This document is pending legal review and is not yet the final approved version.

Privacy Policy

Last updated: June 2026

1. Identity and contact details of the controller

PartiPix is operated by Devminds, a sole proprietorship registered in Belgium under enterprise number BE 0688.824.615, with registered address at Grote Veldstraat 140B, 8840 Staden, Belgium.

For all data protection enquiries, you may contact us at privacy@devminds.be. General correspondence may be directed to olivier@devminds.be.

Devminds has not appointed a Data Protection Officer (DPO), as this is not required for its current scale and processing activities.

2. Controller and processor roles

PartiPix operates in a dual role depending on the category of personal data involved:

  • Customer accounts: Devminds acts as the data controller for personal data of registered customers (event organisers) — including email address, name, and payment details.
  • Guest photos and related data: The event organiser (customer) acts as the data controller for photos uploaded by their guests. Devminds acts solely as a data processor on behalf of the event organiser, processing guest photos in accordance with the Data Processing Agreement (DPA) the event organiser accepts at registration.

This distinction is essential under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

3. Personal data we process

3.1 Customer account data (controller role)

  • Email address and display name (registration and login)
  • Password hash (for email/password accounts)
  • Google or Microsoft OAuth identity tokens (for social login)
  • Payment data (processed by Stripe on our behalf — we receive only partial card details and transaction references)
  • Event configuration data: event names, dates, QR codes, moderation settings
  • Email address change requests and confirmation tokens
  • DPA acceptance record: version number, timestamp, and IP address (see section 11)

3.2 Guest data (processor role on behalf of event organiser)

  • Photos uploaded by guests (originals, processed versions, and thumbnails)
  • Guest session identifier (anonymous, stored only in a session cookie)
  • Optional guest display name (entered voluntarily by the guest)
  • IP address and user-agent string at upload time (for abuse prevention)

4. Purposes and legal bases

Processing activity | Legal basis (GDPR Art. 6)
Customer account creation and authentication | Art. 6(1)(b) — contract performance
Processing payments via Stripe | Art. 6(1)(b) — contract performance
Sending transactional emails (registration, password reset) | Art. 6(1)(b) — contract performance
Storing DPA acceptance record (version, timestamp, IP) | Art. 6(1)(c) — legal obligation (GDPR Art. 28)
Processing guest photos on behalf of the event organiser | Art. 6(1)(b) — contract with event organiser (DPA)
AI-based content moderation (when enabled by the event organiser) | Art. 6(1)(f) — legitimate interest (safety) / Art. 6(1)(b) — contract
Fraud prevention and platform security | Art. 6(1)(f) — legitimate interest
Service improvement and error monitoring (anonymised) | Art. 6(1)(f) — legitimate interest

5. Automated decision-making

PartiPix offers an automated AI content moderation feature (ai_auto mode) that may automatically reject guest photos without human review. This feature:

  • Is enabled or disabled by the event organiser per event — it is never applied without the organiser's explicit configuration choice.
  • Uses Azure AI Content Safety (Microsoft) to evaluate each photo for categories including sexual content, violence, hate content, and self-harm imagery, with configurable severity thresholds (Relaxed, Standard, or Strict).
  • May result in a guest's photo being automatically rejected and not displayed on the slideshow, constituting a decision with significant effect on the guest within the meaning of GDPR Article 22.
  • Does not involve profiling of individuals; each photo is evaluated in isolation.

You have the right to contest automated decisions and request human review. Please contact the event organiser directly, or reach us at privacy@devminds.be.

6. Sub-processors

We engage the following sub-processors to operate the PartiPix platform:

Sub-processor | Role | Location
Microsoft Azure | Cloud infrastructure hosting — Container Apps, Azure SQL, Blob Storage, SignalR Service, Application Insights | EU (Netherlands / Belgium regions)
Stripe | Payment processing and invoicing | USA / EU (compliant with standard contractual clauses)
Azure AI Content Safety (Microsoft) | AI-based photo content moderation (when enabled by event organiser) | EU (Netherlands region)
Azure Communication Services (Microsoft) | Transactional email delivery (registration, password reset) | EU

We will notify customers of any changes to our sub-processor list with reasonable notice.

7. Data retention

  • Customer account data: retained for the duration of the account and for 30 days after account deletion to allow recovery, then permanently deleted.
  • Guest photos: retention depends on the event organiser's chosen package (Small: 30 days, Medium: 90 days, Large: 1 year after the event end date). After the retention period, photos are automatically and permanently deleted from our storage systems.
  • Payment records: retained for 7 years in accordance with Belgian accounting law (Wetboek van Vennootschappen en Verenigingen).
  • DPA acceptance records: retained for the duration of the customer relationship and 7 years thereafter, to demonstrate compliance with GDPR Article 28.

8. International transfers

Personal data is processed within the European Economic Area (EEA). Stripe processes payment data under Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to the United States. We do not make other transfers of personal data outside the EEA.

9. Your rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your personal data where no longer necessary.
  • Right to restriction of processing (Art. 18): request that we limit processing in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests.
  • Right not to be subject to automated decisions (Art. 22): contest decisions made solely by automated means with significant effect on you.

To exercise any of these rights, contact us at privacy@devminds.be. We will respond within 30 days.

10. Right to lodge a complaint with the GBA

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données):

Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35
1000 Brussels, Belgium
www.gegevensbeschermingsautoriteit.be
contact@apd-gba.be

11. DPA acceptance IP address storage

When a customer accepts the Data Processing Agreement (DPA) during registration or upon DPA version update, PartiPix records the customer's IP address, the exact DPA version accepted, and the timestamp of acceptance. This record is stored as proof of freely given, specific, informed, and unambiguous consent in accordance with GDPR Article 7 and Article 28. This constitutes a privacy-by-design measure to demonstrate compliance with our legal obligations as a data processor.

12. Security measures

We implement appropriate technical and organisational security measures, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (Azure Storage encryption)
  • Managed identity authentication (no hard-coded credentials)
  • Role-based access control limiting data access to operational necessity
  • Automated data retention policies with permanent deletion after period expiry

13. Cookies

For details on the cookies we use, please see our Cookie Policy.

14. Changes to this policy

We may update this Privacy Policy as our services evolve or legal requirements change. Registered customers will be notified of material changes by email. The date of the last update appears at the top of this document.