top of page

Privacy Policy

​

Japan
United Kingdom / Europe /United States

​​

​​​​​​​​

Global Privacy Policy

Pomvom™

Last Updated: December 1, 2025

​

Pomvom Ltd. and its affiliated companies (“Pomvom”, “we”, “our”, or “us”) are committed to protecting your personal data. Pomvom provides photo and video services (the “Services”) in theme parks and attractions worldwide (the “Venues”). This policy explains how we collect, use, share, and safeguard your data when you use our services.

​

This policy applies when you:

  • Visit a theme park or attractions where Pomvom provides photo and video services.

  • Use our web application (the “App”) to view, redeem, or purchase your media.

  • Visit our websites or landing pages.

  • Interact with us by email, chatbot, or social media.

  • Work with us as a customer or venue partner (in which case we may process limited personal data about your staff or representatives).

​

The term “personal data” refers to information that identifies an individual or relates to an identifiable individual. For example, personal data is your name, email address, telephone number, and other contact details which you submit to us.

​

Data We Collect 

We receive, collect, and store personal data you provide to us directly, through your use of our Services, or by our automated photography systems.
A.    Venue Visitors

  • Images and videos captured at rides, attractions, self-capture units or by roaming photographers, when you visit the Venues. 

  •  the date, time, and location where your media was captured;

  • Phone number and/or email address.

  • Purchase details, order history, and related metadata such as transaction ID, date and time of purchase, venue information, product identifiers, and payment references (but not full payment card details).

​

B.    Web Application Users  

  • Account ID (automatically generated when you set up an account).

  • Phone number, email address, and if you choose to log in via a social platform, we may receive your social media account details and email address.

  • Purchase details, card BIN and the last four digits of the card number (We do not store full payment card numbers), order history, and related metadata such as transaction ID, date and time of purchase, venue information, product identifiers, currency, payment method used (e.g., card, PayPal), IP address, zip code and country location.

  • Information about your use of the App, including IP address, city location, device/browser/OS details, connection information, language, city location, access and time logs, network logs (including access key), duration of use, bugs and errors data, click stream data and the interactions with the App and features.

  • Marketing communication preferences and consent logs.

  • Images you upload to the App; 

  • AI-generated or AI-modified outputs of your photos (“AI Creations”), and related technical metadata (e.g., timestamps, transformation logs).

​

C.    Communications and Support

  • Ticketing details, chat transcripts, and support history.

  • We may record calls, emails, or screen captures for training, compliance, or quality assurance.

  • Any other information you provide via the “Contact Us” page, chatbot, or by email.

​

D.    Business Partner Personnel
If you are an employee or representative of one of the Venues, business partners, or vendors, we may process:

  • Name, job title, work location, phone number, and email address.

  • Data needed for account management, onboarding, training, proposals, negotiations, billing, and service delivery.

  • Information from third parties for compliance checks.

  • Support tickets and related correspondence.

​​

E.    Data about others

  • If you provide us with personal data about someone else through the Services, you must do so only with that person’s express authorization and after informing them of this Privacy Policy.

 

How We Use Personal Data

We use personal data for the following purposes:

  • To provide the Services and related merchandise, process payments and deliver purchases.

  • To create and manage your registered account, verify your identity, and allow you to securely access, view, and share your media.

  • To operate, maintain, and improve the Services, including developing new features and enhancing existing functionality.

  • To analyze the use of our Services and related operations, including through the aggregation and de-identification of certain data, in order to understand guest engagement, enhance service performance, and support venue operations.

  • To apply AI-powered features, such as background removal, image compositing, overlays, AI cartoon and AI headshot (subject to your choices), to enhance and personalize your media.

  • To solicit your feedback and handle customer service interactions, including responding to inquiries and managing support tickets.

  • To send promotional materials and other communications, where permitted by law or based on your consent.

  • To comply with contractual and legal obligations, industry standards, and our internal policies, to prevent fraud or misuse, and to support law enforcement.

  • To manage relationships with the Venues, business partners, or vendors.

  • To perform any other function for which we provide specific notice at the time of collection.

​

Lawful Basis for Processing

We rely on the following legal bases under data protection laws:

  • Contract: to deliver the Services you request. This includes, for example, creating and managing your account, verifying your identity, providing access to your photos and videos, processing purchases, delivering merchandise, and providing customer service and support. Without this processing, we would not be able to provide the Services you request.

  • Consent: In some cases, we rely on your consent. For example, we will use consent to send you marketing communications by email or SMS, to use certain cookies and tracking technologies, or when you choose to log in through a social media account. You can withdraw your consent at any time.

  • Legitimate interests: We process personal data where it is necessary for our legitimate business interests and where these interests are not overridden by your rights. This includes operating and improving the Services (for example, analyzing usage patterns, fixing errors, and developing new features), ensuring network and information security, preventing fraud and misuse, managing relationships with venue partners and business customers, training our staff, and producing aggregated or statistical information that helps us run the Services more effectively.

  • Legal obligation: We may also process personal data where required to comply with legal duties. This includes, for example, keeping financial and tax records of transactions, retaining information necessary for consumer protection and product safety laws, responding to lawful requests from authorities, or complying with privacy, employment, and other regulatory requirements.

​

Sharing Personal Data


We do not sell, rent, or lease personal data. We may share your information in the following circumstances:

  • Within our group: We may share data internally within our corporate group, subject to confidentiality obligations and this policy.

  • With Venue partners: When you visit a theme park or other attraction, we may share information with the Venue so that they can operate their services. Venues may use this information for their own purposes; please review their privacy notices for details of their practices.

  • With service providers: We engage trusted vendors and service providers worldwide to support our Services and carry out tasks on our behalf. These functions include hosting and security, payment processing, usage analytics, customer support, marketing and business development (including advertising and events), messaging, AI-based media enhancement and manipulation, sales and invoicing, legal and compliance support, and operational or training services. These providers receive only the personal data as necessary and are contractually required to protect it and use it solely to deliver the contracted services.

  • For legal and safety reasons: We may disclose data if we believe it is necessary or appropriate to comply with laws, court orders, or government regulations; respond to lawful requests from authorities; detect, prevent, or address fraud, security, or technical issues; enforce our agreements and policies; protect the rights, property, or safety of Pomvom, our customers, venue partners, or others; or pursue available remedies or limit potential damages. Such disclosures are limited to what is required or permitted by law.

  • Corporate transactions: In the event of a merger, acquisition, or other corporate restructuring, personal data may be transferred to the new entity, provided appropriate safeguards remain in place and this policy continues to apply.

  • With your consent: Any sharing of personal data outside the purposes described above will only occur with your prior consent.

​

International Data Transfer

​

We store and process information, including personal data, in the UK, US, EU, Israel and Japan. Because we operate internationally, and our vendors are global providers, your personal data may be transferred to, stored in, or accessed from countries outside your place of residence. If you are a resident in a jurisdiction where transfer of personal data related to you to another jurisdiction requires consent, then you provide us with your express and unambiguous consent to such transfer.
Whenever such transfers occur, we take appropriate steps to ensure that your personal data receives an adequate level of protection in line with applicable law. This includes relying on adequacy decisions issued by the European Commission or UK authorities (for example, Israel is currently recognized as providing adequate protection), entering into Standard Contractual Clauses (SCCs) with recipients of the data, and in some cases relying on other safeguards such as recognized certification schemes or contractual commitments. These measures are designed to ensure that your rights and protections travel with your data, no matter where it is processed.

​

Data Retention

All captured images are automatically deleted within 45 days of capture, whether purchased or not. Some venues may apply shorter retention periods due to contractual, legal, or technical requirements. To ensure you retain access to your media, we recommend purchasing and downloading it promptly after completing your order. Raw archives stored on local systems at the venue are generally deleted within 30 days. 
User accounts that remain inactive are deleted within 45 days of capture, unless you continue to use the Services. If you have purchased an annual pass from a venue, your account will be retained for 12 months from the date of purchase. When we delete an account or associated personal data from our active systems, limited copies may remain in backups or archives, and certain information may be retained where required for legal, financial, or other legitimate business purposes.
Chatbot transcripts are generally kept for up to 45 days, technical logs such as IP addresses for up to 30 days, and financial records (including billing and invoices) for up to 6–7 years, as required by applicable law.

​

Security Measures

We work hard to protect personal data from unauthorized access, alteration, disclosure, or destruction. The Services are protected by a layered security program that includes physical, technical, and administrative controls, such as network firewalls and filtering, encryption in transit (TLS/SSL) and at rest, strict role-based access with least-privilege and need-to-know, multi-factor authentication for privileged access, data minimization and segregation, secure logging and monitoring, regular audits and vulnerability management, and documented incident-response procedures. Access to personal data is restricted to authorized Pomvom personnel and vetted service providers who are bound by confidentiality and security obligations. 
While we take industry-standard measures and comply with applicable laws, no system can be guaranteed 100% secure; we are not responsible for unauthorized or unintended access beyond our reasonable control. If you believe your privacy has not been handled properly or you become aware of any attempt to access your data without authorization, please contact [email protected]

​

Children & Minors

Our Services are designed for a general audience and are not directed at children under the age of 13 in the United States, 16 in the United Kingdom and the European Union, or 18 in Japan. Children in these age groups are not permitted to create accounts or make purchases directly. Any access to the Services on their behalf must be managed through an account created by a parent or legal guardian, who is responsible for all use of the Services.
As part of our Services, photos and videos may include minors. This media is captured in public attractions but is offered and sold only to the parent or legal guardian, not to the child. The content is processed and safeguarded in accordance with this Privacy Policy, and parents remain in control of accounts and purchases linked to their children’s media. If we become aware that a child has attempted to open an account or purchase directly, we will promptly delete the account and related data.

​

Your Rights and Choices

You have rights regarding your personal data processed by us, which include: 

  • Accessing your data: You can request access to the personal data we hold about you and, for certain data, receive a portable copy.

  • Correcting your data: You can ask us to correct any inaccurate or incomplete information we have about you.

​​

If our processing of your personal data falls under EU or UK data protection laws, you may be also entitled to the following rights (which may apply only in certain circumstances or with specific limitations):

  • Deleting your data: You have the right to request the deletion of your data under specific circumstances.

  • Restricting processing: You can restrict or object to certain data uses, such as direct marketing.

  • Withdrawing consent: You can withdraw your consent at any time if our data processing is based on your consent.

  • Objecting to automated decisions: You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

  • Filing a complaint: You can lodge a complaint with a data protection regulator (e.g., the ICO in the UK, an EU supervisory authority, or relevant US/Japanese regulators).

​​

We may send you marketing communications if you have provided consent or where the law permits. You can opt out of these at any time by using the unsubscribe link in our emails, reply STOP to the message, or contacting us at [email protected]. Even if you opt out of marketing, we may still send non-marketing communications related to your account or transactions (e.g., purchase confirmations or security alerts).


When you use our Service, you agree and consent to the possibility that images containing you and others may be captured, modified, and made available for sale or distribution. Your photograph and/or video may also be viewed by the public on the internet. You can stop using our Service at any time, after which we will stop collecting your personal data. Because our automated photography systems capture images in public attractions, we cannot prevent them from being taken in advance. However, if an image of you has been captured and you do not want us to keep it, you can speak with a member of our staff or contact [email protected] to request its removal. You may still purchase a physical print before requesting removal. Once an image is removed, the deletion is permanent and cannot be reversed.


You can request termination of your account and deletion of your data at any time by contacting us. Once we process such a request, your account information and any associated data (including digital media) will be deleted from our live systems, subject to the retention rules described in this Privacy Policy. It may take additional time before residual copies are fully removed from backup systems. In certain circumstances, we may continue to retain limited personal data as described in this Privacy Policy (for example, to comply with legal obligations or for security, fraud-prevention, and record-keeping purposes). 


To exercise any of these rights or choices, contact [email protected]. We may ask for reasonable information to verify your identity before responding.

​

Cookies & Tracking

We use cookies and similar technologies to provide and secure our Services, keep sessions stable, remember your preferences, analyze how the Services are used, and support marketing campaigns by measuring effectiveness and tailoring content. Some cookies are essential for the proper operation of the Services, while others help us improve performance and enhance your experience. We also use standard analytics tools such as Mixpanel, and may adopt additional tools from time to time, to better understand how visitors interact with the Services; these tools set their own cookies and operate under their own privacy policies (for example, see the Mixpanel Privacy Policy at https://mixpanel.com/legal/privacy-policy). Like many websites, we obtain information when your browser accesses our website or App, and we may use or share anonymous, statistical, or aggregated information with our affiliates for legitimate business purposes, which cannot reasonably be used to identify you. You can manage your cookie preferences at any time through our website footer, which provides more details on the types of cookies we use and how they can be controlled. For more information, please see our Global Cookie Policy

 

AI Processing

We use artificial intelligence (AI) technologies to enhance and personalize your media. These include background removal, overlays, and features such as AI Cartoon and AI Headshot, as well as other tools designed to improve quality and create special effects. AI is used to provide better experience and deliver the features you choose. 

 

Updates

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our Services. Updates take effect once the revised policy is posted, and each version will include a “last updated” date so you can see when it was most recently revised. We encourage you to review this Privacy Policy periodically to stay informed about our current privacy practices.

 

Contact Us

You have any questions or concerns about how we process your personal data, please contact our Data Protection Officer at [email protected]. We will review your inquiry and make good-faith efforts to respond promptly.
Data Protection Officer and EU/UK Representatives

  • Data Protection Officer: [email protected] 

  • EU Representative: C/ Federico Mompou 5, Parque Empresarial Las Tablas, Edificio 1, Planta 3, 28050, Madrid, Spain — [email protected] 

  • UK Representative: Units 3 & 4 Haydock Park Road, Osmaston Park Industrial Estate, Derby DE24 8HT — [email protected] 

 

 

Specific Provisions for U.S. Residents & Notice at Collection

This section applies to visitors, users, and others who reside in the United States. We include it to comply with applicable U.S. state privacy laws, such as the California Consumer Privacy Act (CCPA/CPRA). Terms defined under these laws have the same meaning when used here, and this section prevails if it conflicts with other parts of this Policy.


We collect the categories of personal information described in the section “Data We Collect,” including identifiers (such as name and email), commercial information (such as purchases), internet and network activity, location data, and inferences drawn from this information. We obtain this data directly from you, from your activity on the Services, and from trusted service providers. We use it for the purposes described in this Policy (under section “How We Use Personal Data”), including to provide and improve our Services, support customer service, send marketing (where permitted), comply with legal obligations, and prevent fraud or misuse.


We share personal information with our service providers, affiliates, and venue partners as described in “Sharing Personal Data.” In the preceding twelve (12) months, Pomvom has not sold personal information in exchange for money. However, we have engaged third parties that provide services such as analytics, marketing automation, and user experience, and we allow them to collect limited personal data through our Services. Under the California Consumer Privacy Act (as amended by the CPRA), this may be considered “sharing” for cross-context behavioral advertising. The categories of personal data that may have been shared for these purposes during the past 12 months include: Identifiers (such as unique account IDs, online identifiers, and device information); Internet or network activity information (such as usage data, browsing behavior, and interactions with our Services); Commercial information (such as purchase or transaction history); Location data (approximate location derived from IP address or device settings); Inferences drawn from the information above to help improve or personalize user experience. We do not knowingly sell or share the personal data of minors.


As a U.S. resident, you may have additional rights, including the right to request access to the personal data we hold about you, the right to request deletion, the right to request data portability, and the right not to be discriminated against for exercising your rights. You can exercise these rights by emailing [email protected]. We will need to verify your identity (or that of your authorized representative) before fulfilling your request. We generally respond within 30 days, though we may extend this by an additional 30 days if needed, in which case we will notify you. You may also appeal our decision and, if unsatisfied, submit a complaint to your state Attorney General.


Do Not Sell or Share My Personal Information: Under U.S. state privacy laws, including the California Consumer Privacy Act (as amended by the CPRA), you may have the right to direct us not to “sell” or “share” your personal information. While Pomvom does not sell personal information in exchange for money, we may allow certain third-party service providers (such as analytics and marketing partners) to collect limited data through our Services, which may be considered “sharing” under these laws. If you are a U.S. resident and wish to exercise your right to opt out of such sharing, you can do so by sending an email request to [email protected]


Do Not Track Settings: California law (Cal. Bus. & Prof. Code § 22575) requires us to explain how we respond to “Do Not Track” signals sent by your browser. At present, we do not respond to the Do Not Track settings. “Do Not Track” is a browser preference that allows you to indicate that you do not want your online activity tracked across different websites. For more information about this feature and how to enable it, you can visit www.donottrack.us.

 

Specific Provisions under Japanese Data Protection Laws

This section is provided to comply with Japanese privacy laws, including the Act on the Protection of Personal Information (“APPI”), and applies where those laws govern our processing. In case of any conflict, this section prevails.


The categories of personal data we collect, the purposes for which we use it, and the third parties with whom we share it are described elsewhere in this Privacy Policy. In addition, under the APPI you have specific rights:

  • You may request deletion or suspension of processing of your personal data where it is not necessary to provide, protect, or improve our Services, or to comply with law.

  • You may request access to your personal data, a summary of our data security measures, and a list of third parties with access to your data, including their territories.

​​

To exercise these rights, please contact us at [email protected]. Only you or an authorized representative may submit a request, and we may require sufficient information to verify your identity and understand your request. The entity responsible for managing personal data is Pomvom Ltd., with our Data Protection Officer available at Units 3 & 4 Haydock Park Road, Osmaston Park Industrial Estate, Derby DE24 8HT, UK, or via [email protected].

 

Japanese Right of Portrait

Through the imagic™ system operated by Pomvom, you may be able to download content (such as photos or videos) created by third parties, including WARNER BROS. STUDIOS JAPAN LLC and its vendors (“Content”). Pomvom is not responsible for this Content and the relevant content services operated by the third parties. 
You agree to respect other users’ privacy and other relevant rights and use such Content for private use only. By using any content service provided by third parties, you agree and consent that images which include you together with other people may be captured, modified and included in the Content and sold or otherwise distributed to others. You agree not to assert any portrait right, publicity right, privacy right or any other applicable right in relation to the Content.

​

bottom of page