Data Collection Policy

Effective Date	April 1, 2026
Data Controller	FotoFast Services, Hyderabad, Telangana, India
Data Contact	legal@fotofast.co
Applicable Law	Information Technology Act, 2000 (India) and IT (Amendment) Act, 2008

1. Data Collection Principles

FotoFast collects only the data that is strictly necessary to provide, improve, and secure our services. We are guided by the following principles:

Minimisation: we collect only what we need, nothing more
Transparency: we tell you exactly what we collect and why
Security: all data is stored with encryption and access controls
Time-limitation: we retain data only as long as legally necessary
Purpose limitation: data collected for one purpose is not used for another without consent

2. Complete Data Inventory

2.1 Client Data

Data Element	Purpose	Retention
Full Name	Booking identity, messaging, invoice	3 years
Mobile Number	OTP delivery, booking confirmation	3 years
Event Name	Booking record, photographer briefing	3 years
Event Location	Photographer assignment by area	3 years
Booking Date	Session scheduling, billing	3 years
Session OTPs	Session authentication	30 days post-session
Payment ID	Transaction verification, refunds	7 years (tax law)
Session Duration	Billing calculation	3 years
Client Rating	Photographer quality management	3 years

2.2 Photographer Data

Data Element	Purpose	Retention
Full Name	Network identity, client communication	Engagement + 1 year
Mobile Number	Login authentication, admin communication	Engagement + 1 year
Email Address	Application communication, approvals	Engagement + 1 year
Area of Operation	Booking assignment algorithm	Engagement + 1 year
Skills & Equipment	Service matching, profile	Engagement + 1 year
FotoFast FF ID	Session authentication, unique identifier	Permanent record
GPS Location	Active session safety and accountability	90 days then deleted
Session History	Performance record, payment calculation	3 years
Rating Score	Quality management, removal decisions	3 years

2.3 Session Data

Data Element	Purpose	Retention
Session Start Time	Billing, dispute resolution	3 years
Session End Time	Billing, dispute resolution	3 years
Session Duration	Invoice generation	3 years
GPS Location Logs	Safety, dispute resolution	90 days
OTP Verification Log	Authentication audit trail	90 days
Payment Status	Financial records	7 years

3. Technical Data Storage

3.1 Firebase Firestore (Google Cloud)

All booking, session, photographer, and application data is stored on Google Firebase Firestore. This data is subject to Google's data processing terms. FotoFast has a data processing agreement with Google ensuring your data is handled to international standards.

3.2 Browser LocalStorage

The following data is stored in your browser's localStorage only — never transmitted to FotoFast servers:

ImgBB API key (AI Studio feature — stored only on your device)
Session history thumbnails for AI Studio
Booking history cache for the Track Session page

3.3 Third-Party Data Processors

Razorpay	Payment processing — razorpay.com/privacy
Firebase / Google	Database and hosting — firebase.google.com/support/privacy
ImgBB	Temporary image hosting (AI Studio only) — imgbb.com/tos
Replicate	AI model processing (AI Studio only) — replicate.com/privacy
WhatsApp	Notification delivery — whatsapp.com/legal/privacy-policy

4. GPS Location Data — Full Disclosure

📍 GPS Tracking — Complete Transparency

WHEN: GPS tracking activates ONLY after the photographer enters the client's verified Start OTP. It stops ONLY when the client's End OTP is confirmed.

WHAT: Latitude, longitude, accuracy radius, and timestamp. Updated every 10 seconds during active session.

WHO CAN SEE IT: FotoFast admin panel only. Clients can view current location via a Google Maps link during active sessions.

STORAGE: Location coordinates are stored in Firebase under the booking record and overwritten with each update. Historical location logs are purged after 90 days.

CONSENT: All FotoFast photographers explicitly consent to GPS tracking during sessions as a condition of joining the network.

5. Data Access Controls

Clients	Can view their own booking details and session status
Photographers	Can view only their assigned bookings and session data
FotoFast Admin	Full access via Firebase Auth protected admin panel
Third Parties	No access unless required by law or explicitly consented to

6. Data Breach Procedure

In the event of a data breach that may affect your personal information:

FotoFast will assess the breach within 24 hours of detection
Affected users will be notified via WhatsApp within 72 hours
Notification will include what data was affected, when it occurred, and what steps to take
If required by Indian IT law, we will report to the appropriate authority
A breach report will be published on fotofast.co within 7 days

7. Your Data Rights — How to Exercise Them

Access Request	Email legal@fotofast.co — "Data Access Request" — responded within 14 days
Correction Request	Email — "Data Correction" — corrected within 7 days
Deletion Request	Email — "Delete My Data" — processed within 30 days
Portability Request	Email — "Data Export" — CSV/JSON provided within 14 days
Opt-Out of Marketing	Reply STOP to any FotoFast WhatsApp message — immediate

8. Legal Compliance

🇮🇳 Compliance Statement

FotoFast operates in compliance with the Information Technology Act, 2000 (India), the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and aligns with international best practices including GDPR principles. We are committed to protecting your data and will continue to update our practices as Indian data protection law evolves.

9. Contact

Email	legal@fotofast.co
Website	https://fotofast.co
Address	FotoFast Services, Hyderabad, Telangana — 500001, India
Response Time	All enquiries responded to within 48 hours on business days