Privacy Policy

The summary

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

In order to do my job and to allow me to maintain this website, I need to collect and/or store certain pieces of personal data.  I never collect or store more data than I need, and I never sell it to any third party.  I treat the data I collect and store with care, and ensure it is stored securely and only for as long as I require it.  I will tell anyone who asks exactly what data I have stored about them, and I will do so promptly and accurately.  I will remove any data from my systems that you would rather I don’t store as far as practicable, but if doing so might have implications for how I can do the job you’ve contracted me to do (if relevant), I will inform you of any consequences of this, so you can make an informed decision about such a request.  All data is stored and/or processed in a GDPR-compliant manner.

For any queries about my privacy policy or the data I collect or store, just email me at studio@lauraellenphotography.co.uk.

The full version

Website Visitors

The only data involved in your interaction with my website if you simply visit and browse the website, but never actually get in contact through it, are what are known as cookies.  And when a website uses cookies, it must have a Cookie Policy. Here’s mine, and if you fall into this category, you can read it and move on to look at some of my pretty photos.  The rest of my privacy policy only applies if you actually get in touch in some way.

Cookie Policy

I actually have two cookie policies.  The more exciting one being “eat as many cookies in a day as possible”.  But everyone has that policy, right?  The less exciting but more important one for you to know about relates to cookies used by this website.  These cookies are inedible (sadly) and are used to allow my website to work properly and to allow me monitor the usage of the website.

The cookies my website uses are of three types:

Statistical cookies

Statistical cookies – these allow me to identify the most and least popular pages, distinguish new visitors from returning visitors (anonymously), see when pages are visited, from what browsers or devices, and for how long.  I use Google Analytics to gather those statistics and Google take their GDPR commitments seriously.  These cookies don’t identify you personally, but should you wish to opt out of Google Analytics you can install this plugin in your web browser.  There are 3 such cookies used – two of them are session cookies, which mean they are removed once you leave the site (and allow my analytics figure out, for instance, that you were looking via an iPhone in Safari or a Windows 10 PC in Chrome), and one is a persistant cookie which lives on your computer for 2 years once it’s created (so my analytics can figure out “oh, it’s her again” as opposed to “here’s someone who’s never been here before”).

Marketing cookies

Marketing cookies – part of the Google Analytics service is something called the Google pixel.  It’s a small file that allows Google to serve up ads that I might run with Google Ads to people who have previously visited my website.  On the basis that if you visit my website, and I then run an ad for something, there’s a chance you’ll be interested in it. Have you ever looked at buying a robot dog on Amazon and then noticed you keep seeing ads on other websites for robot dogs for the next week?  Well that’s how this works. It’s not as creepy as it seems (“hey, how do they know I want a robot dog?”) but what’s important for you to know here is that I don’t run ads on Google, so I don’t put this technology to use.  It just comes bundled as part of Google Analytics.  Again if you wish to opt out of Google Analytics you can install this plugin in your web browser.  Facebook also has a pixel but I don’t use that currently.  It’s for the same purpose, but for Facebook ads. If I ever start using it I’ll state so clearly here.  And when NextBigSocialMediaChannel comes along, they might have a pixel and run ads, so I’ll also tell you about that if it ever is something I use.  But right now, while there’s that one Google pixel cookie created, I don’t use any of them. Oh, and it’s also a session cookie so it is removed once you leave the website.  It also only works if you’re logged into Google, so if it creeps you out, only log into Google when you need to.

Functional/technical cookies

Functional/technical cookies – these are cookies that, essentially, allow the site to work.  For instance to give you the best layout of the site, the website needs to know if you’re looking on a tablet or a mobile phone or a desktop etc.  And rather than check this continually, it does so once and stores that file on your PC, and then just uses that file as you go from page to page to give you the optimal view of the website.  There are two such cookies, both of them session cookies, so they are removed once you leave the website.  The other types of cookies are those which figure out if you are someone who is logged into the website or not.  Now this is not Facebook, or a site where people get logins, so the only person affected by those cookies is me – the person who updates the website (something I have to log in to do). But because the website needs to allow me to log in (and stay logged in) it does create a cookie for everyone to note if anyone is logged in.  These are persistent cookies, and there are three of them.

If you’re bothered by the cookies, you might want to research how to delete them, or how to block them.  Just remember if you block them you might find the website doesn’t look so great because that blocks all of them, even the functional cookies that allow the site to work.  And I promise they’re not evil.

People Who Make Contact With Me

If you make contact with me, that contact, initiated by you, will inevitably provide me with some of your personal data.  It may be as simple as your name and email address. You may give me a phone number. You may tell me a little bit about your wedding, or your family or an event you are planning.  My privacy policy sets out how I use that data, in accordance with GDPR.

How I store and process data from people who make contact with me

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

• The data I gather from your contact is used to communicate with you, and to provide you with the information you require.  For instance if you enquire about my availability and price for your wedding I will need to know the date of the wedding and the location in order to provide you with a quote.  At the enquiry stage, I will never seek additional information beyond your name, email address and a reason for your enquiry – you are free to offer further information as you see fit and I will be careful with that data also.  Contact will come from one of 9 places:
  • Website contact form
  • Facebook message
  • Instagram message
  • Twitter direct message
  • Whatsapp message
  • iMessage
  • SMS message
  • Email
  • Phone call

Lawful basis for collecting/storing the data

My lawful basis for collecting and storing this data is legitimate interests – i.e. it is in the interest of my business to store the data required to allow me to communicate with you in response to your initial communication.  I will only ever contact you back to deal with your enquiry and any follow up.  Once we have concluded that discussion, I will never cold call or send you a marketing email about anything that’s not directly to do with your initial enquiry, unless you progress to being a client.

Data retention policy

I retain contact details for people who’ve enquired in a number of places based on where the enquiry came from.  All prospective clients details are added to a client management system called 17Hats which itself is GDPR-compliant.  I log it there to be able to track the performance of by business from year-to-year. The original message may also remain accessible in my Gmail account, or my iCloud/Whatsapp/Facebook/Instagram account, or as a listing in my phone’s call history. All devices that have access to such accounts are password protected. The detail of your enquiry is retained for as long as is necessary to ensure we no longer need to make contact.  Beyond that, I anonymize your details so I can continue to track the performance of my business.

Third parties

What data breach procedures we have in place

• Unless you explicitly sign up for marketing information from me in a GDPR-compliant way, I will NEVER send any prospective clients further marketing material beyond that required to deal with their enquiry. I will not sell or pass on your details to third parties.  Only where that data originated from a third party (e.g. Gmail/Facebook/Whatsapp) with a copy of that data reside with the third party in accordance with their privacy policy, which is typically covered under the terms and conditions of that service.

If you wish to know what data I have stored related to you, send me email with your name and the subject GDPR request to studio@lauraellenphotography.co.uk and I’ll reply to you promptly.

Clients

In order to perform my job for clients, I will be required to collect and store additional personal data, not least the photographs themselves, but also family details, names (and sometimes ages) of third parties, and other data. My privacy policy sets out how I use that data, in accordance with GDPR.

How I store and process data from clients

• If you engage me as your photographer for a wedding, portrait session, commericial shoot, event, or any other purpose we will enter into a contractual arrangment, mutually agreed by both of us, and that contract will set out what photography services I am obliged to provide to you, as well as my fee and payment terms for that service.  As well as the service of photography, there may be a contractual arrangement between us regarding the provision of products (such as a wedding album or USB card).  The data I gather from a client (and third parties associated with the client, such as family and friends) is used to fulfil my contractual obligations to the client.  Such data may include:
  • Details of your family, friends, employees where required (names only)
  • Your postal address/postcode
  • Your family home address/postcode
  • Your phone number
  • Details of your event
  • Your religion (e.g. by knowing that a wedding is, for instance, taking place in a Catholic church)
  • Your sexual orientation (e.g. by knowing that a wedding is, for instance, a same-sex wedding)

Lawful basis for collecting/storing the data

My lawful basis for collecting and storing this data is contractual obligation – i.e. in order to fulfil my contractual obligation to my clients I am required to collect and store that data to allow me to complete the shoot and deliver the final product(s).  I will only ever contact you in relation to your photoshoot, be it in the future or the past, where we have not fully closed out all details of the contract.  Under the lawful basis of legitimate interests, from time to time I will contact former wedding clients who have not yet ordered a wedding album, and who have not expressed a desire to NOT order a wedding album, to enquire if they wish to select their photos for an album.  Where clients request me to no longer contact them about an album I will cease doing so.

Data retention policy

• I retain contact details for clients in a client management system called 17Hats which itself is GDPR-compliant.  I retain it there indefinitely, as I retain your images, so that should you ever lose access to your images I am able to provide you with fresh access.  If I don’t store your contact details for as long as I store the images, I cannot make any connection between your images and you in the future.  For all other information related to your event – including details of third parties such as family and friends – I delete those details once I have fulfilled my contractual obligation.  Contracts are retained indefinitely for tax and auditing purposes.  Photographs are retained indefinitely and securely archived in password protected hard drives.

Use of your images

Photographs which include people in an identifiable manner are classed as personal data under GDPR. They also, therefore, fall under the remit of this privacy policy.  There are four distinct uses of the images beyond the supply of the final product to you (album or USB card).

Online storage of images

• My client galleries are all stored in Pixieset, as well as being provided directly to the client via a USB card (and possibly in printed form).  The Pixieset account is password protected and a professional-grade service with high end security to protect the images.  My galleries are all not searchable and are unlisted, meaning only those with a direct link (and/or a password) can access them.  My lawful basis for storing these images is contractual obligation, and I retain them indefinitely for the client’s benefit. Such a gallery may be shown by me to prospective clients in order to sustain my business, under the lawful basis of legitimate interests.

Blog and social media use of images

• With the explicit consent of the client (verbal and/or written) as the lawful basis, and in the case of photographs of children, with the consent of the parent/guardian (verbal and/or written secured directly or via the client), I may publish a selection of images from a shoot on my blog, or in my social media feeds.  Consent may be conditional on the client previewing the images first if desired, and is not required by the contract (i.e. it will be freely given).  Consent can be withdrawn at any stage.  Failing a withdrawal of consent, images posted to my blog and/or social media feeds will remain there indefinitely to provide a visual history of my business to prospective clients.

Website portfolio

• It is necessary for me to show my best images to prospective clients, as well as a consistent and regularly updated sample of my work. My “shop window” for doing this is my website. From time to time, therefore, I will add portfolio images to my website to promote my business.  My lawful basis for doing so is legitimate interests, and in choosing which images I post, I will take into consideration the consent (or lack of consent) for blog and social media use, as well as the content of the image itself, in order to fairly balance the rights of those contained in the image against the interests of my business.  For commercial clients, or where a confidentiality clause has been agreed with the client, I will adhere to such a clause.  Where I wish to post an image from a client who has not explicitly consented to blog and social media use of images, and while relying on legitimate interests as the lawful basis for sharing portfolio images on my website, I will inform the client of my intended use of the image in advance and reasonably consider requests to not proceed with the use.  It’s important to distinguish this use case from the blog/social media use case which is under the lawful basis of consent from the client. It is in the interest of my business to be able to show current work of a high standard on my website from a range of recent client shoots. However it is not required that I show all images, or indeed images from all shoots.

Awards programmes

• In the interest of continual professional development, I may enter my best images into awards programmes.  My lawful basis for doing so is legitimate interests, and in choosing which images I enter, I will take into consideration the consent (or lack of consent) for blog and social media use, as well as the content of the image itself, in order to fairly balance the rights of those contained in the image against the interests of my business.  For commercial clients, or where a confidentiality clause has been agreed with the client, I will adhere to such a clause.  Where I wish to enter an image from a client who has not explicitly consented to blog and social media use of images into an awards programme, and while relying on legitimate interests as the lawful basis for doing so, I will inform the client of my intended use of the image in advance and reasonably consider requests to not proceed with the use.

If you are a former/future client and wish to know what data I have stored related to you, send me email with your name and the subject GDPR request to studio@lauraellenphotography.co.uk. If you previously consented to my use of your images for blog/social media use and wish to withdraw that consent, you can do so by sending me an email with your name and the subject Consent withdrawal to studio@lauraellenphotography.co.uk. In both cases I’ll reply to you promptly.

Guests at Weddings

My style of wedding photography involves photographing everything related to the wedding day – not just the bride(s) and/or groom(s). This requires me to photograph wedding guests, but equally because I market myself as such a photographer; it requires me to show photographs of people other than my clients.

My policy regarding photographs of guests

My style of wedding photography involves photographing everything related to the wedding day – not just the bride(s) and/or groom(s). This requires me to photograph wedding guests, but equally because I market myself as such a photographer; it requires me to show photographs of people other than my clients.

• It is not possible (nor required by GDPR) for me to seek consent of wedding guests to take their photographs.   Additionally, my lawful basis for showing such images on my blog, social media, and/or website portfolio is legitimate interests because my business is only sustained by showing photographs that fit with my style of photography.  GDPR makes no declaration regarding photographs of third parties.  Nor does it generally seek consent as a requirement to take or show photographs.  More relevant in this instance is general privacy law.  In order to balance the rights of guests who appear in my photographs against the legitimate interests of my business, I apply the following two tests:
  • As a guest at the wedding, would that person reasonably have expected to have appeared in such a photograph?
  • If someone published that photograph of me on their website/blog/social media channel, would I be likely to be put out by that or feel it infringed my rights in some way?

• The fair and reasonable answer to BOTH of those questions dictates the balance between the legitimate interest of my business and the rights of wedding guests who appear in my photographs and only where I feel both are fairly balanced will I publish a photo of a wedding guest on my blog/social media channel/website.  At any stage should you, as a guest, express a preference not to appear on my blog/social media channel/website, I will immediately comply with such a request.  In complying with such a request, where I feel the image in question is of particular importance to my business, I may enter into an open and transparent conversation with you to seek your consent for continued use of the image in circumstances that you are happy with.

If you wish to discuss my use of an image of you as a wedding guest, send me email with your name and the subject Wedding guest image use to studio@lauraellenphotography.co.uk and I’ll reply to you promptly.

Other Wedding Suppliers

From time to time I will collect and store the contact details and business details of fellow wedding suppliers.  My privacy policy sets out how I use that data in accordance with GDPR.

How I store and process details of fellow suppliers

• Where I have details of fellow suppliers they may be volunteered to me by the supplier personally, I may seek their details verbally or via email, or they may be provided by a bride or groom.  On occasion I will search the details via online search engines/social media services.  My storage of such details is always secure in iCloud, Gmail and 17Hats as outlined previously for other personal data.  I only use that data for the mutual marketing of each other’s service, or to direct future clients if a recommendation for such a supplier is sought.
• On occasion a fellow wedding supplier will appear in my images. Where I publish such an image the same two tests as for wedding guests is applied to the decision to publish.

If you are a wedding supplier and wish to discuss what data I hold about you, or to discuss my use of an image of you, send me email with your name and the subject Wedding supplier GDPR to studio@lauraellenphotography.co.uk and I’ll reply to you promptly.

This policy was last updated on Wednesday 9^th July 2019. The current version of this policy is v1.0.  To receive a PDF copy of this policy email studio@lauraellenphotography.co.uk with the subject Privacy Policy PDF request.