Privacy Policy
Last updated: 01.11.2025
PRIVACY POLICY
Last updated: 01.11.2025
1. Who we are
This Privacy Policy explains how Lensed By AS (“we”, “us”, “Lensed By”) processes personal data when providing event photography services at https://lensedby.com.
In most cases, we act as a data processor on behalf of an event organiser who is the data controller under the GDPR. We only process data according to their documented instructions.
For all privacy inquiries or data rights requests, contact:
📩 privacy@lensedby.com
2. When we act as data processor
We act as a processor when an organiser commissions us to photograph an event and make photos searchable and available to participants.
| Data processed | Purpose | Legal basis | Retention | Controller |
|---|---|---|---|---|
| Photos taken at the event (where participants may be identifiable, e.g. bib number) | To make photos available to participants for viewing, download or purchase | Art. 6(1)(f) GDPR – legitimate interests of organiser and participants | Defined by organiser | Event organiser |
| Face embeddings (mathematical vectors generated from uploaded selfies or detected faces in photos) | To allow participants to find their photos using face-search instead of manual browsing | Same as above | Same as above | Event organiser |
- We do not store uploaded selfies. If a participant uploads a selfie to help locate photos, it is processed temporarily and deleted immediately after the face embedding is generated.
- Although we use automated facial recognition technology, we do not process biometric data for the purpose of uniquely identifying a person under GDPR Art. 9. Only non-reversible mathematical face vectors are stored, and they cannot be reconstructed into an image.
- We do not sell or share personal data to third parties.
3. When we act as data controller
For limited processing activities, Lensed By AS is the controller:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address and purchase details when buying photos | Deliver purchased content, send receipts, provide support | Art. 6(1)(b) – contract performance | 5 years (Bokføringsloven §13) |
| Web server logs (IP address, timestamp, browser metadata) | Security, abuse prevention, debugging | Art. 6(1)(f) – legitimate interest | 30–90 days (Azure defaults) |
| Session cookies required for platform stability and login | Site functionality | Art. 6(1)(f) – legitimate interest | Session / up to 1 year |
- We do not use analytics cookies, marketing cookies, or third-party tracking pixels.
- All data is hosted in Microsoft Azure (Norway East / West Europe).
4. Photography at public events
At events where we provide official photography, participants may appear in photos that are later offered for sale or free download.
Participants are normally informed by the organiser that photography will take place. It is generally expected and accepted that:
- Photos are taken as part of participation in a public race/event
- Photos may be searched by bib number or face matching
- Photos may be purchased or downloaded afterward
Legal basis: Art. 6(1)(f) GDPR – legitimate interests of the organiser, the participants, and Lensed By AS.
You may object to this processing at any time (see Section 7).
If the event includes minors, the organiser (not Lensed By) is responsible for ensuring a valid legal basis (e.g. consent from parents/guardians).
5. Your rights
You have the following rights under the GDPR:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (“right to be forgotten”) (Art. 17)
- Right to restriction (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
To exercise your rights, email: privacy@lensedby.com
If we are acting as a processor, we will forward your request to the organiser who is the data controller.
6. Cookies
We only use technically necessary cookies (such as Azure session cookies).
We do not use analytics, advertising, or tracking cookies.
Therefore, a cookie banner is not required under GDPR/ePrivacy rules.
7. Objection and withdrawal of consent
- If you gave consent for a specific processing activity (e.g. temporary selfie upload for face search), you may withdraw that consent at any time. This will not affect processing carried out before withdrawal.
- If we process personal data based on legitimate interests (Art. 6(1)(f) GDPR), you may object at any time.
If you object, please explain why you believe we should stop processing your data. We will review the request and either:
- Stop the processing, or
- Adjust the use of the data, or
- Explain compelling legitimate grounds that allow continued processing
You may object without justification if your data is used for direct marketing — we do not carry out such marketing, but this right is still maintained.
To object, contact: privacy@lensedby.com
8. Sub-processors
We use the following GDPR-compliant service providers:
| Service | Provider | Location | Data involved |
|---|---|---|---|
| Hosting & storage | Microsoft Azure | Norway / EU | Photos, embeddings, logs |
| Payments | Stripe | EU/EEA region | Billing + transaction data |
| Transactional email (receipts, links) | MailerSend | EU infrastructure | Email + delivery metadata |
All sub-processors are bound by Data Processing Agreements (DPAs) and act only on our instructions.
9. Data security
- All data is encrypted at rest and in transit
- Access is restricted to authorised personnel and protected by MFA, audit logs, and least-privilege policies
- We do not perform automated decision-making with legal or significant effects (Art. 22 GDPR)
10. Changes to this policy
We may update this Privacy Policy when required. The latest version is always available at lensedby.com/privacy.
11. Contact
Lensed By AS
Email: privacy@lensedby.com
Website: https://lensedby.com