TIME&SPACE

PRIVACY POLICY

Last updated: March 2026 • Effective: March 2026

We collect minimal data to deliver face-matched photo experiences at events. Your face data is deleted after 30 days. We never sell your data. You have full control over your privacy at any time.

Who we are

TIME&SPACE is an event media platform based in Lisbon, Portugal. We provide a face-recognition photo delivery system that helps event guests find and download their photos.

Company: TIME&SPACE, Lda. (Lisbon, Portugal)

Data Controller: TIME&SPACE

Privacy Contact: privacy@timeandspace.earth

Legal Contact: legal@timeandspace.earth

What we collect

We collect only what's necessary to run the platform. Here's the breakdown:

Account data (organisers & photographers)

  • Name, email address, and account details
  • Hashed password (if you use password login)
  • Profile information: location, website, bio, social links
  • Payment information (handled securely by Stripe — we don't store your card)

Event data

  • Photos you upload to events
  • Event details: date, location, title, description
  • Event settings: watermark preferences, brand colours, retention period
  • Photo metadata: filename, size, EXIF data (date taken, camera model)

Biometric data (face recognition) — see section below

  • Selfies taken by guests when they scan the QR code
  • Face embeddings (mathematical vectors, not images)
  • Explicit consent is required before any face processing

Guest data (participants)

  • Email address (optional, only if you want match notifications)
  • Matched photos from the event
  • Download history
  • No account is created — guests remain anonymous

Usage & analytics data

  • Download counts, scan counts, view counts
  • Device type and browser (for platform improvements)
  • IP address (for fraud prevention and analytics only)
  • No personally identifiable information is collected

Biometric data (face recognition)

Your face data is protected under GDPR Article 9 (special category data). Here's how we handle it:

What is a face embedding?

A facial embedding is a mathematical representation of your face (512 numbers). It is not a photo of your face — it cannot be reverse-engineered into an image. It's similar to a fingerprint: unique, but not revealing.

How it works

  1. You take a selfie at the event by scanning the QR code
  2. We convert your face into a mathematical embedding
  3. We match that embedding against all event photos
  4. We show you the photos where you appear
  5. Your original selfie image is automatically deleted after 30 days
  6. The embedding is deleted when the event ends

Your consent rights

  • Explicit consent: You must actively agree before your face is processed
  • Optional: You can browse the event gallery without scanning your face
  • Withdraw anytime: Contact us to withdraw consent and delete your face data
  • No retaliation: Refusing face recognition doesn't prevent you from finding photos by browsing

Data deletion timeline

  • Selfie image: Deleted automatically after 30 days
  • Face embedding: Deleted when the event ends or you withdraw consent
  • Consent log: Retained for legal compliance (GDPR proof of consent)

No sharing of biometric data

Your face embedding is used only for photo matching. We never share it with third parties, never use it for marketing or advertising, and never build a face database for surveillance.

How we use your data

  • Photo delivery: Match your selfie to event photos and show you your gallery
  • Communications: Send match notifications, account updates, and support responses
  • Platform improvement: Analyze usage patterns to make the platform better (face recognition accuracy, UI improvements)
  • Event analytics: Provide organisers with aggregate stats (total scans, downloads) — never individual guest data
  • Security: Detect and prevent fraud, abuse, and unauthorized access
  • Legal compliance: Retain records as required by law

Who we share data with

We do not sell your data. Data is processed by trusted service providers only:

Supabase (EU)

Database, storage, authentication. Supabase is GDPR-compliant and EU-hosted.

Vercel (US/Global CDN)

Application hosting and content delivery. Data transferred via Standard Contractual Clauses (SCCs).

Stripe (US)

Payment processing. We do not store card data. Stripe is PCI-DSS compliant.

Resend (US)

Transactional email delivery (match notifications, account alerts). Data transferred via SCCs.

Anthropic (US)

AI-powered features (e.g., photo tagging, captions). Optional and non-essential to core functionality.

Railway (US)

Logo detection microservice. Data transferred via SCCs.

How long we keep your data

Selfie images

Deleted automatically after 30 days

Face embeddings

Deleted when the event ends or you withdraw consent

Event photos

Kept for the event's retention period (configurable: 30, 90, or 365 days). Default: 180 days

Account data

Retained until you request deletion. You can delete your account anytime.

Consent logs

Kept indefinitely for legal compliance (GDPR proof of consent)

Payment records

Kept for 7 years (Portuguese tax law)

Analytics

Anonymised aggregate data kept for service improvement

Your rights

Under GDPR and similar privacy laws, you have these rights:

Right to access

Request a copy of all data we hold about you in a portable format (CSV, JSON)

Right to deletion ("right to be forgotten")

Request deletion of your account, photos, face data, or consent logs. We will delete within 30 days (some data kept for legal reasons).

Right to correction

Update your account information through your dashboard or request corrections via email

Right to restrict processing

Request that we stop using your data (except for legal obligations)

Right to data portability

Export your data in a machine-readable format to move to another service

Right to object

Opt out of marketing emails, analytics, and certain legitimate interest processing

Right to withdraw consent

Withdraw consent for face recognition anytime. No penalty.

To exercise any of these rights, email privacy@timeandspace.earth with your request. We will respond within 30 days.

International data transfers

TIME&SPACE is based in the EU (Portugal), and most data is stored in the EU (Supabase). Some processors are based outside the EU (US).

When we transfer data outside the EU, we use Standard Contractual Clauses (SCCs) to ensure equivalent protection. For US processors, we rely on adequacy decisions or adequacy mechanisms.

You have the right to know which countries your data travels to. Contact privacy@timeandspace.earth for a list of all data processors and their locations.

Cookies

Cookies are small files stored on your device. We use them minimally:

Essential cookies

Session tokens (NextAuth), CSRF protection. These are required for security and cannot be disabled.

Analytics cookies

Optional. Used to understand how you use the platform (e.g., which pages are popular). You can opt out.

No advertising cookies

We do not use cookies to track you across websites or show ads.

Children

TIME&SPACE is not intended for children under 16 in the EU (or 13 in the US). We do not knowingly collect data from minors.

If a child uses the platform at an event, parents/guardians must provide consent for face recognition (via the parent/guardian account or explicit approval at the event).

Contact & complaints

Contact us

Privacy inquiries: privacy@timeandspace.earth

General inquiries: hello@timeandspace.earth

Address: Lisbon, Portugal

Supervisory authority

If you have privacy concerns, you can lodge a complaint with your data protection authority:

Portugal: CNPD (Comissão Nacional de Proteção de Dados)
EU: Contact your national data protection authority (search at edpb.ec.europa.eu)

You also have the right to use the EU Online Dispute Resolution platform for disputes.

Changes to this policy

We may update this policy. Material changes will be announced via email and on this page. Continued use after changes means you accept the new policy.
