Privacy Policy

InstantPix is operated by InstantPix Technology Private Limited (CIN: U62011KA2026PTC221385), a company incorporated in India with its registered office at C/o Kowshik Ashirwad Apts, 2nd Flr, New Extension Road, Dharmaram College, Bangalore South, Karnataka 560029. References in this Privacy Policy to "InstantPix", "we", "us" or "our" mean InstantPix Technology Private Limited.

Under the Digital Personal Data Protection Act, 2023 (DPDPA), InstantPix Technology Private Limited is the Data Fiduciary for personal data processed through our website, mobile app, and services.

This Privacy Policy explains how we collect, process, store, and protect your personal information. By using InstantPix, you agree to this Privacy Policy. If you do not agree, please discontinue use of the platform.

Account data: Full name, email address, mobile number, password (stored as bcrypt hash — never in plain text).

Photographer profile data: Business name, city, GPS coordinates and service radius (when provided), experience, specializations, portfolio URLs, social links, Aadhaar/PAN reference (masked — last 4 digits only, for KYC).

Location data: When you use location-based photographer discovery, we request your device's GPS coordinates. This data is used only to compute proximity and is not stored permanently on our servers — it is transmitted over HTTPS and used in real time to query nearby photographers.

Face embedding data: When you upload a selfie for photo search, we compute a mathematical face embedding vector using our AI model. This embedding is processed server-side, used to search the event gallery, and then deleted after the search is complete. Raw selfie images are not retained.

Event media: Photos and videos uploaded to event galleries are stored in encrypted AWS S3 buckets. Access is restricted to event participants and authorised editors.

Payment data: We use Razorpay as our payment processor. We do not store raw card numbers, UPI credentials, or bank account details. Razorpay stores this data under their PCI-DSS compliant environment. We store only Razorpay order IDs, payment IDs, and transaction status.

Push notification token (Device ID): When you enable notifications, we receive an opaque Firebase Cloud Messaging (FCM) token tied to your device. We use it only to deliver notifications to your device and remove it on logout. The token does not identify you outside our system.

Diagnostic & performance data: When the app or web crashes or behaves abnormally, we send anonymised crash logs, performance metrics, and breadcrumb traces to Sentry. We scrub identifiers (email, phone, OTP, tokens) before transmission. These are used only to diagnose bugs and improve reliability.

Usage data: IP address, browser/device type, pages visited, feature interactions (used for analytics and fraud prevention).

We use your data to:

• Create and manage your account
• Match clients with nearby photographers using GPS proximity
• Process bookings and payments via Razorpay
• Search event photo galleries using face recognition
• Send transactional SMS/email (OTP, booking confirmation, payment receipt)
• Detect fraud and enforce platform rules
• Improve our AI models (using anonymised embeddings only)
• Comply with applicable Indian law (IT Act 2000, DPDPA 2023)

We do not sell your personal data.

We share data with:

• Razorpay (payment processing) — governed by Razorpay's Privacy Policy
• AWS (cloud storage and infrastructure) — encrypted at rest and in transit
• Firebase (authentication, social sign-in, push notifications) — handles Google/Apple sign-in tokens and delivers FCM push to your device
• MSG91 (transactional SMS for phone OTP, India only) — phone number passed for delivery, not retained beyond the OTP session
• Sentry (error and performance monitoring) — anonymised stack traces and breadcrumbs; PII keys are scrubbed client-side before transmission
• Law enforcement — if required by a valid court order under Indian law

• Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
• Face embeddings: Deleted immediately after photo search is completed.
• Event media: Retained for the duration the event organiser keeps the event active. Deleted upon organiser deletion or 2 years of inactivity.
• Payment records: Retained for 7 years as required by Indian tax law.
• Location data: Not stored — used in real time only.

Under the Digital Personal Data Protection Act 2023 (DPDPA), you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request erasure of your account and associated data
• Withdraw consent to data processing (which may affect your ability to use the platform)
• Nominate a representative in the event of death or incapacity

To exercise any right, email support@instantpixapp.com with subject "Data Rights Request". We will respond within 30 days.

We use httpOnly cookies to store your authentication session (JWT). These cookies are secure, not accessible to JavaScript, and expire after 24 hours. We do not use third-party tracking or advertising cookies.

• All data is transmitted over TLS 1.2+
• Passwords are hashed using bcrypt (cost factor ≥ 12)
• JWTs are signed with HS256 and expire after 24 hours
• S3 buckets are private with signed CloudFront URLs
• Rate limiting and CSRF protection on all auth endpoints
• Face embeddings are processed in memory and not persisted

InstantPix is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has provided data, contact support@instantpixapp.com and we will delete it promptly.

Ownership. You retain full ownership of every photo or video you upload to InstantPix. We never sell your media, never license it to third parties, and never use it to train AI models without your explicit consent.

Visibility. Media uploaded to an event gallery is visible only to the event owner, invited editors, and users who have access via event code, link, or QR. Galleries are not publicly indexable and are excluded from search engines.

AI face search inputs. When a user searches with a selfie, the selfie is converted into a numerical face embedding, used for the search, and discarded immediately. The original selfie image is never persisted. Only the event organiser's uploaded gallery is searched — never the public internet.

Watermarks & previews. Free previews may be served at reduced resolution with a watermark. Original-quality downloads are gated to authorised users only.

Account deletion. Request account deletion in-app under Account → Settings, or by emailing support@instantpixapp.com. We will delete your account and associated personal data within 30 days, except records we are legally required to keep (payment records under Indian tax law are retained for 7 years).

Event & media deletion. Event owners can delete an event or any individual photo from the event dashboard. Deletions are immediate from active galleries and propagated to backups within 30 days. Once deleted, photos are unrecoverable.

Face embeddings. Search-time embeddings are discarded within seconds. Index-time embeddings tied to a deleted photo are removed when the underlying photo is deleted.

Withdrawn consent. If you withdraw consent for processing, we will stop processing within 7 days and delete data unless retention is legally required.

InstantPix respects intellectual property rights. If you believe content on our platform infringes your copyright, send a written notice to support@instantpixapp.com including:

• Identification of the copyrighted work
• The exact URL or event code containing the infringing content
• Your contact details (name, email, address)
• A statement, under penalty of perjury, that you are the rights holder or authorised to act on their behalf
• Your physical or electronic signature

We will review and, where appropriate, remove the content within 7 business days and notify the uploader. Repeat infringers will have their accounts terminated.

For counter-notice procedures, write to the same address with your justification.

We may update this Privacy Policy. Material changes will be notified via email to registered users at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

For privacy concerns, data requests, or to reach our Grievance Officer:

Data Fiduciary: InstantPix Technology Private Limited

CIN: U62011KA2026PTC221385

Email: support@instantpixapp.com

Registered office: C/o Kowshik Ashirwad Apts, 2nd Flr, New Extension Road, Dharmaram College, Bangalore South, Karnataka 560029, India

Mark data-rights requests with the subject line "Data Rights Request" and grievances with "Grievance Officer". We will acknowledge within 7 days and respond within 30 days as required under the DPDPA 2023.