Privacy Policy

1. Scope and Data Controller

Grain is a digital disposable camera service for events. For all data processing described in this policy, Grain acts as the data controller unless a separate written agreement states otherwise.

2. Information We Collect

We collect only information needed to provide and improve the service, including:

• Account data (email address and authentication identifiers).
• Event participation data (guest name, event access details, and participation status).
• Photo and media data uploaded or captured through the app, including metadata necessary for rendering and reveal flows.
• Technical data (IP address, browser type, device signals, logs, and security telemetry).
• Cookie and local storage preferences used for authentication, session continuity, and your consent choices.

3. How We Use Information

• Provide account login, event access, and photo delivery.
• Apply event settings such as reveal timing and photo limits.
• Prevent abuse, fraud, and unauthorized access.
• Maintain service reliability, troubleshoot incidents, and improve product quality.
• Comply with legal obligations and enforce our platform policies.

4. Legal Bases for Processing

• Contractual necessity to provide core platform functionality.
• Legitimate interests in security, abuse prevention, and service operations.
• Consent where required, including optional analytics and marketing cookies.
• Compliance with legal and regulatory requirements.

5. Cookies and Similar Technologies

Grain uses a consent banner with category-level controls. Necessary cookies are always active because they are required for secure login and core functionality. Optional categories are disabled unless you explicitly enable them.

• Necessary cookies: authentication, session continuity, security.
• Analytics cookies: optional usage and performance insights.
• Marketing cookies: optional campaign measurement and attribution.

You can update your preferences at any time via the cookie settings control in the app.

6. Data Sharing and Subprocessors

We may share data with trusted processors that support authentication, storage, delivery, infrastructure, and security. These providers are contractually bound to process data only on our instructions and apply appropriate safeguards.

We may also disclose data when legally required, to protect rights, safety, or property, or as part of a business transfer.

7. Data Retention

We retain personal data only for as long as needed for the purposes described in this policy, including legal, accounting, and security obligations. Event hosts are responsible for managing and removing event content where controls are provided.

8. Security

We implement administrative, technical, and organizational measures to protect personal data, including access controls, transport security, and operational monitoring. No method of transmission or storage is fully secure, but we continuously improve controls in line with industry practices.

9. International Transfers

If your data is transferred across borders, we use appropriate safeguards as required by applicable law.

10. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, object to, or port your data, and to withdraw consent where processing is consent-based.

11. Children's Privacy

Grain is not directed to children under the age required by your local law to provide valid consent for data processing. If you believe a child has provided personal data without proper consent, contact us and we will take appropriate action.

12. Policy Updates

We may update this policy from time to time. Material changes will be reflected by updating the date above and, where required, providing additional notice.