Privacy Policy

Last updated: June 17, 2026

1. Who we are

Bat Mitzvah Photo Booth ("we", "us", "our") operates photoboothformitzvah.com. We provide a web-based gallery service that helps families collect guest photos and videos from a bar or bat mitzvah celebration. For questions about this policy or your data, contact us at [email protected].

2. What we collect

Families (account holders)

Account information: name, email address, and password (hashed).
Payment information: processed and stored exclusively by Creem (Creem Global Ltd), our Merchant of Record. We never see or store your full card number, CVV, or banking details.
Gallery settings: celebrant name, mitzvah date, gallery customisation preferences.
Communication data: email correspondence with our support team.

Guests (uploaders)

Uploaded content: photos, videos, and text messages.
Optional display name: only if the guest chooses to provide one.
Truncated IP address: kept temporarily for abuse prevention and rate limiting. No full IP addresses are stored.

Guests do not need to create an account or provide an email address to upload.

3. How we use your data

To provide and operate the Service: host galleries, process uploads, deliver files.
To send transactional emails: gallery ready notifications, expiry reminders, purchase confirmations.
To respond to your support requests.
To detect and prevent abuse, fraud, or security threats.
To improve the Service based on aggregated, anonymised usage patterns.

We do not sell your data, display advertising, build user profiles for marketing, or share your information with third parties for their own purposes.

4. Legal basis for processing (GDPR)

If you are in the European Economic Area (EEA) or United Kingdom, we process your personal data based on:

Contract performance — processing necessary to deliver the Service you purchased (Art. 6(1)(b) GDPR).
Legitimate interests — abuse prevention, security, and service improvement, where these interests are not overridden by your rights (Art. 6(1)(f) GDPR).
Legal obligation — where we are required to retain data for tax, fraud prevention, or regulatory compliance (Art. 6(1)(c) GDPR).

5. Third-party processors

We use a limited number of trusted third-party services to operate:

Creem (Creem Global Ltd) — our Merchant of Record. Creem processes payments, collects taxes, generates invoices, and manages the buyer checkout experience. Creem processes your payment data as an independent data controller for its own purposes. See Creem's Privacy Policy for details.
Cloud CDN provider — encrypted file storage and delivery for gallery uploads. Files are stored on infrastructure within Europe.
Brevo — transactional email delivery (gallery notifications, expiry reminders). Brevo processes only the email address and message content necessary for delivery.

We do not use analytics platforms, advertising networks, or social media tracking pixels.

6. International data transfers

Your data may be processed outside of your country of residence by our third-party processors. Where data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms recognised under UK data protection law.

7. Data retention

Gallery files (photos, videos, messages): deleted within 30 days after the hosting period ends. You can download everything as a ZIP before expiry.
Account data (name, email): retained while your account is active and for up to 90 days after deletion to handle any outstanding support or billing matters.
Truncated IP addresses: automatically purged within 30 days of collection.
Transaction records: retained for up to 7 years as required by tax and accounting laws.

8. Your rights

Depending on your jurisdiction, you may have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate or incomplete data.
Erasure — request deletion of your personal data ("right to be forgotten").
Restriction — request that we limit how we process your data.
Data portability — receive your data in a structured, machine-readable format.
Objection — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email [email protected]. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK).

9. Data security

We implement appropriate technical and organisational measures to protect your data, including:

Encryption in transit (TLS/HTTPS on all connections).
Encrypted file storage on our CDN infrastructure.
Hashed passwords (bcrypt) — we cannot read your password.
Access controls limiting who can access production systems.
Regular security updates and dependency monitoring.

10. Cookies

We use essential cookies only:

Session cookie — maintains your login session. Expires when you close the browser or after inactivity.
CSRF token — protects against cross-site request forgery attacks.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required because we only use strictly necessary cookies.

11. Children's privacy

The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to customers with active accounts. The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this page periodically.

13. Contact

For any questions or requests related to this Privacy Policy or your personal data, contact us at:
Email: [email protected]
Website: photoboothformitzvah.com

← Back to home