Privacy Policy

Neighbors Enterprises LLC is a Georgia, USA limited liability company. You can reach us by mail at 4685 Amberwood Trail, Marietta, GA 30062 or by email at privacy@nbrs.app. For other questions, write contact@nbrs.app.

For the Service, NBRS is the "business" under US state privacy laws and the "controller" under the GDPR for data we collect directly from you. For photographs commissioned by a school, club, or other organization, that organization is a joint controller with us — they are responsible for obtaining parental consent under their photo-release agreements before their members are photographed.

We collect the following categories of information:

• Account information. Name, email address, a hashed password, and optionally a phone number, backup email, organization membership, and role.
• Purchase information. Billing name and address, phone number, the last four digits and brand of your card, a Stripe customer / payment-intent identifier, the items purchased, totals, and any tax we calculated. We never see or store full card numbers — that data goes directly from your browser to Stripe.
• Photographs and videos. Imagery captured by our photographers, including images that depict identifiable individuals (which often includes minors aged roughly 8–22), plus the metadata embedded by the camera (capture time, shutter settings, GPS coordinates if the camera recorded them).
• Operational data. Bookings you create, contracts you sign, time-tracking entries for our staff (including arrival selfies and odometer photos), gallery purchases, and media you upload.
• Device and usage data. IP address, browser and operating system, approximate region inferred from IP, pages viewed, timestamps, error logs, and (after you opt in) a push-notification token.
• Cookies and similar technologies. An authentication-session cookie, a theme preference, and short-lived gallery-access tokens. See the cookie section below.

• Directly from you — when you create an account, place an order, fill out a form, or upload a file.
• Automatically — through cookies and server logs as you use the Service.
• From the organization you belong to — a school, club, or team may share a member roster so we know which players are on the field at a given event.
• From our photographers — the imagery captured at the events the organization commissions.

• To deliver the Service — showing you a gallery, processing your order, granting download access, maintaining your account.
• To process payments — through Stripe, which also calculates sales tax based on the address you give us at checkout.
• To detect and prevent fraud and abuse — including new-device sign-in alerts and rate-limiting.
• To improve the Service — first-party, aggregate analytics. We do not share user-level analytics with third-party ad networks.
• To communicate with you — transactional email about your account, orders, and contracts is sent regardless of marketing preferences. Promotional email is only sent if you opt in, and you can unsubscribe at any time.
• To meet tax, accounting, and other legal obligations — including retaining records of sales for the period required by US tax law.
• For AI-assisted photo handling — we may send photographs to Anthropic's Claude API to suggest categorization for our staff, generate captions, or summarize engagement for the owner. Images are sent over TLS and are not used by Anthropic to train models. We disclose this so you understand that an image of you or your child may be processed by a third-party AI provider as part of normal operations.

Our principal jurisdiction is the United States, but if you access the Service from the EU, the UK, or another jurisdiction with a GDPR-style framework, we rely on the following legal bases:

• Performance of a contract — to provide the Service to you (account, gallery access, orders).
• Legitimate interests — to run, secure, and improve the Service, and to fulfill the contract with the organization that commissioned the photography.
• Consent — for opt-in marketing email, push notifications, and any optional processing you separately agree to.
• Legal obligation — to keep tax records and respond to lawful requests.

We share personal data only with the vendors we need to run the Service. They are bound by contract to process the data only on our instructions:

• Stripe, Inc. — payment processing and sales tax calculation.
• Vercel, Inc. — application hosting in the United States.
• Neon, Inc. — the Postgres database that stores account, order, and operational data, hosted in the United States.
• Cloudflare, Inc. — DNS for nbrs.app and R2 object storage for the photographs, videos, and other media we deliver. R2 buckets may be located in the United States or the European Union (see "International transfers" below).
• Resend, Inc. — delivery of transactional and opt-in marketing email.
• Anthropic, PBC — AI-assisted photo categorization, captioning, and engagement summaries. We send images to Anthropic over TLS for these features; Anthropic does not use the data to train its models.
• Apple Inc. — Apple Push Notification service, used only after you opt in.

We may also disclose data when required to do so by law (for example in response to a subpoena), to protect the safety of our users or the public, to enforce these terms, or as part of a corporate transaction such as a merger or acquisition (in which case we will give you notice and an opportunity to opt out where the law requires it).

We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined in the CCPA / CPRA and similar US state laws.

• Account data — while your account is active, and for up to seven (7) years after you close it, so we can comply with our tax and audit obligations.
• Photographs and videos — retained for the term agreed with the organization that commissioned the shoot. After that term we delete the master files unless we are required to keep them for a legal reason.
• Purchase records and tax records — seven (7) years.
• Audit logs — seven (7) years.
• Short-lived purchase / gallery access tokens — 90 days.
• Server and security logs — typically 90 days, longer if needed to investigate an incident.

Most of our infrastructure is hosted in the United States. Cloudflare R2 may store media files in either the United States or the European Union. If you are in the EU, the UK, or Switzerland and your data is transferred to the United States, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) to provide adequate protection.

The Service is not directed at children under 13, and we do not knowingly collect personal information directly from children under 13. Account creation is restricted to adults (18+).

Photographs of minors on the Service are commissioned by the organization the minor is a member of — typically the school program, club, or team. That organization warrants to us that it has the appropriate consent from each minor's parent or legal guardian under the photo-release and media-consent agreements the organization manages. NBRS receives only the resulting photographs; we do not run the parental-consent flow ourselves, and our role is limited to capturing, hosting, and delivering the imagery on the organization's behalf, in a manner consistent with the federal Children's Online Privacy Protection Act (COPPA).

If you are the parent or legal guardian of a minor who appears in a photograph on the Service and you want that photo removed, email privacy@nbrs.app with the gallery link or a description of the image. We will comply within seven (7) business days for credible requests, without charging a fee and without requiring the organization's involvement.

Depending on where you live, you may have some or all of the following rights with respect to your personal information:

• Right to know what we collect, why, and who we share it with.
• Right to access a copy of the personal information we hold about you.
• Right to delete your personal information, subject to legally permitted exceptions (for example tax-record retention, fraud prevention, exercising or defending legal claims, or other narrow exceptions allowed by applicable law).
• Right to correct inaccurate personal information.
• Right to data portability — to receive your data in a portable, commonly used format.
• Right to opt out of the "sale" or "sharing" of personal information and of targeted advertising. As stated above, we do not sell or share in these senses; there is nothing to opt out of, but the right still belongs to you.
• Right to limit the use of sensitive personal information.
• Right to non-discrimination — we will not deny you service, charge you a different price, or provide you a different level of service because you exercised your rights.
• Right to appeal a denial of your rights request. If we deny or partially deny your request, you may appeal by replying to our response within 30 days; we will substantively respond within 60 days of receiving the appeal.

How to exercise. Email privacy@nbrs.app from the address associated with your account, or use the in-app deletion flow at Settings → Personal → Delete account. We will verify your identity by matching the request to the account on file and, if needed, by asking for additional information to confirm we are speaking with the right person. We will respond within 45 days (extendable by 45 more days where allowed by law and we tell you why). Authorized agents may submit requests on your behalf with written authorization.

US state privacy laws (the CCPA / CPRA, VCDPA, CPA, CTDPA, UCPA, and TDPSA) give residents specific rights, all of which we honor as described above.

Categories of personal information we have collected in the prior 12 months map to the CCPA categories: identifiers (name, email, IP); customer records (billing address, phone, card last four); commercial information (purchase history); internet activity (browsing on our Service); geolocation (approximate region from IP only); audio, electronic, visual, or similar information (the photographs and videos); professional or employment-related information (for staff accounts); and inferences drawn from the above (for example which folder of a gallery you have been browsing).

Sensitive personal information. The photographs we host may depict minors. We use this information only to provide and deliver the Service and we do not use it to infer characteristics about you for advertising. If you are a California resident, you have the right to limit our use of sensitive personal information to those permitted purposes — and you already have it: that is the only way we use it.

Sold or shared in the prior 12 months. None.
Disclosed for a business purpose in the prior 12 months. All categories above, to the service providers listed in "Who else sees your data."

California "Shine the Light." Under California Civil Code §1798.83 you may request a list of the categories of personal information we disclosed to third parties for their own direct-marketing purposes in the prior year. We do not disclose personal information for that purpose.

We use industry-standard safeguards to protect your data, including TLS encryption in transit, encryption at rest for stored media and database backups, restricted internal access on a need-to-know basis, audit logging, password hashing through Better Auth, and optional two-factor authentication. No system is perfectly secure; if we ever become aware of a breach affecting your personal information, we will notify you and the relevant regulators as required by law.

We use a small number of first-party cookies and similar technologies:

• Essential — an authentication-session cookie that keeps you signed in, and short-lived tokens that grant access to a gallery you have a link to. These are required for the Service to work.
• Functional — your theme (light / dark) preference and similar UI settings.
• Analytics — first-party usage counters that help us understand which features are used. We do not load third-party advertising or cross-site tracking scripts.

You can clear or block cookies through your browser settings. Blocking essential cookies will prevent you from staying signed in or viewing private galleries.

Do Not Track and Global Privacy Control. Because we do not sell or share personal information for cross-context behavioral advertising, browser-level Do Not Track and Global Privacy Control signals have no additional effect on how we treat your data — there is nothing to opt out of. We will honor the GPC signal as a valid opt-out request for any future processing for which it is required by law.

We may update this policy as the Service evolves. If we make a material change, we will email active account-holders before the change takes effect and post a banner on the Service. Continuing to use the Service after a change means you accept the updated policy.

Privacy requests, photo-removal requests for minors, and data-rights requests:

• Request your data — email privacy@nbrs.app with the subject "Data access request."
• Request photo removal of a minor — email privacy@nbrs.app with the gallery link or a description of the photo and your relationship to the subject. We respond within seven (7) business days.
• Anything else — contact@nbrs.app.
• By mail — Neighbors Enterprises LLC, [BUSINESS ADDRESS], USA.