ALEXANDRA ARLETT PHOTOGRAPHY PRIVACY POLICY
This Privacy Policy applies to personal data collected by Alexandra Arlett Photography from you as a customer (“you” or “your”). It explains what information I collect, why I collect it, how I use it, the lawful bases on which your data is processed, and your rights under applicable data protection laws, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
1. Who I am
I am Alexandra Arlett Photography. I am the data controller responsible for your personal data.
2. Data I collect
I may collect and process the following personal data:
1.1 Information You Provide Directly
Name(s)
Contact details (email, phone number, address)
Event details (e.g., shoot date, venue, schedule)
Contract and booking information
Payment information (processed securely via third-party providers; I do not store card details)
Any preferences or instructions relevant to your photography session
1.2 Photographic Content
As part of providing photography services, I collect and process:
Photographs of you, your guests, and your event
Images taken in public or private venues with consent from the event organiser/client
1.3 Website, Gallery and Communication Data
When you visit or interact with my website or online gallery, certain information may be automatically collected by the platforms I use (Squarespace and Pixieset). This may include:
IP address, browser type, device details, and general usage data for security, functionality, and analytics.
Cookies stored by Squarespace or Pixieset to support site performance and user experience
Booking and payment information processed securely through Pixieset (I do not store card details)
2. How I Use Your Data
I use the data I collect for the following purposes:
To communicate with you about bookings or enquiries
To provide photography services
To process payments and issue invoices
To respond to questions or requests
To keep business records and comply with legal requirements
For marketing and advertising purposes (only with your consent), such as sharing selected images on:
- My website and online portfolio
- Social media platforms
- Printed or digital promotional materials
You can withdraw consent for marketing and advertising use at any time.
3. Legal Bases for Processing
I rely on the following lawful bases under UK GDPR:
Contractual necessity – processing required to perform the contract you enter into when booking me.
Legitimate interests – for purposes such as business administration, improving services, and protecting my legal rights.
Consent – for using images for marketing or advertising purposes.
Legal obligation – to comply with tax, accounting, and record-keeping requirements.
4. Disclosure Of Your Information
I may share your personal data with third parties in the following situations:
Service Providers: I sometimes engage selected third parties who act on my behalf to support my operations, such as (i) card processing or payment services (see the section below headed “Payment Information”), (ii) IT suppliers and contractors (e.g. data hosting providers or delivery partners) as necessary to provide IT support and enable me to provide my goods/services, (iii) providers of specialist services, including retouching, printers, framers and bookbinders, and (iv) advertising or marketing companies, or venues, where necessary to promote my business. Pursuant to my instructions, these parties may access, process or store your personal data in the course of performing their duties to me and solely in order to perform the services I have hired them to provide.
Business Transfers: If I sell my business or my company assets are acquired by a third party, personal data held by me about my customers may be one of the transferred assets.
Administrative and Legal Reasons: I may disclose personal data to comply with a legal obligation, judicial or regulatory proceedings, a court order or other legal process; to enforce my Terms & Conditions, or to protect myself or others against loss or damage. This may include exchanging information with police, courts, or law enforcement organisations.
5. Payment Information
Any credit/debit card payments and other payments you make will be processed by third-party payment providers. Payment data you submit will be securely stored and encrypted by my payment service providers using up-to-date industry standards. Please note that I do not directly process or store the debit/credit card data that you submit.
6. Data Retention
I will keep your personal data only for as long as is reasonably necessary for the purposes outlined in this Privacy Policy, or for the duration required by any legal, regulatory, accounting or reporting requirements, whichever is the longer. In particular:
Client contact and booking information: Retained for up to 7 years for tax and business record purposes.
Photographs: Retained indefinitely unless you request deletion, except where retention is required for contractual or legal purposes.
Consent forms: Retained as long as the associated images are in use for marketing and advertising purposes.
Marketing communications: Retained until you unsubscribe.
When the applicable retention period expires, your personal data will be securely destroyed in accordance with applicable laws and regulations.
You may request deletion at any time (see Section 7).
7. Your Data Protection Rights
Certain applicable data protection laws give you specific rights in relation to your personal data. In particular, if the processing of your personal data is subject to the GDPR, you have the following rights in relation to your personal data:
Right of access: If you ask me, I will confirm whether I am processing your personal data and, if so, provide you with a copy of that personal data along with certain other details. If you require additional copies, I may need to charge a reasonable fee.
Right to rectification: If your personal data is inaccurate or incomplete, you are entitled to ask that I correct or complete it. If I shared your personal data with others, I will tell them about the correction where possible. If you ask me, and where possible and lawful to do so, I will also tell you with whom I shared your personal data so you can contact them directly.
Right to erasure: You may ask me to delete or remove your personal data, such as where my legal basis for the processing is your consent and you withdraw consent. If I shared your data with others, I will tell them about the erasure where possible. If you ask me, and where possible and lawful to do so, I will also tell you with whom I shared your personal data so you can contact them directly. I may continue processing personal data where this is necessary for a legitimate interest in doing so, as described in this Privacy Policy.
Right to restrict processing: You may ask me to restrict or ‘block’ the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or object to me processing it. I will tell you before I lift any restriction on processing. If I shared your personal data with others, I will tell them about the restriction where possible. If you ask me, and where possible and lawful to do so, I will also tell you with whom I shared your personal data so you can contact them directly.
Right to data portability: You have the right to obtain your personal data from me that you consented to give me or that was provided to me as necessary in connection with my contract with you. I will give you your personal data in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
Right to object: You may ask me at any time to stop processing your personal data, and I will do so:
- If I am relying on a legitimate interest to process your personal data — unless I demonstrate compelling legitimate grounds for the processing, or
- If I am processing your personal data for direct marketing or advertising.
Right to withdraw consent: If I rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing of your data before I received notice that you wished to withdraw your consent.
Right to lodge a complaint with the data protection authority: If you have a concern about my privacy practices, including the way I handled your personal data, you can report it to the UK data protection authority (the Information Commissioner’s Office or ICO), or, as the case may be, any other competent data protection authority of an EU member state that is authorised to hear those concerns (you may find EU Data Protection Authorities’ contact information here).
If you wish to exercise any of these rights, please contact me on alex@alexandraarlett.co.uk. I may also need to ask you for further information to verify your identity before I can respond to any request.