28 Shots ("we", "us") makes the 28 Shots app and this website. This policy explains what data we collect, why, and what your choices are. We're a small team based in the UK, and this policy is written to actually reflect what the app does — not boilerplate.
28 Shots doesn't have a sign-up flow. Guests join an event by typing a display name — nothing else is collected from them. Hosts and guests are both identified internally by an anonymous device ID generated on first use, via Firebase Anonymous Authentication. We never see or ask for an email address or phone number to use the core app.
We do not sell your data to anyone, and we don't use your photos for advertising, marketing, or model training.
Photos and event data are kept until the host deletes the event, at which point everything tied to it — photos, guest records, bounties, print orders — is permanently deleted from our systems. There's no separate "trash" or recovery period once an event is deleted.
Because 28 Shots is used at real events, photos will often include people who aren't the guest who took them — including, at family events, children. Hosts are responsible for how they use and share the finished gallery once it's downloaded from the app. If you appear in a photo taken at an event and want it removed, contact the event's host directly, or reach us using the details below and we'll help where we can.
If you're in the UK or EU, you have rights under UK/EU GDPR to access, correct, or request deletion of personal data we hold about you. Since most of what we hold is tied to an anonymous device ID rather than an identity we can look up by name or email, the fastest way to exercise these rights is usually through the host of the specific event, or by contacting us with enough detail (event name, approximate date, device) for us to locate the right records.
Questions about this policy or a request regarding your data: hello@28shots.app.
If this policy changes in a material way, we'll update the date at the top of this page.