Privacy Policy

Last updated: June 2026

This Privacy Policy explains how Chulla Life Inc. ("we", "us", "our") collects, uses, stores, and protects your personal data when you use Xroma ("the Service"). We are committed to handling your data lawfully, transparently, and securely in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Xroma is operated by Chulla Life Inc. We are in the process of registering with the UK Information Commissioner's Office (ICO) and will update this policy with our ICO registration number upon completion. We are not currently required to appoint a Data Protection Officer (DPO).

For all data protection enquiries, please contact: [email protected]

2. Data We Collect and Why

Hosts (account holders)

  • Name and email address — to create and manage your account, send verification and transactional emails
  • Password — stored as a one-way cryptographic hash (PBKDF2); we never store plain-text passwords
  • Event data — event name, type, date, time, location, description — to operate your gallery
  • Payment data — processed entirely by Stripe; we receive only a transaction reference, never your card details
  • Service usage data — event creation dates, photo counts, account activity — to operate and improve the Service

Guests (event participants)

  • Photos uploaded — stored temporarily for the event lifecycle duration
  • Display name — optional, unverified name associated with uploaded photos
  • Guests do not create accounts. We do not collect guest email addresses or any identifying information beyond what they voluntarily provide.

3. Legal Basis for Processing

Under UK GDPR, we process personal data on the following lawful bases:

Processing activity | Lawful basis
Account creation and authentication | Performance of contract (Art. 6.1.b)
Operating your event gallery | Performance of contract (Art. 6.1.b)
Processing payments via Stripe | Performance of contract (Art. 6.1.b)
Sending transactional emails | Performance of contract / Legitimate interests (Art. 6.1.f)
Service improvement and analytics | Legitimate interests (Art. 6.1.f)
Guest photo storage | Legitimate interests of the Host; implicit consent of the uploader
Legal compliance and fraud prevention | Legal obligation (Art. 6.1.c) / Legitimate interests

4. Hosts as Data Controllers for Guest Content

When a Host creates an event and shares the QR code with guests, the Host acts as the independent data controller for the content uploaded by those guests. Chulla Life Inc. acts as a data processor on the Host's behalf for that content. Hosts are responsible for ensuring guests are informed about how their photos will be used and for obtaining any necessary consents under applicable law.

5. Data Storage, Security and International Transfers

Your data is stored on Cloudflare's infrastructure (D1 database and R2 object storage). Cloudflare operates data centres globally, which means your data may be processed outside the United Kingdom. Cloudflare maintains Standard Contractual Clauses (SCCs) and appropriate safeguards for international data transfers. For more information, see Cloudflare's GDPR commitments.

We implement the following security measures to protect your data:

  • All connections encrypted via HTTPS/TLS
  • Passwords hashed with PBKDF2 (never stored in plain text)
  • Authentication via HTTP-only, SameSite cookies (not accessible to JavaScript)
  • Access controls limiting data access to authorised systems only
  • Rate limiting on authentication endpoints to prevent brute-force attacks

No method of transmission over the internet is 100% secure. While we use industry-standard measures, we cannot guarantee absolute security.

6. Data Retention

Account data is retained for as long as your account remains active. Event galleries and all associated photos are automatically and permanently deleted after the event's expiry period (typically 4 days after the event date, or 7 days from manual activation). You are responsible for downloading your photos before expiry — we cannot recover deleted content.

You may request deletion of your account and all associated personal data at any time by contacting [email protected]. We will complete the deletion within 30 days, except where we are required by law to retain certain data.

7. Third-Party Services

We share limited data with the following trusted third parties to operate the Service:

  • Cloudflare — infrastructure, CDN, database, file storage, and DDoS protection. Receives all data stored on the platform. (Privacy Policy)
  • Stripe — payment processing. Receives your name, email address, and billing details to process transactions. We do not store card details. (Privacy Policy)
  • Resend — transactional email delivery. Receives your email address and name to send account and event emails. (Privacy Policy)

We do not sell your data to any third party. We do not use your data for advertising purposes.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — to request a copy of the data we hold about you
  • Right to rectification — to request correction of inaccurate or incomplete data
  • Right to erasure — to request deletion of your data ("right to be forgotten")
  • Right to restriction — to request that we limit how we use your data
  • Right to object — to object to processing based on legitimate interests
  • Right to data portability — to receive your data in a structured, machine-readable format

To exercise any of these rights, contact us at [email protected]. We will respond within one month. In complex cases we may extend this by up to two additional months, in which case we will notify you within the first month. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

Xroma uses a single authentication cookie (xroma_token) strictly necessary for keeping you logged in. This cookie does not track you across other websites and is not used for advertising or analytics. We do not use third-party tracking cookies.

A language preference cookie (xroma_lang) may also be set to remember your language selection. This is a strictly functional cookie.

10. Children

Xroma is not directed at children under 13 years of age. We do not knowingly collect personal data from anyone under 13. If we become aware that a child under 13 has provided us with personal data without appropriate parental consent, we will delete that data promptly. If you believe a child under 13 has used our Service, please contact us at [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email and by displaying a notice on the Service. The date at the top of this page reflects the most recent update. Continued use of the Service after the effective date of any change constitutes your acceptance of the updated policy.

12. Contact and Complaints

For any privacy-related questions, requests, or complaints, contact us at [email protected]. We take privacy concerns seriously and will respond promptly.

If you are not satisfied with our response, you may contact the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113.

Chulla Life Inc. · xroma.app