Privacy Policy

Who we are

CrowdCapsule is operated by Quadrant Advisers Limited, a company registered in England and Wales (Company No. 14170146). We are the data controller for the purposes of UK GDPR and, where applicable, EU GDPR.

Contact: hello@crowdcapsule.io

What data we collect and why

• Name — to personalise communications
• Email address or WhatsApp number — to create your account and deliver your gallery
• Payment information — processed by our payment provider (Stripe); we do not store card details

Legal basis: Contract performance (Article 6(1)(b) UK/EU GDPR). You need an account to use the service.

• Mobile phone number — collected automatically when you message our WhatsApp number
• Photos and videos you send — used solely to compile your event gallery

Legal basis: Legitimate interests (Article 6(1)(f) UK/EU GDPR) — processing guest media to deliver the service the organiser has contracted for. We have assessed that this does not override guest privacy rights given the limited scope, short retention, and clear context.

What we do not collect

• We do not collect names of guests
• We do not use cookies or tracking pixels on this website
• We do not build profiles on guests or organisers
• We do not use data for advertising or analytics beyond basic service metrics
• We do not read message content other than to identify event codes and extract media

Data retention — 7-day auto-delete

All guest media (photos and videos) are permanently deleted from our systems 7 days after the event date. The event date is set by the organiser at the time of booking.

Organiser account data (name, email/phone, payment records) is retained for 6 years to comply with UK tax and accounting obligations (HMRC requirement), then deleted.

WhatsApp conversation logs are not retained beyond the processing window.

Data transfers outside the UK

We use the following third-party processors, some of which may store data outside the UK or EEA:

Your rights

Under UK GDPR (and EU GDPR where applicable), you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate data
• Erasure (“right to be forgotten”) — note: guest media is auto-deleted at 7 days regardless
• Restrict or object to processing
• Data portability (where technically feasible)
• Lodge a complaint with the ICO (UK): ico.org.uk · 0303 123 1113

To exercise any right, email hello@crowdcapsule.io. We will respond within 30 days (the statutory maximum under UK GDPR).

Security

Media is stored in encrypted cloud storage (Cloudflare R2). Access is restricted to automated processing pipelines and authorised personnel only. We do not grant third parties access to guest media for any purpose other than processing your event gallery.

In the event of a data breach affecting personal data, we will notify the ICO within 72 hours where required, and affected individuals without undue delay where the breach poses a high risk to their rights.

Children

CrowdCapsule is not directed at children under 13. We do not knowingly collect data from children. If a guest under 13 sends media via WhatsApp, the event organiser is responsible for ensuring appropriate parental consent has been obtained.

If you believe a child has submitted data without consent, contact hello@crowdcapsule.io and we will delete it immediately.

Changes to this policy

We will notify registered organisers of material changes by email at least 14 days before they take effect. The current version is always published at crowdcapsule.io/privacy.

Contact

For data protection queries specifically, use the subject line: DATA PROTECTION REQUEST

We do not currently have a Data Protection Officer (DPO). If our processing scale increases materially, we will appoint one.