Privacy Policy
Information about the processing of personal data when using Weyfie.
1. Controller
Patrick Hess | Online Media, owner Patrick Hess, Agathastr. 18, 57482 Wenden, Germany, email: patrick@hessonline.net.
2. Data protection officer
No data protection officer has been appointed.
3. Roles for event galleries
This privacy policy describes the processing for which Weyfie itself is responsible under data protection law. This includes registration, login, session management, technical security, payment processing, platform protection and handling reports about images.
The respective gallery owner decides whether Weyfie is used for a specific event, who receives access, whether mobile uploads or a visible gallery are enabled, and which content is published or shared within the gallery. The gallery owner therefore remains responsible for event-related participant information and required consents where legally necessary.
Where Weyfie technically stores and provides gallery content, this is done as a platform service within the usage relationship with the gallery owner. No general data processing agreement is currently provided for the standard private event gallery product.
4. Legal bases
- Art. 6(1)(a) GDPR: consent
- Art. 6(1)(b) GDPR: contract and pre-contractual measures
- Art. 6(1)(c) GDPR: legal obligation
- Art. 6(1)(f) GDPR: legitimate interests
5. Website delivery and server logs
When the website is accessed, technical access data is processed, in particular IP address, date and time, requested resource, HTTP status, referrer and user agent.
Legal basis: Art. 6(1)(f) GDPR.
6. Registration and gallery creation
For the "create gallery" function, an email address is processed. A time-limited code is created for verification. After successful verification, user data and gallery metadata are stored, in particular user ID, email address, gallery code, plan, image limit and price.
Time-limited user-specific magic links are generated for management access.
Legal basis: Art. 6(1)(b) GDPR.
7. Access protection for galleries and management
Protected galleries are accessed via redeem tokens and time-limited JWT access tokens. JWTs with role and gallery assignment are used for management areas.
For single-use redeem tokens, the remote IP address is stored as redemption information when redeemed.
Passkey authentication can optionally be used for user accounts. Credential ID, public key, algorithm, signature counter, label, timestamps and transport information are stored. Admin accounts use the same login path as regular user accounts.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.
8. Processing photos in galleries
Images are stored as files in galleries. Thumbnails are additionally processed and stored for display.
Mobile guest uploads are available only for galleries with upload enabled. Before upload, the upload dialog asks for active confirmation. This product confirmation does not replace any further legal consents from recognizable persons.
The upload confirmation also explicitly addresses third-party copyrights and special care with children or young people. The gallery owner and the uploading person remain responsible for content checks in the event context.
The respective gallery owner remains responsible for the event-related decision to collect or publish photos in a specific gallery.
Legal basis for Weyfie platform processing: Art. 6(1)(b) and Art. 6(1)(f) GDPR.
9. Image reports and moderation
Reported images are hidden from public view until reviewed. In particular, gallery code, file name, report status, optional report note, report time and report context are processed.
Reports serve platform protection, responses to complaints and abuse prevention. Weyfie may review, hide, delete or restore reported content.
This also applies to requests from affected persons, guardians or rights holders, especially opt-out requests, photos of children or alleged copyright infringements.
Legal basis: Art. 6(1)(f) GDPR.
10. Email communication
The system sends emails via SMTP for verification codes, login magic links and notifications about reported images.
Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
11. Payment processing with PayPal
For paid gallery packages, PayPal is used when the PayPal integration is enabled. Required payment and transaction data is transmitted to and processed by PayPal.
Legal basis: Art. 6(1)(b) GDPR.
12. Web analytics with Matomo
Matomo is used as a self-hosted web analytics solution for page views on publicly accessible pages. The /gallery and /admin routes are excluded from tracking.
Tracking is activated only after actively choosing "Allow all" in the cookie banner. URL and page title are processed. Dynamic URL parts are normalized in the frontend before transmission.
Legal basis: Art. 6(1)(a) GDPR.
13. Fonts
The website uses locally embedded fonts delivered by its own web server.
Legal basis: Art. 6(1)(f) GDPR.
14. Browser storage and cookies
JWTs are stored in the browser for authentication and session management, using local storage and cookies. Technical values are also stored in local storage for controlling the web app install notice and saving the cookie choice.
Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.
15. Recipients and third-country transfers
Recipients of personal data may include hosting and infrastructure providers, email providers and PayPal.
PayPal integrations may involve data transfers to third countries. Transfers take place only on the basis of statutory requirements under Art. 44 et seq. GDPR.
16. Storage period and deletion
In short: Weyfie event galleries are currently not designed for unlimited storage. The most important periods are also shown directly in the product.
- Gallery and registration data: deletion by the cleanup worker after 60 days
- Open image reports and affected image files: cleanup by the cleanup worker after 14 days
- Verification data in the registration process: short, technically limited storage periods
Statutory retention obligations remain unaffected.
17. Rights of data subjects
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection (Art. 21 GDPR)
For requests about a specific event gallery, Weyfie may check whether the respective gallery owner is the contact for the content decision. At the same time, Weyfie may hide images as a precaution until review if a plausible deletion, opt-out or rights notice is received.
18. Withdrawal of consent
Consents given can be withdrawn at any time with effect for the future. For event-related photo publications, the respective gallery owner should also be informed. For fast escalation, the withdrawal can also be reported directly to Weyfie so that the affected image can be hidden as a precaution until review.
19. Right to lodge a complaint
There is a right to lodge a complaint with a data protection supervisory authority.
20. Data security
Technical and organizational measures are used to secure personal data, in particular access controls, role-based permissions, token-based access protection mechanisms and secured authentication methods.
21. Updates to this privacy policy
This privacy policy is updated when data processing or the legal situation changes.