Legal

Privacy Policy

Template — have a lawyer review before you rely on it. This page explains how BoothMemo handles personal data: the recordings guests leave at a booth, and the accounts operators and hosts use to run them. BoothMemo is a white-label video-guestbook platform operated by Cleoda SRL (Romania, EU). A key point runs through everything below: for guest recordings, the operator or host who runs the event is the controller, and BoothMemo is their processor — we handle that data on their instructions, not for our own purposes. For operator/host accounts, BoothMemo is the controller. Last updated 5 June 2026.

1. Who is responsible for your data (controller vs processor)

BoothMemo serves two kinds of customers, and the roles differ depending on whose data we mean.

  • Guest recordings — the operator (a PRO who runs branded booths for their own clients) or the host (someone running a tablet at their own party) is the data controller. They decide to run the booth, set the branding and retention, and own the resulting gallery. BoothMemo (Cleoda SRL) is the processor: we store and deliver those recordings on the controller's behalf and on their instructions.
  • Operator and host accounts — for the account you create to use BoothMemo (sign-up, login, billing, your event settings), BoothMemo (Cleoda SRL) is the controller.

If you are a guest and want to reach the controller for your recording, that is the operator/host who ran the booth at your event. BoothMemo can pass requests along, and you can always use the self-service delete link described in section 5.

2. What data we process

Guests (at a booth):

  • The recording itself — a short video, selfie/photo, or audio message. Video and selfies contain your image/face, and video and audio contain your voice. These can be personal data and, depending on context, may be sensitive.
  • Email address and name, only if you choose to provide them so we can deliver your recording.
  • A consent record: whether you consented, a consent version, and a timestamp of when consent was given.
  • A private delivery token that links your QR code/email to your specific recording (and lets you delete it).
  • Basic technical metadata needed to store and serve the file (e.g. file paths, timestamps).

We do not run facial recognition, build biometric profiles, or use guest recordings to train models. The face and voice in a recording are simply the content of the message you chose to leave.

Operators and hosts (account holders):

  • Account details: name, email, password (stored hashed, never in plain text), and company/brand details.
  • Your event configuration (branding, languages, retention settings) and the gallery of recordings collected at your events.
  • Billing-related information for your plan (see section 9 on payments).

3. Why we process it, and our lawful basis

  • Guest recordings — consent (GDPR Art. 6(1)(a), and Art. 9 where applicable). Before a guest records, the booth captures a clear consent step; consent is stored versioned and timestamped with the recording. We only stamp a consent record when consent was actually given. Guests can withdraw consent at any time by deleting their recording (section 5); withdrawal does not affect processing that already happened.
  • Operator/host accounts — contract (GDPR Art. 6(1)(b)). We process account data because it is necessary to provide the service you signed up for: creating events, branding booths, delivering recordings, and running your gallery.
  • Legitimate interests / legal obligations (Art. 6(1)(f) and (c)). For limited, expected purposes such as securing the platform, preventing abuse, keeping basic billing records, and complying with law.

As a processor for guest recordings, we act only on the documented instructions of the operator/host controller (configured through their account and our agreement with them).

4. How long we keep it (retention & scheduled deletion)

Recordings are kept for a per-event retention window and then deleted automatically.

  • The default house window is about 365 days. Operators can set a shorter window per event (for example, the per-event plan is presented with a 30-day window).
  • Deletion is enforced by a scheduled cleanup job that runs regularly. It finds recordings older than their event's retention window and removes both the stored files and the database row, honoring each event's individual setting.
  • Account data is kept for as long as your account is active, and for a limited period afterward where needed for billing records or legal reasons.

A recording can also disappear earlier than its window if a guest (or the controller) deletes it. Deletion is permanent and cannot be undone.

5. Your rights — including erasure via your private link

Under the GDPR you have the right to access, rectification, erasure, restriction, objection, and data portability.

The most direct one for guests is erasure, and BoothMemo builds it in:

  • Every delivered recording carries a private token (in your QR code and/or delivery email). That token is your key to your recording.
  • Use the "Delete my recording" link — it opens a confirmation page, and on confirming, your recording's files and record are permanently removed (the action is idempotent: if it's already gone, that's fine). This is our implementation of the right to erasure (GDPR Art. 17).
  • For any other request (access, a copy, correction, objection), contact us or the event's controller using section 11.

Because the operator/host is the controller for guest recordings, we may forward or coordinate certain requests with them. You also have the right to lodge a complaint with a supervisory authority — in Romania, the ANSPDCP (National Supervisory Authority for Personal Data Processing).

6. Sub-processors

We use a small set of EU-oriented infrastructure providers to run the service. Each acts as a sub-processor under appropriate data-processing terms:

  • Supabase — database and file storage (recordings, metadata, accounts).
  • Resend — sending delivery emails (your recording link) and related transactional email.
  • Vercel — application hosting and serving the website/app.

We engage sub-processors only to the extent needed to deliver BoothMemo, and we require them to protect personal data consistent with this policy and applicable law.

7. International transfers

BoothMemo is built and operated in the EU, and we configure our infrastructure to keep personal data hosted in the EU/EEA wherever feasible.

If any sub-processor processes data outside the EEA (for example, certain email-delivery operations), such transfers are made under appropriate safeguards recognized by the GDPR, such as Standard Contractual Clauses and adequacy decisions where they apply. You can contact us for more detail on the specific safeguards in place.

8. Security

We design the platform so that one customer's data cannot leak into another's, and so that stored files are not openly accessible.

  • Multi-tenant isolation at the database — separation between operators/events is enforced at the data layer (row-level security), so one tenant cannot read another tenant's recordings or settings.
  • Time-limited signed URLs — recording files are not public. Each access mints a fresh signed URL that expires after one hour; the private link keeps working because the token is looked up and re-signed on each visit, never exposing a permanent public file URL.
  • Signed, expiring admin sessions — operator/admin login uses an HMAC-SHA256 signed session cookie with a 24-hour lifetime that cannot be forged without our server secret. In production the service refuses to run with a default/public secret (fails closed).
  • Encryption in transit (HTTPS), hashed passwords, and scheduled-job endpoints protected by a secret so they cannot be triggered publicly.

No system is perfectly secure, but these controls are core to how the product is built rather than bolted on afterward.

9. Cookies, local storage & payments

BoothMemo's tracking footprint is deliberately light. We don't run advertising or cross-site tracking on the product.

  • `admin_auth` — the signed authentication cookie that keeps an operator/admin logged in (24h). Strictly necessary.
  • Booth-session cookie — keeps a tablet running as a specific branded booth during an event. Strictly necessary.
  • Language preference — your chosen interface language is stored in your browser's localStorage (`bm_lang`), not used for tracking.

Payments: Plans are Per-event €39, Starter €69/month, and Pro €149/month — prices in EUR, VAT excluded, and you can cancel anytime. Automated card payment (Stripe) is not yet live; plans are currently activated manually, so we do not process card details through the site today. When online payments go live, the payment processor will handle card data under its own terms and this policy will be updated.

10. Changes to this policy

We may update this policy as the product or the law evolves (for example, when online payments go live, or when we add or change a sub-processor). We'll revise the "last updated" date at the top, and for material changes affecting guests or account holders we'll provide a more prominent notice where practical.

This is a template and has not yet been reviewed by a qualified lawyer for any specific jurisdiction; do not rely on it as legal advice until it has been.

11. Contact & how to exercise your rights

Operated by: Cleoda SRL (Romania, EU), under the BoothMemo brand.

Contact / data requests: [contact@cabinaregala.ro](mailto:contact@cabinaregala.ro)

  • Guests: the fastest way to erase a recording is the "Delete my recording" link in your QR/email (section 5). For access, correction, or other requests, email us — or ask the operator/host who ran your event, who is the controller for your recording.
  • Operators & hosts: email us for any request about your account data, for our data-processing agreement, or for the current list of sub-processors and transfer safeguards.
  • Supervisory authority: you may also complain to your local data protection authority (in Romania, the ANSPDCP).