Privacy Policy
Last updated: May 2026
This Privacy Policy explains how Alvaro Ferrer, on behalf of RollEvent (“we”, “us”), collects, uses, and shares personal data when you use the RollEvent mobile app (the “App”). If you have questions, contact us at alvaro.ferrer.rizzo@gmail.com.
1. Summary
RollEvent is a shared “disposable camera” app: you create or join an event (“roll”), take photos during it, and everyone’s photos are revealed to the event’s members 24 hours after the event ends. To do this we process your email address, a display name you choose, the photos you take, basic device/usage information, your app language, and (if you buy a roll) a purchase confirmation from Apple or Google. We do not sell your personal data.
2. Data we collect
Account data. Your email address, used to create and authenticate your account (via email one-time code or password). Authentication is provided by Supabase Auth.
Profile data. A display name you choose, your app language/locale, an onboarding flag, and the time you accepted these terms and this policy.
Content you create. Photos you take in the App and their metadata (dimensions, capture time), and the events (“rolls”) you create or join, including event name, type, dates, and join code. Photos may contain images of you and other people. Within an event, your photos become visible to the other members of that event after the reveal window; the event host can hide individual photos.
Purchase data. If you buy a roll, the purchase is processed by Apple or Google through RevenueCat. We receive a transaction/purchase identifier and entitlement status. We never receive or store your payment card details.
Notification data. If you enable notifications, a push token for your device so we can tell you when a roll has developed. We also send this notification by email.
Device & usage data. Standard technical data needed to operate the App (e.g. app version, OS, device type, error logs) via our infrastructure providers.
Reports. If you report a photo, we store the report (which photo, who reported it, who uploaded it, and timestamps) to review and act on it.
We do not intentionally collect special-category data; however, user-submitted photos may inherently reveal personal characteristics. Do not upload content you are not entitled to share.
3. How we use data and our legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and secure your account; authenticate you | Performance of a contract |
| Host events and store/show photos to event members | Performance of a contract |
| Process roll purchases | Performance of a contract |
| Send “roll developed” notifications (push/email) | Performance of a contract / legitimate interests |
| Review reports, moderate content, enforce the Terms, ban abusers | Legitimate interests; legal obligation |
| Maintain security, prevent fraud/abuse, debug | Legitimate interests |
| Comply with legal obligations | Legal obligation |
If your jurisdiction requires consent for notifications or analytics, we rely on your consent and you may withdraw it at any time.
4. Sharing and sub-processors
We do not sell personal data. We share it only with service providers that process it on our behalf:
- Supabase — database, storage (photos), and authentication hosting. Project data is hosted in the EU.
- Expo (Expo Application Services) — app delivery and push notification dispatch.
- Apple App Store / Google Play and RevenueCat — in-app purchase processing and validation.
- Apple Push Notification service / Firebase Cloud Messaging — push delivery transport.
- Resend — sending transactional notification emails.
Each provider is bound to process data only as instructed. We may also disclose data where required by law, to enforce our Terms, or to protect users’ safety.
5. International transfers
Some providers may process data outside your country. Where required, such transfers are covered by appropriate safeguards (e.g. Standard Contractual Clauses).
6. Retention and deletion
We keep your data while your account exists. You can permanently delete your account from within the App (Account → Delete account). Deletion is immediate and irreversible and removes your profile, your account, your push tokens, and every photo you have taken — including photos you contributed to shared rolls hosted by other people. If you are the host of a roll, deleting your account deletes that entire event and all of its photos for every participant. The App warns you about this before you confirm.
Reports and limited records may be retained as needed to enforce our Terms, resolve disputes, or meet legal obligations. Backups are purged on a rolling basis.
7. Your rights
Depending on where you live, you may have rights to access, correct, delete, or port your data, to object to or restrict processing, and to withdraw consent. You can exercise deletion directly in the App; for other requests contact alvaro.ferrer.rizzo@gmail.com. You may also complain to your local data protection authority.
8. Children
The App is not directed to children under [MINIMUM AGE — e.g. 13, or 16 in the EEA]. We do not knowingly collect data from children under that age. If you believe a child has provided data, contact alvaro.ferrer.rizzo@gmail.com.
9. Security
We use access controls (row-level security), encryption in transit, and signed, time-limited links for photo access. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
10. Changes
We may update this policy. We will notify you of material changes in the App or by email, and the “Last updated” date will change. Continued use after changes take effect constitutes acceptance.
11. Contact
Alvaro Ferrer, Madrid, Spain
Email: alvaro.ferrer.rizzo@gmail.com · Data protection contact: alvaro.ferrer.rizzo@gmail.com