Privacy Policy

Last updated: 18 May 2026
Effective date: 18 May 2026

This Privacy Policy explains how EventLens DOO Zrenjanin (“EventLens”, “we”, “us”, “our”) collects, uses, shares, and protects your personal data when you use our application (app.eventlens.app), and any related services (collectively, the “Service”).

EventLens is a photo-sharing platform that helps event attendees find and receive photographs of themselves and other people, taken at events by professional photographers, by using facial-recognition technology to match a user’s selfie to event photos.

Because we process biometric data (a mathematical representation of your face derived from your selfie), we have written this policy to be explicit about what that data is, how we use it, how long we keep it, and how you can have it deleted.

Plain-language summary

  • We use a selfie you give us to find photos of you at an event you attended.
  • We do not sell your data, and we do not use your face or your photos to train any AI model.
  • You can ask us to delete your data at any time by emailing info@eventlens.rs.
  • If you delete your account, your data is held for a 30-day grace period (so you can recover it by logging back in), and is permanently anonymized after that. Your account and personal details are permanently deleted, but anonymized order and receipt records are kept for the legally required period (currently 10 years under Serbian tax law).

1. Who we are (Data Controller)

The data controller responsible for your personal data is:

EventLens DOO Zrenjanin
Klajnova 18, 23000 Zrenjanin, Republic of Serbia
Company ID: 21998303
TIN (PIB): 114277204
Phone: +381 (0)62 944 96 76
Email: info@eventlens.rs
Website: https://eventlens.rs

You may contact us at the addresses above to exercise the rights described in Section 9.


2. Who this policy applies to

EventLens has several types of users. The data we process depends on the role you play:

  • Guests — event attendees who use EventLens to find and (optionally) purchase photos of themselves and other people.
  • Organizers (Hosts) — individuals or companies who create and manage events on EventLens.
  • Photographers, Uploaders, and Taggers — professionals invited by an Organizer to capture, upload or tag photos for an event.
  • Visitors — anyone browsing our website or web-based application.

Where a section applies only to one group, we say so explicitly.


3. The data we collect

3.1 Data you give us directly

Category | Examples | When we collect it
Account data | Email address, password (stored only as a salted hash by our authentication provider), first name, last name, profile photo | At sign-up and when you update your account
Selfie image | A photograph of your face or other people’s faces that you take or upload inside the Service | When you scan or upload to find photos of yourself or of other people
Communication data | Messages you send to support, feedback you give us | When you contact us
Business profile (Organizers / Photographers only) | Business email, phone number, website, Instagram URL, business profile photo | When you set up an organizer or photographer profile
Order data | Items in your cart, purchaser email, language and currency preferences, billing details you enter at checkout | When you place an order
Preferences | Language, currency, country, notification toggles | When you set or change your preferences

3.2 Biometric data we derive

When you upload or take a selfie inside EventLens, our facial-recognition provider (Amazon Web Services Rekognition) analyzes the image and generates a numerical representation of your face — commonly called a faceprint or face embedding. The faceprint is used to find matching faces in event photos.

The faceprint is a mathematical vector. It cannot be reversed into a recognizable image of you, and it is not used to identify you outside of EventLens.

We treat both your original selfie and the derived faceprint as biometric personal data under Article 9 of the GDPR (and equivalent provisions of Serbia’s Zakon o zaštiti podataka o ličnosti) and process them only on the basis of your explicit consent, given via the consent screen the first time you use the EventLens application.

3.3 Event content uploaded by Organizers and Photographers

If you are an Organizer or Photographer, you upload photographs of attendees. Those photos depict the faces and likenesses of other people. You are responsible for ensuring you have the legal right to capture, upload, and share that content — see our Terms of Use for details. EventLens hosts that content on your behalf for the limited purpose of delivering it to the attendees.

3.4 Data we collect automatically

Category | Examples
Device and browser | Device identifier, browser type and version, operating system, language
Network | IP address, approximate location (country / city level) derived from IP
Usage | Pages and features used, timestamps, referring URL, session duration
Cookies / local storage | Session cookies, authentication tokens, a device ID we generate for fraud-prevention and rate-limiting purposes

We do not sell your data and we do not use it for cross-site advertising tracking.

3.5 Data we receive from third parties

  • Authentication provider (AWS Cognito): identity tokens when you sign in.
  • Payment processor (OTP Banka Srbija via the SIA gateway): the outcome of your payment (success / failure / cancellation) and a transaction reference. We do not receive or store your full card number, PIN, or CVV — those are handled by the bank directly under PCI DSS.
  • Event Organizers: if an Organizer adds you to a guest list, invites you, or grants you access to photos, we receive the email address they used.

4. Why we use your data (purposes and legal bases)

Purpose | Legal basis under GDPR / Zakon o zaštiti podataka o ličnosti
Matching your selfie to event photos (facial recognition) | Explicit consent (Art. 9(2)(a)), given via the Photo Matching and Data Privacy Consent screen the first time you register for the Service
Creating and operating your account, processing your orders, delivering purchased photos | Performance of a contract with you (Art. 6(1)(b))
Issuing fiscal receipts (fiskalni račun) for purchases, in accordance with Serbian fiscalization law | Legal obligation (Art. 6(1)(c))
Sending you transactional emails (fiscal receipts, the magic-link to your purchased photos, password resets, deletion confirmations) | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for fiscal receipts
Sending event-related notifications (new photos added, person claimed, event expiring, photos found) — which you can switch off in your settings | Legitimate interest (Art. 6(1)(f)), with a clear opt-out
Requesting optional, anonymous post-event feedback by email | Consent (Art. 6(1)(a)), given via the registration consent wall
Fraud prevention, abuse prevention, securing the Service | Legitimate interest (Art. 6(1)(f))
Complying with tax, accounting, and other legal obligations | Legal obligation (Art. 6(1)(c))
Improving the Service in aggregate (e.g., monitoring error rates, performance) | Legitimate interest (Art. 6(1)(f))

We do not use your selfie, your faceprint, or your photos to train any general-purpose AI or facial-recognition model. Your biometric data is used solely to find your photos within the specific event(s) you participate in.


5. How long we keep your data

We keep data only as long as we need to for the purposes above.

Data | Retention period
Account data (profile, email, name) | Until you delete your account. After you request deletion, the account enters a 30-day grace period during which you can recover it by simply logging back in. After 30 days it is permanently anonymized.
Selfie image (original, in our S3 storage) | While your account is active. Deleted at the latest when your account is deleted, or at your written request.
Faceprint (in AWS Rekognition’s event collection) | Per event: while the event is active. When the event reaches the Organizer’s configured retention deadline (or when the Organizer deletes the event), the entire event face collection is deleted from AWS Rekognition.
Event photos (originals, watermarked previews, frames, promos) | While the event is active. Deleted from S3 after a configurable retention period or when the event is deleted by the Organizer.
Purchase / order records and fiscal receipts | Kept for the period required by Serbian tax and accounting law (currently up to 10 years), in anonymized form where possible.
Server logs (access logs, error logs) | Typically up to 90 days, then deleted or aggregated.
Magic-link access tokens (the links emailed to you after purchase) | Valid for 30 days or until the event’s expiry date, whichever comes first. After expiry the token can no longer be used.

After an event expires, photos of you, your faceprint inside that event, and your association with that event’s photos are removed from our active systems. Anonymized order records and fiscal receipts remain for legal reasons.


6. How we share your data

We do not sell your personal data. We share it only in the following situations:

6.1 Service providers (processors)

We rely on a small number of trusted providers to operate EventLens. They process your data only on our instructions and under contractual confidentiality and security obligations:

Provider | Purpose | Where they process data
Amazon Web Services (AWS) — including S3, Cognito, Rekognition, Lambda, SQS | Hosting, authentication, facial recognition, image processing | EU and / or US (see Section 7 on transfers)
OTP Banka Srbija (via the SIA payment gateway) | Card payment processing in RSD | Republic of Serbia and the European Union
Email-delivery providers | Sending transactional and notification emails | EU / US

We make commercially reasonable efforts to keep this list accurate. We will update this policy when we add or change a significant processor — including any new payment processor we may introduce in the future to allow charging in currencies other than RSD.

6.2 Event Organizers and Photographers

If you are a Guest, the Organizer of an event you attend (and their invited Photographers) can see:

  • The fact that one or more photos of you exist at their event.
  • An avatar / preview image used to manage tagging.
  • Your email address if you provided it to claim access to your photos.
  • Aggregated stats (e.g., how many of your photos have been published, how many you purchased).

Organizers and Photographers do not receive your raw selfie, your faceprint, or your password.

6.3 Other Guests

By default, photos uploaded for an event are visible in that event’s public gallery to other Guests who are scanning for their own photos. You can ask an Organizer to mark you as “do not publish”, or use the in-app opt-out (where the Organizer has enabled it) to hide solo photos of you from the public gallery. Multi-person photos may still appear in the gallery because they contain other people.

6.4 Legal and safety

We may disclose your data when we are required to by law, court order, or a regulator, or when we reasonably believe disclosure is necessary to:

  • enforce our Terms of Use;
  • detect, prevent, or address fraud, abuse, or security issues;
  • protect our rights, property, or safety, or those of our users or the public.

6.5 Business transfers

If EventLens is involved in a merger, acquisition, financing, or asset sale, your data may be transferred to the successor entity. We will require the successor to honor this Privacy Policy or notify you of any material change.


7. Where your data is processed

EventLens is established in the Republic of Serbia. Our infrastructure providers (primarily AWS) may store and process data in data centers located in the European Union and / or the United States. Card payments are processed by OTP Banka Srbija in Serbia and the EU.

When personal data is transferred outside the EEA, the UK, or Switzerland to a country that is not the subject of an adequacy decision, we rely on appropriate safeguards under Article 46 GDPR — typically the European Commission’s Standard Contractual Clauses (SCCs) combined with technical measures such as encryption in transit and at rest.

You can request a copy of the relevant safeguards by emailing info@eventlens.rs.


8. How we protect your data

We apply industry-standard security measures, including:

  • Encryption in transit (HTTPS / TLS) for all traffic between your device and our servers.
  • Encryption at rest for selfies, photos, and database records stored in AWS.
  • Access controls — only authenticated team members with a business need can access systems holding personal data, and access is logged.
  • No password storage by us — authentication is delegated to AWS Cognito, which stores only salted hashes.
  • No card-data storage by us — full card details are handled by OTP Banka Srbija under PCI DSS.
  • Rate limiting and fraud detection on scan and payment endpoints to deter abuse.
  • Regular security reviews of our code and infrastructure.

No system is 100% secure. If a personal-data breach affects you, we will notify you and the relevant supervisory authority where required by law.


9. Your rights

Depending on where you live, you have some or all of the following rights:

  • Right of access — ask us for a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — ask us to delete your personal data. You can delete your account directly in the app (Account Settings → Account Deletion), or email us.
  • Right to restrict processing — ask us to pause certain processing while we resolve a query.
  • Right to object — object to processing based on our legitimate interests, including direct-marketing emails.
  • Right to data portability — ask us to export your data in a structured, commonly used, machine-readable format.
  • Right to withdraw consent — where we rely on your consent (including consent for facial recognition and feedback emails), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — with your local data-protection authority. In Serbia, this is the Commissioner for Information of Public Importance and Personal Data Protection (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti), Bulevar kralja Aleksandra 15, 11000 Belgrade.

To exercise any of these rights, email info@eventlens.rs. We respond within one month of receipt. We may ask you to verify your identity before acting on a request, and we may extend the response period by up to two further months for complex requests, in which case we will tell you why.

There is no charge for exercising these rights, unless your request is manifestly unfounded or excessive.


10. Cookies and similar technologies

We use cookies and similar technologies (such as localStorage) for:

  • Strictly necessary purposes — keeping you logged in, remembering your cart, our device-ID for fraud prevention.
  • Functional purposes — remembering your language and currency preference.
  • Analytics (aggregated and pseudonymized) — understanding how the Service is used so we can improve it.

We do not use advertising or third-party tracking cookies. Where local law requires it, we will ask you for consent before setting non-essential cookies, and you can change your choices at any time in your browser or device settings.


11. Children

EventLens is not directed at children under 16, and we do not knowingly collect personal data from anyone under that age. Children under 16 may appear in photographs uploaded by Organizers and Photographers; in that case the Organizer or Photographer is responsible for obtaining parental consent and for the lawful basis of capturing and uploading those images.

If you believe we hold data about a child without proper authorization, please contact info@eventlens.rs and we will investigate and, where appropriate, delete the data.


12. Marketing communications

We only send marketing or promotional emails where you have opted in, or where local law permits us to email existing customers about similar services. Every marketing email contains an unsubscribe link, and you can also disable notification categories in your account settings.

Transactional emails (fiscal receipts, password resets, magic-link access to your photos, account-deletion confirmations) are part of the Service and cannot be opted out of while your account is active.


13. Automated decision-making

The face-matching pipeline that decides whether a particular event photo is “of you” is automated. However, it does not produce any legal or similarly significant effect on you — at worst, it shows you a photo that is not of you, or fails to show you one that is. You can:

  • Adjust which photos are linked to you by re-scanning with a different selfie.
  • Ask the Organizer to manually tag, untag, or hide photos.
  • Ask us, at info@eventlens.rs, to reset the matching for you in a specific event.

We do not use your data for any other form of automated decision-making with significant effects.


14. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will change the “Last updated” date at the top of this page. If the changes are material, we will give you reasonable advance notice — for example, by email or by an in-app notice — before the new policy takes effect.

The current version is always available at https://eventlens.rs/privacy-policy.


15. Contact us

If you have questions, comments, or complaints about this policy or how we handle your data, contact:

EventLens DOO Zrenjanin
Klajnova 18, 23000 Zrenjanin, Republic of Serbia
Company ID: 21998303 · TIN (PIB): 114277204
Email: info@eventlens.rs
Phone: +381 (0)62 944 96 76

We will respond as quickly as we can — usually within a few working days.