Privacy Policy

Last updated: 3 July 2026

Protecting personal data is important to us. Below we transparently inform you which data we process when operating this photo-sharing service, for which purpose and on which legal basis. The German version of this policy is legally binding.

1. Data Controller

Data controller in the sense of the GDPR is:

Stansday UG (haftungsbeschränkt) Oberer Kolberg 12 34212 Melsungen Germany

Email for privacy requests: support@stansday.com

2. Data Protection Officer

We are not required to appoint a Data Protection Officer. For privacy inquiries please contact the email address above.

3. What data do we process?

The following personal data is processed during operation of the service:

• Email address — only for album owners and co-managers, for login via magic link. • Optional guest name — provided when uploading a photo, displayed with the media in the gallery. • Uploaded media — photos, videos and voice notes including technical metadata such as resolution, file size and upload timestamp. GPS and camera data from EXIF are removed server-side before storage. • Consent timestamp — for each upload we record which version of this privacy policy was accepted. • IP address (hashed) — for abuse prevention and rate limits we store a SHA-256 hash of the IP, never plain-text IPs. • Audit log — actions by platform administrators (block, role change, album deletion) are logged with timestamp and acting user ID.

4. Purpose and Legal Basis

• Providing the service (album creation, photo upload, gallery display, voice notes): contractual performance (Art. 6 (1) b GDPR). • Guest uploads: consent (Art. 6 (1) a GDPR), obtained via the checkbox in the upload form. • Rate limits, abuse prevention, audit log: legitimate interest in secure operations (Art. 6 (1) f GDPR).

5. Data Processors

We use the following service providers:

• Supabase — database, file storage and authentication. Server location: EU (Frankfurt am Main). Data processing agreement in place. • Server hosting — the application itself runs on our own infrastructure or on hosting servers within the EU.

No data is transferred to recipients outside the EU.

6. Retention

• Album content (media, comments, guest names): until the expiry date set by the album owner, by default at most 12 months. Media and metadata are then deleted automatically. • Hashed IP addresses for rate limits: at most 24 hours after the last request. • Audit log: 1 year. • Email addresses of account holders: until account deletion.

7. Your Rights

You have the right to:

• Access the data stored about you (Art. 15 GDPR) • Rectification of incorrect data (Art. 16 GDPR) • Deletion (Art. 17 GDPR) — for uploaded photos please contact the album owner or us directly. • Restriction of processing (Art. 18 GDPR) • Data portability (Art. 20 GDPR) • Withdrawal of consent with effect for the future (Art. 7 (3) GDPR) • Complaint to a data protection authority (Art. 77 GDPR)

Please direct your requests to support@stansday.com.

8. Cookies

We only use strictly necessary cookies:

• Session cookie — keeps login sessions active (only for logged-in users). • Password cookie — HMAC-signed, keeps access to a password-protected album open (lifetime 1 hour). • Language cookie — remembers the most recently chosen language.

No analytics, tracking or advertising cookies are set.

9. Contact

For questions about privacy or to exercise your rights, contact us at support@stansday.com.