Spekto is a platform for real-time photo sharing at events. We only collect what's needed for the service to work — nothing more. No tracking, no ads, no third-party cookies.
Data controller
The data controller for Spekto is Brattheng AS (Norwegian org. no. 933 662 463). Questions about privacy can be sent to [email protected].
What we store
Organizers (signed in)
| Data | Purpose | Retention |
|---|---|---|
| Email address | Sign-in and event communication | As long as the account exists |
| Name | Displayed in admin panel | As long as the account exists |
| Payment information | Event purchase (handled by Stripe) | 5 years (legal requirement) |
| IP address | Security and troubleshooting | 90 days |
Guests (no sign-in required)
| Data | Purpose | Retention |
|---|---|---|
| Photos and video | Displayed in the event's live feed | Deleted with the event |
| EXIF metadata (GPS, date) | Chronological sorting of photos | Deleted with the event |
| Name (optional) | Shown as photographer in the feed | Deleted with the event |
| Guestbook (text, audio and video) | Messages, voice recordings and video greetings in the guestbook | Deleted with the event |
| Session ID (cookie) | Identify your photos and likes | Deleted with the event |
| IP address | Security and troubleshooting | 90 days |
EXIF metadata (such as GPS location) is only used internally for sorting and is never shown to other guests.
Legal basis
- Sign-in and event management — necessary to deliver the service (GDPR Art. 6(1)(b))
- Photo uploads and guestbook — consent from the guest (GDPR Art. 6(1)(a))
- AI moderation — legitimate interest in protecting against inappropriate content (GDPR Art. 6(1)(f)). Optional per event.
- MagicFind (facial recognition) — explicit consent for processing of biometric data (GDPR Art. 9(2)(a)). Opt-in per guest.
- Payment — contract and legal obligation for accounting (GDPR Art. 6(1)(b) and (c))
- Security and troubleshooting — legitimate interest (GDPR Art. 6(1)(f))
AI moderation
Organizers can enable automatic content moderation. When active, images are sent to OpenAI and text to Google Gemini to assess whether content is inappropriate. Flagged content may be automatically held back for manual review by the organizer.
The OpenAI Moderation API does not retain content. Audio recordings and video guestbook recordings transcribed via Whisper are processed under OpenAI's API terms without being used for training. Video guestbook recordings are moderated in the same way as audio recordings.
MagicFind (facial recognition)
For Spekto Pro events, organizers can enable MagicFind — a feature that lets guests find photos of themselves via selfie. This feature uses facial recognition based on biometric data (GDPR Art. 9).
How it works
- Indexing: When photos are uploaded to a MagicFind-enabled event, a mathematical representation (embedding) of each face is calculated. This representation cannot be used to reconstruct the face.
- Selfie search: The guest takes a selfie which is analyzed to find matching photos in the feed. The selfie is not stored.
- Processing: All facial analysis happens on Spekto's own servers. No images or biometric data are sent to third parties.
Consent and deletion
- Explicit consent: You are asked to approve the use of facial recognition before MagicFind is activated (GDPR Art. 9(2)(a)).
- Deletion: Face embeddings are automatically deleted when the event is deleted. Organizers can also manually delete all face data.
- No sub-processor: MagicFind uses no external services — all processing happens on our own server.
Who has access
Your data is not shared with others. The following sub-processors handle data on our behalf:
- Cloudflare — network security and HTTPS proxy (IP addresses pass through Cloudflare). EU-US Data Privacy Framework.
- Stripe — payments. Handles all card information directly — we never see card numbers. EU-based processing.
- AWS SES — email delivery from Stockholm (eu-north-1). Email addresses only.
- OpenAI — optional AI moderation of images and audio transcription. USA, standard contractual clauses + EU-US Data Privacy Framework.
- Google Gemini — optional AI moderation of text. EU-US Data Privacy Framework.
- Backblaze B2 — off-site backup of database and media. Stored in EU (Amsterdam), encrypted at rest.
All primary data (database, images, video) is stored on a dedicated server in Norway.
Cookies
We only use technically necessary cookies for sign-in and guest sessions. No analytics, tracking, or advertising cookies. Therefore, no cookie consent is required.
Data deletion
- Guests can delete their own photos and guestbook entries directly in the app.
- Organizers can delete the entire event along with all associated data (photos, comments, guestbook).
- Automatic deletion — events and all associated data are automatically deleted after the expiry date.
Backups
We take daily backups of the database and media to protect against data loss from technical failure. Backup retention is as follows:
- Daily database backups are kept for 30 days locally and 90 days off-site (Backblaze B2).
- Monthly snapshots (first day of each month) are retained permanently off-site for disaster recovery and audit. Storage volume is small (approximately 1 MB per month).
- Media files are backed up as a mirror — if a photo or event is deleted, the backup copy is typically removed within 24 hours (no versioning).
- Deletion requests — if we ever need to restore from a monthly snapshot, we keep a log of which data was deleted after the snapshot timestamp and exclude it from the restore. Deleted personal data is never restored.
Local backups are stored on a dedicated server in Norway. Off-site copies reside in Backblaze B2 (EU, Amsterdam) and are encrypted at rest.
Your rights
You have the right to:
- Access what we have stored about you
- Have your information corrected or deleted
- Request restriction of processing
- Receive your data in a portable format (data portability)
- Lodge a complaint with the Norwegian Data Protection Authority if you believe we are not complying with the rules
Send an email to [email protected] and we'll take care of it.