Reverie
LoginSign Up

Legal

Privacy Policy

Last updated: May 25, 2026

This Privacy Policy explains how Reverie processes personal data for accounts, private event galleries, QR-code access links, image and video uploads, billing, analytics, security, and support.

Controller and contact

Reverie is operated by Christoph Schmatzler, trading as Leuchtturm Software, Bornhövedstr. 17, 23554 Lübeck, Germany. You can contact us at christoph@schmatzler.com. For account, billing, security, analytics, and service-operation data, Christoph Schmatzler, trading as Leuchtturm Software, is the controller under the GDPR.

Event host responsibility

For photos, videos, QR-code access, guest uploads, guest access, and event member data, the event host is usually the controller and Reverie acts as a processor that handles the data on the host's instructions. Event hosts are responsible for telling guests how the gallery is used and for obtaining any permissions required for their event, photographers, guests, children, and identifiable people shown in uploaded media. Event access links and QR codes are credentials; if a host prints or publicly displays them and enables the gallery, anyone who scans or opens the link may view uploaded event media.

What Reverie does

Reverie lets event hosts create private event galleries and share QR-code access links. Guests can open a link in their browser, upload photos or videos, and view gallery media when the host enables gallery access. Hosts and authorized members can manage the event, access links, prompts, billing, uploads, downloads, and media deletion.

Personal data we process

  • Account data, including name, email address, profile image, language, role, email verification state, ban state where relevant, and account timestamps.
  • Authentication and security data, including session identifiers, cookies, IP address, user agent, active event, OAuth identifiers, verification tokens, and login or error events.
  • Event data, including event names, slugs, language, members, invitations, access-link names and tokens, event features, prompts, and settings.
  • Uploaded media, including the original image or video bytes, MIME type, file size, storage key, ETag, media type, technical variants or previews, and timestamps. Media files may also contain metadata embedded by your device, such as camera or location metadata.
  • Billing data, including event billing state, owner name and email, Polar customer and order identifiers, product identifiers, payment state, refund state, checkout return URLs, and customer IP address where Polar checkout needs it.
  • Usage, diagnostics, and observability data, including pages viewed, feature-flag checks, product actions, API paths, request IDs, response status, timing, browser details, error reports, logs, and approximate location inferred by providers.
  • Support messages and other information you send to us.

Purposes and legal bases

  • To provide Reverie, authenticate users, create sessions, maintain event galleries, process uploads, serve previews and downloads, and send service emails: performance of a contract or steps before entering a contract, and legitimate interests in operating the service.
  • To process paid plans, tax-relevant billing records, refunds, chargebacks, and accounting obligations: performance of a contract and legal obligations.
  • To secure Reverie, prevent abuse, enforce access permissions, investigate incidents, and debug errors: legitimate interests in reliability, abuse prevention, and security.
  • To measure product usage, evaluate feature flags, and improve performance and usability: legitimate interests or consent where consent is required.
  • To comply with law, answer lawful requests, preserve claims, and enforce our terms: legal obligations and legitimate interests.

Cookies, local storage, and analytics

Reverie uses cookies and similar browser storage for essential functions such as login, session management, security, event context, local interface preferences, and language settings. We use PostHog for analytics, feature flags, error reporting, and API logs. Where device storage or access is not strictly necessary for the service you requested, we handle it only where legally permitted, including consent where required by the TDDDG and GDPR. You can also restrict cookies and local storage in your browser.

Sharing and service providers

We do not sell personal data. We share data only as needed to provide Reverie, follow your or an event host's instructions, comply with law, protect rights and safety, or enforce our terms. Event media and gallery data may be visible to the event host, authorized event members, guests with a valid access link, and people with whom they share access.

  • Cloudflare for DNS, website hosting, API hosting, Workers, R2 object storage, Images transformations, Queues, Hyperdrive, email sending, security, and related logs.
  • PlanetScale for managed PostgreSQL database infrastructure.
  • Amazon Web Services (AWS) for ECS/Fargate compute, private networking, secrets management, and service logs in Frankfurt.
  • PostHog for analytics, feature flags, diagnostics, error reporting, and logs.
  • Google for optional Google sign-in when you choose to use it.
  • Polar for checkout, payment processing, invoices, taxes, refunds, customer portal, and merchant-of-record services for paid purchases.

International transfers

Reverie is operated from Germany and uses providers that may process data in the EU/EEA, the United States, or other countries. Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards such as adequacy decisions, data processing agreements, standard contractual clauses, and provider security measures where applicable.

Retention and deletion

  • Event media is stored in private object storage and is automatically eligible for deletion 12 months after the most recent upload for that event. Reverie checks for deletion candidates daily and deletes matching media objects and related media records.
  • Uploads are accepted only during the active upload window. Reverie currently blocks new uploads when the latest upload for the event is at least 28 days old, or when the host finalizes the event by requesting a full-gallery export.
  • Account, event, membership, invitation, access-link, prompt, and billing records are kept while needed to provide Reverie, administer the account or event, comply with law, resolve disputes, enforce terms, prevent abuse, and keep legally required business records.
  • Operational logs, analytics, backups, and security records are kept for limited periods according to provider settings and operational needs. Deletion may not remove copies already downloaded, exported, cached, or shared by event hosts, members, or guests.

Security

We use technical and organizational measures designed to protect personal data, including HTTPS, private object storage, permission checks, event roles, access-link revocation, session cookies, email verification, provider secret management, logging, and abuse monitoring. No online service can be guaranteed to be completely secure.

Your rights

Where the GDPR applies, you may have rights to access, correct, delete, restrict, or object to processing of your personal data, as well as data portability and withdrawal of consent. You may also complain to a data protection supervisory authority. To exercise rights, contact us using the email above. For event media controlled by an event host, we may need to involve or refer you to that host.

Children

Reverie is not directed to children. Event hosts must ensure that they have appropriate permission before inviting children or uploading, requesting, displaying, or sharing photos or videos of children. Contact us if you believe a child's personal data has been uploaded without appropriate permission.

Automated decisions

Reverie does not make automated decisions that produce legal effects concerning you or similarly significant effects. We may use automated checks, limits, feature flags, logging, and security signals to operate and protect the service.

Changes

We may update this Privacy Policy when Reverie, our providers, or legal requirements change. Material changes will be communicated in the product or on our website where appropriate. The latest version applies from the date shown on this page.