Fotofren Privacy Policy

Last updated: 15 February 2026

This Privacy Policy explains how Fotofren (“we”, “our”, or “the service”) collects, uses, stores, and protects your personal data when you use the Fotofren platform at app.fotofren.com. It is written to be clear for users and to meet the requirements of the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven).


1. Who is responsible for your data? (Data controller)

The data controller—the party responsible for deciding how your personal data is processed—is:

Fotofren / Nesset Film AS
Email: [email protected]

If you have questions about this policy or want to exercise your rights, contact us at the email above. For GDPR-related complaints you may also contact your local data protection authority (see section 10).


2. What data we collect and why

We only collect and process data that is necessary to provide the service, to run and secure the platform, and to comply with the law.

2.1 Account and profile

Data | Purpose | Legal basis (GDPR)
Email address | Account creation, sign-in, password reset, transactional emails | Contract (Art. 6(1)(b))
Name (optional) | Display in groups (e.g. who uploaded a photo, who invited you) | Contract / consent
Profile image (optional) | Display in the service | Consent
Email verification status | Ensure we can reach you and reduce abuse | Contract / legitimate interest

You can sign up with email and password or via Google. If you use Google, we receive your email and optionally your name and profile picture from Google, in line with Google’s OAuth consent screen.

2.2 Sessions and security

Data | Purpose | Legal basis
Session token, expiry | Keep you logged in securely | Contract
IP address, user agent | Security, abuse prevention, troubleshooting | Legitimate interest (Art. 6(1)(f))

2.3 Groups, photos, and comments

Data | Purpose | Legal basis
Group names and membership | Create and manage groups, show who is in each group | Contract
Photos you upload (image file and optional caption) | Provide the photo-sharing service to your group | Contract
Comments you post | Provide the commenting feature | Contract
Who uploaded/added what and when | Attribution and moderation (e.g. hide/unhide by group owner) | Contract

Content you add (photos, captions, comments) is stored so that you and your group members can use the service. Group owners can hide photos or comments from other members; we do not use this content for advertising or analytics beyond what is needed to run the service.

2.4 Emails we send

We send transactional emails only, for example:

  • New photo in a group (to other group members)
  • Invitation to join Fotofren (when another user invites you)

We use a third-party email provider (Postmark) to send these emails. We do not use your data for marketing or newsletters unless you have explicitly agreed to that in a separate consent.

2.5 Waitlist and invites

If sign-up is gated by a waitlist or invites:

Data | Purpose | Legal basis
Waitlist: email, approval status, approval time/approver | Control who can create an account | Legitimate interest / consent (depending on how you joined the waitlist)
Invites: inviter, invitee email, whether invite was used | Allow invited users to sign up; limit abuse (e.g. invite limits) | Contract / legitimate interest

2.6 Admin and operations

A limited number of administrators can access aggregated statistics (e.g. number of users, groups, photos) and, where necessary, waitlist and invite data, to run the service, fix issues, and prevent abuse. Access is restricted and logged where feasible.


3. How long we keep your data (retention)

  • Account and profile: Until you delete your account (or ask us to delete it). After deletion, we remove or anonymise your data as described in section 6.
  • Sessions: Session data is removed when the session expires or when you sign out.
  • Photos and comments: Stored for as long as the group and the content exist. If you delete a photo or comment, we remove it (and the file, where applicable) from our systems. If you delete your account, we handle your content as part of account deletion.
  • Waitlist: We keep waitlist entries as long as needed to operate the waitlist and sign-up gating; approved entries may be kept for a limited period after approval for audit/abuse prevention, unless you request erasure and we have no legal obligation to retain.
  • Invites: Invite records (inviter, invitee email, used/not used) are kept for the duration of the invite feature and for a limited period thereafter for operational and abuse-prevention purposes.

We may retain certain data longer where required by law (e.g. tax, legal claims) or for legitimate security or abuse-prevention reasons, in line with GDPR.


4. Who we share data with (recipients and subprocessors)

We do not sell your personal data. We share data only as follows:

  • Hosting and database: The application and database are run on infrastructure (e.g. cloud or dedicated servers) that may be operated by third parties. Those providers process data on our instructions to host and run the service.
  • Email (Postmark): We use Postmark to send transactional emails. Recipient email addresses and the content of those emails (e.g. “new photo in [group]”) are sent to Postmark to deliver the message. Postmark is a subprocessor acting on our behalf.
  • Google (OAuth): If you sign in with Google, Google provides us with your email (and optionally name and profile picture) according to your Google account settings and Google’s privacy policy.

We choose service providers that we believe offer adequate safeguards (contracts, and where relevant, standard contractual clauses or other transfer mechanisms) so that your data is protected in line with applicable law.

If we add new subprocessors that process personal data, we will update this policy and, where required by GDPR, inform you or obtain consent as needed.


5. International transfers

Our main systems may be located in the European Economic Area (EEA). Some service providers (e.g. email or hosting) may be in the USA or other countries. When we transfer personal data outside the EEA, we do so only with appropriate safeguards in place, such as:

  • EU-approved standard contractual clauses (SCCs), or
  • A decision by the European Commission that the country ensures an adequate level of protection, or
  • Other mechanisms permitted under GDPR Chapter V.

You can request more detail about the safeguards we use for a specific transfer by contacting us at the email in section 1.


6. Your rights under GDPR (and Norwegian law)

If you are in the EEA (including Norway), you have the following rights in relation to your personal data:

Right | What it means
Access (Art. 15) | You can ask for a copy of the personal data we hold about you.
Rectification (Art. 16) | You can ask us to correct inaccurate or incomplete data (e.g. name, email).
Erasure / “right to be forgotten” (Art. 17) | You can ask us to delete your personal data, subject to legal exceptions (e.g. we must keep some data for legal obligations).
Restriction (Art. 18) | You can ask us to restrict how we use your data in certain situations (e.g. while we verify accuracy).
Data portability (Art. 20) | Where processing is by automated means and based on contract or consent, you can ask for your data in a structured, machine-readable format, and to have it sent to another provider where technically feasible.
Object (Art. 21) | You can object to processing based on legitimate interest (e.g. certain security logging). We will stop unless we have overriding legitimate grounds.
Withdraw consent | Where we rely on your consent, you can withdraw it at any time; that does not affect the lawfulness of processing before withdrawal.
Complaint (Art. 77) | You have the right to lodge a complaint with a supervisory authority, in particular in your country of residence. In Norway: Datatilsynet.

To exercise any of these rights, contact us at the email in section 1. We will respond within the time limits set by law (generally one month under GDPR, extendable where necessary). We may need to verify your identity before fulfilling a request.

Deleting your account: You can delete your account from the application settings (when available) or by asking us. Account deletion will result in removal or anonymisation of your account data, sessions, and your photos and comments, in line with our retention and technical design. Content that others have posted (e.g. comments on your photos) may be retained or anonymised as appropriate.


7. Security

We take reasonable technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised access. This includes secure connections (HTTPS), access controls, and secure storage of credentials and data. No system is completely secure; we encourage you to use a strong password and to keep your login details confidential.


8. Children

The service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will delete it in line with our legal obligations.


9. Changes to this policy

We may update this Privacy Policy from time to time (e.g. when we add features or change providers). We will post the updated version on the service and indicate the “Last updated” and “Effective” dates. If changes are material (especially if they affect how we use your data or your rights), we will notify you by email or a prominent notice in the service before the changes take effect, where required by law.

We encourage you to review this policy periodically.


10. Contact and supervisory authority

Data controller (privacy and data requests):
Fotofren / Nesset Film AS
Email: [email protected]

Supervisory authority (Norway):
Datatilsynet
Datatilsynet – contact and complaint

Other EEA countries: You can find your local data protection authority via the European Data Protection Board: edpb.europa.eu.


This document is the English version of the Fotofren Privacy Policy. A Norwegian translation is provided for convenience; in case of conflict, the English version shall prevail unless otherwise required by applicable law.