Privacy Policy
Last updated: 30 May 2026
This policy explains what personal data Memo (operated by Pantazi Software, Romania) collects when you use me-mo.ro, why we collect it, who we share it with, and how long we keep it. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR) and Romanian Law 190/2018.
1. Who is the controller
Pantazi Software (Romania) is the data controller for the personal data we process about Organizers and guests of the Service. Contact: Contact us.
2. What data we collect
Organizer accounts
- Email address (always)
- Name and profile picture (if signed in with Google; optional via magic-link sign-in)
- Albums you create and their settings
- Payment status and the last 4 digits / brand of the card (held by our payment processor, not by us)
Guest uploaders
- An anonymous random ID stored in the
memo_guest_idcookie, so you can revisit your own uploads - An optional display name you choose for yourself in the upload form
- The photos and videos you upload
- Technical metadata: file size, MIME type, upload timestamp, and the IP address of the request (kept short-term in server logs)
Photo & video content
We strip EXIF metadata, including GPS coordinates, from photos before they are served from our CDN. We do not run face recognition or any machine-learning analysis on uploaded content.
Moderators
We store the email address of anyone invited as a moderator, the token used to accept the invitation, and timestamps for invite, accept, and last-active.
3. Why we use it (legal basis)
- To provide the Service — performance of the contract you enter into when you create an album (Art. 6(1)(b) GDPR).
- To process payments — performance of contract and our legitimate interest in fraud prevention (Art. 6(1)(b) and (f)).
- To send transactional emails (magic links, album ready, capacity warnings, expiry reminders, receipts) — performance of contract.
- To comply with legal obligations (e.g. accounting, responding to lawful requests) — Art. 6(1)(c).
- To keep the Service safe and improve it (basic server logs, abuse prevention) — our legitimate interest, Art. 6(1)(f).
- To measure site usage with Google Analytics — only with your consent (Art. 6(1)(a)), which you give or decline in the cookie banner and can withdraw at any time.
We do not run advertising, we do not sell or rent your data, and we do not use your content to train machine-learning models.
4. Who we share data with (sub-processors)
We rely on a small set of trusted providers to run the Service. Each is contractually bound to use your data only to provide their service to us.
| Provider | Purpose | Region |
|---|---|---|
| Cloudflare R2 | Photo / video object storage + CDN | EU (EEA) |
| Hostinger | Application server (VPS) | EU |
| Resend | Transactional email delivery | EU / US (SCCs) |
| Creem | Payment processing | EU / US (SCCs) |
| OAuth sign-in (only if you choose “Sign in with Google”) | EU / US (SCCs) | |
| Google Analytics | Aggregate usage measurement — only after you accept analytics cookies | EU / US (SCCs) |
Where data is transferred outside the EU/EEA, the transfer relies on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.
5. How long we keep it
- Album content (photos & videos):until the album’s storage period ends (7 days on Free, 180 days on Starter, 365 on Standard, 730 on Pro), then a 14-day archive grace period during which a ZIP backup is still available, then permanent deletion from R2.
- Organizer account: kept while you have an account. Deleting your account removes albums and account details. We may retain limited accounting records (invoices) for the period required by Romanian tax law.
- Guest cookie ID: 1 year from last visit.
- Moderator session: 30 days from sign-in.
- Server access logs: kept short-term (up to 30 days) for security and debugging.
- Google Analytics cookies: only if you accept — up to 2 years (
_ga) / 13 months (_ga_<id>), or until you clear them.
6. Cookies
We use strictly-necessary cookies to run the Service, plus optional Google Analytics cookies that load only after you accept them in the consent banner. We use no advertising cookies. The full list, with names and purposes, is on our cookies page.
7. Your rights
Under GDPR you can ask us to:
- Confirm what data we hold about you and provide a copy
- Correct inaccurate data
- Delete your data (“right to be forgotten”)
- Restrict or object to processing
- Export your data in a portable format (ZIP of your album)
- Withdraw consent at any time where processing is based on consent
Email Contact us from the address associated with your account. We respond within 30 days. You also have the right to lodge a complaint with the Romanian data-protection authority (ANSPDCP, dataprotection.ro) or your local EU supervisory authority.
8. Security
We use HTTPS for all traffic, server-side hashing for any authentication secrets, scoped pre-signed URLs for uploads and downloads, and access controls so only an Organizer and their invited moderators can see an album’s content. No system is perfectly secure; please report any suspected vulnerability to Contact us.
9. Children
The Service is not directed at children under 16. Organizers are responsible for ensuring that any image of a minor in their album was uploaded with parental consent where required by local law.
10. Changes to this policy
If we make material changes we will email Organizers at least 14 days before they take effect. Minor clarifications take effect when posted, with the “Last updated” date refreshed at the top.
11. Contact
Data protection enquiries: Contact us.