Privacy Policy

Last updated: 13 April 2026

Contents

    1. Introduction

    Welcome to Gather & Group. We are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our wedding photo sharing and organisation service.

    We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy applies to all visitors, couples (account holders), and wedding guests who use our service.

    2. Who We Are

    Gather & Group is a UK-based wedding photo sharing service that allows couples to collect and organise photos uploaded by their wedding guests.

    Data Controller: For account-related data, we act as the Data Controller. For photos and guest data, the couple (account holder) acts as the Data Controller, and we act as a Data Processor on their behalf.

    If you have any questions about this policy or how we handle your data, please contact us at [email protected].

    3. Data We Collect

    3.1 Account Holders (Couples)

    When you create an account, we collect:

    • Account information: Email address, password (encrypted), name, wedding date
    • Payment information: We do not store your payment card details. Payments are processed securely by Stripe
    • Usage data: Login times, features used, gallery activity

    If you purchase photo books, we collect additional information:

    • Delivery information: Your full name, address and telephone number

    3.2 Wedding Guests

    When guests upload photos, we collect:

    • Name: The name guests provide when uploading (stored in a cookie for convenience)
    • Photos and videos: The media files guests choose to upload
    • Photo metadata: EXIF data including date/time taken, GPS location (if present), camera/device information

    3.3 Automatically Collected Data

    When you visit our website, we automatically collect:

    • Technical data: IP address, browser type, device type, operating system
    • Cookies: Essential cookies for site functionality (see our Cookie Policy)

    4. How We Use Your Data

    We use your personal data to:

    • Provide and maintain our service
    • Process payments and manage subscriptions
    • Send important service notifications (e.g., storage expiry reminders)
    • Generate thumbnails and process images for display
    • Assess image quality (blur detection)
    • For Premium users: Group similar faces together to help organise photos by person
    • Respond to your enquiries and provide customer support
    • Improve our service and fix issues

    5. Face Grouping Technology

    Important: Face grouping is only available on our Premium plan. All processing is done locally on our UK servers and face data is never shared with third parties.

    5.1 What We Do (and Don't Do)

    For Premium accounts, we use face clustering technology to help organise photos by grouping similar faces together. Here's exactly what this involves:

    What we do:

    • Detect faces within uploaded photos
    • Create numerical "face embeddings" (mathematical representations of facial features)
    • Group similar faces together into clusters (shown as "Person 1", "Person 2", etc.)
    • Create small thumbnail images of detected faces
    • Allow couples to manually add names to these groups

    What we don't do:

    • We do not perform facial recognition (identifying who someone is)
    • We do not match faces against any database of known individuals
    • We do not automatically identify or name anyone
    • We do not use face data for any purpose other than grouping photos in your gallery

    In simple terms: we group similar faces together, but we don't know who those faces belong to. Any names associated with face groups are added manually by the couple, not determined by our technology.

    5.2 Technical & Legal Classification

    Face embeddings are numerical data derived from facial features. While this is not facial recognition (which involves identifying individuals), we take a cautious approach to protecting this data:

    • Local processing: All face analysis is performed on our UK servers, not sent to third-party services
    • Purpose limitation: Face data is only used for photo organisation within your private gallery
    • Data minimisation: We store compact numerical embeddings, not detailed facial scans or images
    • Automatic deletion: Face embeddings are deleted when your gallery expires or is deleted
    • No identification: The technology groups faces by similarity - it cannot and does not identify individuals

    5.3 Guest Photo Rights

    Wedding guests should be aware that if they upload photos to a Premium gallery, face grouping may be applied to those photos to help the couple organise their gallery.

    Guests can request that their uploaded photos be removed by contacting the couple directly or by emailing us at [email protected].

    Under UK GDPR, we process your data based on the following legal grounds:

    • Contract: To provide the service you've signed up for, including face grouping for Premium plans
    • Legitimate interests: For service improvements, security, and fraud prevention
    • Legal obligation: Where required by law (e.g., financial records)

    7. Data Sharing & Third Parties

    We do not sell your personal data. We share data only with the following trusted parties:

    • Cloudflare: Website security, performance, and content delivery. Cloudflare processes request data (IP addresses, browser information) to protect our site from attacks and improve loading speeds. See Cloudflare's Privacy Policy
    • Stripe: Payment processing. See Stripe's Privacy Policy
    • SMTP2GO: Your email address and those of your guests (when entered by you) will be used to deliver emails related to our service. We use SMTP2GO to efficiently deliver these emails. See SMTP2GO's Privacy Policy
    • Gelato: Your name and address details, along with selected photos will be shared with Gelato when ordering photobooks from us. See Gelato's Privacy Policy
    • Trustpilot: Your Email address will be shared with Trustpilot to help us gather feedback and reviews in order to improve our service. See Trustpilot's Privacy Policy

    7.1 Optional Cloud Storage Connections

    If you choose to connect a cloud storage service for photo downloads, your photos may be transferred to that service. These connections are entirely optional and only activated at your request:

    When you connect a cloud service, you authorise us to transfer your photos to that service on your behalf. You can disconnect these services at any time from your account settings.

    Google Drive - Use of Google User Data

    When you connect your Google Drive account, we access, use, and store Google user data as follows:

    • Data accessed: We request permission to create files and folders in your Google Drive. We do not access, read, modify, or delete any of your existing Google Drive files
    • How we use this data: We use this access solely to create a folder for your gallery and upload copies of your wedding photos and videos to your Google Drive
    • Data storage: We securely store an OAuth token that allows us to upload files on your behalf. This token is encrypted and stored on our UK servers. We do not store copies of your Google account credentials
    • Data sharing: We do not share your Google user data with any third parties. Your photos are transferred directly from our servers to your Google Drive account

    You can revoke our access to your Google Drive at any time by disconnecting the service in your account settings, or by removing access via your Google Account permissions.

    Dropbox - Use of Dropbox User Data

    When you connect your Dropbox account, we access, use, and store Dropbox user data as follows:

    • Data accessed: We request permission to create files and folders in your Dropbox. We do not access, read, modify, or delete any of your existing Dropbox files
    • How we use this data: We use this access solely to create a folder for your gallery and upload copies of your wedding photos and videos to your Dropbox
    • Data storage: We securely store an OAuth token that allows us to upload files on your behalf. This token is encrypted and stored on our UK servers. We do not store copies of your Dropbox account credentials
    • Data sharing: We do not share your Dropbox user data with any third parties. Your photos are transferred directly from our servers to your Dropbox account

    You can revoke our access to your Dropbox at any time by disconnecting the service in your account settings, or by removing access via your Dropbox connected apps page.

    Microsoft OneDrive - Use of Microsoft User Data

    When you connect your Microsoft OneDrive account, we access, use, and store Microsoft user data as follows:

    • Data accessed: We request permission to create files and folders in your OneDrive. We do not access, read, modify, or delete any of your existing OneDrive files
    • How we use this data: We use this access solely to create a folder for your gallery and upload copies of your wedding photos and videos to your OneDrive
    • Data storage: We securely store an OAuth token that allows us to upload files on your behalf. This token is encrypted and stored on our UK servers. We do not store copies of your Microsoft account credentials
    • Data sharing: We do not share your Microsoft user data with any third parties. Your photos are transferred directly from our servers to your OneDrive account

    You can revoke our access to your OneDrive at any time by disconnecting the service in your account settings, or by removing access via your Microsoft account permissions page.

    We may also share data if required by law or to protect our legal rights.

    8. Data Retention

    We retain your data for the following periods:

    • Photos and media: Retained for your plan period (3 months for Basic, 12 months for Premium from your wedding date), plus a 30-day grace period after expiry
    • Account data: Retained while your account is active and for 30 days after deletion
    • Face embeddings: Deleted when photos are deleted or the gallery expires
    • Financial records: Retained for 7 years as required by UK law

    We send email reminders at 30, 7, 3, and 1 day(s) before your storage expires. After expiry, content is soft-deleted (hidden) and permanently deleted after 30 days.

    8.1 Backup Retention

    For disaster recovery and business continuity purposes, we maintain offline backups of our systems. These backups are retained for up to 18 months and are stored securely with restricted access.

    When you delete your data or your gallery expires, we delete it from our live systems as described above. However, deleted data may continue to exist in offline backups until those backups are naturally rotated out (up to 18 months). Manually removing specific data from offline backups is not technically practical.

    Backup data is only accessed in the event of a system failure or disaster recovery scenario, not for day-to-day operations. In the unlikely event that data is restored from a backup, any data that should have been deleted will be re-deleted promptly.

    9. Your Rights

    Under UK GDPR, you have the following rights:

    • Right of access: Request a copy of the data we hold about you
    • Right to rectification: Request correction of inaccurate data
    • Right to erasure: Request deletion of your data ("right to be forgotten")
    • Right to restrict processing: Request that we limit how we use your data
    • Right to data portability: Request a copy of your data in a machine-readable format
    • Right to object: Object to processing based on legitimate interests
    • Right to withdraw consent: Withdraw consent at any time (for consent-based processing)

    To exercise these rights, email us at [email protected]. We will respond within 30 days.

    You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

    10. Data Security

    We take data security seriously and implement appropriate measures including:

    • HTTPS encryption for all data in transit
    • Secure password hashing (bcrypt)
    • Access controls limiting who can view gallery content
    • Regular security updates and monitoring
    • Photos stored in private directories not accessible via direct URL

    While we strive to protect your data, no method of transmission over the internet is 100% secure. In the event of a data breach, we will notify affected users and the ICO as required by law.

    11. International Transfers

    Your data is primarily stored and processed in the UK. However, some of our service providers (such as Stripe) may process data in the United States or other countries.

    Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

    • Standard Contractual Clauses (SCCs) approved by the ICO
    • Data Processing Agreements with third-party providers
    • Transfers to countries with UK adequacy decisions

    12. Children's Privacy

    Our service is designed for couples planning their wedding and is not intended for children under 16. We do not knowingly collect personal information from children under 16.

    Photos uploaded by guests may include images of children attending the wedding. These are controlled by the couple (account holder), who is responsible for ensuring appropriate permissions have been obtained.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify account holders of significant changes via email. The "Last updated" date at the top of this policy indicates when it was last revised.

    14. Contact Us

    If you have any questions about this Privacy Policy or our data practices, please contact us:

    For complaints, you may also contact the Information Commissioner's Office (ICO):