Privacy Policy
DRAFT — for review, not yet legally bindingThis Privacy Policy explains how Shutterloft ("we", "us") collects, uses and protects personal data when you use the Service. We act as a data controller for the account data of photographers and studios, and as a data processor for the content and client data that studios upload and manage through the Service. This policy is written to align with the EU General Data Protection Regulation (GDPR) and Norwegian data-protection law.
1. What we collect
- Account data: name, email, password hash, preferred language, and studio details.
- Content: the photographs and metadata (e.g. EXIF) you upload.
- Client interactions: when clients view a shared gallery — favorites/selections, an anonymous visitor identifier (cookie), and limited access logs (timestamp, IP, user agent).
- Billing data: plan and subscription status; card details are handled by our payment provider and are not stored by us.
- Technical data: logs needed to operate and secure the Service.
2. Why we use it (legal bases)
- To provide the Service — performance of our contract with you.
- To secure and improve the Service — our legitimate interests.
- To process payments — performance of contract and legal obligation.
- To send essential service emails (e.g. email confirmation, password reset, proofing and invitation notices) — performance of contract.
3. Sharing
We do not sell personal data. We share data only with service providers ("sub-processors") that help us run the Service — for example email delivery (Mailjet) and payment processing — under contracts that require them to protect the data. A current list is available on request.
4. Storage and retention
We retain account and content data for as long as your account is active. After account closure we delete or anonymise personal data within a reasonable period, except where we must keep limited records to comply with legal obligations (e.g. accounting).
5. Your rights
Subject to applicable law, you may request to access, correct, export, restrict, or delete your personal data, and to object to certain processing. To exercise these rights, contact us at the address below. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority.
6. International transfers
Where data is processed outside the EU/EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
7. Security
We use technical and organisational measures appropriate to the risk, including encryption in transit, hashed passwords, access controls and audit logging. No system is perfectly secure, but we work to protect your data and to notify you of incidents as required by law.
8. Children
The Service is not directed to children under 16, and we do not knowingly collect their data.
9. Contact
For privacy questions or to exercise your rights, contact our data-protection contact at privacy@shutterloft.com.