Privacy Policy

Privacy Policy for Photographers

Last updated: January 2025

1. Introduction

graindevue.com ("Platform," "Service," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our professional photography platform as a photographer.

By using our Platform, you consent to the data practices described in this Privacy Policy.

2. Data Controller Information

Data Controller: graindevue.com is operated by a company registered in France.

• Email: tony@graindevue.com
• Website: https://graindevue.com

For any questions regarding the processing of your personal data or to exercise your rights under GDPR, please contact us at the email address above.

As our organization does not meet the thresholds requiring a mandatory Data Protection Officer under Article 37 of the GDPR, we have not appointed a DPO. However, you may contact us directly for any privacy-related inquiries.

3. Information We Collect

3.1 Personal Information

Account Information:

• Name, email address, and phone number
• Profile information (location, bio, preferences)
• Profile images and portfolio content
• Account credentials and authentication data

Professional Information:

• Business details and professional credentials
• SIRET number (for French photographers)
• Portfolio images and work samples
• Service packages and pricing information
• Availability calendar and booking preferences

Financial Information:

• Stripe Connect account identifier for payouts (we do not store your bank account details - these are managed securely by Stripe)
• Subscription and payment history
• Transaction records

3.2 Booking and Transaction Information

Booking Details:

• Client bookings and specifications
• Event dates, times, and locations
• Contract terms and agreements
• Communication records and messages
• Progress updates and delivery status

Payment Information:

• Payment configuration (deposit percentage, balance timing)
• Transaction amounts and currency
• Deposit and balance payment records
• Payout history via Stripe Connect

3.3 Gallery and Content Data

Gallery Information:

• Photos uploaded to client galleries
• Gallery metadata and organization
• Storage usage and quota
• Archive records

3.4 Communication Data

Messages and Notifications:

• In-app messages with clients
• System notifications and updates
• Email communications
• SMS notifications (if enabled)
• Push notifications (if enabled)

3.5 Technical Information

Usage Data:

• Platform access logs and analytics
• Feature usage and interaction patterns
• Device information and browser data
• IP addresses and location data
• Performance and error logs

Cookies and Tracking:

• Session cookies for authentication
• Analytics cookies for service improvement
• Preference cookies for user experience
• Security cookies for fraud prevention

4. How We Use Your Information

4.1 Platform Operations

Service Provision:

• Creating and managing your photographer account
• Displaying your profile and portfolio to potential clients
• Facilitating bookings and contracts
• Processing payments and payouts via Stripe Connect
• Enabling communication with clients
• Providing customer support

Platform Features:

• Managing your packages and availability
• Tracking project progress and delivery
• Managing client galleries and storage
• Processing subscription payments
• Generating analytics and insights for your business

4.2 Communication

User Communications:

• Sending booking notifications and updates
• Delivering contract notifications
• Providing payment and payout status updates
• Sending subscription reminders
• Responding to support requests

Marketing Communications:

• Platform updates and new features (with consent)
• Photography industry tips and best practices (with consent)
• Special offers and promotions (with consent)

4.3 Security and Compliance

Security Measures:

• Preventing fraud and abuse
• Monitoring for suspicious activity
• Protecting against unauthorized access
• Maintaining platform integrity

Legal Compliance:

• Meeting regulatory requirements (GDPR, French data protection laws)
• Tax reporting compliance
• Financial regulation requirements
• Responding to legal requests

5. Information Sharing and Disclosure

5.1 Sharing with Clients

Profile Information:

• Your profile is visible to potential clients
• Portfolio images are displayed publicly
• Contact information is shared with clients who book you
• Booking details are shared between parties

Communication:

• Messages are shared between conversation participants
• Booking updates are visible to both parties
• Contract information is accessible to signatories

5.2 Service Providers (Sub-processors)

We share your data with the following categories of service providers. For detailed information about international transfers, see Section 9.

Payment Processing:

• Stripe (including Stripe Connect) for payment processing and payouts

Platform Infrastructure:

• Convex for real-time database services
• Cloudflare for content delivery, security, and gallery storage (R2)

Communication Services:

• Email service providers for transactional emails

5.3 Legal Requirements

Law Enforcement:

• Responding to valid legal requests
• Complying with court orders
• Reporting suspected illegal activity

Regulatory Compliance:

• Tax reporting and compliance
• French and EU data protection law compliance
• Financial regulation requirements

6. Data Security

6.1 Security Measures

Technical Safeguards:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure authentication and access controls
• Regular security audits (SOC 2 Type II certified infrastructure)
• Backup and disaster recovery systems

Operational Safeguards:

• Access controls and role-based permissions
• Incident response and breach notification procedures
• Regular security reviews and updates

6.2 Data Retention

Account Data:

• Active account data is retained while account is active
• Inactive accounts are archived after 2 years
• Account deletion requests are processed within 30 days
• Some data may be retained for legal compliance

Transaction Data:

• Payment and payout records are retained for 10 years (French tax compliance requirement)
• Booking records are retained for 5 years
• Communication logs are retained for 3 years

Gallery Data:

• Gallery photos are retained until you archive the booking
• Archived bookings have photos permanently deleted
• Storage quota is freed upon archiving

7. Your Rights and Choices

7.1 Access and Control

Account Management:

• View and update your profile information
• Manage your packages and availability
• Control privacy settings and visibility
• Download your data (data portability)
• Request account deletion

Gallery Management:

• Upload and manage client galleries
• Archive completed bookings to free storage
• Control gallery access for clients

Communication Preferences:

• Opt out of marketing communications
• Choose notification delivery methods
• Manage email and SMS preferences

7.2 Data Rights (GDPR)

As a user in France or the EU, you have the following rights under the General Data Protection Regulation:

• Right to access your personal data (Article 15)
• Right to rectification of inaccurate data (Article 16)
• Right to erasure ("right to be forgotten") (Article 17)
• Right to data portability (Article 20)
• Right to object to processing (Article 21)
• Right to restrict processing (Article 18)
• Right to withdraw consent at any time for consent-based processing
• Right to lodge a complaint with the CNIL (see Section 13)

To exercise these rights, contact us at tony@graindevue.com. We will respond within 30 days as required by GDPR.

7.3 Opt-Out Options

Marketing Communications:

• Unsubscribe from marketing emails
• Opt out of SMS marketing messages
• Disable push notifications

Data Collection:

• Disable analytics cookies
• Request data deletion
• Limit data sharing

8. Subscription and Billing

8.1 Subscription Data

Billing Information:

• We collect payment information for your monthly subscription (€29/month)
• Payment is processed securely through Stripe
• Subscription history is retained for accounting purposes
• We do not store your full credit card number - this is handled securely by Stripe

Subscription Management:

• You can cancel your subscription at any time
• Cancellation takes effect immediately
• Non-paying accounts become invisible to clients but retain data

9. International Data Transfers

Important: Your personal data is stored and processed primarily within the European Union. We are transparent about where your data is stored and the safeguards in place.

9.1 Data Storage Locations

Data Type	Service Provider	Storage Location	Legal Safeguard
Account data, bookings, contracts, messages	Convex	European Union (Ireland, AWS)	Data remains in EU
Gallery photos	Cloudflare R2	European Union (EU jurisdiction)	Data remains in EU
Payment data	Stripe	Ireland (EU) with potential US transfers	EU-US Data Privacy Framework + SCCs
Emails	Email service provider	European Union	Data remains in EU

9.2 Legal Basis for Transfers

Your data is stored primarily within the European Union. For payment processing, some data may be transferred to the United States by Stripe. We rely on the following legal mechanisms for such transfers:

1. EU-US Data Privacy Framework (DPF): Stripe participates in and has certified its compliance with the EU-US Data Privacy Framework, which was adopted by the European Commission on July 10, 2023, providing an adequate level of protection for personal data transferred from the EU.

2. Standard Contractual Clauses (SCCs): In addition to the DPF, we have entered into the European Commission's Standard Contractual Clauses with our service providers, providing additional safeguards for your data.

9.3 Sub-processors

Our primary sub-processors and their locations:

Convex (Database Services) - European Union (Ireland)

• Purpose: Real-time database for account data, bookings, contracts, and messaging
• Safeguards: SOC 2 Type II certified, GDPR compliant
• Data stored in EU data centers (Ireland)
• Data Processing Agreement: https://www.convex.dev/legal/dpa

Cloudflare (Storage & CDN) - European Union

• Purpose: Gallery photo storage (R2 with EU jurisdiction), content delivery, security
• Safeguards: ISO 27001, SOC 2 Type II, EU Cloud Code of Conduct certified
• Your gallery photos are stored exclusively in EU data centers

Stripe (Payment Processing) - Ireland (EU) / United States

• Purpose: Subscription payments, client payments, photographer payouts via Stripe Connect
• Safeguards: PCI DSS Level 1, SOC 2 Type II, EU-US DPF certified, SCCs in place
• EU operations handled by Stripe Payments Europe, Limited (Ireland)
• Privacy Center: https://stripe.com/legal/privacy-center

9.4 Your Rights Regarding Transfers

You have the right to:

• Request information about the safeguards in place for international transfers
• Object to transfers to specific countries (though this may affect service availability)
• Request a copy of the Standard Contractual Clauses
• Lodge a complaint with the CNIL if you believe your data is not adequately protected

10. Children's Privacy

10.1 Age Restrictions

• Our Platform is not intended for children under 18
• We do not knowingly collect personal information from children
• Accounts must be created by individuals 18 years or older

11. Third-Party Services

11.1 Integrated Services

Payment Processing:

• Stripe for subscription payments
• Stripe Connect for client payment processing and payouts
• Stripe Privacy Policy: https://stripe.com/privacy

Platform Infrastructure:

• Convex for real-time database services - https://www.convex.dev/security
• Cloudflare for content delivery, security, and gallery storage (R2) - https://www.cloudflare.com/trust-hub/gdpr/

11.2 External Links

• Our Platform may contain links to external sites
• We are not responsible for third-party privacy practices
• Users should review third-party privacy policies

12. Changes to This Privacy Policy

12.1 Policy Updates

• We will notify users of significant changes via email
• Updates will be posted on our Platform with the revision date
• For material changes affecting your rights, we will seek your consent where required
• Continued use after notification constitutes acceptance

12.2 Review Schedule

• Annual review of privacy practices
• Updates based on legal requirements (GDPR, CNIL guidance)
• Changes based on user feedback

13. Contact Information and Complaints

13.1 Privacy Inquiries

Data Protection Contact:

• Email: tony@graindevue.com
• Website: https://graindevue.com

Response time: Within 30 days for GDPR-related requests.

13.2 Regulatory Authorities

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the supervisory authority:

France (Lead Supervisory Authority):

• CNIL (Commission Nationale de l'Informatique et des Libertés)
• Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
• Website: https://www.cnil.fr
• Online complaint: https://www.cnil.fr/fr/plaintes

Other EU Countries:

• Contact your local data protection authority
• European Data Protection Board (EDPB): https://edpb.europa.eu

14. Legal Basis for Processing (GDPR Article 6)

14.1 Processing Grounds

Contract Performance (Article 6(1)(b)):

• Providing Platform services
• Processing bookings and payments
• Managing your account and subscription
• Facilitating communication with clients
• Processing payouts via Stripe Connect

Legitimate Interests (Article 6(1)(f)):

• Platform security and fraud prevention
• Service improvement and analytics
• Business development

We have conducted a balancing test to ensure our legitimate interests do not override your rights and freedoms.

Consent (Article 6(1)(a)):

• Marketing communications
• Optional analytics cookies
• Optional features and services

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

Legal Obligations (Article 6(1)(c)):

• Tax and financial reporting (10-year retention for French law)
• Regulatory compliance
• Responding to legal requests

15. Data Breach Response

15.1 Notification Requirements

User Notification:

• Notification without undue delay and within 72 hours of becoming aware of a breach (GDPR Article 33)
• Clear description of the incident
• Potential impact on your data
• Recommended protective measures
• Contact details for further information

Regulatory Notification:

• CNIL notification within 72 hours as required by GDPR and French law
• Cooperation with regulatory authorities

16. Cookies and Tracking Technologies

16.1 Cookie Types

Strictly Necessary Cookies (No consent required):

• Authentication and session management
• Security and fraud prevention
• Platform functionality
• Load balancing

Analytics Cookies (Consent required):

• Usage statistics and trends
• Performance monitoring
• User experience improvement

16.2 Cookie Management

User Controls:

• Cookie consent banner on first visit
• Browser cookie settings
• Platform privacy preferences
• Withdraw consent at any time via cookie settings

For detailed information about cookies, see our Cookie Policy.

---

By using graindevue.com Studio, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

Effective Date: January 2025