GDPR Compliance
Last Updated: February 18, 2026
1. Introduction
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing personal data of individuals in the European Economic Area (EEA). At Viallo, we are committed to protecting your privacy and ensuring compliance with GDPR.
This page explains your rights under GDPR and how we comply with these regulations. For more information about how we collect and use your data, please see our Privacy Policy.
2. Data Controller
For the purposes of GDPR, the data controller is:
Company Name:
Zava Solutions LLC
Registered Address:
30 N Gould St Ste N
Sheridan, WY 82801
United States
Contact Email:
3. Your Rights Under GDPR
If you are located in the EEA, you have the following rights regarding your personal data:
3.1 Right to Access
You have the right to request a copy of the personal data we hold about you. This includes:
- What personal data we process
- Why we process it
- Who we share it with
- How long we keep it
- Where it came from
How to exercise:
Access your data through your account settings or email us at [email protected]
3.2 Right to Rectification
You have the right to correct inaccurate or incomplete personal data we hold about you.
How to exercise:
Update your information through your account settings or contact us to make corrections.
3.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
How to exercise:
Delete your account through account settings or email us at [email protected]
Note: We may retain certain data if required by law or for legitimate business purposes (e.g., fraud prevention, legal compliance).
3.4 Right to Restrict Processing
You have the right to request that we restrict processing of your personal data in certain situations:
- You contest the accuracy of the data
- Processing is unlawful but you don't want the data erased
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification
How to exercise:
Email us at [email protected] with your request
3.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
How to exercise:
Export your data through account settings or request a data export by emailing [email protected]
We will provide your data in JSON format, including your albums, photos, and account information.
3.6 Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
How to exercise:
Email us at [email protected] with your objection
3.7 Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.
How to exercise:
Manage your cookie preferences on our Cookie Preferences page, or contact us at [email protected]
3.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with GDPR.
How to exercise:
Contact your local data protection authority. You can find a list of EU supervisory authorities at edpb.europa.eu
4. Legal Basis for Processing
We process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contract performance |
| Storing albums and photos | Contract performance |
| Extracting photo metadata (EXIF) | Contract performance |
| Share link analytics | Legitimate interests |
| Payment processing | Contract performance |
| Analytics cookies (Google Analytics, Meta Pixel) | Consent |
| Service improvement | Legitimate interests |
| Security and fraud prevention | Legitimate interests |
| Legal compliance (e.g., tax records) | Legal obligation |
5. International Data Transfers
Your personal data may be transferred to and processed in countries outside the EEA. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission (where applicable)
- Data Processing Agreements (DPAs) with all processors
Our service providers (Stripe, Google, Apple, Sentry, Meta, Cloudflare, MongoDB, Vercel, Railway, OpenStreetMap (Nominatim), CARTO) may process data outside the EEA depending on the provider and data flow. Where required, we use appropriate safeguards such as SCCs or adequacy decisions and enter into DPAs with relevant providers.
6. Data Retention
We retain your personal data for as long as necessary to:
- Provide the Service to you
- Comply with legal obligations (e.g., tax records for 7 years)
- Resolve disputes and enforce agreements
- Prevent fraud and abuse
| Data Type | Retention Period |
|---|---|
| Active account data | While account is active |
| Deleted account data | Deleted immediately upon request |
| Photos and media | Deleted immediately upon account deletion |
| Payment records | 7 years (legal requirement) |
| Server logs | Retained by hosting provider (Railway, Vercel) per their policies |
| Share link analytics | Stored while share link exists (access log limited to 1,000 entries) |
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All data is transmitted over TLS (HTTPS)
- Password hashing: Passwords are hashed using bcrypt with a high cost factor and are never stored in plain text
- Authentication: Secure JWT tokens stored in httpOnly cookies with CSRF protection
- Access controls: Strict ownership validation ensures users can only access their own data
- Rate limiting: API rate limiting to prevent abuse
- Input validation: All user input is validated and sanitized to prevent injection attacks
- Error monitoring: Automated error tracking with PII redaction
8. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware
- Notify affected individuals without undue delay if there is a high risk
- Provide information about the nature of the breach and remedial actions
9. Children's Data
Our Service is not intended for children under 16 years of age (the minimum age under GDPR). We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any automated processing we perform is used only to improve the Service and does not result in decisions that affect your rights.
Examples of automated processing we use:
- EXIF extraction: Automatic extraction of photo metadata (date, location, camera info) for organizing albums
- Share link analytics: Visitor counting using pseudonymized identifiers derived from IP address and user agent
- Auto-organization: GPS-based clustering of photos into places using location data from photo metadata
11. Share Link Analytics and Public Sharing
Viallo allows you to share albums using share links. Share links can be accessed by people who are not logged in to Viallo. When someone accesses a shared album link, we process limited technical data to provide the share experience, protect the Service, and provide analytics to the album owner.
When a share link is accessed, we may process:
- IP address: Used for security and abuse prevention and may be stored in share link access logs
- User agent string: Used to detect device/browser type and may be stored in share link access logs
- Referrer: If provided by the browser, used to understand how the share link was accessed
- Access timestamps: Date and time of access
- Visitor identifier: A pseudonymous identifier derived from IP address and user agent to estimate unique visitors
Share analytics are intended for the album owner (for example, view counts, unique visitor estimates, and device/browser breakdown). We do not use share link analytics for targeted advertising.
Note: IP addresses and user agent strings may be personal data under GDPR. We treat this information as personal data and process it only for the purposes described above.
12. Third-Party Processors
We work with the following third-party processors who handle your data:
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing for subscriptions | USA (SCCs) |
| Sentry | Error monitoring and performance tracking. May collect error details, device info, and anonymized session replays (with all text masked and media blocked) to diagnose issues. | USA (SCCs) |
| Meta (Facebook) Pixel | Website analytics and conversion tracking. Only activated with your consent (consent-gated for GDPR regions). | USA (SCCs) |
| Google reCAPTCHA | Spam and bot prevention | USA (SCCs) |
| Google Analytics | Website usage analytics. Only activated with your consent (consent-gated for GDPR regions). | USA (SCCs) |
| Google OAuth | Authentication (Sign-In with Google) | USA (SCCs) |
| Apple Sign-In | Authentication | USA (SCCs) |
| Cloudflare R2 | Photo and media file storage | Germany (EU) |
| OpenStreetMap (Nominatim) | Reverse geocoding (we send GPS coordinates to obtain place names) | Global |
| CARTO | Map tiles and basemaps for map display (requests from your device may include IP address and technical data) | Global |
| MongoDB Atlas | Cloud database for account and album data | Configurable (SCCs) |
| Vercel | Web application hosting | Global (SCCs) |
| Railway | API server hosting | USA (SCCs) |
SCCs = Standard Contractual Clauses approved by the European Commission for international data transfers.
All processors are bound by data processing agreements that ensure GDPR compliance.
13. How to Exercise Your Rights
To exercise any of your GDPR rights:
Contact Us:
Email: [email protected]
Subject Line: "GDPR Request - [Your Right]"
Please include your account email and specify which right you wish to exercise. We will respond within 30 days (or 60 days for complex requests).
We may need to verify your identity before processing your request.
14. Updates to This Page
We may update this GDPR compliance page from time to time. We will notify you of significant changes by updating the "Last Updated" date and, where appropriate, sending you an email notification.
Related Documents: Privacy Policy | Terms of Service | Cookie Policy | Cookie Preferences