Last updated: May 2026 • Effective: March 2026
We collect minimal data to deliver face-matched photo experiences at events. Your face data is deleted after 30 days. We never sell your data. You have full control over your privacy at any time.
TIME&SPACE is an event media platform based in Lisbon, Portugal. We provide a face-recognition photo delivery system that helps event guests find and download their photos.
Company: Welcome Objective Unipessoal Lda, trading as TIME&SPACE
NIF: 517881721
Registered office: Lisbon, Portugal
Data Controller: Welcome Objective Unipessoal Lda (TIME&SPACE)
Privacy Contact: [email protected]
Legal Contact: [email protected]
We collect only what's necessary to run the platform. Here's the breakdown:
Your face data is protected under GDPR Article 9 (special category data). Here's how we handle it:
A facial embedding is a mathematical representation of your face (512 numbers). It is not a photo of your face. It cannot be reverse-engineered into an image. It's similar to a fingerprint: unique, but not revealing.
Your face embedding is used only for photo matching. We never share it with third parties, never use it for marketing or advertising, and never build a face database for surveillance.
Under GDPR, we process data for these lawful reasons:
Account data and event photos. Necessary to provide the platform
Biometric data (face embeddings). GDPR Article 9 requires explicit consent for special category data
Fraud prevention, platform security, analytics, and service improvement. Tracking referral link click counts and commission calculations (to operate the referral programme)
Tax records (7 years under Portuguese law), GDPR compliance. IBAN and NIF collected for payout processing are retained under Portuguese tax law (Artigo 123.º CIRS)
When an event organiser activates a sponsor for an event, guest photo downloads may include a sponsor logo watermark. Here is how this works:
The watermark is applied by the event organiser at their instruction. TIME&SPACE merely executes the watermarking configuration.
Guests are informed of active sponsorships on their event gallery page, so they know sponsored content may appear on their downloaded photos.
TIME&SPACE does not receive payment directly for sponsor watermarks. Sponsor arrangements are between the organiser and the sponsor only.
If you participate in the TIME&SPACE referral programme, either as a referrer sharing your link, or as a referred organiser who signed up via a referral link, we process the following data:
Referral attribution and commission calculation: Legitimate interest (operating the referral programme, fraud prevention). Payout processing and financial records: Legal obligation (Portuguese tax law, Artigo 123.º CIRS requires financial records to be kept for 7 years).
You may request deletion of your referral data (click history, attribution, earnings records) at any time by emailing [email protected]. Note that financial records (paid commissions, IBAN, NIF) may be retained for up to 7 years under tax law even after an account deletion request.
Full programme terms are at timeandspace.app/terms#referral.
Deleted automatically after 30 days
Deleted when the event ends or you withdraw consent
Kept for the event's retention period (configurable: 30, 90, or 365 days). Default: 180 days
Retained until you request deletion. You can delete your account anytime.
Kept indefinitely for legal compliance (GDPR proof of consent)
Kept for 7 years (Portuguese tax law, Artigo 123.º CIRS)
Commission records retained for 7 years (Portuguese tax law). IBAN and NIF stored only after a payout is requested; retained for 7 years as financial records. Referral attribution data (who referred whom) retained as long as your account is active, then deleted with your account
Anonymised aggregate data kept for service improvement
Under GDPR and similar privacy laws, you have these rights:
Request a copy of all data we hold about you in a portable format (CSV, JSON)
Request deletion of your account, photos, face data, or consent logs. We will delete within 30 days (some data kept for legal reasons).
Update your account information through your dashboard or request corrections via email
Request that we stop using your data (except for legal obligations)
Export your data in a machine-readable format to move to another service
Opt out of marketing emails, analytics, and certain legitimate interest processing
Withdraw consent for face recognition anytime. No penalty.
To exercise any of these rights, email [email protected] with your request. We will respond within 30 days.
TIME&SPACE is based in the EU (Portugal), and most data is stored in the EU (Supabase). Some processors are based outside the EU (US).
When we transfer data outside the EU, we use Standard Contractual Clauses (SCCs) to ensure equivalent protection. For US processors, we rely on adequacy decisions or adequacy mechanisms.
You have the right to know which countries your data travels to. Contact [email protected] for a list of all data processors and their locations.
The TIME&SPACE mobile app allows registered users to create a guest profile, RSVP to events, follow other users, and discover events. The following data is processed when you use these features:
When you follow another user, your followers can see which public events you have RSVPed to, so they can discover events through your activity. You can set individual RSVPs to private at any time. We show your social context to help others find events. For example, "2 people you follow are going to this event." We do not share your name with other users in this context without your consent.
If you use the AI Concierge tab, your conversation history is stored for up to 30 days. Conversations are private. They are never shared with other users. They are included in your data export (DSAR) and deleted when you delete your account. The Concierge is clearly identified as an AI assistant and does not share your data with any AI training systems.
Legal basis for processing: Legitimate interest (providing the social and discovery features you actively use). You can withdraw from social features at any time by deleting your guest profile in Settings.
Organiser and Photographer accounts can create a public profile page at timeandspace.app/u/[username]. This is optional and fully controlled by you.
Your account email, phone number, billing information, and all private fields are never shown on your public profile.
Your chosen username forms your public URL. Usernames can be changed once every 30 days. When you change your username, your old URL redirects to your new one for 90 days, after which it becomes available to others. Your previous username is stored during this redirect window and permanently deleted once the 90-day window expires.
Your public profile is visible by default once you set a username. You can hide it at any time in Account Settings → Public Profile. Hiding your profile makes the page private but does not delete your username or data. You can re-enable visibility at any time.
Legal basis for processing: Legitimate interest in providing a professional presence on the platform. You can withdraw at any time by hiding your profile or deleting your account.
The TIME&SPACE mobile app may send push notifications. Under EU law, push notifications require your prior consent. We use two separate consent categories:
Notifies you when your photos are ready, or when new photos have been matched to your face at an event. These are functional notifications directly related to the service you are using.
Notifies you about new events, platform features, or promotions. These require separate opt-in consent and are off by default.
You can change your push notification preferences at any time in Settings → Notifications. Withdrawing consent stops future notifications immediately. Your consent choices are logged in our system with a timestamp.
When you download or use the TIME&SPACE app from the Apple App Store or Google Play Store, Apple and Google may collect analytics and diagnostic data according to their own privacy policies. This data is collected by Apple and Google directly, not by TIME&SPACE.
For information on what Apple collects, see apple.com/privacy. For Google, see policies.google.com/privacy.
You have the right to request a full export of all personal data we hold about you (Data Subject Access Request or DSAR). For registered users, this is available directly from your account settings:
You can also request your data by email at [email protected] with subject line "Data Export Request". We will respond within 30 days.
Minimum age: 16 years old, worldwide. There are no country exceptions. This applies to creating a guest profile, RSVPing to events, and using the B2C mobile app. This rule satisfies GDPR Article 8 (EU standard) and exceeds the minimum requirements of COPPA (US, under-13).
At registration, we collect your date of birth. If you are under 16, you will not be able to create an account. The platform shows you a message explaining that you can still use TIME&SPACE at events by scanning the QR code without creating an account. No age restriction applies to anonymous event scanning.
We do not knowingly collect personal data from children under 16. If we discover that a user is under 16, we will delete their account and all associated data immediately.
California (CCPA/COPPA): Our 16+ worldwide gate automatically satisfies COPPA (US children under 13). California residents have the right to know what personal data we collect, request deletion, and opt out of any sale of data. TIME&SPACE does not sell personal data. To exercise CCPA rights, email [email protected] with subject "CCPA Request."
TIME&SPACE is established in Portugal (EU). Our designated DSA contact point for authorities, trusted flaggers, and users making DSA-related requests is:
If you have privacy concerns, you can lodge a complaint with your data protection authority:
Portugal: CNPD (Comissão Nacional de Proteção de Dados)
EU: Contact your national data protection authority (search at edpb.ec.europa.eu)
California (CCPA): See our Children and minimum age section above for full CCPA rights. In summary: TIME&SPACE does not sell personal data. To exercise CCPA rights, email [email protected] with subject "CCPA Request".
You also have the right to use the EU Online Dispute Resolution platform for disputes.
We may update this policy. Material changes will be announced via email and on this page. Continued use after changes means you accept the new policy.
We're committed to being transparent about how we handle your information. If you have any questions or concerns about your privacy, contact us at [email protected].
You also have the right to lodge a complaint with your national data protection authority. We will cooperate fully with any investigation.