Last updated: 2026-05-22 — v1.1.1
Privacy Notice
Veloxshot processes personal data of photographers, participants, and individuals photographed at events. This Privacy Notice explains what data we process, for what purposes, and under which legal bases, in accordance with the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares - LFPDPPP).
Data Controller
Veloxshot — address and contact at legal@veloxshot.com.
Personal Data We Process
- From photographers: name, email, tax identification data when applicable, banking details for payments via Stripe Connect, uploaded photographs, and metadata.
- From participants: name, email, bib number, purchased photographs, and transaction history.
- From individuals photographed at events: facial vectors derived from the photographs uploaded by photographers to enable biometric search.
- From any visitor: technical data (IP address, user agent), cookie preferences, and consent audit logs.
Purposes of Processing
Primary Purposes (necessary for the service):
- To operate the photograph sales platform.
- To process payments via Stripe.
- To enable photograph searches by bib number and facial recognition.
- To comply with applicable tax and legal obligations.
Secondary Purposes (with your consent):
- Usage analysis to improve the product.
- Marketing (currently inactive; any future campaigns will require additional express consent).
Biometric Data and Facial Recognition Search
Veloxshot offers a selfie-based search so that event participants can locate the photographs in which they appear. This feature processes sensitive personal data under Article 9 of the LFPDPPP, and therefore requires express, informed, and specific consent.
Legal Bases
- Express and informed consent of the data subject, collected through an independent mechanism (separate from the acceptance of the Terms of Service).
- Contractual fulfillment: execution of the requested search service.
Data Processed
- Temporary selfie: sent to AWS Rekognition solely to perform the search. It is NOT stored in our systems and is discarded immediately after processing.
- Facial vectors of photographed individuals: faces detected in the photographs uploaded by photographers are indexed in event-specific AWS Rekognition collections to allow biometric matching.
- Consent audit logs: timestamp, IP address, user agent, version of the accepted notice, and attestation of legal age are retained. These are kept for 5 years from the withdrawal of consent, in accordance with the applicable civil statute of limitations in Mexico.
Retention
Facial vectors indexed in AWS Rekognition are automatically deleted 180 days after the date of the event or the last upload of photographs to the event, whichever occurs later. After deletion, photographs remain available for search through other methods (event browsing, bib number, shared links).
There is no mechanism in this version for retention extension at the photographer's request.
Subprocessors
- AWS Rekognition (Amazon Web Services Inc., us-east-1 region). Subject to the AWS Data Processing Agreement (DPA) and international transfer requirements under the LFPDPPP.
Minors
Veloxshot prohibits the processing of biometric data of individuals under 18 years of age without the express authorization of their parent or legal guardian. By using the selfie search, the user declares and attests that they are over 18 years old or possess such authorization. Responsibility for non-compliance with this restriction rests with the parent or legal guardian.
Withdrawal of Consent
You can withdraw your consent to the processing of biometric data at any time via the Privacy Preferences link in the website footer. The withdrawal takes effect immediately; the next selfie search will prompt you for a new consent.
ARCO Rights
You have the right to Access, Rectify, Cancel, and Oppose the processing of your personal data (ARCO rights). To exercise them — including requesting the deletion of a specific facial vector linked to a photograph where you appear — please write to us at legal@veloxshot.com.
We will respond within a maximum period of 20 business days in accordance with Article 32 of the LFPDPPP.
International Transfers
Some of our data processors process data outside of Mexico:
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| AWS (S3, Lambda, Rekognition) | Photograph storage + biometric processing | USA (us-east-1) | AWS DPA |
| Clerk | Authentication | USA | Clerk DPA |
| Stripe | Payments | USA | Stripe DPA |
| SendGrid | Transactional email | USA | Twilio/SendGrid DPA |
| Render | Hosting | USA | Render DPA |
These providers may use subprocessors or internationally distributed infrastructure. Veloxshot maintains contracts requiring protection levels equivalent to those of the LFPDPPP.
Security
We implement reasonable technical, administrative, and physical measures to protect your data:
- Encryption in transit (TLS) and at rest where supported by the provider.
- Restricted access to authorized personnel based on operational necessity.
- Logical segregation of biometric vectors into AWS Rekognition collections per event.
- Minimization: we do not store original selfies, only vectors derived from photographers' photos.
- Continuous monitoring and audits.
Use of AI
Veloxshot DOES NOT use the photographs or selfies uploaded to the system to train proprietary or third-party artificial intelligence models. Any future use for such purposes would require your additional explicit consent.
Cookies
The use of cookies is governed by the independent Cookie Policy. You can manage your preferences from the Privacy Preferences link in the footer.
Changes to this Notice
When this Privacy Notice changes substantially, we will notify you by email or request your re-acceptance when you log in. The version you accepted is recorded with a timestamp.
Photo Views and Impressions
When you browse photo galleries, we record which photos appear on your screen and which photos you open. We use this data to help photographers understand which of their photos generate interest, to detect abuse, and to verify that albums are reaching real participants. We process this data under our legitimate interest in operating and improving the Veloxshot service.
Each record contains the photo identifier, a salted hash derived from your IP address and browser (used to spot abusive traffic, not to identify you), and a timestamp. We do not store your IP address in this log. Raw records are deleted after 30 days; only aggregated counts (e.g. "this album received 1,247 views") are retained beyond that window.
Contact
Questions? Write to us at legal@veloxshot.com.