Privacy Policy

Last updated: February 10, 2026

This Privacy Policy explains how FrameFast (including the FrameFast Studio iOS app and all FrameFast websites and services, collectively, the “Service”) collects, uses, discloses, and protects personal data.

Important: FrameFast is built for event photography distribution and may process biometric data (face recognition) when event participants upload a selfie to find their photos. We require explicit consent for this processing.

1) Who we are (Data Controller)

Data Controller: FrameFast
Contact: contact@framefast.io

2) Personal data we collect

Photographers (Studio/Dashboard users)

  • Account data: name, email, account identifiers (e.g., Clerk user ID).
  • Event data: event name, dates, settings, and related identifiers.
  • Uploaded content: event photos you upload to the Service and related metadata we derive for processing (e.g., image dimensions, file size, and limited EXIF-derived metadata).
  • Consent records: timestamps and IP address (if available) for certain consent actions.
  • Payments: purchase records and payment-related identifiers (e.g., Stripe customer ID, Stripe session ID). We do not store full card numbers; payment processing is handled by payment providers.
  • Device/app permissions (FrameFast Studio): local network access and camera access are requested by the iOS app to connect to and download photos from cameras via USB/WiFi and to support related workflows.

Event participants (public event pages)

  • Selfie image: when you use “find my photos”, you may upload a selfie image.
  • Biometric data: we (or our face-recognition service provider) process facial features extracted from the uploaded selfie to match photos within a specific event.
  • Search records: event ID, consent timestamp, your IP address (if available), and the resulting matched photo IDs.
  • Downloads: we may log download requests for abuse prevention and rate limiting.

3) How we use personal data

  • Provide and operate the Service (upload, processing, hosting, and delivery of photos).
  • Perform face recognition searches within a specific event when a participant uploads a selfie and provides consent.
  • Process payments and maintain credit balances (where applicable).
  • Maintain security, prevent fraud/abuse, and enforce rate limits.
  • Monitor reliability and fix bugs (e.g., error monitoring).
  • Comply with legal obligations and respond to lawful requests.

Where Thailand’s Personal Data Protection Act B.E. 2562 (PDPA) applies, we process personal data on one or more of the following bases:

  • Contract: to provide the Service to photographers.
  • Consent: for face recognition searches (biometric data) and other cases where consent is required.
  • Legitimate interests: to secure and improve the Service (e.g., abuse prevention).
  • Legal obligation: where we must comply with applicable laws.

5) Sensitive personal data (biometrics)

Face recognition involves biometric data, which may be considered sensitive personal data under the PDPA. We require explicit consent from participants before processing a selfie for face recognition, and we limit processing to the purpose of finding matching photos for the relevant event.

We do not use participant selfies or face recognition data to train machine-learning models.

6) How we share personal data

We share personal data only as needed to operate the Service, including with:

  • Cloud infrastructure and storage: to store and deliver photos and selfies (e.g., object storage/CDN).
  • Face recognition providers: to perform face detection/search for a specific event (a face-recognition service provider, which may be operated by us or a third party).
  • Authentication: to manage user login and identity (e.g., Clerk).
  • Payments: to process payments (e.g., Stripe, Apple In-App Purchase where used).
  • Error monitoring: to detect and fix reliability issues (e.g., Sentry).

We do not sell personal data.

7) International transfers

Our service providers and infrastructure may process or store personal data outside Thailand. For example, our primary database is hosted on Neon (Singapore), and photos/selfies are stored in Cloudflare R2 (Singapore). Face-recognition processing (if used) may be performed by a face-recognition service provider in the regions used to operate that service. Where applicable, we take steps intended to ensure an appropriate level of protection for cross-border transfers in line with the PDPA.

8) Retention

We retain personal data only as long as necessary for the purposes described above, including for security and compliance. By default, events and associated content are designed to expire after a limited retention period (for example, events are configured to expire after approximately 30 days, and deletion workflows may include an additional grace period for operational cleanup).

Exact retention may vary based on configuration, event lifecycle, and legal requirements. If you need urgent deletion, contact us at contact@framefast.io and include any relevant details (such as the event name/link and what you want deleted). We will handle urgent deletion requests as soon as reasonably possible.

9) Security

We implement reasonable technical and organizational measures to protect personal data, including access controls, encryption in transit, and restricted access to systems.

10) Your rights (PDPA)

Subject to applicable law, you may have rights to:

  • access and obtain a copy of your personal data;
  • request correction of inaccurate data;
  • request deletion/erasure or destruction of data;
  • request restriction of processing;
  • object to processing in certain circumstances;
  • withdraw consent (where processing is based on consent); and
  • data portability (where applicable).

To exercise these rights, contact us at contact@framefast.io. We may need to verify your identity before responding.

11) Cookies and similar technologies

Our websites use cookies or similar technologies that are necessary to operate the Service (for example, security and basic site functionality). We may also use analytics cookies to understand usage and improve the Service. As of February 10, 2026, we have not finalized which analytics providers (if any) we use; if enabled, we will disclose them via our cookie banner/settings and update this policy. Where required, we will request consent for non-essential cookies and provide choices/controls.

12) Children

The Service is not intended for children. If you believe a child has provided personal data, please contact us.

13) Changes

We may update this Privacy Policy from time to time. We will post the updated version and update the “Last updated” date.

14) Contact

For privacy questions or requests, contact: contact@framefast.io