mac.mn — Event Photo Platform

1. Introduction

EventPhoto is committed to protecting your privacy. This policy explains how we handle personal information and biometric data when you use our AI-powered event photography platform.

2. Facial Recognition & Face Vectors

Our platform uses advanced AI to help you find your photos. When you upload a search image (selfie), our system converts it into a "Face Vector"—a mathematical representation of facial features.

Temporary Processing: Search images are processed in real-time and are not permanently stored in our primary database.
Non-Surveillance: We do not use this technology for general surveillance or to track individuals across non-related galleries.
Anonymized Math: Face Vectors are proprietary mathematical hashes and cannot be used to reconstruct your actual face by third parties.

3. Data Collection & Consent

By using the "Search by Face" feature, you provide explicit consent for us to process your biometric data for the sole purpose of identifying your images in event galleries.

We also collect:

Account Info: Name, email, and profile details for registered users.
Transaction Data: Payment history and licensed photo purchases.
Event Metadata: Location, date, and participant bib numbers for race events.

4. Selfie Storage & Biometric Data (Mongolian PII Law Compliance)

EventPhoto complies with the Law of Mongolia on Personal Data Protection (2021). Facial biometric data is classified as sensitive personal information and is handled as follows:

Default: In-memory only. When you upload a selfie without enabling "Keep my selfie stored," we extract your face embedding, delete the original image from our servers immediately, and retain only the mathematical face vector (faceId) required for matching.
Optional persistence. If you check "Keep my selfie stored for ongoing matching," your selfie image is retained in our secure Immich instance so that new event photos uploaded in the future are automatically matched to your face without requiring a new upload.
Revoke at any time. You may delete your selfie and face data from your profile at any time. Deletion removes the stored image and de-registers your face vector from all future matching.
No third-party sharing. Biometric data is never sold, licensed, or shared with third parties outside of the contracted AI processing pipeline.

Хувийн мэдээлэл ба Биометрийн мэдээлэл хамгаалах тухай

EventPhoto нь Монгол Улсын Хүний хувийн мэдээлэл хамгаалах тухай хуулийг (2021) чандлан мөрддөг. Царай таних биометрийн мэдээлэл нь хүний эмзэг мэдээлэлд тооцогдох бөгөөд дараах журмаар боловсруулагддаг:

Үндсэн тохиргоо (Зөвхөн шуурхай санах ойд): Хэрэв та "Миний зургийг хадгалах" сонголтыг идэвхжүүлээгүй бол систем зөвхөн царайны математик дугаарыг (face vector) салгаж аваад эх зургийг манай серверээс шууд устгах болно.
Хадгалах сонголт: Хэрэв та зөвшөөрөл өгсөн бол таны зураг манай аюулгүй санд хадгалагдах ба ирээдүйд орох шинэ зургуудаас таныг автоматаар хайх боломжтой болно.
Дуртай үедээ устгах: Та өөрийн бүртгэлээс зураг болон биометр мэдээллээ хэзээ ч бүрмөсөн устгах боломжтой.
Гуравдагч этгээдэд дамжуулахгүй: Биометрийн мэдээллийг хэзээ ч гуравдагч этгээдэд худалдах, задруулах, дамжуулахгүй.

5. Data Retention

Biometric face vectors (mathematical embeddings) are retained while your account is active to enable automatic photo matching. If you have not enabled selfie storage, no image file is retained — only the vector. You may request full deletion of all biometric data at any time via your profile settings or by contacting us directly.

6. Your Rights (GDPR & Mongolian PII Law)

Regardless of your location, we provide high-standard data rights:

Right to Access: Request a copy of the data we hold about you.
Right to Erasure: Request the total deletion of your profile and biometric data.
Right to Object: Opt-out of biometric processing at any time.

7. Third-Party Services

We use secure cloud infrastructure (e.g., AWS/Google Cloud) and payment processors (e.g., QPay/Stripe). These partners are strictly prohibited from using your data for any purpose other than providing the contracted service.