← Back

Privacy Policy

Last updated: May 2026

This Privacy Policy explains how Confetti (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our service at confetti.app. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Confetti is operated as a sole trader / small business based in the United Kingdom. We are the data controller for personal data collected through this service. For data-related enquiries, contact us at hello@confetti.film.

2. Data we collect

From couples (event organisers):

  • Name and email address (via Google or Apple sign-in)
  • Event details (couple names, wedding date, venue)
  • Payment information (processed by Stripe — we do not store card details)

From guests:

  • First name (required to claim a camera)
  • Email address (optional — provided only if the guest wants their photos emailed after the reveal)
  • Photos taken during the event
  • A device identifier stored in your browser to recognise your camera across sessions

Automatically collected: standard server logs including IP address, browser type, and access times. We do not use tracking cookies or third-party advertising.

3. Legal basis for processing

We process your data on the following legal bases under UK GDPR:

  • Contract — processing necessary to provide the service you have purchased (couples)
  • Legitimate interests — recognising returning guests to avoid duplicate camera claims
  • Consent — where you provide your email address to receive your photos; you may withhold this without affecting your ability to use the camera

4. How we use your data

  • To provide and operate the Confetti camera service
  • To process and grade your photos overnight and make them available at the reveal time
  • To send guests their personal photo roll by email after the reveal (where email was provided)
  • To send couples event-related communications (receipt, reveal notification, expiry reminders)
  • To prevent duplicate camera claims within an event
  • To comply with our legal obligations

We do not use your data for marketing without your explicit consent, and we do not sell personal data to any third party.

5. Photo and event retention

All photos and event data are permanently deleted 60 days after the wedding date. This applies to all photo formats — raw, full-resolution, previews, and thumbnails. The gallery is closed and the event record is removed at this point.

We will send reminder emails at 30 days, 7 days, and 1 day before deletion. It is your responsibility to download your photos before this date. After deletion, photos cannot be recovered.

We do not offer indefinite storage as a standard feature. This policy keeps your data minimal and reduces our storage footprint in line with the GDPR principle of storage limitation.

6. Personal data retention

  • Couple accounts: retained while the account is active. You may request deletion at any time.
  • Guest names and email addresses: deleted when the event is deleted (60 days after the wedding date)
  • Payment records: retained for 7 years as required by HMRC financial regulations
  • Server logs: retained for 30 days then automatically deleted

7. Third-party processors

We use the following third-party services to operate Confetti. Each acts as a data processor under a data processing agreement:

  • Supabase (EU West) — database and file storage
  • Vercel — web hosting and content delivery
  • Railway — image processing infrastructure
  • Stripe — payment processing (Stripe is an independent data controller for payment data)
  • Resend — transactional email delivery
  • Google / Apple — authentication (sign-in only; we receive only your name and email)

8. International transfers

Some of our service providers are based outside the UK or EEA. Where data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, in accordance with UK GDPR requirements.

9. Your rights

Under UK GDPR, you have the following rights:

  • Right of access — request a copy of your personal data
  • Right to rectification — request correction of inaccurate data
  • Right to erasure (“right to be forgotten”) — request deletion of your data
  • Right to restrict processing — request we limit how we use your data
  • Right to data portability — request your data in a machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at hello@confetti.film. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

10. Security

We take appropriate technical and organisational measures to protect your data, including encrypted storage, access controls, and secure transmission over HTTPS. Photos are stored in private buckets accessible only via time-limited signed URLs.

11. Cookies

We use only essential session cookies required to keep you signed in. We do not use advertising, analytics, or tracking cookies. No cookie consent banner is required for essential cookies under UK GDPR.

12. Changes to this policy

We may update this policy from time to time. Where changes are material, we will notify couples by email. Continued use of the service after changes are posted constitutes acceptance.

13. Contact

For any privacy-related questions or to exercise your rights, contact us at hello@confetti.film.