Privacy Policy
Effective date: 2 July 2026
This Privacy Policy explains how Memory Code collects, uses, and protects personal data when you use memorycode.app and app.memorycode.app (the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR) and Slovenian data protection law (ZVOP-2).
1. Who is responsible for your data
The Service is operated by:
Omar Iriškić s.p. Nazorjeva ulica 4, 4000 Kranj, Slovenia Registration number: 7498411000 · Tax number: 90476727 Email: [email protected]
Our role depends on who you are:
- If you are a Host (account holder): we are the data controller for your account, billing, and usage data.
- If you are a Guest or Viewer (event attendee): the Host who organizes the event is the data controller for the photos, videos, names, and messages you upload or that depict you. Memory Code acts as the Host's data processor for that content, storing and displaying it on the Host's behalf. If you have questions about why your image appears in a gallery, or want it removed, the fastest route is to contact the event Host; you can also contact us and we will assist.
- We are additionally the controller for limited technical and security data we process in our own interest (e.g. abuse prevention, error monitoring, aggregated analytics).
We are a small business and have not appointed a Data Protection Officer; for all privacy matters, contact [email protected].
2. What data we collect
2.1 Hosts (account holders)
- Account data: name, email address, email verification status, password (stored only as a secure hash), optional profile image, language preference, optional Google account link (if you sign in with Google), two-factor authentication data (if enabled).
- Business profile: company name, phone number, country.
- Billing data: orders, plans, add-ons, payment status, shipping address for physical products. Card details are collected and stored by Stripe, our payment processor — we never see or store your full card number.
- Session and security data: IP address and browser/device information for active sessions, login history, and account status (e.g. ban reason where applicable).
- Communications: messages you send via the contact form or support email, and a log of transactional emails we send you (recipient, type, subject, delivery status).
2.2 Guests (uploaders)
- Content you upload: photos, short video clips, an optional display name, and an optional message attached to an upload.
- Technical data: a guest-session token stored in your browser, and — for each upload — a hashed (pseudonymized) IP address and hashed browser identifier, used for abuse prevention and rate limiting. We do not store your raw IP address with your uploads.
No account or app installation is required to be a Guest.
2.3 Viewers and reactions
When you open a gallery or "heart" a photo, we store an anonymous visitor identifier together with a hashed IP address and hashed browser identifier, so reactions can be counted without identifying you.
2.4 Usage analytics
We record product events (e.g. QR scans, gallery opens, uploads, reactions, slideshow opens) with a hashed IP address and browser/device information, to show Hosts an analytics dashboard for their event and to improve the Service. On the marketing website we use Google Analytics — see Section 7 (Cookies).
2.5 Photos may depict other people
Photos and videos uploaded to an event can show other attendees, including children. The Host, as the event organizer and data controller for event content, is responsible for informing attendees and obtaining any required consents. If you believe content depicting you or your child should be removed, contact the Host or email us at [email protected] and we will assist.
3. Why we process data and on what legal basis
| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Providing the Service to Hosts (account, events, galleries, exports, orders) | Account, business, billing, content data | Art. 6(1)(b) — contract |
| Storing and displaying Guest content on behalf of Hosts | Uploaded media, names, messages | Processed on the Host's behalf under Art. 28 (the Host's own legal basis applies) |
| Payments and delivery of physical products | Billing and shipping data | Art. 6(1)(b) — contract; Art. 6(1)(c) — accounting/tax law |
| Transactional emails (welcome, password reset, trial and payment notices, shipping updates) | Email address, email log | Art. 6(1)(b) — contract |
| Newsletter and product news | Email address | Art. 6(1)(a) — consent; you can unsubscribe at any time via the link in each email |
| Security, abuse and fraud prevention, rate limiting | Hashed IP/browser data, session data, tokens | Art. 6(1)(f) — legitimate interest in protecting the Service and its users |
| Event analytics for Hosts and product improvement | Pseudonymized usage events | Art. 6(1)(f) — legitimate interest; Art. 6(1)(a) for non-essential cookies |
| Error monitoring and debugging | Technical error context | Art. 6(1)(f) — legitimate interest |
| Responding to support requests | Contact form / email content | Art. 6(1)(b) or (f) |
| Legal compliance (tax, accounting, responding to authorities) | Billing records, relevant logs | Art. 6(1)(c) — legal obligation |
We do not use your content for advertising, we do not sell personal data, and we do not use your photos or videos to train AI models. We do not carry out automated decision-making with legal or similarly significant effects.
4. Who we share data with (sub-processors and recipients)
We share personal data only with service providers that help us run the Service, under data processing agreements:
| Provider | Purpose | Location / transfers |
|---|---|---|
| Cloudflare (R2 object storage & CDN) | Storage and delivery of uploaded photos/videos and generated files | Stored in the European Union; Cloudflare Inc. participates in the EU–US Data Privacy Framework and uses SCCs where applicable |
| Stripe | Payment processing | EU entity (Stripe Payments Europe); transfers to Stripe Inc. (US) safeguarded by SCCs/DPF |
| Twilio SendGrid | Sending transactional and (with consent) newsletter emails | US; SCCs/DPF |
| Optional Google sign-in; Google Analytics on the marketing site (with your cookie consent) | US; SCCs/DPF | |
| Sentry | Error monitoring (technical error reports may include request context) | US; SCCs/DPF |
| Hosting & infrastructure providers (application servers, background job queue) | Running the application; job queues hold transient processing data only | EU |
We may also disclose data where required by law or to protect our legal rights, and to a successor in the event of a business transfer (with notice to you).
Our own staff and administrators can access accounts and event data only as needed for support, moderation, and operation of the Service; such administrative access (including support sign-in to an account) is logged.
5. International transfers
Uploaded photos and videos are stored in the EU. Where a provider listed above processes data outside the EU/EEA (e.g. US-based email, payments, or error-monitoring providers), the transfer is protected by an EU adequacy decision (including the EU–US Data Privacy Framework) or Standard Contractual Clauses.
6. How long we keep data
- Event content (photos, videos, names, messages): for the storage duration included in the event's Plan (e.g. six months, one year, or "lifetime" — meaning for as long as the Service operates; see our Terms). When the retention period ends, content is scheduled for deletion by an automated daily cleanup process. Hosts can hide or delete content at any time; album download links expire automatically.
- Host accounts: for as long as your account exists. If you request deletion, we delete or anonymize your account data without undue delay, except data we must keep by law.
- Billing and order records: kept for the periods required by Slovenian tax and accounting law (generally up to 10 years for invoices).
- Security and session data: kept only as long as needed for security purposes; session records are removed when sessions expire or are revoked.
- Email logs: kept for a limited period to prove delivery and diagnose email issues.
- Support correspondence: kept as long as needed to handle your request and for a reasonable period thereafter.
7. Cookies and similar technologies
We use two categories of cookies:
Essential cookies (no consent required):
- authentication/session cookies (including a cross-subdomain cookie so you stay signed in between memorycode.app and app.memorycode.app),
- a guest-session cookie that lets Guests upload to an event without an account,
- a language preference cookie.
Analytics cookies (consent required):
- Google Analytics on the marketing website, used to understand site traffic. These cookies are set only if you accept them in our cookie consent banner. You can change or withdraw your choice at any time via the cookie settings link on the Website.
We do not use advertising cookies.
8. Security
We take appropriate technical and organizational measures to protect personal data, including: encrypted connections (HTTPS/TLS) for all traffic; passwords stored only as secure hashes; optional two-factor authentication for Hosts; pseudonymization (hashing) of IP addresses and browser identifiers attached to guest uploads and reactions; token-based, per-event guest access with QR codes that Hosts can rotate or regenerate; rate limiting and anti-abuse protections on public endpoints; access controls and logging of administrative access; and payment data handled exclusively by Stripe (PCI DSS compliant).
No system is perfectly secure. If a personal data breach occurs that risks your rights and freedoms, we will notify the competent supervisory authority and, where required, affected users, in accordance with the GDPR.
9. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you and receive a copy;
- rectify inaccurate or incomplete data;
- erasure ("right to be forgotten"), where the conditions of Art. 17 GDPR are met;
- restrict processing in certain circumstances;
- data portability of data you provided to us, in a structured, machine-readable format;
- object to processing based on our legitimate interests, and to direct marketing at any time;
- withdraw consent at any time (e.g. newsletter, analytics cookies), without affecting processing before withdrawal.
To exercise these rights, email [email protected]. We will respond within one month (extendable by two further months for complex requests, in which case we will inform you). We may need to verify your identity before acting on a request.
For content in event galleries: because the Host is the controller of event content, requests concerning photos or videos of you at an event should ideally be directed to the Host. We will forward requests we receive to the relevant Host and assist in their fulfilment; where content clearly violates our Terms or the law, we may also remove it ourselves.
Complaints: you have the right to lodge a complaint with a supervisory authority, in particular the Slovenian Information Commissioner (Informacijski pooblaščenec), Dunajska cesta 22, 1000 Ljubljana, Slovenia, [email protected], www.ip-rs.si — or the authority of your EU country of residence.
10. Children
The Service (as a Host) is intended for adults aged 18 or over. Galleries may nevertheless contain images of children uploaded by event attendees; responsibility for lawful collection and sharing of such images lies with the event Host, as explained in Section 2.5 and in our Terms. If you believe an image of a child has been shared without appropriate consent, contact us at [email protected] and we will act promptly.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example when we add features or change providers. The current version is always available on the Website with its effective date. For material changes, we will notify registered Hosts by email or in-app notice.
12. Contact
For any questions about this Privacy Policy or your personal data:
Omar Iriškić s.p. Nazorjeva ulica 4, 4000 Kranj, Slovenia [email protected]