Deletion and retention
Data deletion
Event Face Finder is designed around event-limited retention. The goal is to delete photos, derivatives, embeddings, access tokens, and search sessions when they are no longer needed for the event.
This MVP deletion policy describes the implemented product flow and known limits. Final response deadlines and country-specific exceptions require legal review.
Guest requests
- Guests can submit removal, report, or deletion requests from the event guest pages.
- Photo-scoped destructive deletion is supported through the support inbox after review.
- Identity-wide deletion is not fully automated yet and requires support review to avoid deleting the wrong person or unrelated group photos.
Organizer and event deletion
- Organizers choose event retention within package limits.
- Retention jobs warn before expiry, mark expired events, queue deletion after the grace period, and block guest search on expired/deleted events.
- Deletion jobs attempt R2 event-prefix cleanup, verify the prefix, remove searchable media and biometric database rows, and store structured deletion proof.
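The verify-then-prove step of the deletion job above, as an added example (not Event Face Finder's own code): it deletes every object under the event prefix, re-lists the prefix as an independent check, and only reports `verified_empty` when nothing remains. The bucket client is a constructed in-memory stand-in; a real job would wrap an S3-compatible client for R2 and page through listings.

```python
import hashlib
from datetime import datetime, timezone


class FakeBucket:
    """Constructed stand-in for an R2 bucket, not a real client.

    `sticky` keys refuse deletion so the failure path can be exercised."""

    def __init__(self, keys, sticky=()):
        self.keys = set(keys)
        self.sticky = set(sticky)

    def list_keys(self, prefix):
        # Real S3/R2 listings are paginated; a production wrapper must drain every page.
        return sorted(k for k in self.keys if k.startswith(prefix))

    def delete_keys(self, keys):
        for k in keys:
            if k not in self.sticky:
                self.keys.discard(k)


def delete_event_prefix(bucket, event_id, now=None):
    """Delete all objects under events/<event_id>/ and return a structured proof.

    The prefix ends with '/' so event 'ev1' can never match objects of 'ev10'.
    The proof carries counts and a digest of the deleted key list rather than the
    key names themselves, so the proof record holds no per-guest object names."""
    prefix = f"events/{event_id}/"
    keys = bucket.list_keys(prefix)
    bucket.delete_keys(keys)
    remaining = bucket.list_keys(prefix)  # independent read after the delete
    digest = hashlib.sha256("\n".join(keys).encode()).hexdigest()
    return {
        "event_id": event_id,
        "prefix": prefix,
        "deleted_count": len(keys) - len(remaining),
        "remaining_count": len(remaining),
        "key_list_sha256": digest,
        "verified_empty": not remaining,  # success is only claimed when the prefix is empty
        "completed_at": (now or datetime.now(timezone.utc)).isoformat(),
    }


if __name__ == "__main__":
    bucket = FakeBucket(["events/ev1/photos/a.jpg", "events/ev1/selfies/s1.jpg",
                         "events/ev10/photos/x.jpg"])  # constructed sample objects
    print(delete_event_prefix(bucket, "ev1"))
```

A job that stores the proof should treat `verified_empty: false` as a failed run to retry and alert on, not as proof of deletion.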
What can remain
- Minimal non-biometric billing, tax, fraud-prevention, support, and audit records may remain when required.
- Those retained records must not include photos, guest selfies, embeddings, access codes, signed media URLs, or raw biometric identifiers.
- Legal, billing, abuse, or privacy holds may pause deletion and must be auditable.
Production validation still required
- Run the R2 deletion smoke test against production-like buckets and archive the proof output.
- Validate live lifecycle rules and EU bucket jurisdiction.
- Add a reviewed identity-wide deletion workflow before school/minor-heavy or high-risk events.