In this privacy notice, we inform you about the processing of personal data when using our website or our services.

Personal data is information that relates to an identified or identifiable person. This primarily includes information that allows conclusions to be drawn about your identity, such as your name, telephone number, address or email address. However, personal data also includes certain identifiers such as your IP address or the device ID of the device you are using.

1. Responsible Person and Contact Person

The contact person and data controller for the processing of your personal data when you visit this website is

GotPhoto, Inc., 305 Broadway – Floor 7, New York, NY 10007, United States

Email: privacy@gotphoto.com

If you have any questions about data protection in connection with our services or the use of our website, you can contact us at any time using the above mentioned email address.

2. Data Storage and Integration

2.1 AWS Aurora and AWS DynamoDB

We use AWS Aurora and AWS DynamoDB from Amazon Web Services EMEA Sarl, 38 John F. Kennedy, L-1855, Luxemburg (“AWS”) to store your data. These databases may store the following information:

• Your details: email address, phone number (if applicable), first name, last name
• Subject details: first name, last name, group/grade, teacher, gender, birthdate, organization, address
• Order details: Billing address, purchased products and photos, order amount, order date, delivery address
• Technical data: IP Address, User-Agent / Browser Information, Operating System, Referrer URL, Cookies, Timestamp, Session ID
• Data analytics: location (based on IP address), device/browser information, where did they come from (referral), user behaviour and events (clicks, scrolls, session recordings, task completion, etc)
• Data processing by AWS is necessary to provide you with the secure storage of your data.

The AWS Data Processing Addendum (https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf) is incorporated into the AWS service terms.

Further information can be found in AWS’ privacy policy at https://aws.amazon.com/privacy/.

2.2 Snowflake

We use Snowflake provided by Snowflake Computing Netherlands B.V., FOZ Building, Gustav Mahlerlaan 300-314, 1082 ME Amsterdam, Netherlands (“Snowflake”) as a data warehouse. Snowflake enables us to securely store and analyze all data.

All data in Snowflake is anonymized and encrypted.

Further information can be found at https://www.snowflake.com/privacy-policy/.

2.3 Airbyte

Airbyte provided by Airbyte, Inc., 2261 Market Street, Suite 4381, San Francisco, CA 94114, United States (“Airbyte”) is a powerful data integration engine that enables us to consolidate all of the data processed and stored in the databases and data warehouse listed above. We have an interest in identifying changes in the source file and replicating them in the target system, thus properly synchronizing the data across all systems we use.

For our core data we have deployed the self-managed version of Airbyte in our own infrastructure. The data does not leave our servers and Airbyte has no access to any of the data processed.

2.4 Metabase

Metabase provided by Metabase, Inc., 9740 Campo Rd. Suite 1029, Spring Valley, CA 91977 (“Metabase”) is a data intelligence tool that we use to visualize data, gain insights from such data and share the corresponding reports with our team for collaborative data analysis.

We self-host Metabase on our servers and Metabase has no access to any of the data processed.

Further information on data processing by Metabase can be found at https://www.metabase.com/privacy-policies.

2.5 Wiz.io

We use the Wiz.io cloud security platform, provided by Wiz, Inc. 395 9th Avenue, Floor 52, New York, NY 100001, United States (“Wiz”), to monitor and secure our cloud infrastructure. Wiz enables us to detect vulnerabilities, misconfigurations and potential security risks in the environments where our systems and customer data are hosted.

When operating, Wiz may process the following personal data of our customers:

• Security and access metadata: identifiers contained in system logs, which may indirectly reference customer data.
• System and infrastructure data: cloud resource identifiers that point to customer data storage.
• Scan results and classifications: metadata about security issues and data exposure (e.g. whether a storage bucket or database may contain personal data such as names, contact details, or photographic images).
• Customer and end-customer personal data: Wiz Sensitive Data Scanning may scan and classify files containing personal data that we process for our customers. Wiz does not copy or permanently retain the full contents of such files but may store metadata and limited redacted snippets to enable classification and verification.

We use Wiz for the following purposes:

• To protect our IT systems and the personal data we process on behalf of our customers.
• To identify and remediate vulnerabilities, misconfigurations, and accidental data exposure.
• To comply with our legal obligation under UK GDPR to implement appropriate technical and organisational measures to protect personal data.

We have concluded a data processing agreement with Wiz.

3. Data Processing on our Website

3.1 Accessing our Website / Technical Information

Each time you use our website, we collect technical information that your browser automatically transmits to enable you to visit the website. This technical information consists of the so-called HTTP header information, including the user agent, and includes in particular

• IP address of the requesting device,
• Method (e.g. GET, POST), date and time of the request,
• Address of the requested website and path of the requested file,
• if applicable, the previously accessed website/file (HTTP referrer),
• Information about the browser and operating system used,
• Version of the HTTP protocol, HTTP status code, size of the delivered file,
• Request information such as language, type of content, encoding of content, character sets,
• If applicable, the user name applied for authentication in the case of directory password protection.

The processing of this technical information is absolutely necessary to enable your visit of the website, to ensure the permanent functionality and security of our systems and to maintain our website. The technical information is temporarily stored in internal log files for the purposes described above, limited in content to what is absolutely necessary, in order to find the cause and take action in the event of repeated or criminal access that jeopardizes the stability and security of our website. For these storage purposes your IP address will be anonymized immediately.

3.2 Contact

You have several options to contact us. These include email, telephone, our contact form and our live chat. In this context, we process data exclusively for the purpose of communicating with you.

The data collected by us when you contact us will be automatically deleted after your enquiry has been fully processed, unless we still need this data to fulfil contractual or legal obligations (see section 10 “Storage period”).

3.2.1 Contact Form

The contact form, which can be accessed via our Help Centre (https://help.gotphoto.com/hc/de), is provided by Freshworks Inc, 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, United States, who process your data on our behalf. We have a data processing agreement in place with Freshworks Inc.

Further information on data protection can be found here: https://www.freshworks.com/legal/.

3.2.2 Live Chat (HubSpot)

Our live chat, which is used to improve communication with website visitors, is provided by HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland (“HubSpot”).

In order to answer live enquiries, the chat content you provide is collected and stored for the duration of the chat. We only collect your email address and telephone number, if you voluntarily provide them to us and give us permission to contact you subsequently. The chat will be deleted immediately as soon as the chat conversation has ended.

We have concluded a data processing agreement with HubSpot.

Further information can be found in HubSpot’s privacy policy.

3.3 Registration for Photographers and User Authentication

You have the option to register for a user account in order to use the full range of functionalities of our software and to operate a photography online shop via our platform.

The data fields first and last name, the selection criteria (professional or amateur photographer or photo order), email address, telephone number (optional), desired domain or shop name must be provided by you. Registration is not possible without the provision of this data.

For the operation of the online shop we collect further data if this is necessary for the fulfilment of the contract between us.

3.4 Orders

Photographers have the option to order software licenses or physical products in our online shop. During the ordering process we collect the mandatory information required to fulfil the contract:

• First name and surname,
• Email address,
• Telephone number,
• Billing and shipping address.

3.5 Newsletter

You have the option to subscribe to our newsletter, in which we regularly inform you about webinars, new guides, innovations to our products and promotions.

You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by email or letter) is also sufficient for this purpose.

3.6 Advertising to Existing Customers by Email

If you register for a user account or make a purchase from us, we will also use your contact details to send you further information about our products and services by email (“existing customer advertising”). This may include news, promotions and offers as well as feedback and other surveys.

You can object to the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the contact details given above (e.g. by email or letter).

3.7 Surveys

You have the opportunity to take part in one of our surveys. We use the results of these surveys to improve our service.

You can object to receiving a satisfaction survey and the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the above-mentioned contact details (e.g. by e-mail or letter).

3.8 Contests

In the context of contests, we use your data for the purpose of organizing the contest and notifying the winners. Detailed information can be found in the terms and conditions for the respective contest.

3.9 Job Applications

You can apply for open job positions by email or via our career portal. The purpose of data collection is the selection of applicants for the possible establishment of an employment relationship. In order to process your application, we collect the data you provide (usually: first and last name; email address; application documents such as references and CV; earliest possible starting date for the job; channel through which you became aware of the job advertisement; telephone number; salary expectations). We would like to point out that confidentiality cannot be guaranteed if application documents are sent by email without encryption.

Ashby, Inc, 49 Geary Street, Suite 411, San Francisco, CA, 94108, United States, is providing our career portal and managing applications. We have concluded a data processing contract with the provider. The provider’s privacy policy can be accessed here: https://www.ashbyhq.com/resources/privacy.

We store your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we will store your application data for as long as it is required for the employment relationship and to comply with statutory regulations.

If we reject your application, we will store your application data for a maximum of six months following the rejection, unless you give us your consent to store it for longer. If you have given us explicit consent, we will store your data in our pool of applicants (talent pool) for twelve months after the end of the application process in order to identify any other interesting positions for you and to contact you again if necessary. After this period, the data will be deleted. You can revoke this consent at any time for the future by sending us an email to jobs@fotograf.de.

4. Recruitment

4.1 Sourcing for Recruitment

We use Juicebox PeopleGPT, an AI-powered sourcing and candidate intelligence platform developed by Juicebox App, Inc., 110 South Park Street, San Francisco, CA 94107, United States (“Juicebox”). These tools enable us to identify, research and engage potential candidates more efficiently by leveraging publicly available professional data.

When we use Juicebox the following types of personal data may be processed:

• Publicly available professional profile data, such as: name, job title and employment history, education and qualifications, skills and endorsements, public professional social media (e.g. LinkedIn), blogs or company websites
• Contact details: business emails, where discoverable via public or consented sources)
• Recruitment-related notes and interaction history created by our hiring team

We use Juicebox to discover and evaluate candidates who may be a good fit for open roles, support fair and efficient hiring by surfacing relevant candidate information, enrich our understanding of candidates through publicly available data.

The data surface by Juicebox is collected from publicly accessible sources. We do not store personal data from these sources longer than necessary for recruitment purposes, unless a candidate progresses in the hiring process. Contact details or profile information obtained by Juicebox are not used for marketing and are handled in accordance with this privacy notice and applicable laws.

4.2 Candidate Online Assessment

As part of our job recruitment and selection process, we may invite you to complete one or more online assessments through our assessment platform provider, TestGorilla B.V., Singel 542, 1017 AZ Amsterdam, Netherlands (“TestGorilla”). These assessments are designed to help evaluate your skills, aptitudes, or personality traits in a fair and consistent way across all applicants.

We process your personal data in connection with the use of TestGorilla for the purpose of evaluating your suitability for the role to which you have applied. If you are selected to participate in a TestGorilla assessment, you will be asked to complete the test directly on the TestGorilla platform.

The types of personal data that may be processed during the assessment include:

• First name and surname
• Email addressIP address and browser metadata
• Answers to test questions
• Assessment scores and evaluation results
• Video or webcam recordings
• Demographic information (optional)

Your personal data will be shared with TestGorilla for the purposes of administering the assessment and reporting the results back to us.

We retain assessment data only as long as necessary for the recruitment process and in accordance with our internal retention policy, which means no longer than six months unless you are hired or wish to become part of our talent pool, in which case different rules apply. TestGorilla may retain certain data in accordance with their own retention policy, which includes storing your test scores for benchmarking and psychometric analysis in anonymized form.

4.3 Interview Notes

As part of our recruitment process, we use Metaview, an AI-powered notetaker tool for recruiters, provided by Metaview Global Limited, 21-33 Great Eastern Street, London, EC2A 3EJ, United Kingdom (“Metaview”). When enabled, Metaview records, transcribes and summarises interviews conducted bia video or voice conferencing platforms.

Participation in a recorded interview is voluntary. Your consent will be explicitly requested before any recording takes place. If you do not consent, Metaview will not be activated during your interview and we will proceed without AI-assisted notetaking.

When Metaview is enabled for your interview, the following types of personal data may be processed:

• First name and surname
• Email address

Interview Content:

• Audio and/or video recordings of the interview
• Transcripts and AI-generated summaries of the conversation
• Information you provide during the interview (e.g. responses, professional background)

Technical and Metadata

• Date, time and duration of the interview
• Participants’ roles (e.g. interviewer, candidate)

Additional Technical Information (processed by Metaview for security, performance monitoring and analytics)

• IP address
• Device type, brand and model, operating system
• Language preference
• Location data (general, based on IP)
• Network type and connection speed
• Referral source (how the session was initiated)

The data collected through Metaview is used solely for supporting interviewers with accurate and consistent notes, enhancing fairness and reducing bias in candidate evaluations and improving recruitment workflows and decision making.

We have a data processing agreement in place with Metaview. Data is stored securely in accordance with Metaview’s contractual obligations and applicable data protection law. Interview data will be retained only for as long as necessary to evaluate your application and in accordance with our internal retention policy, which means no longer than six months unless you are hired or wish to become part of our talent pool, in which case different rules apply.

We do not use data collected via Metaview for any purposes unrelated to recruitment, and we do not share it with third parties for marketing or profiling.

5. Use of Tools on the Website or to Provide our Services

Our website and services comprise a range of applications and features (collectively “tools”), that are provided either by us or by third parties.

The tools we use are listed below organized by category. We inform you about the providers of the tools, the collection of data and the transfer of data to third parties.

In the event that the information in the preference management banner contradicts the information in this privacy notice, the information in this privacy notice shall take precedence.

5.1 Technologies Used

Some of the tools used on this website or within our services rely on technologies that enable the storage of, or access to, information on your device, including:

• Cookies: Information stored in the browser, consisting of a cookie name, a value, the storing domain and an expiry date. So-called session cookies are deleted after the session, while other cookies are deleted after the specified expiry date. Cookies can also be removed manually.
• Local Storage / Session Storage: Information stored in the browser, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiry date and remains stored. Information in local and session storage can also be removed manually.
• Fingerprints: Profile stored by a service, created on the basis of automatically transmitted connection information (“passive fingerprinting”) and/or by retrieving the information through scripts (“active fingerprinting”) (in particular IP address, information about end user device, browser, plugins/add-ons, operating system, language, time zone, scripts, fonts, screen resolution, time of access). Fingerprints make it possible to recognize visitors. They cannot be prevented completely. However, active fingerprinting can be reduced or prevented by blocking scripts. In this case, however, most services will no longer work.
• Pixel/ web beacon: A graphic automatically loaded by a service which makes it possible to recognise visitors or, for example, to determine when an email has been opened. Similar to fingerprints, information can be retrieved and profiles can be created. The use of pixels can be prevented by blocking images in emails.

Information about the cookies we use can be found in our cookie declaration at https://www.gotphoto.com/cookie-declaration/. This cookie declaration is automatically generated by Usercentrics.

5.2 Data Processing and Opting-Out

5.2.1 Necessary and Optional Data Processing

We use tools strictly necessary for the operation of our website and the provision of our services. These are used in order to customize the use of our website and to make it as convenient and time-saving as possible. In certain cases, such tools may also be required for the performance of a contract or for taking steps prior to entering into a contract. In these situations, access to and storage of information on your device is essential.

We also use other tools, for instance tools to improve the user experience on our website and to offer you more functions and tools for statistical recording and analysis of general user behavior. In these cases, where legally required, we give you the opportunity to opt out of data processing. Where legally required, you can also refuse to give a tool access to and store information on your device.

5.2.2 Opting Out of Sale/Sharing and Targeted Advertising

In certain U.S. states you have the right to opt out of the sale or sharing of your personal information and of the use of your personal information for targeted advertising. GotPhoto does not sell personal data for money. However, under certain state privacy laws, the use of some third-party analytics and advertising tools (e.g. tools provided by Meta, Google or Microsoft) may be classified as a “sale” or “sharing” of personal information.

To help manage these rights, we use a preference management tool provided by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (“Usercentrics”). The tool generates a banner that informs you about the data processing on our website and gives you the opportunity to opt out of data processing for analytical and advertising purposes. This banner appears the first time you visit our website and when you call up the selection of your settings again to change them. The banner will also appear on subsequent visits if you have deactivated the storage of cookies or if the cookies or information in Usercentrics’ local storage have been deleted or have expired.

When you visit our website, your opt-out choices, your IP address, information about your browser, your device and the time of your visit are transmitted to Usercentrics. Usercentrics also stores the necessary information on your device in order to retain your opt-out preferences. If you delete your cookies or information in local storage, we will ask you to make your choice again when you visit the site at a later date.

5.3 Essential Tools

We use certain tools to enable the basic functions of our website (“essential tools”). Without these tools, we would not be able to provide our service. Access to and storage of information in the end device is absolutely necessary in these cases.

5.3.1 Google Tag Manager

Our website uses Google Tag Manager, a service provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other geographical areas by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).

Google Tag Manager is used exclusively to manage website tools by integrating so-called website tags. A tag is an element that is stored in the source code of our website in order to execute a tool, for example through scripts. If these are optional tools, they will only be integrated by Google Tag Manager with your consent.

Google collects information about the tags integrated through our website for the purpose of ensuring stability and functionality for the use of Google Tag Manager, but generally no personal data is collected, in particular no data about user behavior, the IP address or the pages visited.

We have concluded a data processing agreement with Google Ireland Limited.

Further information can be found in Google’s privacy policy.

5.3.2 Freshdesk (HelpCentre)

We use Freshdesk provided by Freshworks Inc, 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, United States (“Freshworks”) for our HelpCentre.

In our HelpCentre you can, for example, ask questions about our services, the website or our company and leave us a comment.

When using Freshdesk, the IP address of the device and the address of the subpage from which you access Freshdesk are recorded. Moreover, Freshdesk processes all data, messages and other material provided by you through the HelpCentre. This may include your first name, last name, business name, telephone number and email address.

We have a data processing agreement in place with Freshworks Inc.

Further information on data protection can be found here: https://www.freshworks.com/legal/.

5.3.3 jam.dev

We use jam.dev by Jam, Inc., 4806 Ribbecke Ave, Unit B, Austin, TX 78721, United States (“jam.dev”) for incident reporting.

The tool enables us to capture bugs reported by you, diagnose them and resolve technical issues brought to our attention. The bug reports provided by you may include screen recordings displaying personal data. Personal data that may appear on screen recordings, includes names, images, or other identifying information. Recordings are automatically deleted after a specified retention period.

5.3.4 Intercom

Intercom is a provider of proactive customer engagement tools. These tools are provided in the United States by Intercom, Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, United States and for all other geographical areas by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland (together „Intercom“).

We use Intercom to share relevant technical information related to the GotPhoto platform, for instance downtimes, planned maintenance, bugs, new features or significant system changes. Intercom also enables us to offer you context-sensitive help and information in the form of tool tips and product tours as well as guidance around the best usage of the GotPhoto platform. Educating our customers can help them make more money and save time. All this information is displayed in the admin area of our customers’ GotPhoto account.

The following information is processed by Intercom in order to provide the described features: customer first name, last name, email address and basic user behavior (page visits).

We have concluded a data processing agreement with Intercom.

5.4 Functional Tools

We also use optional tools to enhance the user experience on our website and in the provision of our services, as well as to offer additional features (“functional tools”). While these tools are not strictly necessary for the basic operation of the website, they can provide significant benefits, particularly by improving user-friendliness and enabling additional communication, display or payment options.

5.4.1 FIN AI Chatbot

Our website uses FIN, a service provided in the United States by Intercom, Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, United States and for all other geographical areas by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland (together „Intercom“).

FIN is an AI chatbot that uses sophisticated AI language models to automatically solve customer service issues. The AI chatbot understands complex queries, asks clarifying questions and fully converses with the user.

The following information is processed: any personal data contained in questions, data, content or information submitted by you during each conversation with FIN.

FIN uses OpenAI as a sub-processor of any personal data submitted to FIN. Any processing of personal data by OpenAI is governed by a data processing agreement in place between Intercom and OpenAI.

OpenAI has activated zero retention for all customer inputs and outputs. As a result, the inputs and outputs will not be stored by OpenAI. OpenAI is contractually prohibited from using customer data to improve or train its AI model.

We have concluded a data processing agreement with Intercom.

5.4.2 Aircall and AI Voice Agent

We use Aircall as our phone support provider, including Aircall’s AI Voice Agent, an automated system that may handle certain inbound calls at any time, such as when support agents are unavailable, when we receive calls outside of regular business hours or for users, who do not receive live phone support as part of their plan. The service is provided by Aircall.io, Inc., 44 W 28th Street, 14th Floor, New York, NY 10001, United States.

Depending on availability, your call may be answered by either a GotPhoto support agent or the AI Voice Agent. The AI Voice Agent:

• Responds to common questions using AI-generated responses based on a configured knowledge base,
• Collects limited information (your name, contact details and reason for calling), and
• Takes a message for our team to follow up when regular support resumes.

When you interact with our phone support, Aircall processes the following limited personal information on our behalf:

• Contact Information: Name, phone number, email (if provided)
• Call Details and Metadata: Date, time, duration, caller number, routing details
• Intake Responses (AI Voice Agent): Short responses to intake questions (e.g., your name, reason for calling, preferred callback time)
• Call Recordings: All calls, including those handled by the AI Voice Agent, are recorded by default. A notice is provided at the beginning of each call to inform you that the call is being recorded.

The data processed by Aircall is used solely for the following purposes:

• To respond to your inquiry and follow up
• To provide context to our support team
• For quality assurance and internal training
• To operate the phone system and improve support workflows.

When your call is handled by the AI Voice Agent, a message at the start of the call will inform you that you are speaking with GotPhoto’s virtual assistant. This ensures that you are aware when you are interacting with an automated system.

Aircall acts as a service provider to GotPhoto under applicable U.S. privacy laws. Aircall processes your information solely on our behalf and does not use your personal information for its own purposes.

5.4.3 tl;dv

We use the meeting assistant tl;dv provided by tldx Solutions GmbH, Kaiser-Friedrich-Allee 51, 52074 Aachen, Germany (“tl;dv”).

tl;dv records, transcribes and summarizes meetings. It provides valuable insights from the meetings. tl;dv processes the following data:

• Your name and email address to set up meeting
• IP address
• geographical location (approximate)
• operating system, browser type, version
• browser configuration, plugins
• language preferences, cookie data
• pages accessed (date, time, URL, title, length of visit)
• device type, device settings, application IDs, unique device identifiers
• video recording and transcript of the meeting.

More information on data processing by tl;dv can be found here: https://tldv.io/privacy/.

5.4.4 Gong

Gong is a revenue intelligence platform provided by Gong.io, Inc., 201 Spear Street, 13th Floor, San Francisco, CA 94105, United States (“Gong”).

We use Gong to record, transcribe and analyze sales calls. The call recordings are also used for internal training purposes to improve the communication with our (potential) customers.

“Gong bot” joins each scheduled sales call to record the session (both audio and video are recorded). Each call is transcribed from speech to text and analyzed by conversation analytics technology.

Gong processes the following data:

• (Potential) customer’s name, email, phone number, time zone, usually city, state, and country,
• lead status, lifecycle stage
• (Potential) customer’s business address, phone number, GMV, company size, number of heads
• Contract commitment/commitment, history of deals
• Meeting/call/interaction (like a text or email) that we have with the (potential) customer
• We have concluded a data processing agreement with Gong.io, Inc.

5.4.5 Acuity Scheduling

In order to offer free consultation calls with our brand ambassadors, we use a third-party scheduling tool provided by Acuity Scheduling, Inc., headquartered at 225 Varick Street, 12th Floor, New York, NY 10014, United States (“Acuity”).

This tool helps us coordinate appointments with prospective or interested customers in a streamlined way and supports our lead generation and customer engagement efforts.

When you choose to book a call through this system, the following personal data is collected and processed on our behalf by Acuity:

• Identification Data: first name, last name, email address, phone number, and the name of your photo studio.
• Appointment Details: your selected date and time for the session, as well as the name of the GotPhoto brand ambassador providing the consultation.
• Communication Data: content of confirmation emails and reminders related to your scheduled session, and any information provided if you choose to cancel or reschedule (e.g. cancellation reasons).
• Intake Form Data: responses to any custom questions or forms that are configured for the session, such as information about your current needs, business priorities, or specific topics you’d like to cover during the call.

We use this data exclusively for managing and optimizing the consultation scheduling process. Acuity acts as our service provider and processes this data in accordance with our instructions.

5.4.6 Google Meet

Google Meet is a service provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).

We use Google Meet to conduct and record interviews with our (prospective) customers in order to get feedback on our products and services. Google processes the customer’s name and email to set up the interview as well as audio and video recording of the customer during the interview.

Further information on how Google processes data can be found in Google’s privacy policy: https://policies.google.com/privacy.

5.5 Analysis Tools

To improve our website and services, we use optional tools for statistical recording and analysis of general user behavior based on access data (“analysis tools”). We also use such tools to evaluate the effectiveness of our various marketing channels.

5.5.1 Google Universal (Google Analytics)

Our website uses Google Analytics, a service provided in Europe, the Middle East and Africa (EMEA) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other geographical areas by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (together “Google”).

Google Analytics uses JavaScript and pixels to read information on your device, as well as cookies to store information on your device. Google Analytics serves to evaluate your usage behavior and improve our website. We will process the information obtained to analyze your use of the website and to compile reports on website activity for the website operator.

We have chosen the following data protection settings for Google Analytics:

• IP anonymization (shortening of the IP address before evaluation so that no conclusions can be drawn about your identity);
• Automatic deletion of old logs/limitation of storage duration;
• Deactivated Measurement Protocol;
• Deactivated cross-page tracking (Google signals);
• Deactivated data sharing with other Google products and services.

The following data is processed by Google Analytics:

• IP address;
• Referrer URL (previously visited page);
• Pages accessed (date, time, URL, title, length of visit);
• Downloaded files;
• Clicked links to other websites;
• If applicable, achievement of certain goals (conversions);
• Technical information: Operating system; browser type, version and language; device type, make, model and resolution;
• Approximate location (country and, if applicable, city, based on anonymised IP address).

We have concluded a data processing agreement with Google Ireland Limited.

Further information can be found in Google’s privacy policy.

5.5.2 PostHog

Our website uses PostHog, an analysis tool provided by PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, United States (“PostHog”).

PostHog tracks user behavior on and interaction with our website. We use this information to improve product performance, troubleshoot issues and optimize the overall user experience.

PostHog processes anonymized behavioral data such as clicks, page views, session duration, and interaction events.

Further information on data processing by PostHog can be found in https://posthog.com/privacy.

5.5.3 HubSpot

Our website uses an analysis and tracking tool from Hubspot. This tool can be used to monitor and analyze visitors’ interactions with our website. This helps us to attribute your visits to specific campaigns we have created and generally analyze the sources for our website traffic. The tool can recognize and differentiate between new and returning visitors.

The following data is processed by HubSpot:

• IP address
• geographical location
• type of browser
• duration of visit
• websites accessed
• actions you take on our site, such as page views, clicks, form submissions, and other.

We have concluded a data processing agreement with HubSpot.

Further information can be found in HubSpot’s privacy policy.

5.5.4 Microsoft Clarity

Our website uses Clarity, a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States (“Microsoft”).

Clarity is a behavioral analysis tool that captures how you use and interact with our website through metrics, heatmaps, and session replay. In order to do so, the following information is processed: IP address, location, browser information, visited website and subpages, date and time of access to the website, clicks, scrolls and mouse movements. Clarity assigns each user a unique user ID and uses tracking technologies to determine online activity. We use this information for site optimization and advertising.

For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement: https://privacy.microsoft.com/en-gb/privacystatement.

5.6 Marketing Tools

We also use optional tools for advertising purposes (“marketing tools”). Some of the access data collected when you use our website is used for interest-based advertising. By analyzing and evaluating this access data, we are able to show you personalized advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites of other providers.

In the following section, we would like to explain these technologies and the providers used for this in more detail. The data collected may include in particular

• the IP address of the device;
• the information of a cookie or in local storage or session storage;
• the device identifier of mobile devices (e.g. device ID, advertising ID);
• Referrer URL (previously visited page);
• Pages accessed (date, time, URL, title, length of visit);
• Downloaded files;
• Clicked links to other websites;
• If applicable, achievement of certain goals (conversions);
• Technical information: Operating system; browser type, browser version and browser language; device type, device make, device model and device resolution;
• Approximate location (country and city, if applicable).

However, the data collected is only stored under a pseudonym, so that no direct conclusions can be drawn about individuals.

5.6.1 Hubspot

We use Hubspot for tracking and remarketing purposes. Hubspot processes your pseudonymized email address and shares it with Meta Platforms and Google Ads.

This allows us to achieve conversion tracking and optimize our marketing campaigns. By sharing the data with the platforms we are able to retarget a specific audience.

We have concluded a data processing agreement with HubSpot.

Further information can be found in HubSpot’s privacy policy.

5.6.2 Intercom

We use Intercom to market relevant product and service offers to our customers. This marketing information is displayed directly in the admin area of our customers’ GotPhoto account.

The following information is processed by Intercom: customer first name, last name, email address and basic user behavior (page visits).

We have concluded a data processing agreement with Intercom.

5.6.3 Veed.io

We use Veed.io, a video editing platform offered by Veed Limited, 17-18 Clere Street, London, EC2A 4LJ, United Kingdom, to prepare and enhance organic social media videos for publishing on our channels (“Veed”). These videos may contain voices, images, quotes or testimonials of individuals who are employees or our customers and have provided their explicit consent to appear in such content.

Veed provides AI-powered editing functionality, which may involve scanning the internet for keywords or related context for editing purposes. However, Veed is not embedded into our website and does not collect any website visitor data or install cookies through our online presence.

Veed may process the following categories of personal data:

• Audio-visual content including identifiable voices and facial images
• Testimonial statements or quotes.

Veed enables us to edit and optimize uploaded media for our social media communication. It leverages AI capabilities to enhance content, for example with automatic captioning or keyword tagging.

We have concluded a data processing agreement with Veed. Any sub-processors of Veed are bound by data processing agreements as well.

5.6.4 Metricool

We use the social media management platform Metricool, operated by Metricool Software S.L., Calle Téllez, n. 12, Entreplanta H, 28007 Madrid, Spain, for the purpose of planning, publishing and analyzing our presence on social media platforms (“Metricool”). Metricool is not integrated into our website; no scripts or trackers from Metricool are embedded on our site.

When we upload or schedule media content via Metricool, the following categories of third-party personal data may be processed by Metricool on our behalf:

Name, username, handle: posts may include direct mentions or tags of individuals or companies (e.g. @username)
Images or videos containing identifiable individuals: uploaded content (such as photos or videos from events or promotional campaigns) may include individuals who can be identified via facial features, voice or other physical characteristics
Tagged individuals: tags applied to individuals in social media posts (e.g. on Instagram or Facebook)
Links to third-party personal profiles or content: posts may contain URLs that link to personal websites, portfolios, or social profiles of identifiable individuals.

We process personal data in line with applicable data protection laws and only where necessary to manage our social media communications and outreach.

For more details on how we protect third-party data in social media contexts, please refer to section 6. “Online Presences in Social Networks” and section 8. “Disclosure of Data” below.

5.6.5 Meta- Pixel (formerly Facebook- Pixel)

Our website uses the Meta-Pixel service for marketing purposes, which is offered outside the US and Canada by Meta Platforms Ireland Ltd, Serpentine Avenue, Block J, Dublin 4, Ireland and in the US and Canada by Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, United States (together “Meta Platforms”).

We use Meta-Pixel to analyze the general use of our website and to track the effectiveness of Facebook advertising (“conversion tracking”). We also use Meta-Pixel to display personalized advertising messages based on your interest in our products (“retargeting”). This also involves target group remarketing through custom audiences.

Meta Platforms processes data that the service collects via JavaScript, cookies and other technologies on our website. This includes in particular

• HTTP header information such as information about the browser used (e.g. user agent, language);
• Information on events such as “page view”, other object properties and buttons clicked by visitors to the website;
• Online identifiers such as IP addresses and, where provided, Facebook business-related identifiers or device IDs (such as advertising IDs for mobile operating systems) and information on the status of deactivation/restriction of ad tracking.

Meta Platforms acts as our processor for matching, measurement and analysis services, in particular for analysing the use of our website, matching user IDs and creating reports on our advertising campaigns. We have concluded a data processing agreement with Meta Platforms.

In addition, we and Meta Platforms are jointly responsible for the processing of event data for the targeting of advertisements (through the creation and selection of target groups), the delivery of commercial and transactional messages, the improvement of ad delivery and the personalization of functions and content when using Meta-Pixel. The mutual obligations were set out in a joint contract, which can be accessed at the following address:
https://www.facebook.com/legal/controller_addendum.

Meta Platforms also processes the event data for the protection and security of Meta Platforms’ products, for research and development purposes and to maintain the integrity of the products and improve them.

If you are a member of Facebook or Instagram and have allowed Meta Platforms to do so via the privacy settings of your account, Facebook or Instagram may also link the information collected about your visit to our website to your member account and use it for targeted advertising. You can view and change the privacy settings of your Facebook profile at any time: https://www.facebook.com/settings/?tab=ads.

You can prevent the linking of data collected outside Instagram for the display of personalized advertising in Instagram as described here:
https://de-de.facebook.com/help/instagram/2885653514995517?locale=de_DE.

If you opt out of the use of Meta-Pixel, Meta Platforms will only display generic adverts that are not selected based on the information collected about you on this website. Please be advised that an opt-out mechanism is only provided in states, where this is legally required.

Further information, e.g. regarding joint responsibility and contact details, can be found in Meta Platforms’ privacy policy, in particular for the social networks Facebook and Instagram: https://www.facebook.com/about/privacy/.

5.6.6 Google Ads

Our website uses the Google Ads service, which is offered in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).

Applying Google Ads Conversion Tracking we define customer actions (such as clicking on an ad, page views, downloads) that are recorded and analyzed. We use Google Ads Remarketing to show you individualized advertising messages for our products on Google partner websites. Both services use cookies, JavaScript, pixels and other technologies for this purpose.

If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalize ads, depending on the settings stored in your Google account. If you do not desire a link to your Google account, you must log out of Google before visiting our website.

If you opt out of the use of Google Ads, Google will only display general advertising that has not been selected based on the information collected about you on this website. Please be advised that an opt-out mechanism is only provided in states, where this is legally required.

In addition to opting-out, you may deactivate personalized advertising in Google’s advertising settings:
https://adssettings.google.com/anonymous?hl=de.

Further information can be found here:

• in the notice on data use: https://policies.google.com/technologies/ads;
• in Google’s privacy policy: https://policies.google.com/privacy.

5.6.7 Google Marketing Platform and Ad Manager (formerly DoubleClick)

Our website uses Google Marketing Platform and Google Ad Manager, services provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US (together “Google”).

These services use cookies and other technologies to show you adverts that are relevant to you. The use of the services enables Google and its partner websites to display adverts based on previous visits to our or other websites on the Internet.

If you opt out of to the use of Google Marketing Platform and Ad Manager, Google will only display generic advertising that has not been selected based on the information collected about you on this website. Please be advised that an opt-out mechanism is only provided in states, where this is legally required.

In addition to opting-out, you may deactivate personalized advertising in Google’s advertising settings: https://adssettings.google.com/anonymous?hl=de.

Further information can be found here:

• in the notice on data use: https://policies.google.com/technologies/ads;
• in Google’s privacy policy: https://policies.google.com/privacy.

5.6.8 Microsoft Advertising (formerly Bing Ads)

Our website uses Microsoft Advertising, a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”). Microsoft uses JavaScript, cookies and local storage to present you with adverts that are relevant to you. The use of these technologies enables Microsoft and its partner websites to display adverts based on previous visits to our or other websites on the Internet. Microsoft may transfer the data collected in this context for analysis to a server in the US and store the data there.

The following information in the Local Storage is stored and read by Microsoft Advertising:

• “_uetsid”: Session ID;
• “_uetvid”: Recognition of visitors, usage analysis, display of personalized advertising;
• “_uetsid_exp”, “_uetvid_exp”: Information about the expiry date of the information in Local Storage.

In addition to opting-out, you may deactivate the personalised ads in Microsoft Advertising or in the settings for ads in your Microsoft account:

• Personalized ads: https://support.microsoft.com/en-us/topic/personalized-ads-and-your-privacy-4527dbbc-0d52-44cf-8ced-7c7f755b6691;
• Settings for displays: https://account.microsoft.com/privacy/ad-settings/signedout.

Please be advised that an opt-out mechanism is only provided in states, where this is legally required.

Further information can be found in Microsoft’s privacy policy: https://privacy.microsoft.com/en-gb/privacystatement.

5.7 External Media

We also use external media in the form of embedded videos.

In these cases, access to and storage of information in the device is subject to consent.

5.7.1 Wistia

We use the service for hosting and embedding videos from Wistia, Inc., 120 Brookline Street, Cambridge, Massachusetts 02139, US on our website.

Wistia collects data about video usage by the visitor, e.g. how much of the video was viewed, at what point the video was paused or whether it was continued at another point, how many videos were viewed and how often they were viewed. The IP address, device class (desktop, mobile), operating system, browser, embedded URL (page on which the video is played), internet provider, location, region and country, session start time (date and time of the first video view per video) are processed.
The following information is stored in the Local Storage:

• “wistia-video-progress”: Saves whether the user has viewed embedded content;
• “Wistia”: Storage of actions performed on the website.

Further information can be found in Wistia’s privacy policy.

6. Online Presences in Social Networks

We maintain an online presence on social networks in to communicate with customers and interested parties and to provide information about our services. Personal data is generally processed by the social networks themselves for their own purposes, such as market research and advertising. This may include the creation of user profiles and the use of cookies and other identifiers to deliver advertising on the social network or on third-party websites.

For our online presences, we may receive information such as aggregated statistics about the use of these platforms. These statistics may include demographic information (e.g. age, gender, region), data on the interaction with our pages (e.g. likes, comments) and information on which types of content are most relevant to our users. We use this information to improve our content and communication with our audience.

If you interact with us on a social network, for example by commenting on a post or sending us a direct message, the handling of your information is subject to the privacy policy of the social network. If we transfer personal information from a social network to our own systems, for example to follow up on a service request, we are responsible for that processing in accordance with this Privacy Notice.

Some social networks may use the information you provide on our pages for their own advertising or analytics purposes. Depending on where you live, this may be considered a “sale” or “sharing” of personal information under applicable state laws, such as the California Consumer Privacy Act. You have the right to opt out of such “sales” or “sharing”. Please see section 11. “Your Privacy Rights (B2B).

For more information about how each social network processes your data and your privacy choices, please refer to their respective privacy policies, linked below. Requests relating to data processed directly by social networks are best directed to the providers themselves, as only they have full access to the relevant information.

Below is a list with information on the social networks where we have an online presence:

• Facebook, Meta Platforms, Inc.
  • Privacy policy: facebook.com/about/privacy
  • Ad preferences: facebook.com/settings?tab=ads
  • General opt-out: youronlinechoices.com
• Instagram, Meta Platforms, Inc.
  • Privacy policy: help.instagram.com/519522125107875
  • Ad preferences: facebook.com/help/instagram/2885653514995517
• YouTube, Google LLC
  • Privacy policy: policies.google.com/privacy
  • Ad preferences: google.com/settings/ads
• X, X Corp.
  • Privacy policy: x.com/en/privacy
  • Personalization settings: x.com/settings/account/personalization
• LinkedIn, LinkedIn Corporation
  • Privacy policy: linkedin.com/legal/privacy-policy
  • Ad preferences: linkedin.com/psettings/guest-controls/retargeting-opt-out

7. Automated Decision-Making and Profiling

We do not use your personal information to make automated decisions, that produce legal or similarly significant effects for individuals, such as decisions that would determine access to employment, credit, insurance, housing or similar essential services.

While we use analytics and marketing tools to improve our platform and to provide relevant communications to our customers, these activities do not have a legal or similarly significant impact on individuals.

8. Disclosure of Data

We only disclose personal information in the following situations:

• with your consent or where you have not exercised an applicable opt-out right,,
• as required by law (e.g. to comply with a subpoena or lawful request),,
• where necessary to protect our legal rights or the security of our business, or
• as needed to carry out a contract with you or to take steps you have requested before entering into a contract.

We also work with trusted service providers to support our operations. These may include photo labs, data centres that host our website and store our databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. Service providers are only permitted to use personal information to perform their specific tasks on our behalf and we require them to protect it through appropriate contractual and security measures.

In some cases, we may share personal information with third parties, such as advertising partners or social networks, so that they can provide services like analytics or targeted advertising. Depending on where you live, this may be considered a “sale” or “sharing” of personal information under applicable state privacy laws, such as the California Consumer Privacy Act. You have the right to opt out of such “sales” or “sharing”. Please see section 5.2.2 “Opting Out of Sale/Sharing and Targeted Advertising”.

9. Data Transfer to Third Countries

As previously disclosed in this privacy notice, we use services whose providers may be located or process personal data in so-called third countries (outside the US), i.e. countries whose level of data protection may not correspond to that of the US.

Outside of the US, we use providers that process personal data in the European Union, the European Economic Area and the UK. In each case we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers.

10. Storage Period

In principle, we only store personal data for as long as necessary to fulfil the purposes for which we collected the data. We then delete the data immediately, unless we still need to retain the data as evidence for civil law claims (until the statutory limitation period expires) or due to statutory retention obligations.

In accordance with the statute of limitation in the State of New York, claims based on contract expire at the earliest six years from the date of breach. For evidence purposes, we must retain contract data for a period of six years from the end of the contract with you.

Thereafter, we still have to store some of your personal data for accounting, tax, audit and potential litigation reasons. We are obliged to comply with statutory documentation obligations and regulatory requirements that may arise from the New York statute of limitations for written contracts, IRS tax documentation requirements, applicable data privacy legislation, as well as other applicable legislation and established principles. The periods specified for the retention of documents are between three to seven years.

11. Your Privacy Rights (B2B)

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), individuals acting in a business-to-business (B2B) context, such as contractors or representatives of another business, have specific rights regarding their personal data. These rights include:

• Right to Know/Access: You have the right to know what personal data we have collected about you, the purposes for the data collection, and with whom it is shared.
• Right to Correct: You can request that inaccurate or incomplete personal data held by us be corrected.
• Right to Delete: You have the right to request the deletion of personal data collected about you, subject to certain exceptions (e.g., data needed for legal compliance or ongoing business purposes).
• Right to Opt Out of Sale or Sharing: You can opt out of the sale or sharing of your personal data with third parties for monetary or other valuable consideration.
• Right to Data Portability: You can request your personal data in a portable, machine-readable format, enabling you to transfer it to another entity.
• Right to Non-Discrimination: You cannot be denied goods or services, charged different prices, or provided lower-quality services for exercising your privacy rights.
• Right to Transparent Information: We must provide clear and easily accessible information about data collection and processing practices, which we do in this privacy notice.

We are committed to protecting your privacy and ensuring compliance with applicable laws. Please be advised that for individuals outside of California, these rights may not apply in a B2B context. If you wish to exercise your rights or learn more, please contact us at privacy@gotphoto.com.

Depending on your state of residence (e.g. Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Delaware, Florida and others), you may have additional rights under applicable state privacy laws. These rights may include access, correction, deletion, portability, and the right to opt out of certain processing, including targeted advertising and profiling. Please contact us to exercise these rights.

Please note that some use of third-party advertising and analytics providers, such as Meta Platforms, Google, Microsoft and Hubspot, may qualify as a “sale” or “sharing” of personal information under certain state laws. You may opt out of such sale or sharing at any time by using our “Do Not Sell or Share Personal Information” mechanism described in section 5.2.2 “Opting Out of Sale/Sharing and Targeted Advertising”.

To assert your rights described here, you can contact us at any time using the contact details above. This also applies if you wish to receive copies of guarantees to demonstrate an adequate level of data protection. If the respective legal requirements are met, we will comply with your data protection request.

Your requests for the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to seven years and, in individual cases, beyond this period if there is a reason to assert, exercise or defend legal claims.

12. Changes to the Privacy Notice

We occasionally update this privacy notice, for example when we customize our website or when legal or regulatory requirements change.