Why We Delete Your Data (And Why Enterprise Clients Trust Us Because of It)

Our AI photo booths create moments that people genuinely want to share - a conference attendee transformed into a cyberpunk avatar, an F1 fan turned into a racing driver, a product launch guest reimagined in a brand's visual universe. But every one of those moments starts with a photograph of a real person's face.

For the enterprise clients we work with - Lenovo, Dell, SAP, AWS, Rolls-Royce - the question is never just "does the AI look good?" It's "what happens to that photograph after the activation ends?"

This page explains exactly how we handle guest data, what we collect, what we don't, and why our default position is deletion.

Anonymous by Design

The most effective way to protect personal data is to avoid collecting it in the first place.

Our standard workflow is designed to process images without collecting Personally Identifying Information (PII). When a guest steps up to a Primatix booth, we capture a photograph, the AI generates the output, and the result is delivered. We do not require names, email addresses, or phone numbers to process an image.

Where a client requires lead capture - that data collection is an explicit opt-in configured per project, with its own retention policy agreed in advance with the client.

The distinction matters: data collection is never a default. It is always a deliberate, scoped decision made in collaboration with the client's data protection requirements.

How Data Flows Through the System

Transparency about the processing pipeline is what enterprise data protection officers actually want to see. Here is how guest images move through our system:

1. Capture — A photograph is taken at the booth (kiosk, iPad, or guest's own device via BYOD).
2. Processing — The image is sent to our AI pipeline for transformation. The AI generates the styled output.
3. Delivery — The finished image or video is delivered to the guest via the booth screen, QR code download and branded gallery.
4. Deletion — Source images and generated outputs are deleted according to the project's retention policy. The default is deletion once the activation concludes. Clients can specify custom retention windows based on their compliance requirements.

At no point in this pipeline is guest data shared with third parties, used for marketing purposes, or retained beyond the agreed period.

Three Principles We Don't Compromise On

Our Data Protection Policy is aligned with GDPR and CCPA. Every activation we deploy operates on three non-negotiable principles:

Data Minimisation. We collect only what is necessary to deliver the experience. For a photo booth activation, that means the source image and nothing else. We do not require registration, account creation, or personal details to generate an AI image. Where additional data is collected (email for video delivery, lead capture forms), the scope and retention are defined per project and agreed with the client before deployment.

Storage Limitation. Every project has a custom image retention policy documented before the activation begins. Raw source images are deleted first. Generated outputs are retained only for the duration specified by the client — typically to allow guests to download their images from the branded gallery. Once the retention window closes, all data is purged. There is no indefinite storage.

Purpose Limitation. Guest images are used exclusively to generate the AI output for that specific activation. Images are never repurposed for marketing materials, social media, case studies, or any other use without explicit consent. A guest's likeness will never appear in our portfolio or promotional content unless they have specifically agreed to it.

No AI Training on Guest Data

This is the question every enterprise client asks, so we will be direct: no guest images are used to train any AI models.

Guest photographs enter the processing pipeline, the AI generates the output, and the source data exits the system. The AI models we use are pre-trained. They are not learning from, adapting to, or retaining any information from individual guest images.

This applies to every deployment, every client, every market. There are no exceptions and no opt-out required - it is the default.

Compliance Framework

We operate under a compliance framework designed to meet the requirements of multinational enterprise clients deploying activations across multiple jurisdictions.

GDPR (UK and EU)

• Full compliance with the UK GDPR and EU GDPR as our baseline standard
• Data processing agreements available for all client engagements
• Complete support for data subject rights: access, rectification, erasure, and portability
• Documented breach notification procedures with stakeholder communication within required timeframes

CCPA (California / US)

• No sale of personal data — under any circumstances
• Deletion by default satisfies the strictest CCPA retention requirements
• Full support for consumer right-to-know and right-to-delete requests

COPPA (US - Children's Privacy)

• Anonymous-by-design processing means we minimise PII collection from all guests, including minors
• No behavioural tracking, no profiling, no cross-site data collection
• Safe for family-friendly events and activations where children may participate

Information Security Management

• Information security management programme aligned to ISO 27001 principles
• Dedicated processing infrastructure for AI workloads
• Incident response procedures documented and tested

Whether an activation runs in London, Las Vegas, Seoul, or Bucharest, the same compliance framework applies.

What This Means for Your Procurement Process

If you are evaluating AI photo booth providers for an enterprise activation, here is what you can expect from Primatix during the procurement and security review process:

• Data Processing Agreement (DPA) - available on request, covering all standard GDPR controller-processor obligations
• Custom retention policies - configured per project to match your internal data governance requirements
• Security questionnaire responses - we regularly complete enterprise security assessments for clients in financial services, technology, and healthcare
• Dedicated point of contact - for data protection queries during and after the activation

We have been through this process with global brands, agencies, and their legal teams. We understand what enterprise procurement requires and we are set up to support it efficiently.

The Bottom Line

Our position on data is simple: we collect the minimum required to deliver the experience, we process it securely, and we delete it when we're done. Guest data is never sold, never used for AI training, and never retained beyond the agreed period.

That approach is why clients like Dell, SAP, AWS, and Rolls-Royce trust us with their brand activations. And it is why their data protection teams approve us.

If you have specific security or compliance questions about deploying an AI photo booth activation, contact our team directly. We are happy to walk through our data handling processes in detail or provide documentation for your security review.