RareCapture
+91
Legal

Privacy Policy

This policy explains what personal data RareCapture collects, why we collect it, how we protect it, and the choices you have as a user on our platform.

Last updatedJune 2026

Biometric data notice

If you use the face-matching feature for an event, please read Section 4 — and make sure your attendees have consented to facial-data processing.

1. Introduction

RareCapture ("we", "us", or "our") operates the RareCapture platform — a SaaS service designed for professional photography studios to manage events, deliver photos to clients, and run studio operations. This Privacy Policy applies to all users of the RareCapture platform, including Studio Admins, Studio Members, Personal Users, and event attendees.

By registering for or using RareCapture, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of the platform immediately.

This policy should be read alongside our Terms & Conditions, which govern the overall use of our service.

2. Data We Collect

We collect the following categories of information when you use RareCapture:

Account & Identity Information

  • Full name and email address
  • Phone number (optional, used for WhatsApp OTP verification)
  • Profile photograph (optional, uploaded by you)
  • Hashed password (we never store plaintext passwords)
  • Account role (Studio Admin, Studio Member, or Personal User)
  • Studio name, branding preferences, and studio URL

Event & Operational Data

  • Events you create: title, date, location, cover photo
  • Photographs uploaded to events (JPEG / PNG)
  • Participant information submitted by attendees: name, email address, phone number
  • Watermark preferences, storefront template selections

Billing & Payment Information

  • Subscription plan and billing period — managed through our third-party payment processor; we do not store raw card numbers on our servers
  • Transaction amounts, currency, and status records
  • GST/business name if voluntarily provided for invoice generation

Technical & Usage Data

  • IP address, browser type, and device information
  • Session tokens (JWT) for authentication
  • Platform activity logs (e.g. uploads, event creation, login timestamps)

Biometric-Derived Data

Where event attendees use the photo-matching feature, their reference selfies and the resulting face representation data are processed and stored. This is described in full in Section 4.

3. How We Use Your Data

We use the information we collect for the following purposes:

  • Service delivery — to operate your studio account, process event photos, and match attendees to their photographs
  • Authentication & security — to verify your identity via OTP and maintain secure sessions
  • Billing & subscriptions — to process payments, manage plan entitlements, and generate receipts
  • Notifications & communications — to send account-related alerts (plan expiry, quota warnings, OTP codes) via email or WhatsApp
  • Platform improvement — to monitor performance, fix bugs, and improve the service based on usage patterns
  • Legal compliance — to meet applicable legal obligations, including tax record retention

We do not use your data for advertising profiling, sell it to third parties, or use it for purposes unrelated to operating RareCapture.

4. Biometric & Face Data

This section describes how RareCapture processes biometric information. As a Studio Admin or Studio Member, you are responsible for informing your event attendees that their facial data will be processed and for obtaining their explicit consent before using the photo-matching feature.

What Is Processed

When an event attendee uploads a reference selfie to locate their photos, our platform processes that image to generate a mathematical representation of the facial features present in the photograph. This representation (a numerical vector derived from facial geometry) is stored in our database and used exclusively to match the attendee to photos taken at the event.

Event photos uploaded to the platform are also analysed to identify faces within them. The resulting representations are compared to attendee reference data to produce match results.

What Is Stored

  • Reference selfie photographs — original images uploaded by attendees, stored on the platform's secure file storage
  • Derived facial representations — numerical vectors extracted from facial geometry; these are not photographs but mathematical abstractions used solely for comparison
  • Match results — the outcome of each comparison (matched or not matched, similarity score)
  • Event photographs — original images and, where applicable, watermarked versions

Retention of Biometric Data

Facial representations derived from reference selfies are retained for as long as the attendee's account or participation record remains active on the platform. Attendees may request deletion of their reference photos and associated derived data through the event portal or by contacting us directly.

Event photos and their associated facial representations are retained only while the event gallery remains active. Each event carries an expiry date; once it passes, the event is moved to Trash and then permanently and irreversibly purged — photos and derived face data alike — from our servers and cloud storage 30 days later. A Studio Admin or platform administrator may also delete an event or individual photos sooner. We do not retain unassigned biometric or facial data beyond this lifecycle.

Studio Admin Responsibilities

By enabling the photo-matching feature for any event, you as the Studio Admin acknowledge and agree that:

  • You have obtained, or will obtain, informed consent from each attendee before their facial data is processed
  • Your data collection practices comply with applicable laws in your jurisdiction, including any biometric privacy laws (such as DPDPA, GDPR, BIPA, or equivalent regional legislation)
  • You will maintain a clear privacy notice for event attendees explaining how their facial data is used
  • You will delete event data and participant records when they are no longer needed for the stated purpose

Processing Location

All facial analysis is performed on infrastructure controlled by RareCapture. We do not share raw photographs or facial representations with any external AI cloud service. Processing occurs entirely within our own server environment.

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share information only in the following limited circumstances:

Service Providers

  • Payment processing — subscription and top-up payments are processed by a third-party payment gateway. We share your billing information with this provider solely to complete transactions. Their privacy practices are governed by their own policies.
  • Communication delivery — transactional emails (OTP codes, billing alerts) are transmitted via a third-party email delivery service. WhatsApp OTP messages are delivered via a third-party messaging API. These providers process the minimum data necessary to deliver messages on our behalf.

Legal Requirements

We may disclose personal data if required to do so by law, court order, or a government authority, or where necessary to protect our legal rights, prevent fraud, or protect the safety of users.

Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, user data may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.

No Advertising Networks

We do not share your data with advertising networks, data brokers, or social media platforms for marketing or behavioural profiling purposes.

6. Data Retention

We retain personal data for as long as necessary to provide the service and comply with our legal obligations. Specific retention periods are as follows:

  • Account data — retained for the duration of your active account. Upon account deletion, account data is soft-deleted and permanently purged within 90 days, except where retention is required by law.
  • Billing records — payment transaction records are retained for a minimum of 7 years for tax and audit compliance purposes.
  • Event photos & face representations — retained only while the event gallery is active. Every event has an expiry date; on expiry the event moves to Trash and is then permanently purged from our servers and cloud storage 30 days later (a Studio Admin or platform administrator may also delete it sooner). Studios are responsible for downloading any data they wish to keep before this purge.
  • OTP codes — verification codes expire automatically within 10 minutes of issuance and are purged from the database thereafter.
  • Log data — server and application logs are retained for up to 90 days for security and debugging purposes.

Data Retention Pipeline: We only retain event photos and related analytical data for as long as the specific event gallery remains active. Once an event expires, all associated photos and data are moved to a temporary deletion queue (Trash) and are permanently destroyed from our servers and cloud storage within 30 days. We do not store unassigned biometric or facial data beyond this lifecycle.

7. Your Rights & Choices

Studio Admins are also data controllers in their own right with respect to event attendee data. Attendees seeking to exercise rights over their personal data (including facial data) should contact the studio that organised their event in the first instance.

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of your personal data, subject to legal retention obligations
  • Right to restrict processing — request that we limit how we use your data in certain circumstances
  • Right to data portability — request your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at support@rarecapture.pro. We will respond within 30 days of receiving a verifiable request.

8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • Encryption of data in transit using TLS
  • Bcrypt hashing of all user passwords
  • JWT-based session management with server-side session invalidation
  • Role-based access controls limiting data access to authorised personnel
  • Single concurrent session enforcement for platform administrator accounts
  • OTP-based verification for sensitive account actions

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.

9. Cookies & Tracking

The RareCapture platform uses the following types of cookies and local storage:

  • Authentication tokens — JWT tokens stored in browser local storage to maintain your logged-in session. These are strictly necessary for the platform to function.
  • Preferences — theme selection (light/dark mode) and other UI preferences stored locally on your device.
  • Rate limiting state — OTP request counts stored in local storage to enforce usage limits per user.

Engagement Analytics

On public event galleries and studio storefronts we record aggregate engagement events — page and gallery views, photo downloads, video plays, and clicks on a studio's social, website or WhatsApp links — so studios can understand how visitors interact with their galleries. These are aggregate counts and are not used to build advertising profiles of individual visitors.

We do not use advertising cookies, third-party tracking cookies, or analytics services that profile individual users. Essential storage cannot be disabled without preventing the platform from functioning correctly.

10. Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. When we make material changes, we will notify you by:

  • Posting a notice within the RareCapture platform
  • Sending an email notification to the email address associated with your account
  • Updating the "Last Updated" date at the top of this page

Your continued use of the platform following notification of material changes constitutes your acceptance of the updated policy. If you do not agree to the revised policy, you must cease using the platform and may request deletion of your account.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us:

Privacy, legal & general support: support@rarecapture.pro

We aim to respond to all privacy-related enquiries within 5 business days and to fulfil verified data rights requests within 30 days.

Your continued use of RareCapture means you accept this Privacy Policy. We review it periodically and will post any material changes here.