Privacy Policy

1. Introduction

Pinocchio LLC (“Shared Moments,” “we,” “us,” or “our”) operates the Shared Moments platform at shared-moments.com. We are committed to protecting your personal information and your right to privacy.

This Privacy Policy explains what information we collect, how we use it, with whom we share it, how long we keep it, and what rights you have over it. It applies to all users worldwide, including those in the European Union (“EU”), United Kingdom (“UK”), and California, United States.

2. Data Controller

For the purposes of the EU General Data Protection Regulation (“GDPR”) and the UK GDPR, the data controller is:

3. Information We Collect

3.1 Information you provide to us (Hosts)

• Account information: Your name and email address when you register.
• Event data: Event name, description, date, location, and configuration settings you choose.
• Payment information: Billing details are collected and processed directly by Stripe, Inc. We receive only a transaction confirmation and the last four digits of your card. We never store your full card details.

3.2 Information collected from Guests

• Photos: Images taken or uploaded by Guests during an event.
• Email address (optional): Only if a Guest voluntarily creates an account.
• Guests who do not create an account participate anonymously. No personal information beyond the photos they submit is collected from anonymous Guests.

3.3 Information collected automatically

• Log data: IP address, browser type, operating system, referring URLs, and pages visited.
• Device information: Device type and screen resolution for optimizing the camera experience.
• Cookies and similar technologies: See Section 8 below.
• Analytics data: We use third-party analytics tools to understand how users interact with our platform. This data is aggregated and used only to improve the Service.

4. How We Use Your Information

We use the information we collect for the following purposes:

We will never use your photos or any User Content for advertising, marketing, AI training, or any purpose beyond operating your event gallery.

5. How We Share Your Information

We do not sell your personal data. We share information only with the following trusted third-party service providers, and only to the extent necessary to operate the Service:

• Stripe, Inc. — Payment processing. Stripe Privacy Policy
• Cloudflare, Inc. — Photo and file storage (R2). Cloudflare Privacy Policy
• Supabase, Inc. — Database hosting. Supabase Privacy Policy
• Clerk, Inc. — User authentication. Clerk Privacy Policy
• Analytics providers — Aggregated, anonymized usage data to improve the Service.

We may also disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Shared Moments, our users, or the public.

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you before your personal information becomes subject to a different privacy policy.

6. Data Retention

• Account data: Retained for as long as your account is active. If you delete your account, your personal data is permanently deleted within 30 days.
• Photos — free events: Stored for 30 days after the event ends, then permanently deleted.
• Photos — paid events: Stored for 1 year after the event ends, then permanently deleted.
• Payment records: Retained for 7 years as required by US tax and financial regulations.
• Log data: Retained for up to 90 days for security and debugging purposes.

We will send an email reminder to Hosts before photos are automatically deleted. You can always download your full gallery as a ZIP file from your dashboard before deletion.

7. International Data Transfers

Our servers and service providers are primarily located in the United States. If you are accessing the Service from the European Union, United Kingdom, or other regions with laws governing data collection and use, please note that your information may be transferred to and processed in the United States, which may have different data protection standards than your country.

For transfers of personal data from the EU or UK to the United States, we rely on the applicable Standard Contractual Clauses (“SCCs”) approved by the European Commission, or other lawful transfer mechanisms as required.

8. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

• Essential cookies: Required for the Service to function, including keeping you signed in and maintaining your session. These cannot be disabled.
• Analytics cookies: Used to understand how visitors interact with our platform. We use anonymized and aggregated data to improve the Service. You may opt out of analytics tracking.

We do not use advertising, retargeting, or third-party tracking cookies. You can control cookie settings through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

9. Your Privacy Rights

9.1 Rights for all users

• Download your event gallery at any time from your dashboard.
• Delete your account and all associated data from your dashboard settings.
• Contact us to correct inaccurate account information.

9.2 Rights for EU and UK users (GDPR)

If you are located in the EU or UK, you have the following rights under the GDPR:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data (“right to be forgotten”).
• Right to restriction: Request that we restrict processing of your data in certain circumstances.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national data protection authority in the EU).

9.3 Rights for California residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (“CCPA”):

• Right to know: Request disclosure of the personal information we collect, use, and share.
• Right to delete: Request deletion of your personal information.
• Right to opt-out of sale: We do not sell personal information. No opt-out is required.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, please contact us at hello@shared-moments.com. We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).

10. Children’s Privacy (COPPA)

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided personal information to us, please contact us at hello@shared-moments.com and we will delete that information promptly.

Hosts who use Shared Moments at events attended by minors are solely responsible for obtaining the necessary parental or guardian consents required by applicable law before collecting photos of children.

11. Data Security

We implement industry-standard technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/HTTPS.
• Encryption of data at rest.
• Access controls limiting who can access personal data.
• Secure payment processing via Stripe (PCI-DSS compliant).

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

12. Links to Third-Party Sites

The Service may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

14. Contact & Data Requests

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

We aim to respond to all privacy-related requests within 30 days.