Privacy Policy

How We Collect, Use and Protect Your Personal Data

Effective Date: 1 July 2025 · getursnap.com

1. Introduction

GetUrSnap is a brand of Tedora Technologies Private Limited (CIN: U72900KA2019PTC125184) ("we", "us", "our"). We are committed to protecting the privacy and security of personal data processed through the GetUrSnap platform. This Privacy Policy explains what personal data we collect from Photographers and their gallery Guests, how we use it, how long we keep it, and your rights under Indian law.

This Policy applies to all users of getursnap.com and any related services.

2. Definitions

• Photographer: A registered professional user who creates and manages galleries on GetUrSnap.
• Guest: A person who accesses a gallery using a shared link, password, or invitation.
• Personal Data: Any data about an individual who can be identified directly or indirectly.
• Data Fiduciary: GetUrSnap — the entity that determines the purpose and means of processing personal data.
• DPDP Act: The Digital Personal Data Protection Act, 2023.

3. What Data We Collect

3.1 Data Collected from Photographers

• Account Data: Full name, business name, email address, mobile number (+91 format), city, password (hashed).
• Payment Data: Transaction IDs, plan type, payment status (processed via Razorpay; we do not store full card/bank details).
• Content Data: Photos, videos, and associated metadata you upload (including EXIF data — camera make, camera model, lens, focal length, aperture, shutter speed, ISO, and capture timestamp; GPS co-ordinates embedded in files are not extracted or stored by GetUrSnap).
• Usage Data: Gallery views, feature usage, IP address, device type, browser type.
• Communication Data: Emails sent to or received from GetUrSnap support.
• Website Analytics: If you publish a website on our platform, we collect visitor analytics (hashed IP, device, traffic source) on your behalf.

3.2 Data Collected from Gallery Guests

• Registration Data: Name (required), mobile number in +91 format (optional), email address (optional).
• Gallery Activity Data: Photos viewed, photos downloaded, videos played, timestamps, IP address.
• Geolocation Data: City, region, and country derived from your IP address at the time of registration.
• Authentication Data: A secure JSON Web Token (JWT) stored in your browser's local storage for session management, valid for 30 days.

Guests: Your data is shared with the Photographer who created the gallery you are accessing. By registering to view a gallery, you consent to this sharing.

4. How We Collect Data

• Directly from you when you register, upload content, or contact us
• Automatically through local storage, log files, and device information when you use the Platform
• From Razorpay when payment transactions are completed
• From EXIF metadata embedded within photo and video files you upload

5. Cookies, Local Storage and Analytics

GetUrSnap does not use HTTP cookies for advertising or cross-site tracking. We use browser local storage (localStorage) to store authentication tokens (JSON Web Tokens) for session management. These tokens are strictly necessary for the Platform to function and cannot be disabled while using the service.

We use Google Analytics 4 (provided by Google LLC via the Firebase SDK) to understand how the Platform is used. Google Analytics may set first-party cookies (e.g.,_ga, _ga_*) in your browser to distinguish unique visitors and track session activity. These cookies are not used for advertising or cross-site tracking. Data collected includes: pages visited, time spent, device type, browser, operating system, screen resolution, approximate geographic location (derived from IP address), and user interactions (button clicks, form submissions, scroll depth). Your IP address is anonymised by Google before storage. We do not enable Google Signals, advertising features, or any data sharing with Google for ad personalisation.

In addition to Google Analytics, we collect server-side analytics using hashed identifiers for gallery and website page views. This data does not rely on third-party cookies.

You can clear your browser's local storage and cookies at any time through your browser settings. Doing so will log you out of the Platform and reset your analytics identifiers. You may also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

6. How We Use Personal Data

6.1 Photographers

• Create and manage your account and galleries
• Process payments and issue GST-compliant tax invoices
• Send transactional emails (e.g., quote accepted, payment confirmed)
• Provide customer support
• Comply with legal obligations (GST, IT Act, DPDP Act)
• Improve the Platform through anonymised usage analysis

6.2 Guests

• Authenticate your access to the specific gallery you were invited to
• Track gallery activity to provide analytics to the Photographer (views, downloads)

We will not use your data for advertising, profiling, or any purpose unrelated to delivering the gallery experience without your explicit consent.

7. Legal Basis for Processing

Under the DPDP Act 2023 and DPDP Rules 2025, we process personal data on the following bases:

• Consent (Section 6, DPDP Act): For Guests accessing galleries, and for any optional marketing communications. Consent must be free, specific, informed, unconditional, and unambiguous — obtained through a clear affirmative action (no pre-ticked boxes). You may withdraw consent at any time by emailing privacy@getursnap.com; withdrawal will not affect the lawfulness of processing carried out before withdrawal.
• Contractual Necessity: To provide the services you have purchased as a Photographer — including gallery creation, payment processing, and transactional notifications.
• Legal Obligation: To comply with GST, the IT Act 2000, CERT-In Directions 2022, and other applicable Indian laws.
• Legitimate Use (Section 7, DPDP Act): For fraud prevention, platform security, abuse detection, and enforcement of our Terms and Conditions.

We maintain records of all consent obtained. You can access, modify, or withdraw consent by contacting privacy@getursnap.com.

8. Children's Data

GetUrSnap's registration service is available only to persons aged 18 or above. By creating an account or registering as a gallery guest, you represent and warrant that you are 18 years of age or older. We rely on this self-declaration at registration; we cannot independently verify every user's age. We disclose this limitation transparently.

We recognise that wedding galleries may contain photographs and videos of minors. Such content is processed solely for the purpose of delivering it to the Photographer and their authorised guests. We do not use images of minors for any other purpose, including analytics, profiling, or training.

Under DPDP Rules 2025 (Rules 10 and 11), where we knowingly collect personal data of a child under 18, we must obtain verifiable parental consent before processing — meaning consent from a parent or lawful guardian whose identity can be verified through government-issued credentials, virtual tokens (DigiLocker), or existing identity records. If a Photographer or Guest discloses that a registered Guest is a minor, we will immediately suspend their access and request verifiable parental consent before reinstating it.

If you are a parent or guardian and believe your child's personal data has been collected without proper consent, please contact our Grievance Officer immediately at privacy@getursnap.com. We will delete such data within 72 hours of a verified request.

9. Data Sharing and Third Parties

We do not sell your personal data. We share data only in the following circumstances:

9.1 Service Providers (Data Processors)

We share data with the following processors under binding data processing agreements that mandate security safeguards, breach notification obligations, and data deletion upon termination:

• Razorpay: Payment processing. Data shared: transaction identifiers, amount, contact detail for invoice. Razorpay is subject to RBI payment data localisation requirements.
• Cloud Storage (Backblaze B2): Cloud storage of photos, videos, and processed variants. Data shared: encrypted file contents. We use Backblaze B2 as our primary storage provider. Some legacy content may remain on DigitalOcean Spaces. Both services maintain servers in the United States.
• Resend: Transactional email delivery. Data shared: email address, name, notification content.
• DigitalOcean Functions: Serverless image processing (thumbnail generation, transcoding). Data shared: storage keys and credentials required to access and process uploaded media files.
• freeipapi.com: IP-based geolocation lookup. Data shared: IP address. Used to derive approximate city, region, and country for guest analytics.
• Google Analytics / Firebase (Google LLC): Website and application usage analytics. Data shared: anonymised IP address, device and browser information, pages visited, user interactions (clicks, scroll depth), and approximate geographic location. Google Analytics may set first-party cookies in your browser. We do not enable advertising features or share data with Google for ad personalisation. Google's servers are located in the United States. Google's privacy policy applies: policies.google.com/privacy.

9.2 Photographers and Guests

Guest registration data (name, phone, email) is visible to the Photographer who created the gallery. Photo download and activity data is shared with the Photographer via their analytics dashboard.

9.3 Legal Disclosures

We may disclose data to government authorities, courts, or law enforcement agencies where required by applicable Indian law or valid legal process.

9.4 Cross-Border Data Transfers

GetUrSnap uses cloud storage and email delivery services that operate servers located in the United States (Backblaze B2 and Resend; some legacy content on DigitalOcean Spaces). Your personal data — including photos, videos, and contact details — may be stored and processed outside India as a result.

Under the Digital Personal Data Protection Act, 2023 (Section 16) and DPDP Rules 2025 (Rule 15), cross-border personal data transfers are permitted by default. India has adopted a "negative list" (blacklist) approach: personal data may be transferred to any country unless the Central Government specifically restricts that jurisdiction by notification. As of the effective date of this Policy, no country or territory has been notified as restricted. The United States, where our processors operate, is not blacklisted.

These cross-border transfer provisions are currently scheduled to come into full force by May 2027 under the phased DPDP enforcement timeline. There are no mandatory data localisation requirements applicable to GetUrSnap as a regular (non-Significant) Data Fiduciary. We do not maintain a mirror copy of your data in India unless required by law.

All cloud processors are bound by data processing agreements that require them to: (a) maintain technical and organisational security safeguards; (b) notify GetUrSnap of any data breach within 72 hours; (c) delete all personal data upon contract termination; and (d) not make personal data available to any foreign government agency except as required by applicable law. We will update this Policy within 30 days if the Central Government restricts any country where our processors operate, and we will implement any required changes to data flows promptly.

Important for Guests: By registering and providing your data to access a gallery, you acknowledge that your personal data may be stored on servers located outside India for the purpose of delivering the gallery service.

10. Data Retention

• Photographer Account Data: Retained for the duration of your active account. To request account deletion, contact support@getursnap.com.
• Gallery Content (Photos and Videos): Retained for the duration of the gallery's active period (60, 90, or 120 days depending on plan tier), unless a gallery extension has been purchased by a Client. All plans include up to 1-year total data retention from the event date. Extended galleries are retained for the purchased extension period.
• Guest Personal Data: Retained for the duration of the gallery's active period. We do not retain guest contact details beyond the gallery's active period.
• Analytics Data: Gallery interaction events and website page views are automatically deleted after 365 days (TTL-based).
• Payment Records: Retained for 8 years as required under GST and tax laws.

11. Your Rights Under the DPDP Act

As a Data Principal under the DPDP Act 2023, you have the following rights (enforceable from May 2027 under the phased enforcement timeline, though we honour them now):

• Right of Access: Request a summary of personal data we hold about you and the processing activities carried out on it.
• Right to Correction and Completion: Request correction of inaccurate, incomplete, or outdated personal data.
• Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purpose collected (subject to our legal retention obligations under GST and tax law).
• Right to Withdraw Consent: Withdraw consent for any optional processing at any time by emailing privacy@getursnap.com. Withdrawal does not affect prior lawful processing.
• Right to Grievance Redressal: File a complaint with our Grievance Officer (Section 13). If unresolved within 30 days, escalate to the Data Protection Board of India once it is operational.
• Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, contact our Privacy team at privacy@getursnap.com. We will acknowledge your request within 48 hours and respond within 30 days.

12. Security

We implement technical and organisational security measures as required by DPDP Rules 2025 (Rule 6), including:

• Passwords hashed using bcrypt (cost factor 12)
• JWT tokens with short expiry for photographer sessions (access: 1 day, refresh: 7 days)
• HTTPS/TLS encryption for all data in transit; encryption at rest provided by our cloud storage providers
• Presigned S3 URLs for direct, secure media uploads
• Rate limiting and CORS controls on all API endpoints
• Razorpay webhook signature verification

No security system is impenetrable. In the event of a personal data breach that may affect your rights, we will notify you and the Data Protection Board of India within 72 hours of becoming aware, as required by the DPDP Act 2023 (Rule 7). Additionally, under CERT-In Directions 2022, cybersecurity incidents are reported to CERT-In within 6 hours of detection.

ICT system logs are retained in compliance with CERT-In Directions 2022.

13. Grievance Officer

For any privacy complaints or data requests, please contact:

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India once it becomes operational.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or a notice on the Platform at least 30 days before they take effect. Your continued use after the effective date constitutes acceptance.

15. Contact

For general privacy enquiries: privacy@getursnap.com

For legal notices: legal@getursnap.com

Platform: getursnap.com

This policy is drafted in compliance with the Digital Personal Data Protection Act, 2023; the Digital Personal Data Protection Rules, 2025; the Information Technology Act, 2000; the IT (Reasonable Security Practices) Rules, 2011; and CERT-In Directions 2022.