Privacy Policy & Data Protection

Last updated: 2026-05-11

1. Introduction

This privacy policy describes how Gallery (“we”, “us”) collects, uses, stores, and protects personal data when you use our website and online services (together, the “Services”).

The Services allow professional photographers to upload and organise photos and related media, create galleries, share access with clients via invitations, and publish portfolio pages. Depending on how you use the Services, you may be a visitor to our website, a registered photographer account holder, or someone viewing a shared gallery.

We do not use Google Analytics, advertising pixels, or other third-party marketing or behavioural tracking tools on our Services.

2. Controller

The controller responsible for processing personal data in connection with the Services is:

Gallery
Contact (privacy & data protection): daniel@du-fotografiert.at

3. Categories of data

We may process the following categories of personal data, depending on your interaction with us:

  • Account & profile data — name, email address, login credentials, role, and profile or portfolio settings you provide.
  • Content you upload — photographs, videos, filenames, and metadata needed to display and deliver galleries and portfolios.
  • Gallery sharing — invitation tokens, optional guest passwords or access codes, and related access logs needed to operate secure sharing.
  • Technical & usage data — IP address, approximate location derived from IP where relevant, HTTP logs, browser type, timestamps, and similar data generated when you use the Services.
  • Communication — messages you send to us (for example support requests) and operational emails we send to you (such as security or service notices).
  • First-party gallery analytics (optional) — where you view a shared gallery, we may record aggregated interaction events (such as views or downloads) for the photographer who owns that gallery. On shared gallery pages, this analytics processing occurs only if you have accepted analytics via our cookie consent mechanism.
  • Cookies & similar technologies — see Section 6.

Uploaded imagery may incidentally depict identifiable individuals or special categories of data as determined by photographers who control that content. Photographers are responsible for obtaining any necessary permissions from their subjects.

4. Purposes and legal bases (GDPR)

Where the GDPR applies, we rely on the following legal bases:

  • Performance of a contract — providing accounts, galleries, portfolios, sharing features, and requested functionality.
  • Legitimate interests — operating, securing, and improving the Services; detecting abuse; troubleshooting; enforcing our terms; and, where applicable, networking and transmission of data over the internet.
  • Consent — where we ask for consent (for example optional analytics cookies on shared galleries), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation — retaining or disclosing information where required by applicable law.

5. Recipients and processors

We use trusted infrastructure providers (such as hosting, email delivery, and object storage) to operate the Services. They process personal data only on our instructions and under appropriate contractual safeguards.

We do not sell your personal data. We do not share data with advertisers or third-party analytics platforms for marketing profiling.

We may disclose information if required by law, court order, or governmental request, or to protect our rights, users, or the security of the Services.

6. Cookies and similar technologies

We use cookies and similar technologies that are necessary for security and core functionality (for example session management, authentication, CSRF protection, and preferences).

On shared gallery pages, we may store a cookie that records whether you have accepted or rejected optional analytics. Unless you accept analytics, we do not use third-party advertising or measurement cookies and we do not enable the first-party analytics events described in this policy.

You can control cookies through your browser settings; disabling strictly necessary cookies may prevent parts of the Services from working.

7. Retention

We retain personal data only as long as necessary for the purposes above, including to comply with legal, accounting, or reporting requirements. Uploaded content remains stored until deleted by the photographer or otherwise removed in line with our agreements and technical capabilities.

8. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, or alteration. No method of transmission over the internet is completely secure.

9. International transfers

If personal data is transferred outside your country (including outside the European Economic Area), we will ensure appropriate safeguards apply as required by applicable law (for example standard contractual clauses approved by the European Commission).

10. Your rights

Depending on your location and applicable law, you may have the right to access, rectify, erase, restrict, or object to certain processing of your personal data, and to data portability. You may also lodge a complaint with your local supervisory authority.

To exercise these rights, contact us at daniel@du-fotografiert.at. We may need to verify your identity before fulfilling a request.

11. Children

The Services are not directed at children. If you believe we have processed a child’s information without appropriate authority, please contact us and we will take appropriate steps.

12. Changes

We may update this policy from time to time. The “Last updated” date will change when we do. Material changes may be communicated through the Services or by email where appropriate.