Posy

Privacy Policy

Last updated 26 May 2026. How Posy handles personal data — host accounts, event photos uploaded by guests, and in-app purchases via Apple (iOS) and Google (Android).

About this policy

This policy explains how Workyloop OÜ (“Posy”, “we”, “us”) handles personal data collected through the Posy service — the marketing site at posy.camera, the iOS and Android apps, the iOS App Clip, and the web capture page guests use after scanning an event QR code.

Who we are

Workyloop OÜ, Tartu mnt 67/1-13b, 10115 Tallinn, Estonia. Estonian registry code 16837036. We operate the Posy service and are the data controller for the categories of personal data described below.

Contact: hello@posy.camera

What we collect

  • Host account data — name, email (or Apple Sign-In identifier), password hash if email/password is used, and Apple Sign-In opaque user id. Provided when you create an account in the mobile app.

  • Event data — event name, optional description, host-chosen cover image, host-chosen filter and shot count, scheduled open/close/reveal timestamps. Created by hosts in the app.

  • Guest identifiers — web guests are identified by a per-device token (a random opaque string stored in the browser). Mobile-app guests are identified by their authenticated user id. We do not collect guest phone numbers or email addresses for the join flow.

  • Photos and EXIF metadata — the photos guests take inside an event, plus the metadata embedded in those photos (timestamp, device model, optional GPS coordinates if the guest enabled location for the camera). Photos are stored encrypted at rest on Cloudflare R2.

  • Purchase records — receipts, transaction ids, and product ids for in-app purchases made via Apple (iOS) or Google (Android). We do not see or store payment card details — the app store processes the charge end to end.

  • Server logs — IP address, user-agent, request timestamps, and requested URLs, retained for up to 30 days for security and operational purposes.

Special category

Photos in particular

Photos may contain images of identifiable people. Posy treats photos as the host's content — the host who created the event controls who joins it, when the album reveals, and when the album is deleted.

Guests upload photos to the event with the understanding that the host will see them after reveal, alongside the rest of the album. Guests can delete their own photos before reveal. Hosts can delete the entire event and its photos at any time.

We strip GPS coordinates from photos before storage by default; the host can opt photos in to keep location, in which case the coordinates are stored alongside the photo.

We do not use your photos to train machine-learning models. We do not surface anyone else's photos to you outside of the event you joined.

Legal basis (GDPR Art. 6)

  • Host account data — contract (Art. 6(1)(b)) and legitimate interest in operating the service.

  • Event data and photos — contract with the host plus the guest's consent given when scanning the event QR and taking a photo.

  • Purchase records — contract (Art. 6(1)(b)) and legal obligation for tax/accounting.

  • Server logs — legitimate interest in operating and securing the service.

How long we keep it

Host account data is retained while the account is active. Deleted accounts (via the in-app “Delete account” button) are hard-deleted immediately and their events, participants, and photos are removed in the same transaction.

Draft events older than 24 hours are pruned by an automated sweep — these are events whose tier purchase did not complete.

Purchase records and receipts are retained for 7 years to satisfy tax and accounting obligations. Server logs: up to 30 days.

Who we share data with

We do not sell personal data. We share data only with the following processors, strictly to operate the service:

  • Apple Inc. (iOS in-app purchase processing and Apple Sign-In) — United States.

  • Google LLC (Android in-app purchase processing via Google Play Billing) — United States.

  • RevenueCat, Inc. (cross-platform IAP backend) — United States, under EU Standard Contractual Clauses.

  • Cloudflare, Inc. (R2 object storage for photos and covers) — storage region configurable; transfers governed by Cloudflare's data processing addendum.

  • Fly.io (application hosting) — United States, under EU Standard Contractual Clauses.

  • Vercel Inc. (web hosting for posy.camera) — United States, under EU Standard Contractual Clauses.

  • Resend (transactional email delivery) — used for account verification, password reset, and event-related notifications.

  • The host of an event you joined — your photos, captured during their event, are visible to the host (and to other guests at the event) after the album reveals.

Your rights

Under the GDPR, you have the right to access, rectify, erase, restrict processing of, or port your personal data, and to object to processing. To exercise these rights, contact hello@posy.camera.

You can also delete your account directly in the app: Profile → Delete account. This is an immediate hard delete.

You have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee).

International transfers

Some processors listed above are based in the United States. Transfers are governed by the European Commission's Standard Contractual Clauses. We do not transfer personal data to jurisdictions without an adequate level of protection unless protected by appropriate safeguards.

Children

Posy is not directed at children under 16. Hosts using Posy must not knowingly collect or display personal data of children under 16 through Posy events without verifiable parental consent.

Changes to this policy

We may update this policy. The “Last updated” date at the top always reflects the current version. Material changes will be communicated to hosts by email.

Questions about how we handle data? Email hello@posy.camera.

Email hello@posy.camera