Legal

Privacy Policy

Last updated: 17 May 2026

1. Who we are

Ode Events is a trading name of Laramattix Ltd, registered in Scotland (company number SC884319), with a registered office at Office 2/3 48 West George Street, Glasgow, United Kingdom, G2 1BP. We are registered with the Information Commissioner's Office (ICO registration number ZC115769).

For the purpose of UK GDPR, we act as a data controller for account and billing data. When processing guest and event data created by organisers, we act as a data processor on behalf of event organisers, who are the data controllers for their own event data (photos, RSVPs, guest sessions, and comments).

If you have a question about how your data is used within a specific event — including requests to access, correct, or delete content you uploaded — please contact the event organiser directly. For questions about the platform itself, contact us at hello@ode.events.

We are not required to appoint a Data Protection Officer under UK GDPR and have not done so. For any data protection queries, you can reach us at hello@ode.events.

2. Data we collect

Account holders (organisers):

  • Email address and display name (required for signup)
  • Payment information (processed by Stripe — we do not store card details)
  • Event data you create (pages, settings, content)

Guests (non-account users):

  • Optional alias (display name) chosen at join time
  • Photos and captions you upload
  • Comments you leave on photos
  • RSVP responses (attendance status, meal choices, plus-one names)
  • Session cookie — stored in your browser, used only to identify your session within the specific event

Children:

This service is not directed at children under 16. You must be at least 16 years old to create an account or use the service. If we become aware that data from a user under 16 has been collected, we will delete it promptly. To report a concern, email hello@ode.events.

Data we do not collect:

We do not collect IP addresses beyond standard server logs, location data, device fingerprints, or browsing history. We do not use advertising trackers, third-party analytics, or any form of cross-site tracking.

3. How we use your data and our lawful basis

We only process personal data where we have a lawful basis to do so under UK GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) — processing organiser account data, event data, and payments to provide the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — processing guest data (alias, photos, comments, RSVPs) to enable participation in events created by organisers. Our legitimate interest is providing the functionality guests access when joining an event. This processing is limited to what is necessary and guests retain full rights described in Section 6. A Legitimate Interests Assessment (LIA) has been carried out and is available on request.
  • Legal obligation (Art. 6(1)(c)) — retaining billing records where required by tax or financial regulations.

We do not rely on consent as a lawful basis for any processing activity described in this policy. As a result, there is no consent to withdraw. If you wish to stop your data being processed, your relevant right is the right to erasure or the right to object — both described in Section 6.

We do not carry out automated profiling that produces legal or similarly significant effects on individuals. We do use automated image analysis to detect and remove prohibited content at the point of upload — this is described in Section 4.

We do not sell your data, use it for advertising, or share it with third parties except as required to operate the service (see Section 8).

4. Photos and uploaded content

Event organisers are the data controllers for content uploaded to their events. By uploading photos to an event, you confirm that you have the right to share them. You should not upload photos of identifiable individuals who have not consented to their image being shared with the event's guests.

Photos may incidentally contain special category personal data within the meaning of UK GDPR Article 9 — for example, images that reveal health conditions, religion, or ethnicity. We do not process such data for those purposes; it is stored and displayed exactly as uploaded. The uploading guest's act of sharing the photo constitutes their explicit consent to that content being visible to other event guests, and organisers are reminded of their responsibility not to share images of individuals without appropriate consent.

If you are a person who appears in a photo and wish to exercise your data subject rights (including erasure), you should contact the event organiser, who is responsible for responding to such requests. If you cannot reach the organiser or believe your rights are not being respected, you may contact us at hello@ode.events and we will assist in escalating the request.

All photos uploaded to the platform are automatically scanned for inappropriate or illegal content using AWS Rekognition, an image analysis service provided by Amazon Web Services, Inc. This scan takes place at the point of upload, before any photo is displayed to event guests. Images identified as containing explicit nudity, graphic violence, visually disturbing content, or hate symbols are automatically removed and are not stored or displayed. Image data is transmitted to AWS Rekognition solely for the purpose of this analysis and is not retained by AWS beyond the duration of the request. This processing is carried out on the basis of our legitimate interest in preventing the distribution of harmful or illegal content through the platform (Art. 6(1)(f) UK GDPR).

Photos are stored securely and are only accessible to guests who have joined the specific event. Event organisers can delete individual photos or entire events at any time through the dashboard.

5. Data retention

The following rules govern how long we retain event and personal data:

  • Events with an album open date — all event data (photos, comments, guest sessions, and RSVP responses) is permanently deleted when the album window expires. The album window is calculated as the album open date plus the retention period for your plan (ranging from 7 days to 1 year depending on your tier).
  • Events without an album open date — all event data is permanently deleted 3 years after the event was created.
  • Unpaid draft events that have never been activated are permanently deleted 1 year after creation.
  • RSVP responses are deleted 90 days after the event start date, regardless of the album window. The approximate expiry date is displayed on the RSVP form at the point of submission and in the organiser's RSVP dashboard.

Organisers can delete their entire event and all associated data at any time from the dashboard, regardless of the retention period. When an organiser deletes an event, all associated data — including guest photos, comments, and RSVP responses — is permanently deleted.

Account data (email, display name) is retained until you delete your account. You can delete your account at any time from your account settings, or by emailing hello@ode.events. Deleting your account permanently deletes all events you own and all associated data, including any active paid events. This action is irreversible and no refund will be issued.

Financial and billing records are retained for a minimum of 6 years from the end of the relevant accounting period, as required by UK tax law. This obligation applies independently of account deletion — deleting your account removes your login credentials and personal profile but does not erase billing records that we are legally required to keep.

Organiser responsibilities: where organisers act as data controllers for their event data, they are responsible for providing their own privacy notice to guests. By activating an event on this platform, organisers acknowledge this responsibility.

6. Your rights (UK GDPR)

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your personal data (“right to be forgotten”)
  • Restriction — ask us to limit how we process your data
  • Portability — receive your data in a structured, machine-readable format. This right applies to data processed under contract or consent (primarily organiser account data). It does not apply to guest data processed under legitimate interests. However, if you are a guest and cannot exercise the right to portability, you can still request a copy of your data under the right of access above — we will provide it in a readable format on request.
  • Object — object to processing based on legitimate interests

Guests with an active session: if you still have your original session cookie (i.e. you have not cleared your browser data or switched device), you can delete your own photos, comments, and RSVP responses directly from the event page without contacting us.

All other requests: email hello@ode.events. If you submitted data as a guest without creating an account, please include the event name, the approximate date of your submission, and the name or alias you used — we will use these details to locate and verify your data before acting on any request.

We will respond within one calendar month of receiving your request. In complex or high-volume cases, we may extend this by a further two months — we will notify you within the first month if an extension is needed and explain why.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

7. Cookies

We use two categories of cookies: strictly necessary cookies (which do not require consent) and optional marketing cookies (which are only set after you explicitly accept them via our cookie banner).

Strictly necessary cookies

These are essential for the service to function and cannot be disabled. They do not require consent under the UK Privacy and Electronic Communications Regulations (PECR).

CookiePurposeDuration
sb-*-auth-tokenKeeps organisers signed in to their account (set by Supabase authentication)Session / up to 1 week
ode_session_[event-id]Identifies a returning guest within a specific event. Does not track you across events or websites.1 year
ode_cookie_consentStores your cookie preference (accepted or declined) so we do not ask again.Persistent (localStorage)
ode_privacy_moderation_v1Records that you have acknowledged our privacy policy update regarding automated photo moderation, so the notice is not shown again.Persistent (localStorage)

Optional marketing cookies (consent required)

These cookies are only set if you click “Accept all” on our cookie banner. You can decline them without affecting your use of the service.

CookiePurposeDuration
_fbpSet by Meta (Facebook) Pixel. Used to identify browsers for advertising attribution and to build retargeting audiences on Facebook and Instagram.90 days
_fbcSet by Meta (Facebook) Pixel when you arrive via a Facebook ad. Used to attribute conversions back to the specific ad that brought you here.90 days

The Meta Pixel sends anonymised event data (page views, sign-ups) to Meta Platforms Ireland Ltd. This data may be used to show Ode Events advertising to people with similar profiles to our visitors. Meta's use of this data is governed by their Privacy Policy.

8. Third-party services and data processors

We share data with the following third-party processors, each covered by a Data Processing Agreement (DPA) or equivalent contractual safeguard:

  • Supabase — database and file storage. Our primary database and file storage are hosted in the EU (Ireland). Supabase Inc. is a US-based company and may access data for support and infrastructure purposes under Standard Contractual Clauses (SCCs) with a UK Addendum (IDTA).
  • Stripe — payment processing (PCI-DSS compliant; card details are not passed to or stored by us). Data may be transferred to the US under the UK-US Data Bridge and SCCs.
  • Vercel — hosting and CDN (application code and edge functions). Data may be transferred to the US under the UK-US Data Bridge and SCCs.
  • Resend — transactional email (account verification, notifications). Data may be transferred to the US under Standard Contractual Clauses (SCCs) with a UK Addendum (IDTA).
  • Amazon Web Services, Inc. (AWS Rekognition) — automated image content moderation. Uploaded photos are transmitted to AWS Rekognition for analysis to detect prohibited content. Images are not stored by AWS beyond the duration of the request. AWS is a US-based company; transfers are made under Standard Contractual Clauses (SCCs) with a UK Addendum (IDTA).
  • Meta Platforms Ireland Ltd — advertising attribution and retargeting via the Meta Pixel (Facebook/Instagram), only where you have consented to marketing cookies. Hashed event data (page views, sign-ups) is transmitted to Meta to measure ad effectiveness and build advertising audiences. Data may be transferred to the US under the UK-US Data Bridge and SCCs. Meta's processing of this data is subject to their own privacy policy. This processor is only active for users who have accepted optional cookies.

All international transfers are made in compliance with UK GDPR Chapter V. Where adequacy decisions do not apply, we rely on Standard Contractual Clauses (SCCs) approved under the UK International Data Transfer Agreement (IDTA) or the UK-US Data Bridge, as applicable to each processor.

9. Security and breach notification

We maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure. These include encrypted data storage, access controls, and regular security reviews.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay. We will report notifiable breaches to the ICO within 72 hours of becoming aware of them, as required by UK GDPR Article 33.

To report a suspected security vulnerability, email hello@ode.events.

10. Contact

Questions about this policy? Email us at hello@ode.events.