GDPR & Data Privacy - Sparkbooth desktop application
Sparkbooth is installed desktop software for Windows and macOS. Photo capture, layout rendering, effects, chroma-key, and printing all happen locally on your booth computer. The software contains no analytics, telemetry, or crash-reporting services — no usage data leaves the device on its own.
This article answers the most common data privacy and GDPR questions we receive from customers running compliance reviews.
Who is the software provider?
John Wu Presents LLC 400 Spear, San Francisco, CA 94105, United States
Privacy policy: https://sparkbooth.com/privacy-policy
Who is the data controller for guest data?
You are. Under GDPR, the booth operator is the data controller for guest photos and contact details. Because processing happens locally on your computer, John Wu Presents LLC is generally not a processor of your guest data at all. A processor relationship exists only if you enable one of the optional Sparkbooth-hosted services (AI Photos, QR Code Photos). Third-party integrations (Twilio, Mailgun, Dropbox, and so on) are contracted directly by you under your own accounts — those vendors are your processors, not Sparkbooth subprocessors.
Does Sparkbooth use cloud services or external servers?
Yes, in four narrow cases. Everything else runs locally.
Sparkbooth-operated services:
- Licensing (
secure.sparkbooth.com) — hosted on AWS in us-east-1 (United States). Contacted at startup and roughly monthly to validate your license. The only personal data it holds is your registered email address. - Update check (
dist.sparkbooth.com) — checked at startup. No personal data is transmitted. - AI Photos (
api.ai.sparkbooth.com) — optional, requires a separate subscription, and off by default. Transmits guest photos for AI transformation. Data handling is described on the AI Photos service's own privacy page. - QR Code Photos (
qrcode.photos/ur-pic.com) — optional, requires a separate subscription, and off by default. Hosts guest photos for QR-code retrieval. Data handling is described on the QR Code Photos service's own privacy page.
The UnlimitedBG background-removal add-on is a first-party product that also requires a separate subscription and is off by default. It processes photos locally — photos are not transmitted.
A small utility service on Microsoft Azure (United States) handles Facebook login token exchange and support-request submission (see the support-request question below).
Third-party integrations (optional, your own accounts):
All disabled by default. Each requires you to create your own account with the vendor and enter your own credentials. Data goes directly from your booth computer to the vendor:
- Email delivery: direct SMTP, Gmail, Mailgun (EU endpoint available), SendGrid, Mandrill, Postmark, SparkPost (EU endpoint available)
- Text/MMS delivery: Twilio, Telnyx, Vonage (Nexmo), Vivial Connect
- Cloud storage and galleries: Dropbox, Google Drive, pCloud, SmugMug, ZenFolio, ShootProof
- Social: Facebook, Pinterest, Flickr, Tumblr, Imgur, Evernote
- Cloud background removal: remove.bg, PhotoRoom, Slazzer, removal.ai
- Mailing list: Mailchimp
What personal data does Sparkbooth process?
- Guest photos — captured every session, processed locally. Transmitted only to services you enable.
- Guest contact data (name, email, phone, Twitter handle, comment) — collected only if you enable the corresponding prompt. Every field is individually toggleable and all are off by default. Transmitted only to the delivery or mailing-list service you enable.
- Your license email address — the only personal data held by the Sparkbooth licensing service. It is required to activate, validate, and recover your license, and to email you activation activity.
- Device information — an OS/CPU/RAM capability line written to the local log file at startup. Stays on your machine unless you submit a support request.
- Usage counters (sessions, prints, uploads) — stored locally, never transmitted on their own.
- IP addresses — incidental to any internet connection the software makes, as with any web request.
Sparkbooth contains no advertising SDKs, no analytics services, and no crash reporters.
Is data processed locally or transferred?
Local: camera capture, live preview, photo effects, green screen, layout composition, GIF encoding, printing, photo storage, guest prompts, settings, counters, and logs.
Transferred, and only under these conditions:
- License email + machine fingerprint → Sparkbooth licensing (AWS us-east-1), roughly monthly.
- Guest photos → AI Photos, QR Code Photos, or cloud background removal — only if you enable the feature.
- Guest photo + contact detail → your chosen email/SMS/upload vendor — only if you enable the feature.
- Guest email address → Mailchimp — only if you enable mailing-list submission.
- Diagnostics (see the support-request question below) → Sparkbooth support — only when you submit a support request.
A fully local configuration is possible: with no uploaders or cloud features enabled, no guest data ever leaves the booth computer. License validation needs internet access about once a month; between checks the software runs offline with a grace allowance based on application launches.
What is sent with a support request?
Nothing is ever sent automatically. When you explicitly submit a support request from the About panel, the request includes your email and message, install information (registered license email, application version, activation status), a configuration summary (app mode, printer, save folders, session/print/upload counters), system information, and the local log file (sparkbooth.txt ). No guest contact data is included.
How long is personal data stored?
On your booth computer (under your control):
- Photos — kept indefinitely in your save folder (default
Documents/sparkbooth/, optional dated subfolders) until you delete them. No automatic expiry. - Guest prompt answers — appended to
prompts.txtin the save folder (one line per session, only when prompts are enabled). Kept until you delete the file. - Send-later upload queue — guest photo and contact data held in the local settings database until sent, then cleared; or manually deleted.
- Settings and service credentials — kept in a password-protected local database until you use the in-app settings reset. Note that uninstalling the app does not remove this folder — for complete removal, run
hard-reset.batin the Sparkbooth application folder (Windows) or choose Utilities → Hard Reset from the app's menu bar (macOS), or delete the folder manually. - Log files — kept until you archive or delete them.
- Automatic cleanups: temporary upload files are deleted after each upload; DSLR originals are deleted at session end when "save original photos" is off; Photo Kiosk cache entries expire after 7 days.
On Sparkbooth servers:
- Licensing — your email address is retained for the life of your license. It cannot be deleted while the license exists because it is the key to validating and recovering the license. No guest data is ever held.
- AI Photos / QR Code Photos — retention is governed by each service's own privacy policy, published on the service's website.
On third-party services: governed by each vendor's terms and your own account settings.
How is personal data deleted?
In the standard configuration, all guest data is local to your booth computer only — it is never uploaded to the internet. Deleting the local files deletes the data completely; there are no server-side copies unless you enabled an optional cloud feature.
- Photos,
prompts.txt, and logs — delete the files like any other. The dated-subfolder option (YYYY_MM_DD) makes per-event deletion easy. - Automatic deletions — temp upload files, DSLR originals (when saving originals is off), Photo Kiosk cache after 7 days, and in-memory guest data cleared at the end of every session.
- Settings, credentials, and the upload queue — use the in-app settings reset, or the hard-reset utility:
hard-reset.batin the Sparkbooth application folder (Windows) or Utilities → Hard Reset in the app's menu bar (macOS). Either removes the application-storage folder that uninstalling alone leaves behind. - Sparkbooth licensing — your email is retained while your license is active (see above).
- AI Photos / QR Code Photos — per each service's own privacy policy.
- Third-party services — through your own account with the vendor.
Can retention and deletion be configured?
You can configure:
- Which guest data is collected at all — every prompt field is individually toggleable and off by default. Data never collected never needs deleting.
- Whether photos are saved, and which variants (singles, originals, processed, GIFs).
- The save location and dated-subfolder rotation, which supports a simple per-event deletion routine.
- Whether any cloud feature is enabled at all.
Not configurable in the current version:
- There is no automatic retention period for saved photos, the guest prompt log, or log files — the software does not auto-purge them after a set number of days. Build deletion into your event workflow (for example, delete the event's dated folder and
prompts.txtafter each event).
Compliance documentation
- Privacy policy: https://sparkbooth.com/privacy-policy
- Data processing agreement: No standalone DPA is offered. For standard (local) use, no processor relationship exists, so no DPA is required. The optional hosted services operate under the privacy policies on their websites; if your review requires a DPA for those services, leave them disabled.
- Subprocessors (for Sparkbooth-operated services only): Amazon Web Services (licensing, us-east-1; CloudFront CDN) and Microsoft Azure (support/token relay, US). Vendors you connect yourself are your processors, not Sparkbooth subprocessors.
- Security measures in the software: all network communication over HTTPS/TLS; service credentials stored in a password-protected local database; guest data cleared from memory after every session; no telemetry.
- Certifications: none held. Sparkbooth's local-first architecture means guest personal data does not transit or reside on our infrastructure in the standard configuration — your own device and processes are the primary security boundary.