regulatory requirements
3.2 Specific Uses
For Photographers:
- Provide access to the platform
- Process subscription payments
- Send service-related notifications
- Provide customer support
- Send marketing communications (with consent; opt out anytime)
- Improve our Services
- Prevent fraud and ensure security
For Guests:
- Deliver event photos via SMS or email
- Provide access to online galleries
- Enable photo browsing, downloading, and sharing
- Optional: Tag you in photos using facial recognition (only if you opt in)
For Website Visitors:
- Display website content
- Analyze website traffic to improve user experience
- Prevent abuse and ensure security
4. How We Share Your Information
We do NOT sell your Personal Information. We share information only as described below:
4.1 Service Providers
We use the following third-party services to operate our platform:
| Service | Purpose | Location |
|---|---|---|
| Cloudinary | Photo storage and delivery | United States |
| Resend | Email delivery | United States |
| Telnyx | SMS delivery | United States |
| Vercel | Website hosting | United States |
| Supabase/PostgreSQL | Database | United States |
| Stripe | Payment processing | United States |
| Microsoft Clarity | Website analytics | United States |
All service providers are contractually obligated to use data only for providing services to us, maintain appropriate security measures, and not disclose data to third parties.
4.2 Photographers & Guests
- Guests' contact information (email/phone) is shared with the Photographer who sent them photos
- Photos are accessible to all Guests who have the gallery link
4.3 Legal Requirements
We may disclose your information if required by law, such as responding to subpoenas, court orders, protecting our legal rights, investigating fraud, or complying with regulatory obligations.
4.4 Business Transfers
If we are acquired, merge with another company, or sell assets, your information may be transferred. We will notify you via email or prominent website notice of any such change.
4.5 With Your Consent
We may share your information for other purposes with your explicit consent.
5. International Data Transfers
Our Services are hosted in the United States. If you access our Services from outside the US, your information will be transferred to, stored, and processed in the United States.
For EU/UK Users:
- We comply with GDPR requirements for international data transfers
- We use Standard Contractual Clauses (SCCs) approved by the European Commission
- Enterprise customers can request our Data Processing Agreement
6. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Gallery Photos | 2 years from event date | Service provision, Guest access |
| Biometric Data | 2 years OR upon deletion request | Photo tagging feature |
| Photographer Account Data | Duration of subscription + 7 years | Tax/legal compliance |
| Guest Contact Information | 2 years OR until opt-out | Photo delivery |
| Payment Records | 7 years | Tax and accounting requirements |
| Anonymized Analytics | Indefinitely | Product improvement |
Photographer Extensions: Photographers can request one 2-year extension for galleries (max 4 years total). Guests can request deletion anytime, which overrides Photographer settings.
Automatic Deletion: After retention periods, data is permanently deleted from our systems.
7. Your Privacy Rights
7.1 Rights for All Users
You have the right to:
- Access: Request a copy of the Personal Information we hold about you
- Rectify: Correct inaccurate or incomplete information
- Delete: Request deletion of your Personal Information (subject to legal retention requirements)
- Export: Receive your data in a portable format
- Opt-Out: Unsubscribe from marketing emails or SMS messages
- Withdraw Consent: Revoke consent for optional processing (e.g., biometric tagging)
7.2 GDPR Rights (EU/UK Users)
In addition to the above, you have:
- Right to Restriction: Limit how we process your data
- Right to Object: Object to processing based on legitimate interests
- Right to Complain: Lodge a complaint with your local Data Protection Authority
7.3 CCPA Rights (California Residents)
See California Privacy Rights section below.
7.4 How to Exercise Your Rights
Email: privacy@khro.me
Response Time: 30 days (we may extend to 60 days for complex requests)
We will verify your identity before processing requests.
8. Security Measures
We implement industry-standard security measures:
Technical Safeguards:
- Encryption in Transit: TLS 1.3 for all data
- Encryption at Rest: AES-256 for stored data
- Access Controls: Role-based access with multi-factor authentication
- Audit Logging: All data access is logged
- Vulnerability Management: Regular security scans
Organizational Safeguards:
- Confidentiality agreements with staff and contractors
- Security awareness training
- Data minimization
- Regular security audits
While we take reasonable measures, no internet transmission is 100% secure. You use our Services at your own risk.
9. Biometric Data (Facial Recognition)
9.1 Optional Feature
Facial recognition for photo tagging is disabled by default, must be enabled by the Photographer for each event, and requires Guest consent before processing.
9.2 How It Works
When a Guest opts in, we scan photos to identify their face and create facial recognition markers to tag them in photos, helping Guests find photos of themselves quickly.
9.3 Guest Control
- Opt-In Required: We never process your face data without explicit consent
- Per-Event Only: Consent applies to one event only
- Withdraw Anytime: Email privacy@khro.me to revoke consent
- Automatic Deletion: Face data deleted after 2 years (or upon request)
9.4 Not Used For
Identity verification, surveillance, tracking across different events, or sharing with law enforcement (except if legally required).
9.5 Illinois BIPA Compliance
Illinois residents have additional rights under BIPA. We obtain written consent before collecting biometric data, retain data only as long as necessary, do not sell biometric data, and use commercially reasonable security.
10. Children's Privacy
Our Services are not directed to children under 13. We do not knowingly collect Personal Information from children under 13 without parental consent.
Event photos may include children. Photographers are responsible for obtaining parental consent. Parents/guardians should contact Photographers directly to request photo removal.
If you believe we have collected information from a child under 13 without consent, contact privacy@khro.me.
11. Cookies & Tracking
11.1 Types of Cookies
| Cookie Type | Purpose | Can Opt-Out? |
|---|---|---|
| Strictly Necessary | Authentication, security, basic functionality | No (required) |
| Analytics | Microsoft Clarity for usage patterns | Yes |
| Preferences | Language, settings, theme | Yes |
We Do NOT Use: Advertising cookies, third-party ad networks, or cross-site tracking.
11.2 How to Manage Cookies
Use your browser's cookie settings. We honor Do Not Track browser settings.
Disabling cookies may affect site functionality.
12. Third-Party Links
Our Services may contain links to photographers' websites, social media platforms, or third-party services. We are not responsible for their privacy practices.
13. California Privacy Rights (CCPA)
This section applies to California residents only.
13.1 Categories Collected
| Category | Collected? | Disclosed? | Sold? |
|---|---|---|---|
| Identifiers (name, email, phone, IP) | Yes | Yes | No |
| Customer Records (billing, payment) | Yes | Yes (Stripe only) | No |
| Commercial Information (subscriptions) | Yes | Yes | No |
| Biometric Information (with consent) | Yes | No | No |
| Internet Activity (browsing, clicks) | Yes | Yes (Analytics) | No |
| Geolocation (approximate via IP) | Yes | Yes | No |
| Audio/Visual (photos, videos) | Yes | No | No |
We Do NOT Sell Personal Information.
13.2 Your CCPA Rights
- Right to Know: Request disclosure of data collected and shared
- Right to Delete: Request deletion (subject to exceptions)
- Right to Opt-Out of Sales: We don't sell data
- Right to Non-Discrimination: We won't discriminate for exercising rights
13.3 How to Exercise CCPA Rights
Email: privacy@khro.me
Response Time: 45 days (may extend to 90 days for complex requests)
We will verify your identity before processing requests. You may designate an authorized agent with written authorization.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or new features.
Material Changes: We will notify you via email or prominent website notice at least 30 days before changes take effect.
Minor Changes: We will update the "Last Updated" date at the top.
Continued use after changes take effect means you accept the updated policy.
15. Contact Us
For Privacy Questions:
- Email: privacy@khro.me
For GDPR Inquiries (EU/UK Users):
- Email: dpo@khro.me
For General Support:
- Email: support@khro.me
16. Version History
- Version 1.0 (2025-12-10): Initial release