Grinfetti logo

Privacy Policy

Last updated: 2 June 2026

This Privacy Policy explains how Grinfetti ("we", "us", or "our") collects, uses, stores, and shares personal information when you use our website, admin dashboard, mobile and tablet applications, APIs, and related services (collectively, the "Service"). It applies to account holders who manage events on Grinfetti. Guest attendees at your events interact with the Service through your events; their data is primarily controlled by you as the event host, as described below.

By using the Service, you acknowledge this Privacy Policy. If you do not agree, please do not use the Service.

1. Who is responsible for your data

Your account data.For information relating to your Grinfetti account (such as your name, email, and billing), we are the responsible party for personal information under applicable law (for example, the operator of the Service under the Protection of Personal Information Act, 2013 ("POPIA") in South Africa).

Guest and event data. When you run events, you decide what guest information to collect (for example, guest names, photos, and email addresses for gallery links). You are responsible for telling guests how their data will be used, obtaining any required consents, and complying with privacy laws that apply to your event. We process guest data on your instructions to provide the Service (for example, storing photos, generating gallery links, and sending emails you trigger).

If you have questions about guest data at a specific event, contact the event host first. For questions about how Grinfetti processes data on behalf of hosts, contact us using the details in Section 14.

2. Information we collect

Depending on how you use the Service, we may collect:

Account and profile information

  • Name and email address
  • Sign-in details (password hash, or identifiers from supported providers such as Google or Apple)
  • Profile image, if you provide one or one is supplied by a sign-in provider
  • Account preferences and settings

Event and content information

  • Event names, dates, branding, and configuration you set up
  • Photos captured or uploaded through booth apps and the admin dashboard
  • Guest display names entered at the booth
  • Email addresses you or guests provide for gallery notifications (for example, when a guest requests their gallery link by email, or when you send a gallery email from your account)
  • Slideshow and gallery assets you upload or curate

Billing information

  • Subscription and purchase records (plan type, credits, transaction references). Payment card details are collected and processed by our payment provider (currently Paystack), not stored in full on our servers
  • Billing email and related metadata needed to manage your plan

Technical and usage information

  • Device type, app version, and general usage needed to operate and secure the Service
  • IP address, timestamps, and server logs
  • Authentication session cookies or tokens that keep you signed in to the admin dashboard
  • Error and performance data needed to diagnose issues

3. How we use information

We use personal information to:

  • Create and manage your account and authenticate you
  • Provide event, gallery, slideshow, and booth features you configure
  • Store, process, display, and transmit photos and related content
  • Send gallery notification emails when you or a guest requests them
  • Process payments, subscriptions, and event credits
  • Provide support and respond to enquiries
  • Protect the Service, prevent abuse, and enforce our Terms & Conditions
  • Improve reliability and develop new features
  • Comply with legal obligations

We do not sell your personal information. We do not use guest photos for advertising profiling. We do not send marketing emails to guests unless you initiate a communication through the Service (such as a gallery link email).

4. Legal bases for processing

Where applicable law requires a legal basis, we rely on:

  • Contract: processing needed to provide the Service you signed up for
  • Legitimate interests: securing and improving the Service, fraud prevention, and internal reporting, balanced against your rights
  • Consent: where you or your guests have given consent (for example, a guest entering an email to receive a gallery link), or where law requires consent
  • Legal obligation: where we must retain or disclose information by law

Under POPIA, we process personal information lawfully and in a manner that does not infringe your privacy. You may object to certain processing where the law allows.

5. How we share information

We share personal information only as needed to operate the Service:

  • Service providers who host infrastructure, store files, deliver email, process payments, or provide authentication (for example, cloud hosting, object storage, Paystack, and sign-in providers). They may only use data to perform services for us under appropriate safeguards
  • Event hosts and guests: photos and gallery links are visible according to your event settings (for example, public gallery links you share)
  • Legal and safety: if required by law, court order, or to protect rights, safety, and security
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this Policy or notice to you

We do not share guest personal data with unrelated third parties for their own marketing.

6. International transfers

We may process and store information in South Africa and in other countries where our service providers operate. Where personal information is transferred across borders, we take steps reasonably required by applicable law (such as ensuring appropriate safeguards with processors).

7. Retention

We keep personal information for as long as your account is active and as needed to provide the Service, resolve disputes, enforce agreements, and meet legal requirements.

  • Event photos and guest sessions remain until you delete them, delete the event, or delete your account
  • When you delete your account, we remove or anonymise account data and delete associated events and stored files as described in the product, subject to limited retention where the law requires (for example, billing records)
  • Server logs and security records may be kept for a limited period for operations

8. Security

We use technical and organisational measures designed to protect personal information, including access controls, encryption in transit where supported, and secure handling of credentials. No method of transmission or storage is completely secure; you are responsible for keeping your password and account access confidential.

9. Your rights and choices

Depending on your location and applicable law (including POPIA), you may have the right to:

  • Access personal information we hold about you
  • Correct inaccurate information in your account settings
  • Request deletion of your account and associated data
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with a supervisory authority

Account holders can update profile details in the account area and request account deletion where the product provides it. To exercise other rights, email support@grinfetti.com. We may need to verify your identity before responding.

Guests should contact the event host regarding photos or data collected at an event. We will assist hosts where we act as their processor and the request is valid.

In South Africa, you may contact the Information Regulator if you believe your rights under POPIA have been infringed: www.inforegulator.org.za.

10. Cookies and similar technologies

The admin website uses cookies and similar technologies for authentication, security, and basic functionality (for example, keeping you signed in). Booth apps may use local storage on the device for offline photo uploads and session state. You can control cookies through your browser settings; disabling essential cookies may prevent you from using signed-in features.

11. Children

The Service is not directed at children under 18 for account registration. Event hosts are responsible for ensuring photography and data collection at their events comply with laws regarding minors and for obtaining parental consent where required.

12. Third-party links and services

The Service may link to third-party sites or use third-party sign-in and payment services. Their privacy practices are governed by their own policies. We encourage you to review those policies when you use them.

13. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. Material changes may be notified by email or in-product notice. Continued use after changes take effect means you accept the updated Policy.

14. Contact

Privacy questions or requests: support@grinfetti.com

See also our Terms & Conditions, the Help centre, or return to the Grinfetti home page.