Privacy Policy

Memories Online is a service operated by We Make Memories ("we," "us," or "our"). This Privacy Policy explains what information we collect from users of our website at we-make-memories.com and our related services (the "Service"), how we use it, who we share it with, and the rights you have over it.

2.1 Information you give us

• Account information. When you sign up, we collect your email address and a password (handled by Amazon Cognito; we don't see plaintext passwords).
• Event content. The names of your events, photos you upload, photos your guests upload to events you host, and any captions, comments, or reactions added to those photos.
• Connected accounts. If you connect Google Drive or Dropbox to sync photos out of an event, we store an encrypted refresh token (encrypted with AWS KMS) so we can keep syncing. We never see or store your Google or Dropbox password.
• Communications. If you email us at privacy@we-make-memories.com or another address, we keep that correspondence to respond and follow up.

2.2 Information collected automatically

• Server logs. Standard request logs (IP address, user agent, requested URL, timestamp). We use these for security, debugging, and abuse prevention. Retained for up to 30 days.
• Essential cookies. We use cookies and similar storage strictly to keep you signed in and to remember your session. We do not use third-party analytics or advertising cookies in the Service.

2.3 Information about guests

When someone uploads a photo to an event using a share code, we store the photo and a display name they provide. If they pin or comment on a photo in the gallery, we store that too. We do not require guests to create an account.

We use the information above to:

• Provide the Service: store your photos, render slideshows, sync to your connected drives, generate ZIP exports.
• Send transactional emails: gallery share links, sync notifications, ZIP-ready notifications, password resets.
• Detect, prevent, and respond to abuse, fraud, and security incidents.
• Comply with legal obligations.
• Improve the Service (debugging, performance, fixing bugs you report).

We do not sell your personal information and we do not use it for advertising.

We share information only as follows:

• Service providers (subprocessors). We run on Amazon Web Services, which hosts our database, file storage, authentication, and email delivery in the United States. AWS processes the data on our behalf under their data processing terms.
• Connected accounts you authorize. If you connect Google Drive or Dropbox, we send your photos to the folder you specify in those services. From that point, the photos are governed by Google's or Dropbox's terms and your account settings there.
• Print partners (only if you opt in). If you choose to order a printed photo book through our Shutterfly partnership, the relevant photos and shipping details are shared with Shutterfly to fulfill your order. We are paid a small affiliate commission. Your data is not shared unless you explicitly start a print order.
• Legal compliance. We may disclose information if required by law, valid subpoena, or court order, or if necessary to protect our rights, property, or the safety of our users.
• Business transfers. If we sell or transfer the business, your information may be transferred as part of that transaction, subject to this Privacy Policy.

You can delete any event you own (which removes all of its photos, comments, sync state, and S3 files) from the Library page. You can also disconnect Google Drive or Dropbox at any time from the event editor. To delete your entire account and all associated data, contact us at privacy@we-make-memories.com.

5.1 California residents (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and share about you.
• Request a copy of the personal information we hold about you.
• Request that we delete your personal information.
• Correct inaccurate personal information.
• Opt out of any "sale" or "sharing" of personal information — though, as noted above, we do not sell or share personal information for cross-context behavioral advertising.
• Be free from retaliation for exercising any of these rights.

To exercise any of these rights, email privacy@we-make-memories.com. We will verify your identity (typically by confirming control of the account email) before acting on the request.

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us at privacy@we-make-memories.com and we will delete it.

• Account data: retained until you delete your account.
• Event content (photos, comments, reactions): retained until you delete the event or your account.
• Sync tokens: retained until you disconnect the relevant provider or delete your account.
• Server logs: up to 30 days, then automatically deleted.
• Backups: deletions propagate to backups within a reasonable rolling window.

We protect information using industry-standard technical and organizational measures, including:

• HTTPS in transit for all API and web traffic.
• Encryption at rest for stored files (AWS S3 server-side encryption) and database items.
• OAuth refresh tokens for Google Drive and Dropbox encrypted with AWS KMS.
• Authentication via Amazon Cognito (passwords are hashed; we never see plaintext).
• Least-privilege access controls for our team.

No system is perfectly secure. If we ever experience a breach affecting your data, we will notify you in accordance with applicable law.

Memories Online is operated from the United States and stores data in U.S. AWS regions. If you access the Service from outside the U.S., you understand that your information will be transferred to and processed in the United States, which may have different data protection laws than your country.

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. For material changes, we will provide more prominent notice (such as an in-app notice or email).

Questions, concerns, or privacy requests? Email privacy@we-make-memories.com.