Home / Privacy Policy

Privacy Policy

Effective date: June 1, 2026  ·  Last updated: June 1, 2026

PhotoUncle ("we," "us," or "our") is committed to protecting the privacy of every person who uses our platform — especially children. This Privacy Policy explains how we collect, use, store, and protect personal information, with a special focus on our obligations under the Children's Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA).

By using PhotoUncle, you agree to the practices described in this policy. If you are a school using our platform, your agreement to our Service Agreement also constitutes acceptance of this Privacy Policy on behalf of your institution and the families it serves.

1. Who We Are

PhotoUncle is a SaaS platform built to help schools and daycares securely distribute event photos to the correct parents using on-device AI face recognition. We operate under the brand PhotoUncle, owned by Vishv Verma, based in California, USA.

Contact: privacy@photouncle.com

2. COPPA — Children's Privacy

We take children's privacy extremely seriously. PhotoUncle is designed for use by schools and licensed daycares, and children's personal information (including facial images and photos) is handled according to COPPA requirements.

School as Data Controller

For COPPA purposes, the school or daycare that subscribes to PhotoUncle acts as the "operator" collecting information from or about children with verifiable parental consent obtained through enrollment. PhotoUncle operates as the data processor acting under the school's instruction. Schools must ensure they have valid parental consent before providing any child data to our platform.

What Child Data We Process

  • Photos uploaded by teachers that may depict children
  • 512-dimensional facial embedding vectors derived from those photos (used only for matching)
  • Student name and parent email address (provided by the school's teacher/admin)

How We Protect Child Data

  • No public URLs, ever. Every photo is served through authenticated, private endpoints. Raw media URLs are never exposed.
  • On-device AI only. Face recognition runs entirely on our own infrastructure using InsightFace ArcFace. No child photo or facial data is ever sent to Google, AWS, Azure, or any external API.
  • No third-party analytics on pages showing child photos.
  • Parents see only their own child. Our system enforces per-user, per-child access at the application level.
  • Auto-deletion. School event photos are deleted at the end of the academic year plus 30 days.
  • Correction audit trail. Every "not my child" report is logged for COPPA compliance review.

3. Information We Collect

School Administrators and Teachers

  • Name, email address, phone number
  • School name, address, enrollment information
  • Uploaded photos and videos for events
  • Stripe payment information (processed by Stripe — we do not store raw card data)

Parents

  • Email address and name (provided when registering via invite link)
  • One photo or face identification tap used to create a facial embedding for their child
  • Purchase history for optional download subscriptions

Students (Children)

  • First and last name (provided by school)
  • Photos uploaded by teachers
  • Facial embedding vectors (512-dimensional, stored in our database, never transferred externally)

Automatically Collected Information

  • Server logs (IP address, browser type, pages visited) — retained for 30 days
  • Session cookies required for login and security
  • We do not use advertising trackers, Google Analytics, or any third-party analytics

4. How We Use Your Information

  • Operate and deliver the PhotoUncle service (photo upload, AI face matching, parent gallery delivery)
  • Send invite emails and event-ready notifications to parents
  • Process school subscription billing via Stripe
  • Process parent download purchases via Stripe
  • Respond to support requests and flag reports
  • Maintain COPPA and FERPA audit logs
  • Improve platform reliability and accuracy (using aggregate, non-identifiable data only)

We never sell, rent, or trade personal information to third parties. We do not use child data for advertising purposes under any circumstance.

5. Data Sharing

We share data only in these limited cases:

  • Stripe — payment processing (school invoices and parent downloads). Stripe's privacy policy governs their data handling.
  • Google Drive — event videos uploaded by teachers are stored in a PhotoUncle-owned Google Drive account (not the school's Drive). Access is controlled by PhotoUncle. Videos are only shared with parents who have an active download subscription.
  • Legal obligations — we will disclose information if required by law, court order, or to protect the safety of children.

We do not share facial embeddings, photos, or student data with any advertising network, data broker, or analytics platform.

6. Data Retention and Deletion

  • School event photos and facial embeddings: Deleted at academic year-end plus 30 days.
  • Individual free tier: Auto-deleted after 90 days. Users are notified at day 80 and day 85.
  • Parent account data: Retained while the account is active. Deleted on request.
  • Billing records: Retained for 7 years per financial record requirements.
  • Audit logs: Retained for 3 years per COPPA compliance requirements.

7. Your Rights

Depending on your location, you may have the following rights:

  • Access — Request a copy of the data we hold about you or your child.
  • Correction — Request correction of inaccurate data.
  • Deletion — Request deletion of your data or your child's data.
  • COPPA deletion — Parents may request deletion of their child's facial embeddings and matched photos at any time by contacting privacy@photouncle.com. We will process requests within 10 business days.
  • California residents (CCPA) — You have the right to know what data we collect, the right to delete it, and the right not to be discriminated against for exercising these rights.

8. Security

We implement industry-standard security measures including:

  • HTTPS (TLS) encryption for all data in transit
  • Encrypted database connections
  • Private, auth-gated URLs for all photo serving
  • No child photos processed by external APIs
  • Access controls and role-based permissions
  • Regular security reviews

9. Cookies

We use only functional session cookies required for login and security (CSRF protection). We do not use advertising cookies, tracking pixels, or third-party analytics cookies on any page that may display child photos.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Schools and admins will be notified of material changes by email. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions, COPPA deletion requests, or data access requests:

descriptionTerms of Use homeBack to Home