Last updated: May 4, 2026
Privacy Policy
PuliRoll provides time-boxed, access-controlled photo pools for events. This Policy explains what we collect, why we collect it, how long we keep it, and the choices you have. It applies to organizers and guests of events run on PuliRoll.
Information we collect
Organizer accounts: email address and authentication metadata, the event configuration you set (name, schedule, capacity, theme, branding), and basic billing details if you purchase a paid plan. Guest sessions: by default we do not require a name, email, or phone number from guests; we issue an opaque session identifier stored in a cookie so guests can upload and view media within the event window. Uploaded content: photos and videos contributed to an event, plus technical metadata such as upload timestamps and storage paths needed to deliver the album. Logs: standard request logs (IP address, user agent, timestamps) used for security, debugging, and abuse prevention.
How we use it
We process this data to operate the service: authenticating organizers, running each event's private pool, enforcing access and capacity rules, billing organizers, providing customer support, preventing abuse, and complying with legal obligations. Event photos are not published as a public gallery, are not indexed by search engines, and are accessible only to people holding a valid join link during the event window, as enforced by the product.
Retention and deletion
Event media is retained for the period defined in the organizer's plan and event configuration, after which it is deleted from our active systems. Organizers can request earlier deletion of an event at any time. Encrypted backups may persist for a limited window (typically up to thirty days) before they are overwritten in normal rotation. Account and billing records are kept while the account is active and afterwards only for the period required by tax and accounting law.
Security
Traffic between your device and PuliRoll uses HTTPS (TLS). Databases and object storage use encryption at rest provided by our infrastructure vendors. Access to production systems is restricted to a small operations team on a need-to-know basis and protected by strong authentication. No service can guarantee absolute security, but we apply reasonable technical and organizational measures and improve them over time.
What we do not do
We do not sell event photos, do not use them to advertise other customers' events, and do not train public machine-learning models on customer-uploaded images. If we add safety classifiers (for example to detect illegal or abusive content), they will run only for those safety purposes and we will describe them on this page.
Photo metadata (EXIF)
Photos uploaded to PuliRoll may contain embedded technical metadata (EXIF), which can include camera details and, depending on the source device, location coordinates. We do not display this metadata in the gallery, and where technically feasible we strip GPS coordinates during ingest. Stored copies remain in our systems only as required to deliver the event album and the export feature, and they are deleted under the retention rules above.
Service providers
PuliRoll runs on third-party infrastructure for hosting, databases, object storage, transactional email, error reporting, and payment processing. These providers act as our processors and only handle data on our instructions to deliver the service. Hosting and storage are located in regions selected for performance and reliability; where personal data is transferred between regions, we rely on the legal mechanisms made available by the respective providers (for example, Standard Contractual Clauses for transfers from the European Economic Area).
Your rights
Depending on your location, you may have rights to access, correct, export, or delete your personal data, to object to or restrict certain processing, and to lodge a complaint with your local data protection authority. Organizers can manage most of this directly from their account; guests and other individuals can contact us using the address below and we will respond within the timeframes required by applicable law.
Children
PuliRoll is built for adult event organizers and their guests and is not directed to children under 13 (or under the equivalent minimum age in your jurisdiction). Organizers are responsible for ensuring that any participation by minors at their events complies with local law and with the consent of a parent or legal guardian. If you believe a child has used the service without appropriate consent, please contact us so we can take action.
Regional notice
PuliRoll may be used by organizers and guests in many countries. Where laws such as the EU/UK GDPR, Brazil's LGPD, California's CCPA/CPRA, or other regional rules apply, the specific rights and definitions of those laws govern in addition to this Policy. Organizers running events in those regions act as the controller of guest content and are responsible for providing the appropriate notices and lawful basis to their guests; PuliRoll acts as their processor for that content.
Contact and changes
Privacy questions, requests, and complaints can be sent to privacy@puliroll.com. We may update this Policy as the product or applicable law changes; the effective date above will be revised and material changes will be communicated through reasonable means.