Depending on your use of the platform, we may process:

A) Studio Account Data

• Name, email, phone
• Studio/shop details
• Billing and payment information
• Account activity

B) Job & Customer Data (processed on your behalf)

• Photos of individuals
• First and last names
• Class/group/teacher information
• Contact details
• Order and shipping details
• Payment information
• Online shop usage data

This data is uploaded by you or entered by your customers.

C) Technical & Website Data

When you use our website or admin system, we may collect:

• IP address (anonymized where applicable)
• Browser/device information
• Operating system
• Session and usage data
• Interaction events (clicks, visits)

We process personal data to:

• Operate and secure the GotPhoto platform
• Host and provide password-protected galleries
• Process and fulfill orders
• Enable automatic photo sorting
• Send important notifications
• Provide support and resolve issues
• Improve system performance
• Offer product updates, training resources, and relevant communications

We do not process data for unrelated purposes.

Your role depends on how you collect the data:

If you collect data directly from parents or individuals:

You are the Controller (you determine the purpose and means of processing).
We act as your Processor.

If you receive data from a school/nursery under their agreement:

The school is the Controller.
You are the Processor.
We act as your Subprocessor.

In all cases, we process personal data strictly under the Principal Contract with you.

Yes.

We process personal data:

• Only as contractually agreed
• Only based on your documented instructions
• Or where legally required

If we believe an instruction violates the law, we will notify you.

You may send instructions to: privacy@gotphoto.com

If a parent, student, or customer contacts us about:

• Access
• Correction
• Deletion
• “Do Not Sell” requests
• Unsubscribe requests

We will:

1. Direct them back to you (the Studio)
2. Notify you of the request
3. Act only based on your instructions

We do not independently decide how to respond to individual rights requests unless legally required.

• Securely storing your photos
• Creating thumbnails and previews
• Reproducing images for prints and photo products
• Adjusting or formatting files for production
• Displaying images in online galleries (including password-protected galleries)
• Processing and fulfilling customer orders

No. We do not sell personal data for money.

However, some analytics and advertising technologies may legally qualify as “sharing” under certain U.S. state laws. Where required, we provide opt-out mechanisms via our preference management system.

We use established and secure infrastructure providers, including:

• AWS (Aurora and DynamoDB) for secure database storage based in the European Union (Frankfurt, Germany)
• Snowflake as our encrypted data warehouse based in the European Union (Frankfurt, Germany)
• Self-hosted tools for internal data synchronization and reporting
• Cloud security monitoring systems to detect vulnerabilities and prevent data exposure

We implement appropriate technical and organizational safeguards to protect the data we process.

Yes.

Data may be processed:

• In the United States
• In Germany
• In the EU/EEA
• In other jurisdictions with appropriate safeguards

We implement appropriate legal mechanisms for international data transfers.

You confirm that you have provided required notices and obtained necessary consents where applicable.

To operate and improve our platform, we use trusted service providers for:

• Cloud infrastructure and storage
• Payment processing
• Support systems
• Analytics and performance monitoring
• Marketing and communication tools
• Security monitoring

We:

• Carefully select subprocessors
• Contractually require equivalent data protection obligations
• Regularly monitor compliance
• Apply safeguards for international transfers

You authorize us to engage subprocessors under the DPA.

We implement appropriate technical and organizational measures, including:

• Secure cloud infrastructure
• Logical separation of customer data
• Access controls and authentication
• Encryption
• Confidentiality obligations for staff
• Ongoing security monitoring
• Vulnerability detection
• Secure deletion procedures

Our minimum security standards are outlined here:
https://www.gotphoto.com/technical-and-organizational-measures/

We may update measures as technology evolves — but never below agreed standards.

You are responsible for:

• Determining whether processing is lawful
• Obtaining valid consent (especially for minors)
• Providing required notices to individuals
• Ensuring you have authority to share data with us
• If acting as processor, ensuring authorization to engage subprocessors

If a data security breach occurs involving personal data, we will:

• Inform you without undue delay
• Provide relevant details available to us
• Assist you with regulatory reporting obligations (to the extent required by law)

We retain personal data:

• For the duration of the Principal Contract
• As required for legal, accounting, tax, or contractual obligations
• Typically between 3–7 years depending on legal requirements

Upon termination or request:

• We delete personal data processed on your behalf
• We ensure subprocessors delete or return data
• We destroy residual copies in a non-recoverable manner

We may retain limited documentation where legally required.

Depending on your jurisdiction, you may have rights to:

• Access your data
• Correct inaccuracies
• Request deletion (subject to legal exceptions)
• Request portability
• Opt out of sale/sharing (where applicable)
• Appeal denied requests

To exercise your rights:
privacy@gotphoto.com

No.

We do not use automated decision-making that produces legal or similarly significant effects (e.g., credit, employment, insurance decisions).