Privacy Policy.
Last updated: May 29, 2026
Twice is a digital disposable camera service for your events (weddings, birthdays, parties, seminars). This policy explains what data we collect, why, how long we keep it, and how you stay in control of it.
We apply the General Data Protection Regulation (GDPR). We limit collection to the strict minimum and we never resell any data.
1. Data controller
The controller of the data collected via twice.cam is:
- Publisher: Jérôme Dathueyt
- Country: France
- Contact: support@twice.cam
2. Data we collect
2.1 Host (organizer) data
- Email address (account creation, magic-link sign-in, Google or Apple OAuth).
- Display name or first name (optional, provided at account or event creation).
- Metadata of created events: title, date, cover photo, settings (filters, quotas, reveal date).
- Payment identifier (Stripe transaction reference on the web, or App Store / Google Play transaction ID for in-app purchases). Card details never pass through our servers: they are entered directly with the payment provider.
- Moderation decisions (photo approved, hidden, deleted).
2.2 Guest data
- First name (or nickname) entered when joining the event, used as the display name in the album.
- Photos taken during the event, along with their technical metadata (capture date, applied filter).
- An anonymous session token (cookie or secure storage) that lets the guest find the album without creating an account.
No email address is asked of the guest. No account is created.
2.3 Technical data
- Standard access logs generated by our host (IP address, timestamp, user-agent), kept for security and fraud prevention.
- Anonymized error diagnostics to fix bugs.
We use no third-party behavioral analytics or advertising tracker.
3. Purposes and legal bases
4. Retention periods
- Photos and albums: kept for at most 12 months from event creation. After that, they are deleted automatically. You can delete an album, or an individual photo, at any time before then.
- Host accounts: kept until you request deletion. Deletion is effective within 30 days at most and erases your events and associated photos.
- Guest sessions: expire automatically with the album they are attached to (either when the host deletes the album, or after 12 months).
- Billing data: kept for 10 years in accordance with French accounting law.
- Technical logs: kept for at most 12 months.
5. Recipients and processors
Your data is never resold. It is entrusted to a small number of technical processors, chosen for their reliability and compliance, and bound to us by contract:
- Supabase — database, authentication, photo storage. supabase.com
- Stripe — payment processing (United States). stripe.com
- Resend — transactional email delivery (United States). resend.com
- Vercel — site and API hosting (United States, global edge). vercel.com
- Google — "Continue with Google" sign-in, and Google Play billing for in-app purchases on Android (United States). google.com
- Apple — Sign in with Apple, and App Store billing for in-app purchases on iOS (United States). apple.com
- Cloudflare — DNS management and email routing (United States). cloudflare.com
6. Transfers outside the European Union
Some of our processors (Stripe, Resend, Vercel, Google, Apple, Cloudflare) are based in the United States or operate via global infrastructure. These transfers are governed by:
- The EU–US Data Privacy Framework when the processor adheres to it.
- The Standard Contractual Clauses (SCCs) approved by the European Commission, otherwise.
Today, some data may be processed or stored outside the European Union, notably in the United States, under the safeguards above. Moving our data storage to the European Union is on our roadmap.
7. Cookies and trackers
Twice only uses strictly functional cookies, necessary for the service:
- A session cookie to keep you signed in (host side).
- A cookie or local storage to keep a guest's session within their event.
- A preference cookie for the theme (light/dark).
No audience-measurement, advertising or social-network cookie is set. These functional cookies do not require prior consent under Article 82 of the French Data Protection Act.
8. Your rights
In accordance with the GDPR, you have the following rights:
- Right of access to your data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten").
- Right to portability in a structured, readable format.
- Right to object to processing, where it is based on legitimate interest.
- Right to restriction of processing.
- Right to withdraw your consent at any time, where it was the basis of processing.
- Right to set directives on the fate of your data after your death.
9. Exercising your rights
To exercise any of these rights, write to us at support@twice.cam from the email address associated with your account. We may ask you for proof of identity in case of reasonable doubt about the origin of the request.
We undertake to respond within one month at most from receipt of the request, extendable by two months if the complexity or number of requests warrants it.
10. Security
Photos and data are protected by encryption in transit (HTTPS/TLS) and at rest. Access to an event's data is strictly restricted to the host and their guests via database-level security rules (Row Level Security). Access tokens are time-limited.
11. Minors
Twice is not intended for minors under 15. A host organizing an event involving minors ensures they have obtained the necessary authorizations from legal guardians.
12. Complaint to the CNIL
If, after contacting us, you believe your rights are not respected, you can lodge a complaint with the French data protection authority (CNIL):
- 3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
- www.cnil.fr
13. Changes to this policy
This policy may evolve to reflect technical, legal or service changes. Any substantial change will be notified to you by email or via a banner on the site before it takes effect.
Write to us at support@twice.cam. We answer every request.