
Privacy Policy

Last updated: April 2026

1. Introduction

Time for Pictures ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our platform. It applies in accordance with:

  • The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) — for users in the United Kingdom
  • The EU General Data Protection Regulation (EU GDPR, Regulation (EU) 2016/679) and the German Bundesdatenschutzgesetz (BDSG) — for users in Germany and the European Union

Where we refer to "GDPR" in this policy, this applies to both the UK GDPR and EU GDPR unless otherwise stated.

2. Data Controller

The data controller responsible for your personal data is:

Matthew Rolt
Hubelbrunnenstr. 10, 67688 Rodenbach, Germany
E-mail: [email protected]

3. Data We Collect

We collect the following categories of personal data:

| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address, password hash | Account creation and authentication |
| Profile data | Display name, profile photo, bio, city, specialisms, portfolio images, website URL | Profile display and community discovery |
| Identity verification | Government-issued ID and selfie (processed by Stripe Identity — we receive only the verification result) | Optional user safety verification |
| Communications | Messages sent between users on the platform | Facilitating collaboration; safety moderation |
| Booking & payment data | Booking records, Stripe transaction IDs (card data held exclusively by Stripe) | Processing studio bookings and payments |
| Technical data | IP address, browser type, device info, session cookies | Platform security and analytics |

4. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

  • Contract performance (Art. 6(1)(b)): Account management, profile display, booking facilitation, and messaging.
  • Consent (Art. 6(1)(a)): Optional identity verification via Stripe Identity; analytics cookies (where applicable).
  • Legitimate interests (Art. 6(1)(f)): Platform security, fraud prevention, and anonymised analytics to improve our services. We have balanced these interests against your rights and determined they do not override your fundamental rights.
  • Legal obligation (Art. 6(1)(c)): Retention of financial records as required by applicable law.

5. How We Use Your Data

We use your personal data to operate and improve the Platform, facilitate connections between photographers, models, and studios, process bookings and payments, enforce our Terms of Service, send transactional emails (such as email verification and booking confirmations), and respond to support requests. We do not sell your personal data to third parties and do not use it for unsolicited marketing without your consent.

6. Data Sharing and Third-Party Processors

We share your data only with trusted third-party service providers acting as data processors on our behalf, under data processing agreements in compliance with GDPR:

  • Stripe, Inc. (USA) — payment processing and optional identity verification. Certified under the EU–US Data Privacy Framework.
  • Amazon Web Services (AWS) — cloud infrastructure and file storage. Data stored in the EU (Frankfurt, eu-central-1).
  • Resend, Inc. (USA) — transactional email delivery (e.g. email verification). Certified under the EU–US Data Privacy Framework.

We may also disclose your data where required by law, court order, or to protect the rights and safety of our users.

7. International Data Transfers

Some of our service providers (Stripe, Resend) are based in the United States. For EU users, transfers are made on the basis of the EU–US Data Privacy Framework adequacy decision (10 July 2023) and Standard Contractual Clauses (SCCs) under Art. 46(2)(c) EU GDPR. For UK users, transfers are made on the basis of the UK's International Data Transfer Agreement (IDTA) or equivalent adequacy regulations under the UK GDPR.

8. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

  • Account and profile data: for the duration of your account; deleted within 30 days of account deletion
  • Messages: for the duration of your account; deleted within 30 days of account deletion
  • Financial records (transaction IDs): 6 years (UK) / 10 years (Germany) as required by applicable tax and commercial law
  • Server logs: 7 days
  • Identity verification result: until account deletion; underlying documents retained by Stripe per their policies

9. Your Rights

Under the GDPR (both UK and EU), you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restriction (Art. 18): Request that we limit how we process your data.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond within one month (30 days) as required by GDPR.

10. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the relevant supervisory authority:

For UK users — Information Commissioner's Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk | Helpline: 0303 123 1113

For German / EU users — Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI RLP):
Hintere Bleiche 34, 55116 Mainz, Germany
www.datenschutz.rlp.de

11. Cookies and Tracking

We use session cookies that are strictly necessary to maintain your login state and provide core platform functionality. These do not require consent under the UK Privacy and Electronic Communications Regulations (PECR) or the German TTDSG. We do not use third-party advertising cookies or tracking pixels. Where we use optional analytics cookies, we request your consent via our cookie banner and you may withdraw it at any time.

12. Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, or misuse. All data is transmitted over HTTPS (TLS). Passwords are stored as bcrypt hashes. Payment card data is never stored on our servers — it is processed exclusively by Stripe.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or through a prominent notice on the Platform at least 30 days before the changes take effect. The date at the top of this page indicates when this policy was last updated.

14. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us at [email protected].
