Privacy Policy

The controller of personal information collected through the Service is Everseed Ventures (the "Company", "we", "our", or "us"), operating Filmo from the Province of Alberta, Canada.

For event content you upload (photos, captions, event titles), the event Creator (host) is a joint controller, as they decide who is invited and the purpose for which the event content is collected. The Company processes the content on the Creator's and Guests' behalf to operate the Service.

Privacy questions, requests, and complaints can be sent to team@everseedventures.com. A mailing address is available on request.

Information you provide

• Email address and display name (when you create an account or join an event as a Guest).
• Event metadata you create: event title, cover image, opens/reveals times, optional PIN, optional brand event-type selection.
• Guest name supplied at join time, optional marketing opt-in preference, optional reveal-notification opt-in.
• Photographs and any captions you upload through the Filmo camera or photo upload interface.
• Payment information you submit through Stripe — Stripe handles your card data directly; we receive a token, the last four digits of the card, and basic billing metadata for receipts.
• Any messages you send us by email (support, abuse, legal, copyright).

Information collected automatically

• Technical information about your device and browser: IP address, user-agent string, language preference, timezone, screen size, and similar diagnostic signals.
• Authentication cookies and tokens needed to keep you signed in (set by Supabase Auth on our behalf).
• Locale preference cookie (`filmo-lang`) when you explicitly switch languages, so the next visit lands on the language you chose.
• Server logs of requests to the Service, including timestamps, URL paths, response codes, and basic error context. We do not log photo contents.

We do not use third-party advertising cookies, behavioural-tracking pixels, fingerprinting libraries, or session replay. We do not maintain advertising profiles about you.

We use personal information to:

• Provide the Service: authenticate you with a one-time email code, create and run events, store and serve photos within an event, deliver the reveal experience, and process payments.
• Communicate with you: send transactional emails (sign-in codes, reveal notifications, payment receipts, account or security notices). Marketing emails are sent only to recipients who opted in.
• Operate, secure, and improve the Service: monitor performance, prevent abuse, detect fraud, debug errors, run capacity planning, and study aggregate usage patterns.
• Comply with legal obligations: respond to lawful requests from authorities, retain records as required by tax or accounting laws, and enforce these Terms.
• Protect rights, property, and safety: investigate violations of the Acceptable Use rules, including by accessing event content in narrowly necessary cases (for example, to respond to a credible abuse report).

Legal bases (EEA / UK / GDPR users)

Where the GDPR applies, our legal bases are: (a) performance of a contract with you (operating the Service you signed up for); (b) our legitimate interests (running, securing, and improving a service we provide on the terms you accepted, where those interests are not overridden by your rights); (c) your consent (for marketing emails and optional features); and (d) compliance with a legal obligation. You can withdraw consent at any time without affecting prior processing.

We do not sell your personal information. We share it only with the following categories of recipients:

• Other participants in the same event. Photos you upload are shared with everyone the Creator invited to the event, in line with the reveal mechanic and the in-product disclosures. The Creator can also download the originals.
• Service providers we rely on to run the Service, acting as our processors under written agreements: Supabase Inc. (authentication, database, file storage, edge functions); Stripe, Inc. (payments); Resend (transactional email); Vercel Inc. (hosting and content delivery); Google LLC (optional sign-in, where enabled).
• Professional advisers (lawyers, accountants, auditors), where reasonably necessary.
• Authorities and other parties where required by law, in response to a valid legal process, or where we believe in good faith that disclosure is necessary to protect rights, safety, or the integrity of the Service. For child sexual exploitation, we will preserve and report content as the law requires.
• A successor entity in the event of a corporate transaction (merger, acquisition, financing, restructuring, asset sale, or similar), in which case the receiving party will be bound to handle the information consistently with this Policy or, if changes are required, on at least 30 days' notice to you.

We do not provide your personal information to advertisers, data brokers, or third-party AI training providers.

We operate from Canada, but our service providers may store and process your information in the United States, the European Union, and other jurisdictions. Where applicable law (including PIPA, PIPEDA, and the GDPR) requires it, we put in place appropriate transfer safeguards — for example, contractual protections with our processors and use of regions or commitments offered by them to meet adequacy or comparable standards. You may contact team@everseedventures.com for more detail on the safeguards that apply to a specific transfer.

• Account information: kept while your account exists. If you delete your account, we delete the account record and de-identify or delete associated personal information within 30 days, subject to legal-hold and backup-retention exceptions.
• Event content (photos, captions, event metadata): kept for the lifetime of the event and for a reasonable archival period thereafter, typically up to 12 months after the reveal date unless the Creator deletes the event sooner or asks us to delete it. We may shorten this period as the Service evolves; we will not extend it without notice.
• Payment records: kept for the period required by Canadian tax and accounting law (currently up to 7 years).
• Server logs: kept for up to 90 days for the purposes described above, then deleted or aggregated.
• Reports of abuse and associated content: kept for the period necessary to investigate and to defend against any related claim, and for the period required by law where we are obliged to report content to authorities.

Encrypted backups may retain copies of deleted data for a short additional period before they cycle out.

Subject to the limits of applicable law, you have the right to:

• Access the personal information we hold about you and receive a copy in a portable format.
• Ask us to correct information that is inaccurate or incomplete.
• Ask us to delete information we no longer have a lawful basis to keep, and to delete content you have uploaded (subject to any legal-hold requirements).
• Object to or ask us to restrict certain processing.
• Withdraw consent (for example, unsubscribe from marketing emails) without affecting the lawfulness of prior processing.
• File a complaint with a supervisory authority — in Alberta, the Office of the Information and Privacy Commissioner of Alberta (https://oipc.ab.ca); federally in Canada, the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca); in the EEA, your national data protection authority; in the UK, the Information Commissioner's Office (https://ico.org.uk).

To exercise any of these rights, write to team@everseedventures.com. We may need to verify your identity before acting on a request. We aim to respond within 30 days of a verified request, or sooner where required by law.

California (CCPA/CPRA)

If you are a California resident, you have the rights described above, including the right to know what we collect, the right to correct or delete it, and the right not to be discriminated against for exercising your rights. We do not sell or share personal information for cross-context behavioural advertising as those terms are defined under California law.

We use commercially reasonable technical and organisational measures to protect personal information, including transport encryption (TLS) for all traffic to and from the Service; encryption at rest for stored photos with the storage provider we use; signed, expiring URLs to serve original-resolution images; row-level security policies in our database to prevent cross-tenant access; least-privilege access for our team; and incident-response procedures.

No system is perfectly secure. If we learn of a personal-information breach that affects you and that we are required to notify under applicable law, we will let you know by email and, where required, file the appropriate reports with the relevant authority within the time the law requires.

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact team@everseedventures.com and we will delete it. Creators are responsible for obtaining the consent required by applicable law before inviting children to an event.

If you are in the EEA or the UK and under 16 (or the minimum age set by your country), please do not use the Service without the involvement of a parent or guardian.

We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, give in-product or email notice to affected users. Your continued use of the Service after a change becomes effective constitutes acceptance of the updated Policy.

Privacy questions, data-subject requests, complaints, abuse reports, and legal notices all go to team@everseedventures.com. For general questions you can also write to hello@filmo.cam. A mailing address for service of legal process is available on written request.