Privacy

FotoMemoris is operated by LYKOS Desenvolvimento de Softwares LTDA, headquartered in Brazil. Under the Brazilian General Data Protection Law (LGPD, Law 13.709/2018), LYKOS is the Controller of the personal data processed on this platform.

For anything involving your personal data, write to contact@lykoscompany.com.

This document describes what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have. It applies both to people who create events (hosts) and people who contribute photos and videos (guests).

We collect only what is needed to operate FotoMemoris. Broken down by who you are:

From the host: name, email, phone number (also used for SMS login), event settings (name, date, capacity, reveal and privacy rules), and history of events created. At payment time, Mercado Pago may request additional data such as tax ID (CPF) and billing address; that data is handled directly by Mercado Pago. Payment data (card number, expiration, CVV, PIX data) is processed directly by Mercado Pago and never passes through our servers; we only receive a transaction identifier and a payment status.

From the guest: an anonymous session identifier (generated when the guest opens the event link or QR Code), photos and videos uploaded, and, optionally, a phone number if the host has enabled SMS verification for their event.

Automatic technical data: IP address (used only for security and diagnostics; masked in metrics), device and browser type, language and time zone, pages you visit on our site, and technical error reports.

What we do not collect: precise device location, data from other apps, your contact list, or sensitive data (race, religion, health) unless you voluntarily choose to upload that as a photo or video.

Every processing activity has a legal basis under the LGPD:

• Operating the event you created (creating, configuring, revealing the album, generating QR/link): performance of contract (art. 7, V).
• Processing event payment: performance of contract (art. 7, V).
• Issuing receipts and meeting tax obligations: compliance with legal obligation (art. 7, II).
• Preventing fraud, abuse, and misuse: legitimate interest (art. 7, IX).
• Sending operational communications about your event (reveal, expiration warning, support): performance of contract (art. 7, V).
• Marketing emails about product updates: consent (art. 7, I), with simple opt-out in every email.
• Automatic AI moderation when the add-on is enabled: consent at the time of activating the add-on (art. 7, I).

We use data exclusively to operate the service: reveal the album at the configured moment, enable high-resolution download, process payments, prevent abuse, provide support when you reach out, and improve the product through aggregated and anonymized metrics.

What we never do: sell your personal data to third parties, share with behavioral advertising networks, or use your photos to train artificial intelligence models (ours or anyone else's).

We only share data with essential providers needed to operate FotoMemoris, and only what is required for each one's specific function. These providers act as data processors under the LGPD and are contractually bound to process data only as we instruct.

• Firebase (Google Cloud): authentication, database, current media storage, and push notifications.
• Cloudflare R2: media storage in a future scale phase (when enabled, we will update this policy).
• Mercado Pago: payment processing (PIX, credit card with installments, boleto). Card and PIX data are handled exclusively by Mercado Pago under PCI DSS certification.
• SMS provider (Twilio or equivalent): verification codes when the host enables the SMS add-on.
• AI moderation provider (Google Cloud Vision SafeSearch or equivalent): automated content analysis when the host enables the moderation add-on.

We may also share data in two specific situations: when required by a Brazilian court order or for compliance with legal obligations; or in case of an acquisition, merger, or asset sale of LYKOS, in which your data may be transferred to the new controller, with prior notice and preserving the conditions of this policy.

Since we use Google (Firebase) and Cloudflare services, part of your data may be stored or processed on servers outside Brazil, primarily in the United States and Europe. These providers adopt standard contractual clauses and other mechanisms recognized by Brazil's National Data Protection Authority (ANPD) to ensure a level of protection equivalent to that of the LGPD.

For specific details about transfers related to your data, write to contact@lykoscompany.com.

• Event album (photos and videos): 30 days from the day of the event, on the standard plan. With the extended retention add-on, it stays available for 1 year (also counted from the day of the event).
• Host account: kept while the account is active. When you request deletion, personal data is removed within 30 days.
• Guest session: the anonymous session identifier expires in 90 days. Uploaded photos remain attached to the event album, but guest identification is anonymized when the session expires.
• Receipts and accounting records: 5 years (Brazilian tax compliance).
• Security logs (masked IPs, authentication events): 6 months.
• Operational backups: up to 90 days after deletion of primary data.

We adopt technical and organizational practices aligned with market best practices to protect your data: encryption in transit (TLS 1.3), encryption at rest (AES-256, the standard of the providers we use), role-based access control for internal staff, and access logs for sensitive data.

Our team does not access the content of your photos manually. The only exceptions are investigations of abuse reported by another guest or host, or compliance with a court order.

If we identify a security incident that may significantly affect your personal data, we will notify you and the ANPD within 72 hours, as required by the LGPD.

We use cookies and local storage only for what is necessary to operate the platform: keeping you authenticated, identifying the guest session during an event, and remembering your language preference.

We do not use behavioral advertising cookies or third-party trackers for cross-site marketing. Our internal analytics is configured to collect aggregated metrics without personal identification.

FotoMemoris is not intended for children under 13. For users between 13 and 18, use depends on consent and supervision by legal guardians.

If we identify a registration by a child under 13 without guardian consent, we will remove the data immediately. If you suspect such a situation, notify us at contact@lykoscompany.com.

The LGPD guarantees you a set of rights over your personal data. At any time, you can:

• Confirm whether we process your data.
• Access the data we hold about you.
• Correct incomplete, inaccurate or outdated data.
• Request anonymization, blocking or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD.
• Request portability of your data to another provider.
• Delete data processed on the basis of your consent (preserving legal obligations that require retention).
• Obtain information about entities with whom we share your data.
• Be informed about the possibility of not providing consent and its consequences.
• Revoke consent previously given.

To exercise any of these rights, write to contact@lykoscompany.com. We respond within 15 business days.

We recognize equivalent rights for visitors from other jurisdictions:

European Union and United Kingdom (GDPR / UK GDPR): you have the rights of access, rectification, deletion, portability, restriction, objection to processing, and the right to lodge a complaint with the national data protection authority of your country.

California (CCPA/CPRA): you have the rights to know, delete, correct, and opt out of the "sale" or "sharing" of your data (we do neither). We do not discriminate against the exercise of these rights.

To exercise any of these rights, use the same channel: contact@lykoscompany.com.

When we make editorial or clarifying changes, we update the date at the top of this page and publish immediately.

When we make material changes, meaning changes that affect how we treat your data, we will notify you by email at least 30 days before the new version takes effect.

A history of previous versions is available upon request.

Email: contact@lykoscompany.com.

Support response within 48 business hours. Response to LGPD data subject requests within 15 business days.