Privacy Policy
Last updated: 2026-05-18
This page is a draft pending legal review. It is not binding on Imago Club SRL and may change before the Service launches. For questions, contact privacy@imagomoments.ro.
This Privacy Policy explains how Imago Club SRL(“ImagoMoments”, “we”, “us” or “our”) collects, uses, and protects personal data when you use our Service. It is written to comply with the EU General Data Protection Regulation (GDPR), Romanian Law 190/2018, Romanian Law 506/2004 (ePrivacy) and OUG 34/2014.
1. Who we are
Imago Club SRL is the entity responsible for the ImagoMoments Service. Our public identifiers are:
- Company: Imago Club SRL
- CUI (tax ID): 17715050
- Trade Register: J12/2348/2005 (Oficiul Registrului Comerțului de pe lângă Tribunalul Cluj)
- Registered office: Str. Patriciu Barbu, Nr. 37, 400057 Cluj-Napoca, jud. Cluj
- General contact: contact@imagomoments.ro
- Privacy and data subject rights: privacy@imagomoments.ro
No Data Protection Officer has been appointed at this time. Privacy questions should be sent to privacy@imagomoments.ro. Our supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), https://www.dataprotection.ro, postal address B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București.
2. Our dual role
We act as a controller for data we decide the purpose of: your account details, authentication records, audit log, our own billing records, sub-processor relationships, security telemetry and transactional email logs.
We act as a processorfor data that a Couple configures for their own Event: the guest list, RSVP responses, uploaded photos and videos, EXIF metadata, face recognition embeddings derived from event photos, and AI-curated highlight selections. In that role we follow the Couple's documented instructions under GDPR Art. 28.
3. What we collect
| Category | Examples | Retention |
|---|---|---|
| Account data | Name, email, hashed password, preferred language | Until account deletion (90-day soft delete grace) |
| Authentication | Cognito access and refresh tokens, sealed session cookie | Session lifetime |
| Event metadata | Event title, type (wedding, baptism, birthday), date, venue address, map coordinates | With the event |
| Invitation content | Couple-authored text, uploaded invitation images, color palette | With the invitation |
| RSVP responses | Guest name, attendance, adults/children count, menu choice, table assignment, optional dietary notes (which may be health data under GDPR Art. 9) | With the event |
| Guest list entries | Name, contact details, family or group grouping | With the event |
| Photos and videos | Image files (JPEG, PNG, WebP) and video files (MP4, QuickTime, WebM, AVI); stored in three tiers (original, web at 2048px, thumbnail at 400px) plus a Glacier Deep Archive disaster-recovery copy; EXIF metadata is preserved on originals | With the event; 30 days after soft delete |
| Guest-contributed uploads | Photos and videos uploaded by a Guest to a Couple's event album. Held in a moderation queue until the Couple approves them for the shared album. Subject to a per-event upload cap configured by the Couple. Guests may view and delete their own uploads via the My Uploads view at any time. | With the event; 30 days after soft delete |
| Face biometric data | Per-event AWS Rekognition collection of face vectors (GDPR Art. 9 special category) | 30 days from the last face_processed_at (reprocessing resets the window) |
| In-app support messages | Free-form messages between a Couple and ADMIN staff | With the account |
| Audit log | Actor id, action, entity type and id, JSON diff of changes | 12 months |
| Analytics events | Four event types (view, share, rsvp_start, rsvp_complete); hashed IP address, referrer truncated to 255 characters, user-agent truncated to 512 characters, 60-second deduplication window per invitation + IP + event type | 24 months |
| Email send log | Send, bounce and complaint records from our worker-service via AWS SES | Operationally necessary period |
| Customer reviews | Review text, star rating, author display identifier, the partner referenced and the moderation state (pending, approved, rejected). Submitted by a User who is a verified customer of a partner. | With the partner profile, plus a configurable additional period after partner deactivation (currently set per partner agreement) |
| Partner profile data | Business name, contact details, services offered, profile description, gallery imagery and public profile status, submitted by a Partner User who has chosen to publish a partner profile on the Service | While the partner profile is active |
| Album share tokens | Per-cluster scoped, revocable share tokens granting limited access to a defined slice of an event album | While the album exists or until the token is revoked |
| Federated identity link audit | Audit trail of automatic linking events between a federated identity (Google or Facebook) and a pre-existing native email account on the Service, performed by our PreSignUp Lambda | While the account exists |
| Payment data | Card and bank-instrument data are held by the payment provider, not by us. We retain only billing line items, plan state, transaction references and provider tokens necessary for accounting and reconciliation | With the order / accounting record (10 years under Romanian Law 82/1991) |
| Cookies | Strictly-necessary and functional cookies only — see the Cookie Policy | See the Cookie Policy |
4. Why we process it (lawful basis)
- Account sign-up, sign-in and session management — Art. 6(1)(b), performance of the contract between us and you.
- Event data owned by a Couple (invitation content, guest list, RSVPs, photos) — Art. 6(1)(b) between us and the Couple. In relation to individual Guests, the Couple is the controller and typically relies on Art. 6(1)(f) legitimate interest in organising a private event; we act as the Couple's processor.
- Dietary notes in RSVPs — where these reveal health information, the Couple relies on Art. 9(2)(a) explicit consent collected at the RSVP form.
- Photos depicting identifiable guests — Art. 6(1)(f) legitimate interest of the Couple, balanced against guest expectations. A guest may object via the Couple or directly at privacy@imagomoments.ro.
- Face recognition over event photos — when a Couple opts the event in to face recognition, the Couple acts as controllerand is responsible for obtaining explicit Art. 9(2)(a) consent from each guest whose face will be processed. The default and recommended form is recorded written or electronic per-guest consent (e.g. RSVP form checkbox, written event registration, electronic signature). Verbal consent or a physical sign at the venue is acceptable only where the Couple can record sufficient evidence of who consented. Imago Club SRL acts as processor on the Couple's documented instructions, runs the per-event AWS Rekognition collection in
eu-central-1, and applies the safeguards described in our internal Data Protection Impact Assessment, which is available on request. - Face recognition for the guest selfie claim flow — a Guest who wants to find photos that depict them in a specific event uploads a selfie. The Guest is the data subject providing explicit Art. 9(2)(a) consent in two layers: a standing opt-in (the
face_consentflag granted from your account) and a per-action consent record written each time you submit a selfie. Without the standing opt-in, a selfie submission is refused. Each match runs against a single event's per-event AWS Rekognition collection — never across events — with a 95% similarity threshold and a 5-per-hour rate limit. - Analytics on invitation views — Art. 6(1)(f) legitimate interest, mitigated by IP hashing, the 255-character referrer cap, the 512-character user-agent cap and the 60-second deduplication window.
- Session and security cookies — ePrivacy Art. 5(3) strictly-necessary exemption (Romanian Law 506/2004).
- In-app support messages — Art. 6(1)(f) legitimate interest in providing support.
- Audit log — Art. 6(1)(f) combined with Art. 5(2) accountability.
- Customer reviews— Art. 6(1)(b) performance of the contract with the reviewing User where the review is solicited as part of the post-purchase flow on a partner profile, and Art. 6(1)(f) legitimate interest in hosting and publicly displaying the review on the relevant partner profile thereafter, balanced against the reviewer's expectations.
- Partner profile data — Art. 6(1)(b) performance of the contract between us and the Partner User who has chosen to publish a partner profile on the Service.
- Federated identity auto-link — when you sign in via Google or Facebook OAuth and a native email account already exists on the Service for the same verified email address, our PreSignUp Lambda automatically links the federated identity to the existing native account so you do not end up with two parallel accounts. Lawful basis: Art. 6(1)(f) legitimate interest in account integrity, security and in preventing accidental duplicate accounts under the same email.
- Billing records — Art. 6(1)(c) legal obligation under Romanian Law 82/1991 on accounting (10-year retention). When a real payment provider is enabled, Art. 6(1)(b) performance of the paid plan contract applies in addition.
- Marketing emails — we do not currently send any. If this ever changes, we will obtain prior opt-in consent and give 14 days' advance notice.
5. Who we share it with
We share Personal Data only with the sub-processors we need to operate the Service. All systematic processing runs on AWS in eu-central-1 (Frankfurt).
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cognito (authentication), RDS (database), S3 (photo and export storage), CloudFront (delivery), Rekognition (face recognition), Bedrock (AI Highlights), Lambda, SQS, ElastiCache Redis, ECS, KMS, CloudWatch, SES (email) | eu-central-1 (Frankfurt) |
| Google LLC | Google OAuth sign-in; Google Places JavaScript API for address autocomplete | Global (EU-primary where available) |
| Meta Platforms Ireland Limited | Facebook OAuth sign-in | Ireland / Global |
AI processing for the photo Highlights feature runs on AWS Bedrock in eu-central-1. There is no transfer to the United States for AI inference.
The Google Places JavaScript API is loaded only on authenticated editor surfaces (the invitation editor and the template editor used by Couples), and only after the user explicitly engages with a place-search affordance. Public invite pages displayed to unauthenticated guests do not load any Google script; venue navigation buttons are simple external links to Google Maps, Waze or Apple Maps, and clicking them takes you to the third-party site under that site's own privacy terms. Loading the Places script on the editor surfaces may cause Google to set cookies on the google.com domain; we do not set those cookies on our own domain.
The full authorised sub-processor list (each AWS service broken out with its role, location and retention window) is maintained as part of our internal legal reference pack and is available on written request at privacy@imagomoments.ro.
6. International transfers
Our baseline is that all systematically processed Personal Data stays in Frankfurt. The only exceptions relate to sign-in via Google or Facebook OAuth, where the provider may process data outside the EEA under its own GDPR Art. 46 safeguards (Standard Contractual Clauses or equivalent).
Separately, AWS may in limited support scenarios route operator access across regions under the AWS Data Processing Addendum. This does not change where your data is stored.
7. How long we keep it
- Face biometric data: 30 days after the last
face_processed_at; reprocessing resets the window. - Soft-deleted photos: 30 days, then a full hard delete across all three S3 tiers and the Deep Archive copy.
- Soft-deleted events: 90 days (full cascade covering photos, faces, RSVPs, guest list, invitation and analytics).
- Audit log: 12 months.
- Invitation analytics events: 24 months.
- Unverified accounts: 7 days.
- Soft-deleted users: 90 days.
- Billing records: 10 years (Romanian Law 82/1991).
- Data export ZIPs: 7 days.
Cookie lifetimes are listed in the Cookie Policy.
8. Your rights
Under GDPR Arts. 15 to 22 you have the right to request access, rectification, erasure, restriction of processing, portability, and to object. You may exercise any of these rights by emailing privacy@imagomoments.ro. We will respond within 30 days, extendable by up to two further months for complex requests with written notice.
You also have the right to lodge a complaint with ANSPDCP — https://www.dataprotection.ro, postal address B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București.
9. Children
Account holders must be at least 18 years old. We do not knowingly create accounts for minors. Photos at weddings, baptisms and birthdays frequently depict minors; the Couple, as controller of guest data, is responsible for the parental-consent analysis and for informing parents or guardians where required.
The minimum age of digital consent in Romania is 16, the GDPR Art. 8 default; Romania has not exercised the option to lower it. Account holders must still be 18.
10. Security
We apply technical and organisational measures appropriate to the risk. This includes encryption at rest for S3 and RDS, TLS 1.2 or higher in transit, HSTS, least-privilege IAM, role-based access control, CloudFront signed URLs for event photos, CSRF protection, rate limiting, and a documented audit log.
A Glacier Deep Archive disaster-recovery copy of photo originals is kept separately so that loss of the live bucket does not destroy the Couple's event data.
Authentication is hardened with adaptive risk-based authentication through Cognito advanced security: low / medium / high risk decisions trigger graduated handling, and compromised credentials are blocked when Cognito detects credentials known to have leaked elsewhere. We apply per-email rate limits on the password-reset and sign-in flows in addition to per-IP rate limits, and we maintain a token denylist that revokes refresh and access tokens at sign-out so a stolen token cannot be replayed even within its remaining lifetime.
11. Cookies
We use a small number of strictly-necessary and functional cookies. We do not use advertising or profiling cookies. Optional behavioural-analytics cookies (Google Analytics 4 with IP anonymization) are loaded only after you grant explicit consent via the cookie banner. The full list and the consent / withdrawal mechanism are at Cookie Policy.
12. Automated decisions
We do not make automated decisions within the meaning of GDPR Art. 22 that produce legal or similarly significant effects. Face clustering (Smart Photo Groups) and the AI Highlights feature produce assistance outputs that the Couple can review, edit, override or delete before anything becomes visible to other parties.
13. Changes to this policy
We will publish updates to this Privacy Policy at this URL. Material changes will be reflected in the “Last updated” date and version. We aim to provide advance notice of material changes when we have an in-app mechanism to do so.
In case of any conflict between the Romanian and English versions of this document, the Romanian version prevails for all consumers domiciled in Romania.
14. Contact
- General: contact@imagomoments.ro
- Privacy and data subject rights: privacy@imagomoments.ro