Privacy Policy

Last updated May 23, 2026

1. Introduction

Buster66, LLC, doing business as (“d/b/a”) High Velocity Photos (“High Velo,” “we,” “us,” or “our”), a Florida limited liability company located at 707 Gentry Ct, Gotha, FL 34734, operates the High Velo Photos platform. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

2. Information We Collect

We collect the following categories of information:

  • Account Information: First name, last name, email address, mobile phone number, mailing address, and date of birth provided during registration.
  • Biometric Data: Facial images and facial recognition embeddings (numerical vectors) when you register a face for photo matching. See Section 4 for details.
  • Photos: Event photos uploaded by photographers and face registration photos uploaded by fans and parents.
  • Usage Data: Pages visited, features used, and interaction patterns to improve the Service.
  • Device Information: Browser type, operating system, and screen size for responsive design optimization.

3. How We Use Your Information

We use your information to:

  • Provide and operate the High Velo Photos platform
  • Match your registered face to event photos using AI facial recognition
  • Send transactional notifications (verification codes, photo match alerts) via email or SMS
  • Send marketing communications if you have opted in (you may unsubscribe at any time)
  • Process marketplace transactions between photographers and fans
  • Improve our AI matching accuracy and platform features
  • Comply with legal obligations

4. Biometric Data & Facial Recognition

Our Service uses Microsoft Azure AI Face API to detect and match faces in photographs. When you register a face:

  • Your facial image is processed to generate a numerical embedding (a mathematical representation of facial features).
  • Embeddings are stored securely in our Azure Cosmos DB database.
  • Embeddings are compared against faces detected in event photos using cosine similarity matching.
  • We do not sell, lease, or trade biometric data to third parties.
  • You may request deletion of all biometric data at any time by contacting privacy@highvelo.com.

You represent that any individual whose face you register is at least 13 years old, and that you are their parent or legal guardian if they are a minor. When registering a face on behalf of a minor, you confirm that you are the parent or legal guardian and have authority to provide consent for the collection and processing of their biometric data.

Faces in uploaded event photographs. Separately from registered faces, when a photographer uploads an event photograph, our facial-recognition technology detects the faces in that photograph and computes a numerical faceprint for each one so the photo can be matched to people who have registered a face. For a face that was not registered by its owner, this faceprint is transient and match-only — it exists only in memory for the moment it takes to perform the match and is then immediately discarded; we do not store it. This processing applies to everyone who appears in an uploaded photograph, including individuals who are not High Velo users. Photographers who upload photographs represent that they have obtained the notices, consents, or releases required by applicable biometric-privacy law (or that an appropriate event or venue notice was provided) for the people who appear in those photographs, as described in our Terms and Conditions. If you appear in an uploaded photograph and want the faceprint derived from your image removed, you may contact privacy@highvelo.com and we will remove the photograph. A self-service subject opt-out / removal path is being built (TODO: link the subject opt-out flow here once it ships — Option C of the biometric design note). Because the faceprint we compute for a detected (non-registered) face is transient and never stored, there is nothing for us to retain — see the Data Retention section below.

5. Data Storage & Security

All data is stored on Microsoft Azure infrastructure located in the United States (East US region). We implement the following security measures:

  • Encrypted data transmission (HTTPS/TLS)
  • Content Security Policy headers to prevent cross-site attacks
  • Time-limited access tokens for photo URLs
  • Rate limiting and input validation on all API endpoints
  • Role-based access controls for administrative functions

6. Third-Party Services

We use the following third-party services to operate our platform:

  • Microsoft Azure: Cloud hosting, database, storage, and AI facial recognition services
  • SendGrid: Transactional and marketing email delivery
  • Twilio: SMS verification and notification delivery

Each provider operates under their own privacy policies and data processing agreements with us.

7. Google Photos & Cloud Import (Picker API)

If you choose to import photos from Google Photos through your Account Storage page, the following terms apply to that integration:

  • We use Google’s Photos Picker API (OAuth scope photospicker.mediaitems.readonly) to let you import photos you have already stored in your personal Google Photos library.
  • We only access photos you explicitly select inside the Google-hosted Picker UI. We never gain read access to your full Google Photos library and we cannot see, list, or download photos you have not selected.
  • The OAuth access token Google issues to us is short-lived (approximately one hour). The accompanying refresh token is retained AES-256-GCM encrypted at rest in our database, partitioned under your own user document, so that we can guarantee revocation propagates to Google when you choose to disconnect. We decrypt the refresh token only when you click Disconnect on the Account Storage page — at which point we call Google’s revocation endpoint to immediately invalidate our access on Google’s side, then delete our local copy. We do not use the refresh token for background sync, library enumeration, or any non-revocation purpose.
  • Photos you select are downloaded from Google’s servers through our Azure Function App and stored in our Azure Blob Storage account (sthvfilesmvp.blob.core.windows.net) at your request. Once imported, they are treated identically to any other user-uploaded photo on High Velo — subject to face matching, package inclusion, and the other choices you make in the Service.
  • We do not share imported Google Photos data with any third party other than the cloud-storage, email, and SMS providers already disclosed in Section 6.
  • You can revoke our Google Photos access at any time from the Account Storage page. Clicking Disconnect decrypts your stored refresh token, posts it to Google’s OAuth revocation endpoint (https://oauth2.googleapis.com/revoke) to immediately invalidate any token we hold on Google’s side, and then deletes our local copy of the encrypted token pair from your user record. Imported photos that already live in our storage remain under your control through the standard Delete Photo and Delete Account flows.
  • We do not use Google Photos data for AI training, analytics, advertising, or any purpose other than fulfilling your explicit import request. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

8. Data Sharing

We do not sell, rent, or share your personal information with third parties for their marketing purposes. No mobile information or SMS opt-in consent data will be shared with third parties or affiliates for marketing or promotional purposes. We may share information:

  • With service providers who assist in operating our platform (see Section 6)
  • With photographers when you purchase or request a photo package (limited to the information needed to fulfill the transaction)
  • When required by law, regulation, or legal process
  • To protect the rights, safety, or property of High Velo, our users, or the public

9. Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information via your Account Profile page
  • Delete your face registration photos and biometric data at any time
  • Opt out of marketing communications
  • Request deletion of your account by contacting privacy@highvelo.com

10. Children's Privacy

High Velo Photos is designed to be used by parents and guardians on behalf of minors. We do not knowingly collect personal information directly from children under 13. Face registration for minors must be performed by a parent or legal guardian who consents on their behalf.

11. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our services. You may delete individual face registrations at any time from the My Faces page.

Biometric data (faceprints). We retain your and your child's registered faceprint while your account is active and permanently destroy it within 3 years of your last activity on High Velo, or upon account deletion or your deletion request — whichever comes first.

Faceprints from uploaded event photographs. When we detect a face in an uploaded event photograph that you did not register yourself, the faceprint we compute for it is transient and match-only: it exists only in memory for the moment it takes to match the face against the registered faceprints of people who explicitly enrolled, and it is immediately discarded. We do not store, retain, or reuse it — for any event, in any state, regardless of where the event is located. Durable faceprint storage is reserved exclusively for the faceprint you (or, for a child, their parent or legal guardian) chose to register, which is governed by the 3-year schedule above. If you appear in an uploaded photograph and want the photograph itself removed, contact us at privacy@highvelo.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance of the revised policy.

13. SMS Messaging Program (CTIA / TCPA Disclosures)

Notification messages from HighVelo are organized into three categories, each independently controllable from the Notification Preferences page:

  • System-essential — sign-in verification codes and two-factor authentication (2FA) codes. The channel for these messages (email or SMS) is governed by your sign-in method on the Preferences page; they cannot be opted out of while your account is active.
  • Activity — transactional alerts such as photo match notifications, forum replies, and purchase confirmations. You can enable or disable these independently for email and SMS.
  • Marketing — promotions, product updates, and newsletters. You can enable or disable these independently for email (governed by CAN-SPAM) and SMS (governed by TCPA). Revoking marketing consent on one channel does not affect the other, and does not affect activity or system-essential messages.

If you opt in to SMS on the registration form (or later via the Notification Preferences page), you may receive recurring SMS from HighVelo for the activity and/or marketing categories you have enabled. Your TCPA SMS consent and your CAN-SPAM marketing consent are captured and stored separately, with the date, source page, and disclosure version recorded at the time of opt-in.

Consent is not a condition of purchase or any service. You can create and use a HighVelo account without enabling SMS or marketing. You can opt in or out of any category at any time on the Notification Preferences page; revoking one category leaves the others untouched.

Frequency: Up to approximately 10 messages per month, depending on which categories you have enabled for SMS. Message and data rates may apply through your mobile carrier.

Opt-out: You may opt out at any time by replying STOP to any HighVelo SMS, or by toggling the relevant SMS category off on the Notification Preferences page. After opting out of all SMS categories you will receive a single confirmation SMS, after which no further messages will be sent unless you opt in again. Opting out of SMS does not affect your email notifications, and vice versa.

Help: Reply HELP to any HighVelo SMS for assistance, or email privacy@highvelo.com.

Carriers: Mobile carriers are not liable for delayed or undelivered messages.

Data sharing: No mobile information, phone numbers, or SMS opt-in consent data will be shared with third parties or affiliates for marketing or promotional purposes. All categories of personal information exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. Information sharing is limited to subcontractors that support our messaging program (such as Twilio, our SMS delivery provider) and only as required to deliver the messages you have requested.

Message types & sample messages:

  • 2FA verification: “HighVelo: Your verification code is 123456. Reply STOP to opt out, HELP for help. Msg & data rates may apply.”
  • Photo match alert: “HighVelo: We found 4 new photos of you from Saturday’s event. View at highvelo.com/photos. Reply STOP to opt out.”
  • Purchase confirmation: “HighVelo: Your purchase of ‘Race Day Highlights’ is confirmed. Photos available at highvelo.com/packages. Reply STOP to opt out.”
  • Forum reply: “HighVelo: Someone replied to your post in the community forum. View at highvelo.com/forum. Reply STOP to opt out.”

14. Contact Us

For privacy-related questions or requests, contact us at privacy@highvelo.com.