Privacy Policy
Last updated: May 30, 2026
Melrose Lab ("we," "us," or "our") operates the Photoboothify mobile application and website at photoboothify.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using Photoboothify, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Display name
- Profile picture (optional)
- Authentication credentials (managed securely via AWS Cognito)
1.2 Photos and Videos
When you use the photo booth features, we collect and store:
- Photos and videos you capture within the app
- Frames, filters, and overlays applied to your media
- AI-generated frames created from your text prompts
- Event-associated media shared via QR codes
1.3 Device Information
We automatically collect certain device information, including:
- Device type, model, and operating system version
- Unique device identifiers
- Firebase Cloud Messaging (FCM) device tokens for push notifications
- App version and build number
1.4 Location Information
If you use the marketplace feature to browse or list photo booth equipment, we may collect approximate location data to show relevant listings near you. Location access is optional and only used when you grant permission.
1.5 Usage Analytics
We collect anonymized usage data to improve the Service, including:
- Features used and frequency of use
- Session duration and app interactions
- Crash reports and performance metrics
- Event creation and sharing activity (aggregated)
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Create and manage your account
- Store and deliver your photos and videos
- Enable QR code sharing with event guests
- Generate AI-powered frames based on your prompts
- Send push notifications about events, bookings, and app updates
- Facilitate marketplace connections between vendors and renters
- Analyze usage patterns to improve features and performance
- Detect and prevent fraud, abuse, or security issues
- Comply with legal obligations
3. Third-Party Services
We use the following third-party services to operate Photoboothify:
3.1 Amazon Web Services (AWS)
We use AWS for cloud infrastructure, including:
- AWS Cognito — User authentication and account management. Receives and processes: email address, authentication credentials, session tokens.
- AWS S3 — Secure storage of photos, videos, and media files. Receives and processes: all user-uploaded media content.
- AWS Lambda & DynamoDB — Backend processing and data storage. Receives and processes: event data, session data, user preferences, media metadata.
- AWS SES — Transactional email delivery. Receives: email address for verification codes and notifications.
AWS processes data in accordance with their Privacy Policy. All AWS services we use are deployed in the us-east-1 (N. Virginia) region.
3.2 OpenAI
We use OpenAI's services to generate AI-powered frames from your text prompts. When you use the AI frame generation feature, your text prompt is sent to OpenAI for processing. We do not send your photos or personal information to OpenAI. OpenAI processes data in accordance with their Privacy Policy.
3.3 Firebase Cloud Messaging (FCM)
We use Google's Firebase Cloud Messaging to deliver push notifications to your device. This requires storing your FCM device token. Google processes this data in accordance with their Privacy Policy.
3.4 Google Play
Photoboothify is distributed through Google Play. Google may collect information about your app downloads and usage as described in their privacy policy. We receive anonymized, aggregated analytics from Google Play Console.
4. Data Storage and Security
We take the security of your data seriously:
- All data is stored on AWS infrastructure with encryption at rest and in transit
- Authentication is handled through AWS Cognito with industry-standard security protocols
- Media files are stored in private S3 buckets with access controls
- We use HTTPS for all data transmission
- Access to user data is restricted to authorized personnel only
While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.
5. Data Sharing
We do not sell your personal information. We may share your information in the following circumstances:
- With your consent — When you share photos via QR codes, recipients can view the shared media
- Marketplace interactions — When you contact a vendor or renter, limited contact information may be shared to facilitate the transaction
- Service providers — With third-party services described in Section 3, solely to operate the Service
- Legal requirements — When required by law, regulation, or legal process
- Safety — To protect the rights, safety, or property of Melrose Lab, our users, or the public
6. Your Rights
You have the following rights regarding your personal data:
- Access — You can request a copy of the personal data we hold about you
- Correction — You can update your account information at any time through the app
- Deletion — You can delete your account directly from the app (Settings → Account → Delete Account) or via our web deletion page
- Data Portability — You can request an export of your data in a machine-readable format via the app (Settings → Account → Download My Data)
- Opt-out of notifications — You can disable push notifications through your device settings
6.1 Account Deletion Process
When you request account deletion (either through the app or the web deletion page):
- Your account is immediately marked for deletion and you are signed out
- A 30-day grace period begins during which you can cancel the deletion by simply signing back into the app
- After 30 days, all your data is permanently and irreversibly deleted, including:
  - Your authentication credentials (AWS Cognito account)
  - All database records (events, sessions, media metadata, preferences)
  - All stored media files (photos, videos, frames) from S3
- Deletion is completed within 72 hours of the grace period expiring
During the grace period, your data is retained in a deactivated state but remains accessible if you choose to recover your account.
To exercise any of these rights, you can use the in-app features or contact us at support@photoboothify.com. We will respond to your request within 30 days.
7. Children's Privacy
Photoboothify is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@photoboothify.com.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
8.1 Retention Periods by Data Category
| Data Category | Purpose | Retention Period |
|---|---|---|
| Email address | Account authentication, communications | Until account deletion + 30 days |
| Photos & videos | Core service functionality, sharing | Until deleted by user or account deletion + 30 days |
| Device information | Push notifications, compatibility | Until app uninstall or account deletion |
| Usage analytics | Service improvement, performance | Anonymized, retained up to 24 months |
| Event data | Event management, booth sessions | Duration of event + 90 days, or account deletion |
8.2 Post-Deletion Retention
- Account data — Retained until you delete your account
- Photos and videos — Retained until you delete them or delete your account
- Event data — Retained for the duration of the event plus 90 days, unless you choose to keep it longer
- Usage analytics — Retained in anonymized form for up to 24 months
- Device tokens — Updated or removed when you uninstall the app or revoke notification permissions
After an account deletion request, we retain all data for a 30-day grace period before permanent deletion. Once the grace period expires, data is permanently deleted within 72 hours.
9. International Data Transfers
Your data may be processed and stored in the United States where our servers are located. By using the Service, you consent to the transfer of your data to the United States.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy within the app and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
11. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: support@photoboothify.com
- Address: Melrose Lab, United States