In short: your memories are yours. This page explains, in plain language, what happens to your data.
Last updated: 29 May 2026
This privacy policy explains which personal data we process when you use photoloft, for what purpose, on what legal basis, and the rights you have. The EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG) apply.
The controller responsible for processing your data under the GDPR is:
Altinum Technologies® e.U., Dorf 12a, 6352 Ellmau, Austria. Company register FN 370339 t, VAT ATU65278512. photoloft is a product of Altinum Technologies® e.U.
For any privacy questions and to exercise your rights, the easiest way to reach us is:
We are not legally required to appoint a data protection officer. The contact above answers privacy requests directly.
photoloft involves three parties: you, the host of an event, and us as the operator.
For running the platform, your account, and payment, we are the controller.
For an individual event, the host decides who is invited and which photos are collected in their gallery. To that extent the host is jointly responsible for the circle of guests and the content of their gallery; we provide the technology and process the photos on their behalf.
Who is invited to an event is decided by the host alone — not by us. That is why, when setting up the event, the host expressly commits to informing their guests in advance that photos are collected via photoloft and processed there. Informing the guests beforehand is the host's responsibility; we keep a documented record of the host accepting this obligation.
To upload photos or browse a gallery, you sign in with your email address. We send you a one-time sign-in link (magic link) by email — no password needed.
We store your email address, the time of sign-in, and technical session data (e.g. your active sessions and devices) so you stay logged in and your account stays secure.
Providing your email address is required to use the service; without it you cannot take part in an event.
Legal basis: performance of a contract or pre-contractual steps, Art. 6(1)(b) GDPR.
The photos you upload are stored in the gallery of the relevant event and are visible to the other guests of that same event. Every photo is encrypted the moment it arrives and stays encrypted at rest. You can delete your own photos again at any time.
Every gallery is private: it can only be reached via the event link after signing in with your own email address — and only by the guests of that same event. Galleries are not publicly accessible and are not indexed by search engines. The contents of different events are strictly separated from one another.
By uploading, you confirm that you are allowed to share the images and that you respect the rights of the people shown (personality rights, Section 78 of the Austrian Copyright Act, UrhG). The host — not us — decides on a gallery's content: if you want to be removed from a photo, contact the host; you can delete your own uploaded photo yourself at any time. Only manifestly unlawful content can be reported to us at abuse@photoloft.app — such content we do remove.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and the legitimate interest in operating the shared event gallery (Art. 6(1)(f) GDPR).
To keep inappropriate content out of the gallery, an automatic moderation system checks every photo before it becomes visible. If the system detects e.g. violence or not-safe-for-work content, the image is filtered out with a stated reason. This check runs at a service provider in a European data centre.
Legal basis: legitimate interest in a safe and lawful gallery (Art. 6(1)(f) GDPR).
If the host enables Smart-Mode, we automatically organise photos by moments and keywords (e.g. "cake cutting", "dance floor") and put together a highlight selection, so you can find specific pictures without scrolling through thousands of photos.
This analysis also runs at AI services in European data centres. Your photos are not used to train AI models.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) or legitimate interest in a convenient gallery (Art. 6(1)(f) GDPR).
When a host buys a plan, we handle the payment through our payment provider Stripe. You enter the payment details (e.g. card data) directly with Stripe; we ourselves neither see nor store full card data. We retain invoice and accounting records as far as we are legally required to.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and compliance with tax and commercial retention obligations (Art. 6(1)(c) GDPR).
We send you service emails that are necessary for using the product: sign-in links, notifications about your event, and reminders before the storage term ends. Delivery runs through an email service provider. We do not send marketing newsletters.
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
When you access our servers, technical data is processed (e.g. IP address, time, page requested, browser type) to run the service securely and reliably and to prevent abuse. We delete these logs as soon as they are no longer needed for those purposes. For troubleshooting we also use a monitoring tool that records technical error data.
Legal basis: legitimate interest in security and reliability (Art. 6(1)(f) GDPR).
We use strictly necessary cookies only: for your sign-in (session), to protect against form abuse, and to securely display your gallery's photos in your browser. We also remember your language choice.
We do not use tracking, analytics, or advertising cookies, and we do not embed services such as Google Analytics. That is why there is no cookie banner to click away here.
Legal basis: legitimate interest in technical operation (Art. 6(1)(f) GDPR). No consent is required for strictly necessary cookies.
We do not share your data for marketing purposes. To operate the service, we work with carefully selected service providers (processors) that act only on our instructions and under a data processing agreement (Art. 28 GDPR):
We provide a current list of our service providers on request.
Your photos and content are processed and stored exclusively on servers within the European Union (Germany, backups in Finland).
Some of our service providers belong to corporate groups headquartered in the USA (e.g. Amazon, Microsoft, Stripe, Sentry). Even though processing takes place in EU data centres, access from a third country cannot be completely ruled out in every case. For such cases we rely on the European Commission's Standard Contractual Clauses and — where the providers are certified — on the EU-US Data Privacy Framework.
On top of that we protect your data technically: it is encrypted, and the corresponding key is stored split up so that no single provider can read the images.
Legal basis for transfers: Art. 44 et seq. GDPR in conjunction with appropriate safeguards.
We keep data only as long as necessary for the respective purpose:
Under the GDPR you have the following rights:
An informal message to the address above is enough. Much of this you can also do yourself directly: delete your own photos or delete your account in the dashboard. We respond within one month at the latest.
If you believe we are not processing your data lawfully, you can lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40–42, 1030 Vienna, dsb@dsb.gv.at
Automatic moderation can filter out a photo, but it has no legal or similarly significant effect on you within the meaning of Art. 22 GDPR. We do not carry out automated profiling about you.
photoloft is intended for adults. The host decides who is invited to their event.
We may adjust this privacy policy, for example when the service or the legal situation changes. You will always find the current version on this page. For material changes that affect your data, we will additionally inform you.
