Last modified: 5/5/26
This statement is published by Solodigitalis Inc. ("Company", "We") as a companion to our Privacy Policy. Where the Privacy Policy describes what personal information we collect and why, this statement describes where user information (including but not limited to personal information) is processed and stored, which sub-processors are involved at each stage, and what the Operator's account region does and does not control.
It is intended for prospective and current customers — particularly those with regulatory, contractual, or internal requirements about data residency — who need a precise picture of the data lifecycle across the Platform (as defined in the Privacy Policy). Nothing in this statement overrides the Privacy Policy or our terms of use; it adds operational detail.
Throughout this statement we use the following terms:
Internally we run two distinct data planes: the operator data plane (referred to in our infrastructure as "booth.events") for Operator Data, and the guest data plane (referred to as "shared.gallery") for Guest Data. They are separate databases, separate object storage, and separate server-side services. References to these data planes throughout this statement use those names.
Each Operator selects an account region once during sign-up. The default suggestion is derived from the Operator's sign-up IP and may be changed during sign-up. The choice is bound to the Operator's account at creation time. The currently available account regions are:
References elsewhere in this statement to the Operator's account region refer to whichever of these the Operator selected. We may add further account regions over time; this section is the authoritative list.
The Operator's account region has the following effects:
The table below shows, at each stage, what happens to Operator Data and Guest Data, who processes it, and where it sits.
| Stage | Operator Data | Guest Data |
|---|---|---|
| Sign-up | Identity and credentials captured at the operator dashboard and stored in the operator data plane in the United States. | Not applicable. Guests do not sign up. |
| Account region | Operator selects their account region; the choice is bound to the Operator's account. | Determined by the Operator's account region for the event the Guest attends. |
| Payment | Card details are handled exclusively by Stripe and never traverse our servers. We retain only charge metadata, the last four digits of the card, and the billing country supplied by Stripe. Card numbers, CVC, and expiry are never seen or stored by us. | Not applicable. |
| Event setup | Event configuration (branding, templates, prompts, the data-collection question schema) is stored in the operator data plane in the United States. | Not applicable until the event begins. |
| Capture (iPad) | Operator-authored configuration is delivered to the iOS app over TLS. | Photographs and videos are captured on the iPad. By default they are also written to the device's Camera Roll, so the Operator keeps a local copy on the iPad; this default can be disabled — for an individual device or for all of an Operator's devices — by request to our support team. |
| Upload | Not applicable. | Photographs, videos, and any Guest-entered contact details upload over TLS to the guest data plane in the Operator's account region. Pending uploads are held in an app-private, on-device queue and retried automatically, including across app restarts; the queued copy is removed once the upload succeeds. |
| AI generation (when enabled) | Not applicable. | When the Operator has configured an AI feature on the event, the source photograph and the operator-authored prompt material are sent to the relevant AI partner — Magipic AI for portrait and filter generation, or Google Generative AI (Gemini) for AI custom prompts. The generated output is returned to the guest data plane in the Operator's account region. |
| Delivery to Guest | Not applicable. | Email (Amazon SES) and SMS (Twilio for international numbers, Esendex US for United States numbers) are dispatched from United-States-based providers regardless of the Operator's account region. The recipient address is shared with the delivery provider solely for the purpose of dispatching the message the Guest has requested. |
| Operator access | When the Operator views sessions, contact details, or data-collection answers in the dashboard — or exports them as a CSV — the request is routed to the guest data plane in the Operator's account region. Guest Data is not copied into or stored within the operator data plane in order to be displayed. | Reads (and CSV exports) served from the regional database in the Operator's account region. |
| Retention | Retained for the life of the account; deleted on account closure per the Privacy Policy. | Photographs, videos, Guest contact details, free-text answers, and per-Guest delivery records are hard-deleted together with the gallery they belong to. See Retention and deletion for the schedule. |
The following table lists the sub-processors involved at each stage of the data lifecycle, the categories of data they receive, and the region in which they process it. We contractually require third parties to keep personal information confidential, use it only for the limited purposes for which we disclose it, and process it in accordance with applicable privacy and data protection laws and contractual obligations, consistent with the practices set out in our Privacy Policy.
| Sub-processor | Purpose | Data categories | Processing region | Applies to |
|---|---|---|---|---|
| Google Cloud / Firebase (Privacy Notice) | Identity, database, object storage, server-side compute for both data planes | All Operator Data and all Guest Data | Operator data plane: United States. Guest data plane: the Operator's account region. | Operator and Guest |
| Vercel (Privacy Policy) | Hosts the Operator dashboard and the public shared.gallery website | Page requests, public IP addresses (used to derive a default region suggestion at sign-up) | Global edge network; logs in the United States | Operator and Guest (gallery viewing) |
| Stripe (Privacy Policy) | Payment processing | Card details (held in Stripe only), billing country, charge metadata | Per Stripe | Operator |
| Brevo (Privacy Policy) | Operator transactional and product email | Operator email address, name, account events | European Union | Operator |
| Intercom (Privacy Policy) | In-app support chat and operator email correspondence | Operator identifier, email address, support messages | Per Intercom | Operator |
| Sentry (Privacy Policy) | Error and crash monitoring (web dashboard and iOS app) | Operator identifier, email address, stack traces, device information | United States | Operator |
| Google reCAPTCHA (Privacy Policy) | Sign-up fraud prevention | IP address, browser signal | Global | Operator |
| Magipic AI (Privacy Policy) | AI portrait and filter generation when an Operator uses Magipic AI features | Reference photograph, prompt metadata | Per Magipic AI | Guest (photographs used as input) |
| Google Generative AI — Gemini (Privacy Policy) | AI image generation when an Operator uses AI custom prompts | Reference photograph, operator-authored prompt text | Per Google | Guest (photographs used as input) |
| Amazon Web Services — SES (Privacy and data protection) | Sending Guest gallery emails | Guest email address, gallery link | United States (us-east-1) | Guest |
| Twilio (Privacy Policy) | Sending Guest gallery SMS to non-United-States numbers | Guest phone number, message content | Per Twilio | Guest |
| Esendex US (Privacy Policy) | Sending Guest gallery SMS to United States numbers | Guest phone number, message content | United States | Guest |
All endpoints that accept Operator Data or Guest Data require TLS. We apply web-application firewall protections in front of the guest data plane, including IP-based rate-limiting and filters for common attack patterns aligned with the OWASP Core Rule Set (such as injection, cross-site scripting, and automated scanner detection).
Requests from the Booth.Events iOS app to the guest data plane may additionally be authenticated using Apple's device-attestation features (DeviceCheck and App Attest), so that uploads to an Operator's event are accepted only from a genuine, registered installation of the app on Apple hardware.
We will publish updates to this statement on this page, with the revision date at the top of the document.
Questions, due-diligence requests, data-processing addendum requests, and data-deletion requests may be sent to our Privacy Officer at hello@booth.events.