GDPR Compliance

Photography Management System by Legacy Photography is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This page outlines how we comply with GDPR requirements and your rights as a data subject.

Our GDPR Commitment

We are committed to:

- Processing personal data lawfully, fairly, and transparently
- Collecting data only for specified, explicit, and legitimate purposes
- Ensuring data is adequate, relevant, and limited to what is necessary
- Keeping personal data accurate and up to date
- Storing data only for as long as necessary
- Processing data securely with appropriate technical and organizational measures

        
Legal Basis for Processing

We process personal data based on the following legal grounds:

- Contract Performance: To provide our photography management services
- Legitimate Interests: For business operations and service improvements
- Legal Obligations: To comply with laws and regulations
- Consent: Where you have explicitly agreed to specific processing

Your Rights Under GDPR

1. Right to Access

You have the right to request a copy of the personal data we hold about you. This includes:

- What personal data we have
- Why we're processing it
- Who we share it with
- How long we keep it

2. Right to Rectification

You can request that we correct any inaccurate or incomplete personal data. We will update your information promptly and notify any third parties if required.

3. Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

- The data is no longer necessary for the original purpose
- You withdraw consent and there's no other legal basis
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed

4. Right to Data Portability

You can request your personal data in a structured, commonly used, and machine-readable format. You can also request that we transfer this data directly to another service provider where technically feasible.

5. Right to Restrict Processing

You can request that we limit how we use your personal data while we:

- Verify the accuracy of data you've contested
- Determine legitimate grounds for processing you've objected to
- Preserve data for legal claims

6. Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

Data Protection for Photographers

As a photographer using our platform, you act as a data controller for your clients' data. We provide tools to help you comply with GDPR:

- Client Consent Management: Tools to obtain and document consent
- Data Export: Export client data in portable formats
- Deletion Tools: Remove client data when requested
- Security Features: Encryption and access controls to protect data
- Privacy Settings: Control what client data is collected and how it's used

International Data Transfers

When we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards:

- Standard Contractual Clauses (SCCs) with data processors
- Adequacy decisions where applicable
- Additional security measures for data protection

Data Retention

We retain personal data based on:

- Active Accounts: Data kept while the account is active
- Legal Requirements: Financial records kept for 7 years
- Deleted Accounts: Most data deleted within 90 days
- Backups: Backup data retained for 90 days for recovery purposes

Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect data from children. If we discover we have collected data from a child, we will promptly delete it.

Data Protection Officer

For GDPR-related inquiries, contact our Data Protection team:

- Email: dpo@photomanagementsystem.com
- Response time: Within 30 days

How to Exercise Your Rights

To exercise any of your GDPR rights:

- Contact us at privacy@photomanagementsystem.com
- Provide proof of identity for security
- Specify which right(s) you wish to exercise
- We will respond within 30 days

Automated Decision Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.

Data Breach Notification

In the unlikely event of a data breach:

- We will notify affected users within 72 hours
- We will notify relevant supervisory authorities as required
- We will provide information about the breach and our response
- We will take immediate steps to mitigate harm

Cookies and Tracking

We use cookies in compliance with GDPR:

- Essential cookies for platform functionality
- Analytics cookies with consent
- Clear cookie policy and management options
- Respect for Do Not Track signals

Third-Party Processors

We work with GDPR-compliant processors:

- Stripe: Payment processing (PCI DSS compliant)
- SendGrid: Email delivery (Privacy Shield certified)
- Twilio: SMS services (GDPR compliant)
- Cloudflare: Storage and CDN (GDPR compliant)
- Firebase: Authentication (Google Cloud GDPR compliance)

Supervisory Authority

You have the right to lodge a complaint with your local supervisory authority if you believe we have not handled your data appropriately. Find your local authority at: https://edpb.europa.eu

Updates to GDPR Compliance

We regularly review and update our GDPR compliance measures. This page was last updated on January 1, 2025. We will notify users of significant changes to our data protection practices.