I take your privacy very seriously, and will only use your personal information to administer your account and to provide you with the products and services you have requested from me. In GDPR terminology, I collect your data when: the data subject has given consent to the processing of his or her personal data for one or more specific purposes; and where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
For the purpose of the Data Protection Act 1998 (“the Act”), the data controller (“I” or “me”) is Louise Downham of Louise Rose Photography.
As a data controller, I am registered with the ICO.
- What information is being collected, who collects it, why is it collected and how is it being collected?
- Basic personal contact information (name, email and phone numbers) will be collected through the WordPress booking form at the initial enquiry stage so that I can communicate with the Client by email or phone to discuss their photography session.
- Client addresses are collected at checkout (by WooCommerce or Stripe), so I have the relevant address for the photography session and to deliver products.
- Information provided by you if you communicate with me by phone, e-mail or otherwise for any reason.
- This information is stored in client management software (Tave), on Google documents and in my Google calendar. It may also be collected through an information gathering survey (using Typeform).
- Family members’ names (for members present during the photography session) and birth details (for newborn portrait sessions) may also be collected by me, and saved in Tave or Google documents.
- No information collected is classed as special category data.
- What is the lawful basis for collecting this client data?
- Information is collected on the basis of consent and for contractual purposes.
- Use of this data:
- I will only contact you when you have provided consent and only by those means you provided consent for.
- The information that I collect and store relating to you is primarily used to enable me to carry out my obligations arising from any contracts entered into between you and me. In addition, I may use the information for the following purposes:
- To send you an e-newsletter to tell you about a new service or to keep you up to date, if you have opted in to receive marketing information. You may unsubscribe from receiving these e-newsletters using the unsubscribe link in any e-newsletter.
- To contact you about a previous order.
- Who will client data be shared with?
- First names only are used to accompany photographs or testimonials on the website or in marketing materials. Client surnames are not used, in order to protect Client privacy.
- Client data has never been, and will never be, sold to third parties, or shared with third party companies for marketing purposes beyond the reach of the services that I provide.
- Clients’ first names are shared with printers, framers, photography retouchers and album suppliers (all of whom are GDPR compliant) for order reference purposes. Surnames are only provided for purposes of embossing the surname on a product ordered by the client.
- Digital files of photographs are also shared with these suppliers for the purposes of creating products ordered by clients, or for creating studio samples where client permission has been given to produce such samples.
- I use some third party companies, all of which are GDPR compliant: Tavé for client management (certified under the Privacy Shield), Shootproof and Pic-Time for back-up of images, Campaign Monitor and Mailerlite for newsletters, Google Drive for document management, DPD for courier delivery, Backblaze for computer backup (pursuing compliance with the EU Privacy Shield framework) and Stripe for product payments. Images may be sent to a third party retouching service based in the US, which is GDPR compliant – first names are shared with them for reference purposes, but no other details.
- How long will data be stored for?
- Digital photographic files will be retained on my systems, should clients require an additional backup of their images due to loss / fire / theft of original digital copies or products. No charge is made for backing up these files, and accordingly I do not guarantee the safekeeping of files past the date of delivering to clients – the backup is made as an extra measure, just in case it proves helpful one day. If a client wishes for the digital backup to be deleted, they should contact me to request that.
- Storing personal data
- In compliance with the Data Protection Act 1998, personal data supplied to me may be stored for future use.
- Password-protection is used on my computer, mobile phone and all cloud storage that I use.
- Data that is provided to me is stored on my secure computer and in secure cloud storage. Details relating to any transactions entered into on my site will be encrypted to ensure their safety.
- The transmission of information via the internet is not completely secure and therefore I cannot guarantee the security of data sent to me electronically and transmission of such data is therefore entirely at your own risk.
- Where you have given permission for your images to be used as studio samples, I may store printed versions of your photographs (for example as prints, framed prints, albums) in my home.
- Third party links
- You might find links to third party websites on blog posts within my website. These websites should have their own privacy policies which you should check. I do not accept any responsibility or liability for their policies whatsoever as I have no control over them.
- Access to information
- The Data Protection Act 1998 gives you the right to access the information that I hold about you. Should you wish to receive details that I hold about you please contact me using the contact details below.
- What will be the effect of this on the individuals concerned?
- To withdraw consent to storing your data or digital files at any time, please inform me.
- If a breach of data protection rules occurs that is likely to result in damage to a person’s reputation, financial loss, loss of confidentiality, or major financial or social disadvantage, I will notify the ICO.
- Any complaints, opt-outs or requests to be forgotten should be communicated to me.