Privacy Policy
Last updated: 2 June 2026
1. Data Controller
ShowCheeseShare (“we”, “our”, “us”) is the data controller for personal data processed through this service. You may reach us at support@showcheeseshare.com.
2. Data We Collect
We collect the following categories of personal data:
- Account information — your name, email address, and hashed password when you register an account.
- Uploaded media — photos and videos you upload to events, along with associated metadata (file name, size, MIME type, upload timestamp). Photos retain the EXIF metadata your camera or phone embedded (including possibly GPS location coordinates, capture time, camera make/model and lens). By default, public download links and gallery previews are served from a derived JPEG with all EXIF metadata removed; the pristine original is only served when the event owner explicitly enables the "serve originals" setting in their event configuration.
- Device cookies — small tokens stored in your browser to maintain your session, theme preference, locale, and device identity for event access.
- IP addresses — recorded in server access logs and security audit logs.
- Usage logs — actions performed within the service (file uploads, downloads, event creation) for security and auditing purposes.
3. How We Use Your Data
- To provide and operate the ShowCheeseShare service, including hosting and serving your events.
- To process, store, and deliver media uploads on your behalf.
- To send transactional emails (account confirmation, password reset, subscription receipts).
- To detect and prevent abuse, fraud, and security incidents.
- To produce aggregate, anonymised analytics to improve the service (no individual profiling).
4. Legal Basis (GDPR Art. 6)
- Consent (Art. 6(1)(a)) — account creation, cookie storage for non-essential purposes.
- Contract performance (Art. 6(1)(b)) — processing uploads, managing subscriptions, and sending transactional emails.
- Legitimate interest (Art. 6(1)(f)) — security audit logs, IP address retention for abuse prevention.
5. Data Retention
- Uploaded media — stored until the event is deleted by its owner, or until account deletion, whichever comes first.
- Account data — retained for the lifetime of the account, then purged within 30 days of deletion.
- Security and audit logs — retained for 90 days, then automatically purged.
- Device and session cookies — session cookies expire when the browser is closed; persistent cookies expire as described in Section 7.
6. Your Rights (GDPR Art. 15–22)
You have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data via your account settings or by contacting us.
- Right to erasure (Art. 17) — request deletion of your account and all associated data. Requests processed within 30 days.
- Right to data portability (Art. 20) — export your events and uploaded media in machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest (e.g., security logs).
To exercise your rights, email privacy@showcheeseshare.com or use our takedown request form. You do not need an account to file a request — anyone who appears in or holds rights to a photo on the service may submit one. We respond within 30 days as required by GDPR Art. 12(3).
7. Cookies
We use only functional cookies necessary for the service to operate. We do not use advertising or cross-site tracking cookies.
| Cookie | Purpose | Expires |
|---|---|---|
| sc_theme | Stores your preferred colour theme (dark/light). | 1 year |
| sc_locale | Stores your preferred display language. | 1 year |
| sc_session | Authenticates your logged-in session. | Session |
| sc_device_* | Identifies your device for event access without requiring login on every visit. | 30 days |
| sc_event_* | Remembers which password-protected events you have unlocked on this device. | 30 days |
8. Third Parties
- Stripe — payment processing for subscription plans. Stripe processes card data under their own privacy policy. We do not store card numbers.
- SMTP provider — transactional email delivery (account confirmation, password resets, billing receipts). Only your email address is shared.
We do not sell, rent, or share your personal data with any other third parties for marketing purposes.
9. International Data Transfers
ShowCheeseShare is hosted on servers within the European Union. If data is transferred outside the EEA (for example, through our email or payment providers), we ensure appropriate safeguards are in place — including Standard Contractual Clauses approved by the European Commission — in accordance with GDPR Chapter V.
10. Contact
For any privacy-related questions or to exercise your rights, contact us at: support@showcheeseshare.com. We aim to respond to all requests within 30 days.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where required by law, notify you by email. Continued use of the service after changes are posted constitutes your acceptance of the revised policy.