Privacy Policy

Last Updated:


Your privacy matters to us. This Privacy Policy explains how Alby Online Ltd collects, uses, shares, and protects personal data in connection with the alby platform. It applies to Hosts, Contributors, and all other visitors to our website and platform.

1. Who We Are

Alby Online Ltd (“alby”, “we”, “us”) is a company incorporated in England and Wales. We operate the alby platform, a private event media-sharing service available globally.

For the purposes of UK GDPR and the Data Protection Act 2018, alby is the data controller for personal data we collect from Hosts in connection with their accounts, billing, and platform administration. For media and content uploaded to Host albums, the Host acts as the data controller and alby acts as data processor. See Section 3 for more detail.

Our registered office and data protection contact: legal@alby.photos

2. Scope of This Policy

This policy covers:

  • Personal data we collect from Hosts when they register, subscribe, and use the Platform;

  • Personal data collected from Contributors at the point of uploading media;

  • Technical data collected automatically from all users of the Platform;

  • Personal data contained in media uploaded to the Platform (including photographs, videos, and voice notes that may depict third parties);

  • Biometric data processed through the facial recognition feature.

This policy does not cover third-party websites or services that may be linked to from the Platform.

3. Controller / Processor Framework

The distinction between data controllers and data processors is important, and alby has been designed with this distinction in mind:

3.1 alby as Data Controller

alby is the data controller for:

  • Host account data (name, email address, billing information, organisation details);

  • Technical and usage data collected for platform operation, security, and analytics;

  • Communications data (support emails, feedback, correspondence).

3.2 Hosts as Data Controllers

When a Host creates an album, they become the data controller for:

  • Contributor names and any other personal data submitted by Contributors at the point of upload;

  • All media content uploaded to the album (photographs, videos, voice notes, guestbook messages);

  • Any personal data visible in or derived from uploaded media (including images of third parties who did not themselves upload content).

alby processes this data on behalf of the Host as a data processor. Our Data Processing Agreement sets out the terms of this arrangement and is incorporated into our Terms of Use.

3.3 alby as Data Controller for Limited Purposes

Even in the context of Host albums, alby retains controller status for the limited purposes of:

  • Platform security and fraud prevention;

  • Compliance with legal obligations (including law enforcement requests);

  • Service improvement and platform diagnostics (using anonymised or aggregated data only).

4. Personal Data We Collect

4.1 Hosts

  • Full name and email address (for account registration);

  • Payment, billing address, and tax information (processed by our payment provider, Stripe; alby does not store card or payment details);

  • Organisation or company name (optional);

  • Usage data, including events created, media volumes, and feature usage;

  • Device and browser information collected automatically.

4.2 Contributors

  • Display name (required at the point of upload);

  • Email address (optional, or required if the Host has enabled this);

  • Uploaded media: photographs, videos, voice notes, and text messages;

  • Interaction data: likes, comments, and favourites associated with your session.

Contributors do not create alby accounts. Their personal data is stored in connection with the Host’s album and is subject to the Host’s data retention decisions.

4.3 Media Content and Third-Party Data Subjects

Uploaded photographs and videos may depict individuals who are not themselves Contributors or Hosts. These individuals are data subjects whose personal data is processed within the platform. Hosts, as data controllers, are responsible for ensuring the lawful processing of such data. alby provides the technical infrastructure; it does not make content decisions.

Individuals who appear in uploaded content but have not themselves uploaded may request removal of content in which they appear by contacting the Host or by submitting a request to legal@alby.photos.

4.4 Children’s Data

alby recognises that media uploaded to the Platform frequently depicts children. We do not knowingly collect personal data directly from children. The following provisions apply:

  • Children under 18 (or the applicable age of majority in the relevant jurisdiction) may not create Host accounts;

  • Content featuring children may only be uploaded by adults with appropriate authority to do so — this includes parents, guardians, and adults acting within the scope of a private event;

  • Hosts are responsible for ensuring that content depicting children is not distributed beyond the private group for which it is intended;

  • alby applies privacy-protective default settings. These defaults must not be overridden by Hosts in ways that would expose children’s data to unintended audiences;

  • Parents or guardians may request removal of any content depicting their child by contacting the Host or by writing to legal@alby.photos. We will action such requests promptly.

UK ICO Age-Appropriate Design: alby’s platform design follows the principles of the UK ICO’s Children’s Code (Age Appropriate Design Code) where applicable, including privacy-by-default settings and avoidance of practices that exploit or endanger children.

4.5 Automatically Collected Data

  • IP address and approximate geolocation;

  • Device type, browser, and operating system;

  • Pages visited and features used;

  • Session duration and referral source;

  • Cookies and similar tracking technologies (see our Cookie Policy at alby.photos/cookies).

5. How We Use Personal Data

5.1 Hosts

We use Host personal data to:

  • Create and manage your account (“Legal basis: contract”);

  • Process payments and manage subscriptions (contract);

  • Send service communications including invoices, renewal reminders, and important updates (contract / legitimate interests);

  • Provide customer support (contract);

  • Ensure platform security and prevent fraud (legitimate interests);

  • Comply with legal obligations (legal obligation);

  • Improve the Platform using aggregated, anonymised analytics (legitimate interests).

5.2 Contributors

We use Contributor personal data to:

  • Enable you to upload media and participate in the Host’s album (legitimate interests of the Host, or consent where required by applicable law);

  • Associate your display name with your uploaded content as attribution (legitimate interests);

  • Process and store your media securely on behalf of the Host (contract with Host as data controller);

  • Apply AI content moderation to screen for prohibited content (legitimate interests of alby and the Host in maintaining a safe platform).

5.3 Legitimate Interests

Where we rely on legitimate interests as a lawful basis, we have assessed that our interests are not overridden by the interests or rights of the individuals concerned, given the private, invite-only nature of the Platform, the limited scope of data use, and the availability of effective objection and takedown mechanisms.

6. Biometric Data and Facial Recognition

Facial recognition is an optional feature that can be enabled by Hosts. When activated:

  • alby’s systems detect and process facial embeddings (mathematical representations of facial features) from uploaded photographs. These embeddings constitute biometric data and are classified as special category personal data under UK GDPR Article 9 and equivalent legislation.

  • Facial embeddings are used solely for the purpose of grouping photographs by individual within the album. They are not used for identification, surveillance, law enforcement purposes, or any commercial purpose.

  • Embeddings are stored only for the duration of the album and are permanently deleted upon album deletion or expiry.

  • Hosts who activate this feature are responsible for disclosing it to Contributors and for ensuring compliance with biometric data laws applicable in their jurisdiction.

  • A Data Protection Impact Assessment (DPIA) has been carried out for this feature, as required by UK GDPR Article 35. A summary is available on request.

  • In jurisdictions with specific biometric data requirements — including Illinois (BIPA), Texas, Washington, and other US states — Hosts must obtain the specific consents required by applicable law before activating this feature.

Opt-out: Contributors or third parties who appear in photographs and do not consent to facial recognition processing may contact legal@alby.photos to request deletion of any facial embeddings associated with their images.

7. Cookies and Tracking

We use cookies and similar technologies to operate the Platform, remember your session, and analyse usage. You can manage cookie preferences via the cookie settings available on the Platform. Further detail is provided in our Cookie Policy at alby.photos/cookies.

8. Sharing Your Data

We do not sell your personal data. We share personal data only in the following circumstances:

8.1 Service Providers

We use carefully selected third-party service providers who process personal data on our behalf, including:

  • Amazon Web Services (AWS): cloud hosting and storage infrastructure, operating across multiple regions globally. Data may be stored in the UK, European Economic Area (EEA), or United States depending on your region and our infrastructure configuration;

  • Stripe: payment processing. Stripe is responsible for the secure handling of payment card data;

  • AI processing providers: for AI image editing and content moderation features;

  • Email and communications providers: for transactional emails and platform notifications.

All third-party processors are engaged under data processing agreements that require them to process data only on our instructions and in accordance with applicable law.

8.2 Hosts and Contributors

Contributor-uploaded content is visible to the Host and to other Contributors who have access to the album, subject to the privacy and permission settings applied by the Host.

8.3 Legal Obligations

We will disclose personal data to law enforcement, regulatory authorities, or other third parties where we are legally required to do so, or where we reasonably believe such disclosure is necessary to prevent illegal activity, protect public safety, or protect the rights of alby or others.

8.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of alby’s business, personal data may be transferred to the acquiring entity, subject to appropriate protections and notification to affected users.

9. International Data Transfers

alby operates globally and uses AWS multi-region infrastructure. Personal data may be transferred to and processed in countries outside the UK and the European Economic Area, including the United States.

Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission or the UK Information Commissioner’s Office (UK Addendum to SCCs);

  • Adequacy decisions where applicable;

  • Other legally recognised transfer mechanisms.

You may request information about the specific safeguards applicable to your data by contacting legal@alby.photos.

10. Data Retention

10.1 Host Account Data

We retain Host account data for as long as your account is active and for a period of 7 years following account closure, to comply with legal and financial record-keeping obligations.

10.2 Album and Media Content

Media uploaded to a Host’s album is retained for as long as the album is active. Upon expiry or cancellation of a paid subscription, media is archived for 90 days and then permanently deleted. Hosts should download all content they wish to retain before the end of this period.

Biometric facial embeddings are deleted upon album deletion or expiry.

10.3 Contributor Data

Contributor display names and session data are retained for as long as the associated album is active and for a reasonable period thereafter to enable the Host to export records. alby does not retain Contributor data beyond the lifecycle of the album without legal justification.

10.4 Anonymised Data

We may retain anonymised and aggregated data derived from platform use indefinitely for the purpose of product improvement and analytics. This data cannot be used to identify any individual.

11. Your Rights

Depending on your location, you may have the following rights in relation to your personal data:

  • Right of access: to request a copy of the personal data we hold about you;

  • Right to rectification: to request correction of inaccurate or incomplete data;

  • Right to erasure (“right to be forgotten”): to request deletion of your personal data in certain circumstances;

  • Right to restriction: to request that we restrict processing of your data in certain circumstances;

  • Right to data portability: to receive your data in a structured, machine-readable format;

  • Right to object: to object to processing based on legitimate interests;

  • Rights in relation to automated decision-making: not to be subject to solely automated decisions that significantly affect you.

For UK and EU residents, these rights are set out in the UK GDPR / EU GDPR. For California residents, equivalent rights are provided under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), as described in Section 13 below.

To exercise any of these rights, please contact legal@alby.photos. We will respond within 30 days. We may need to verify your identity before processing your request.

Content removal requests: If you wish to request removal of content you have uploaded, or content in which you appear, please contact the Host in the first instance. If you are unable to reach the Host, or if the Host fails to act, contact legal@alby.photos and we will facilitate your request.

12. Security

We implement technical and organisational security measures appropriate to the risk, including:

  • Encryption of data in transit using TLS;

  • Encryption of data at rest in AWS storage;

  • Access controls and authentication requirements for Platform access;

  • Regular security monitoring and vulnerability assessments;

  • Incident response procedures.

No system is completely secure. In the event of a data breach that is likely to result in a risk to individuals, we will notify the relevant supervisory authority (and affected individuals, where required) in accordance with applicable law.

13. Jurisdiction-Specific Provisions

13.1 UK and European Economic Area

Our primary legal framework is the UK GDPR, supported by the Data Protection Act 2018. For users in the EEA, EU GDPR applies. Our lawful bases for processing are as described in Section 5. Our lead supervisory authority in the UK is the Information Commissioner’s Office (ICO). You have the right to lodge a complaint with the ICO at ico.org.uk if you believe we have mishandled your personal data.

13.2 United States — California (CCPA / CPRA)

California residents have the right to:

  • Know what personal information is collected about them and how it is used;

  • Delete their personal information, subject to certain exceptions;

  • Opt out of the sale or sharing of their personal information. alby does not sell personal information;

  • Non-discrimination for exercising their privacy rights.

To exercise CCPA rights, contact legal@alby.photos or visit alby.photos/privacy-request. We will respond within 45 days.

13.3 United States — Biometric Data (BIPA and State Laws)

In Illinois and other US states with biometric privacy laws, processing of biometric data (including through our facial recognition feature) may require specific written consents. Hosts who activate the facial recognition feature are responsible for ensuring compliance with applicable state biometric privacy laws and for obtaining any required consents from Contributors.

13.4 Australia

For users in Australia, data handling is also subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles. We maintain alignment with these standards. You may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you have concerns.

13.5 Canada (PIPEDA / Law 25)

For Canadian users, personal information is handled in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). Quebec residents also have rights under Law 25. You may withdraw consent to non-essential processing at any time by contacting legal@alby.photos.

13.6 Brazil (LGPD)

For users in Brazil, alby processes personal data in accordance with the Lei Geral de Proteção de Dados (LGPD). You have the right to confirm the existence of processing, access your data, correct inaccuracies, anonymise, block, or delete unnecessary data, and port your data.

14. Children’s Privacy

alby does not knowingly collect personal data directly from children under 13 (or the applicable minimum age in your jurisdiction) for the purpose of creating accounts. The platform is designed for use by adults. Media depicting children may be present in Host albums; the lawful processing of such content is the responsibility of the Host acting as data controller.

If you believe that a child’s personal data has been collected in violation of applicable law, please contact legal@alby.photos and we will take appropriate action.

15. Third-Party Links and Services

The Platform may contain links to third-party websites or integrate with third-party services (such as social media sharing). alby is not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through the Platform.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. We will notify Hosts of material changes by email and by notice on the Platform at least 14 days before the changes take effect. The date of the most recent update is shown at the top of this document.

For Contributors, the current version of this policy is displayed at the point of upload. Continued use of an album after a policy update constitutes acceptance of the revised terms.

17. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact:

Alby Online Ltd

Data Protection Contact: legal@alby.photos

Website: www.alby.photos

Registered in England and Wales

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. In the UK this is the Information Commissioner’s Office (ICO): ico.org.uk, 0303 123 1113.