Privacy Policy
Kaptur ("we", "us", "our") is operated by an independent solo developer based in India. This policy explains what personal data we collect when you use the Kaptur platform (kaptur.me, the studio dashboard at app.kaptur.me, and the client mobile app), why we collect it, how we store it, and the rights you have over it.
This policy is written to comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and, where studios serve clients outside India, the EU GDPR and UK GDPR.
1. Who is responsible for your data
| Data Fiduciary | Kaptur (solo proprietorship), India |
| Contact | hello@kaptur.me |
| Grievance Officer | Udit Sharma · hello@kaptur.me |
| Response window | Within 30 days of a verified request |
2. Who is the data principal
Two distinct groups use Kaptur, and we treat their data differently:
- Studios — photography businesses that sign up at app.kaptur.me. For studio account data, Kaptur is the Data Fiduciary.
- Clients of studios — the end couples / families / individuals whose photos a studio uploads. For these photos and client contact records, the studio is the Data Fiduciary and Kaptur is the Data Processor acting only on the studio's instructions.
3. What we collect
From studios
- Account details — studio name, email, password (hashed by Firebase Authentication), country, currency
- Profile information — logo, brand accent colour, business address, GSTIN where applicable
- Billing information — plan tier, subscription expiry, payment events (we do not store card numbers; those are held only by Razorpay or Stripe under PCI DSS)
- Usage data — albums created, photo counts, storage consumption, last sign-in time
- Support correspondence — emails you send us
From clients of studios (uploaded by the studio)
- Name, phone number, event/album name, a 4-digit access PIN
- Photographs uploaded by the studio for the client to review and select
- Selections, comments, and print orders the client places through the app
- Anonymous mobile-app device session (no name, email, or persistent identifier is captured by us)
From visitors to kaptur.me
- Standard server logs (IP address, user-agent, referrer), retained 30 days
- Google Analytics 4 events (page views, clicks). Cookies expire after 14 months.
- Any details you voluntarily submit through the Contact form
4. Why we collect it (lawful basis)
- Contract — to deliver the service you signed up for
- Legal obligation — tax and accounting records (preserved for the period required by Indian law)
- Legitimate interest — fraud prevention, security monitoring, product improvement
- Consent — analytics cookies, marketing emails (you may withdraw consent at any time)
5. AI face recognition
Studios on the Enterprise tier can enable AI face-find for their clients. Face recognition runs entirely on the client's own device using on-device machine learning models. Face embeddings (mathematical vectors derived from a photo) are not transmitted to or stored on Kaptur servers. We never run cloud-side biometric inference. The studio decides whether to enable this feature for a given album.
6. Where we store data
- Account + metadata — Google Cloud Firestore (asia-south1, Mumbai region for Indian studios; nearest region for international studios)
- Photographs — Cloudflare R2 object storage (encrypted at rest, served over TLS)
- Authentication — Firebase Authentication (Google LLC, USA — subject to standard contractual clauses)
- Payments — Razorpay (India) for INR transactions; Stripe (Ireland / USA) for all other currencies
- Email — transactional email is sent through a verified provider on our behalf
Cross-border transfers are limited to the processors listed above and rely on the safeguards each processor publishes.
7. How long we keep it
- Active studio accounts — for as long as the studio remains active
- Cancelled studio accounts — soft-deleted with a 30-day grace period; permanent erasure after day 30 (you can cancel deletion within the grace window)
- Photographs — until the studio deletes them or cancels its account; clients should ask the studio directly
- Tax and payment records — retained for the period required by Indian law (currently 8 years)
- Server logs — 30 days
8. Your rights under the DPDP Act
You have the right to:
- Access the personal data we hold about you
- Request correction or completion of inaccurate data
- Erasure of your data ("right to be forgotten"), subject to legal retention requirements
- Nominate a person to exercise these rights on your behalf
- File a grievance with our Grievance Officer (see Section 1) and, if unresolved, with the Data Protection Board of India
Studio accounts include a self-service "Delete account" button that triggers a verified 30-day deletion workflow. Clients of studios should contact their studio directly; if the studio is unresponsive, write to us.
9. Who we share data with
We do not sell personal data. We share data only with the processors named in Section 6, and only to the extent required to deliver the service. We will disclose data to law enforcement only in response to a valid legal order under Indian law.
10. Security
- TLS 1.2+ in transit, AES-256 at rest
- Firebase Security Rules enforce per-studio isolation; production access is signed-in only
- Payment webhooks are signature-verified server-side
- Cloudflare R2 object access uses short-lived (15-minute) signed URLs
- We will notify affected users and the Data Protection Board within 72 hours of any verified personal-data breach
11. Children
Kaptur is intended for use by photography businesses. Studios are responsible for obtaining verifiable parental consent before uploading photographs of children under 18, in accordance with Section 9 of the DPDP Act.
12. Changes to this policy
We will post material changes here and notify active studios by email at least 14 days before they take effect.
13. Contact
Questions, requests, or grievances: hello@kaptur.me or use the Contact form.