Privacy Policy

Effective date: May 8, 2026

1. Who we are

This Privacy Policy explains how DOTENVTECH SOLUTIONS LLP (“InstaPhotoAI”, “we”, “us”) handles personal data in connection with the InstaPhotoAI website, desktop application and hosted services (the “Service”).

We act as a data controller for studio account information and as a data processor for the photographs and biometric embeddings that studios upload on behalf of their event guests.

2. What we collect

  • Studio account data: your email address, password (stored only as a salted bcrypt hash), studio name, display name, and the username/slug derived from them.
  • Billing data: plan, invoice history, payment status. Card and bank details are handled by Razorpay (see “Third parties” below) and never stored on our servers.
  • Photos you upload: the original-resolution images and any previews/thumbnails generated from them.
  • Face embeddings: numerical vectors computed from faces detected in uploaded photos and from guest selfies. Embeddings are not photographs and cannot be reversed into one, but they can match the same person across photos and so are treated as biometric data.
  • Guest selfies: the selfie image is processed to compute an embedding and is then discarded; only the embedding is retained, scoped to the event.
  • Operational logs: IP address, user-agent, timestamps, error traces. Used to debug issues, prevent abuse, and satisfy security obligations.

3. Why we collect it

  • To provide the Service: hosting albums, matching faces, generating invoices.
  • To secure the Service: detecting abuse, rate-limiting, fraud signals on payments.
  • To support you: replying to support@instaphoto.ai requests.
  • To comply with law: tax records, requests from law enforcement that meet legal standards.

We do not sell personal data. We do not use guest selfies, face embeddings or photos to train any AI model.

4. Retention

  • Studio account data: retained while your account is active and for up to 12 months after closure for tax and audit purposes.
  • Photos and face embeddings: retained while the corresponding event is active. After studio cancellation we keep them for 30 days as a grace period, then delete them. Backups are rotated out within an additional 30 days.
  • Guest selfie images: deleted within seconds of the embedding being computed. We never persist the selfie photograph.
  • Logs: retained for up to 90 days, then aggregated or deleted.

5. Third parties (sub-processors)

We use the following sub-processors. Each is bound by appropriate data-processing terms:

  • MongoDB Atlas (cloud database) — stores studio metadata, event records and face embeddings.
  • Cloudflare R2 (object storage) — stores uploaded photographs and generated previews.
  • Qdrant Cloud (vector database) — indexes face embeddings for fast similarity search.
  • Razorpay (payments) — processes subscription and usage charges, handles refunds, and is the sole holder of card and bank details.

6. Your rights

Depending on where you are located, you may have rights to access, correct, delete, export, restrict processing of, or object to our processing of your personal data. Indian users have rights under the Digital Personal Data Protection Act, 2023 (DPDP), including the right to grievance redressal.

To exercise any of these rights, write to support@instaphoto.ai from the email address on file. We will verify your identity, respond within 30 days, and explain in writing if a request is partially or fully refused.

7. Data deletion requests

Studios can delete events and their associated photos and embeddings at any time from the desktop application or the studio dashboard. To request deletion of an entire studio account, write to support@instaphoto.ai with the subject line “Account deletion request”. We will confirm receipt and complete deletion within 30 days, subject to legal hold and tax-record obligations.

Event guests who want their face embedding deleted should contact the studio that organised the event. Studios are required to honour such requests promptly. If a studio does not respond, you may escalate to support@instaphoto.ai and we will act as a backstop.

8. Cookies

We use a single first-party session cookie (ipa_session) to keep you signed in. It is HTTP-only, marked Secure in production, and SameSite=Lax. We do not use third-party advertising cookies on this site. Razorpay may set cookies on its own checkout domain when you make a payment; those cookies are governed by Razorpay’s policy.

9. Security

All traffic to the Service uses TLS. Passwords are stored only as salted bcrypt hashes. Face embeddings are stored in databases that are not publicly accessible. Access to production data is restricted to authorised personnel and audited. No system is perfectly secure; if you discover a vulnerability, please disclose it responsibly to support@instaphoto.ai.

10. International transfers

We are based in India. Some of our sub-processors operate in other regions (typically the United States and the European Economic Area). Where personal data crosses borders, we rely on the safeguards offered by the sub-processors’ data transfer agreements and on applicable Indian law.

11. Children

The Service is not directed at children under 18. Studios are responsible for ensuring that any biometric processing of minors at events is supported by parental or guardian consent in line with applicable law.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will update the effective date above and, for material changes, give reasonable notice (for example, by email or an in-app notice).

13. Contact and grievance officer

For privacy questions, complaints or to exercise your rights, contact the grievance officer at support@instaphoto.ai. Postal correspondence can be addressed to DOTENVTECH SOLUTIONS LLP at the address listed on our website footer.
