GDPR Compliance
Last Updated: February 19, 2026
1. Introduction to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process the personal data of individuals in the European Union (EU), regardless of where the organization is located.
At CapturedInLife, we are committed to ensuring the protection and privacy of your personal data. This page outlines our GDPR compliance measures and your rights as a data subject.
2. Data Controller Information
Data Controller: CapturedInLife
Contact Email: privacy@capturedinlife.com
Data Protection Officer: dpo@capturedinlife.com
3. Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
3.1 Right to Access (Article 15)
You have the right to obtain confirmation as to whether or not we process your personal data, and where that is the case, access to that data and information about how it is processed.
How to exercise: Contact us at privacy@capturedinlife.com with the subject line "Data Access Request."
3.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
How to exercise: Update your information in your account settings or contact us directly.
3.3 Right to Erasure ("Right to be Forgotten") (Article 17)
You have the right to request the deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and no other legal basis applies
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased for legal compliance
How to exercise: Delete your account through settings or email us with "Deletion Request."
3.4 Right to Restrict Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
3.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
How to exercise: Contact us to request an export of your data.
3.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or direct marketing at any time.
3.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. Our AI features do not make such decisions about users.
4. Legal Basis for Processing
Under GDPR Article 6, we process personal data based on the following legal grounds:
| Purpose | Legal Basis | Description |
|---|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) | Processing necessary to provide our service |
| Payment processing | Contract (Art. 6(1)(b)) | To fulfill our contractual obligations |
| AI photo analysis | Consent (Art. 6(1)(a)) | Optional feature you can disable |
| Analytics and improvements | Legitimate Interest (Art. 6(1)(f)) | To improve our service quality |
| Legal compliance | Legal Obligation (Art. 6(1)(c)) | To comply with applicable laws |
| Marketing communications | Consent (Art. 6(1)(a)) | Only with your explicit consent |
5. Data We Process
5.1 Personal Data Categories
- Identity Data: Name, email address, user ID
- Contact Data: Email address
- Financial Data: Payment information (processed by Stripe)
- Technical Data: IP address, browser type, device information
- Usage Data: How you interact with our service
- Content Data: Photos and images you upload
- Biometric Data: Face recognition data derived from photos (optional)
5.2 Special Categories of Data
Photos you upload may contain special category data under GDPR Article 9 (e.g., revealing racial or ethnic origin). By uploading such photos, you consent to our processing of this data for the purpose of providing our services.
6. International Data Transfers
As a global service, your data may be transferred to and processed in countries outside the European Economic Area (EEA).
6.1 Transfer Mechanisms
We ensure appropriate safeguards are in place for international transfers:
- Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs with our service providers
- Adequacy Decisions: We transfer data to countries with EU adequacy decisions where possible
- Data Processing Agreements: All processors are bound by GDPR-compliant DPAs
6.2 Service Providers Outside EEA
- AWS (United States) - Photo storage and AI processing
- Stripe (United States) - Payment processing
- Supabase (United States) - Database services
7. Data Retention
We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days | To provide service and allow account recovery |
| Photos | Until deleted by user | To provide gallery service |
| Payment records | 7 years | Legal and tax compliance |
| Usage logs | 90 days | Security and debugging |
| Face recognition data | Until photo deletion | To enable search functionality |
8. Data Protection Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption at rest and in transit (TLS 1.3)
- Regular security assessments and penetration testing
- Access controls and role-based permissions
- Employee training on data protection
- Incident response procedures
- Data minimization practices
- Regular backups with encryption
9. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware
- Notify affected individuals without undue delay if the breach poses a high risk
- Document all breaches, including facts, effects, and remedial actions
10. Cookies and Tracking
We use cookies and similar technologies. For detailed information, please see our Cookie Policy. You can manage cookie preferences through your browser settings.
11. Supervisory Authority
If you are in the EU, you have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data violates GDPR.
12. Contact Us
For any GDPR-related inquiries or to exercise your rights, please contact:
- Email: dpo@capturedinlife.com
- Postal: CapturedInLife, Attn: Data Protection Officer, 123 Gallery Street, Creative District, CD 12345
We will respond to all requests within 30 days. Complex requests may require additional time, in which case we will notify you.
Questions?
If you have any questions about our legal documents, please contact us at legal@capturedinlife.com
