Privacy Policy

Last updated: 1 December 2025

This Privacy Policy explains how StudioStack Ltd ("we", "us", "our") collects, uses, stores, and protects your personal information when you use the StudioStack service ("Service"). This policy applies to all users of StudioStack, including photographers, videographers, creative studios, and their clients who access the Client Portal.

By using StudioStack, you agree to the collection and use of information in accordance with this Privacy Policy and our Terms of Service. If you do not agree with this Privacy Policy, please do not use the Service.

1. Information We Collect

We collect several types of information to provide and improve the Service.

1.1 Information You Provide Directly

Account Information:

  • Full name and email address
  • Password (stored as encrypted hash)
  • Organisation/business name
  • Phone number (optional)
  • Professional details (photography specialties, business type)

Client Data You Upload:

  • Client names and contact information
  • Client email addresses and phone numbers
  • Additional contact persons (billing, delivery contacts)
  • Job details (dates, times, locations, descriptions, pricing)
  • Communication preferences and notification settings

Content You Upload:

  • Photographs and images
  • Gallery titles and descriptions
  • Watermark templates and branding assets
  • Invoice information (line items, prices, tax amounts)
  • Purchase order numbers and financial references

1.2 Information Collected Automatically

Usage Data:

  • Pages and features you access
  • Time and date of access
  • Actions you take (creating galleries, sending invoices)
  • Browser type, version, and language settings
  • Device type and operating system

Technical Data:

  • IP address and geographic location (country/region)
  • Session identifiers and authentication tokens
  • API request logs and performance metrics
  • Error logs and crash reports

1.3 Information from Third Parties

  • Payment information from payment processors (Stripe)
  • Email delivery status from email providers (Resend)
  • Infrastructure performance data from hosting providers
  • Basic profile information from SSO providers (Google, if enabled)

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 To Provide the Service

  • Create and manage your account
  • Authenticate your identity and secure your account
  • Enable you to create and manage clients, jobs, galleries, and invoices
  • Process and store photographs and content you upload
  • Generate thumbnails and apply watermarks to images
  • Create and deliver galleries to your clients
  • Generate invoice PDFs and send them to clients
  • Send automated email notifications
  • Provide the Client Portal for your clients

2.2 To Improve and Develop the Service

  • Analyze usage patterns to understand feature usage
  • Identify and fix bugs, errors, and performance issues
  • Test new features and improvements during alpha testing
  • Monitor system performance and reliability
  • Optimize infrastructure and reduce costs

2.3 To Communicate With You

  • Send account notifications (password resets, security alerts)
  • Respond to support requests and inquiries
  • Send updates about Service changes and new features
  • Notify you of Terms or Privacy Policy changes
  • Request feedback about the Service

2.4 To Ensure Security and Prevent Fraud

  • Detect and prevent unauthorized access
  • Identify and investigate suspicious activity
  • Enforce our Terms of Service
  • Protect against spam and malicious use
  • Maintain audit logs for security purposes

2.5 Legal and Compliance

  • Comply with applicable laws and regulations
  • Respond to legal processes and law enforcement requests
  • Establish, exercise, or defend legal claims
  • Maintain financial records for tax purposes (7 years)

3. Legal Basis for Processing (UK GDPR)

Under UK GDPR, we must have a lawful basis for processing your personal data:

Contract Performance:

We process your account data to perform our contract with you under the Terms of Service.

Legitimate Interests:

We process data based on our legitimate interests in:

  • Improving the Service and developing new features
  • Ensuring security and preventing fraud
  • Analyzing usage to optimize performance

Legal Obligation:

We process certain data to comply with legal obligations (tax records, legal requests).

Consent:

For certain activities, we obtain your explicit consent (marketing, cookies where required).

4. Your Role as Data Controller

Important: Controller vs Processor Roles

When you upload information about your clients to StudioStack, you are the Data Controller and we are the Data Processor. This distinction is critical under UK GDPR.

4.1 Your Responsibilities as Controller

You are responsible for:

  • Having a lawful basis under UK GDPR to collect and process your clients' personal data
  • Obtaining necessary consents from your clients before uploading their data
  • Providing your clients with appropriate privacy notices
  • Responding to data subject access requests from your clients
  • Ensuring the accuracy and relevance of data you upload
  • Complying with data protection principles (lawfulness, fairness, transparency, accuracy, storage limitation)

4.2 Our Role as Processor

We process your client data only according to your instructions (through your use of the Service features), as necessary to provide the Service, and subject to appropriate technical and organisational security measures.

4.3 Client Rights

Your clients have rights under UK GDPR (access, rectification, erasure, restriction, portability, objection). You are responsible for handling these requests from your clients. We provide tools to help you manage client data, but the obligation to respond rests with you as the Data Controller.

5. How We Share Your Information

We do not sell your personal information. We share your information only in the following limited circumstances:

5.1 Service Providers (Sub-Processors)

We use trusted third-party service providers to help operate the Service:

Hosting and Infrastructure:

  • Vercel (Netherlands/US) - Frontend hosting
  • Render (US) - Backend API and worker hosting
  • Cloudflare (Global) - CDN, storage (R2), DDoS protection
  • Neon (US/EU) - PostgreSQL database hosting

Communication Services:

  • Resend (US) - Transactional email delivery
  • Upstash (Global) - Redis queue management

Payment Processing:

  • Stripe (US/EU) - Payment processing (when enabled)

All sub-processors are selected based on their security standards and data protection commitments. We have contracts requiring them to process data only according to our instructions and comply with UK GDPR.

5.2 Legal Requirements

We may disclose your information if required by law or in response to:

  • Valid legal processes (subpoenas, court orders)
  • Government or regulatory requests
  • To protect our rights or detect fraud

5.3 Business Transfers

If StudioStack is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

6. International Data Transfers

StudioStack operates globally, which means your data may be transferred to, stored in, and accessed from countries outside the United Kingdom.

6.1 Safeguards for International Transfers

When we transfer data outside the UK, we ensure appropriate safeguards:

  • Adequacy Decisions: We transfer data to countries the UK Government has deemed to provide adequate data protection
  • Standard Contractual Clauses: For other countries, we use UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses
  • Additional Safeguards: We implement supplementary security measures where necessary

6.2 Primary Data Locations

Your data is primarily stored in: UK/EU (database servers), United States (hosting infrastructure), and Global (Cloudflare CDN).

7. Data Security

We implement industry-standard security measures to protect your data from unauthorized access, alteration, disclosure, or destruction.

7.1 Technical Security Measures

Encryption:

  • Data in transit encrypted using TLS/SSL (HTTPS)
  • Passwords encrypted using bcrypt hashing
  • Sensitive data at rest encrypted where feasible

Access Controls:

  • Role-based access control within the Service
  • Multi-tenant isolation (your data isolated from other users)
  • Authentication required for all API requests
  • Session management with secure cookies

Infrastructure Security:

  • Secure data centers with physical access controls
  • Network firewalls and DDoS protection
  • Regular security monitoring and threat detection
  • Automated security patches and updates

7.2 Operational Security

  • Regular automated backups of databases and storage
  • Disaster recovery procedures
  • Limited employee access to production data
  • Security incident response plan

7.3 Your Security Responsibilities

  • Choose a strong, unique password
  • Keep your password confidential
  • Secure your devices and internet connections
  • Log out of shared devices
  • Report suspicious activity

7.4 Security Limitations

No system is completely secure. Despite our efforts, we cannot guarantee absolute security. Internet transmission is inherently insecure, and alpha testing software may have undiscovered vulnerabilities. You acknowledge and accept these inherent security risks.

8. Data Retention

We retain your data for as long as necessary to provide the Service and comply with legal obligations.

8.1 Active Accounts

While your account is active, we retain your account information, client data, jobs, galleries, invoices, and uploaded content. You can delete specific data at any time through the Service interface.

8.2 Closed Accounts

When you close your account:

  • We delete or anonymize your data within 90 days
  • Backups may contain deleted data for up to 90 days after deletion
  • After 90 days, data in backups is overwritten according to backup rotation

8.3 Legal Retention Requirements

Certain data is retained longer for legal purposes:

  • Financial Records (7 years): Invoices and payment records required by UK tax law
  • Legal Holds: Data subject to disputes or investigations retained until resolved
  • Security Logs: Typically 12-24 months for fraud prevention

8.4 Export Your Data

You are responsible for exporting any data you wish to retain before closing your account. We provide data export functionality. After the retention period, we have no obligation to recover deleted data.

9. Your Privacy Rights

Under UK GDPR and data protection laws, you have the following rights regarding your personal data:

9.1 Right of Access

Request confirmation of whether we process your personal data and receive a copy of your data. Contact us at hello@studiostack.co.uk. We will respond within 30 days.

9.2 Right to Rectification

Correct inaccurate personal data. You can update most information directly in your account settings.

9.3 Right to Erasure

Request deletion of your personal data when it's no longer necessary, you withdraw consent, or you object to processing. Close your account through settings or contact us. Note: financial records retained 7 years for legal compliance.

9.4 Right to Restriction

Request we restrict processing when you contest data accuracy, processing is unlawful, or you've objected to processing.

9.5 Right to Data Portability

Receive your data in a structured, machine-readable format. Use the data export functionality in account settings.

9.6 Right to Object

Object to processing based on legitimate interests or direct marketing. We will stop processing unless we have compelling legitimate grounds.

9.7 Right to Withdraw Consent

Where processing is based on consent, withdraw consent at any time through account settings or by contacting us.

9.8 Right to Lodge a Complaint

Lodge a complaint with the Information Commissioner's Office (ICO) if you believe we've violated data protection laws. Visit ico.org.uk or call 0303 123 1113.

9.9 Exercising Your Rights

To exercise any rights, email hello@studiostack.co.uk with your request and sufficient information to verify your identity. We will respond within 30 days at no charge (unless requests are manifestly unfounded or excessive).

10. Cookies and Tracking Technologies

StudioStack uses cookies and similar technologies to provide and improve the Service.

10.1 Types of Cookies We Use

Essential Cookies (Strictly Necessary):

  • Session authentication cookies (required to log in)
  • Security cookies (CSRF protection)
  • Load balancing cookies

These cookies are necessary for the Service to function and cannot be disabled.

Functional Cookies:

  • User preference cookies (remember settings)
  • Feature usage cookies

Analytics Cookies:

  • Usage analytics (understand how Service is used)
  • Performance monitoring (identify errors)

10.2 Managing Cookies

You can control cookies through your browser settings. However, blocking essential cookies will prevent you from using the Service.

11. Children's Privacy

StudioStack is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

If you are under 18, do not use the Service or provide any information to us.

If we discover we have collected information from a child under 18, we will delete that information as quickly as possible. If you believe we have collected information from a child under 18, please contact us immediately at hello@studiostack.co.uk.

12. Alpha Testing and Data Protection

Alpha Testing Software Risks

StudioStack is alpha testing software (pre-beta). Alpha software is experimental and may contain bugs that could compromise data security. Data loss or corruption is more likely than in production software.

YOU MUST MAINTAIN YOUR OWN BACKUPS OF ALL CONTENT. We are not responsible if your data is lost, corrupted, or becomes inaccessible. Alpha testing is for feedback and testing only, not for production business use.

By using the alpha Service, you acknowledge the increased risks and accept that data loss may occur. You should not rely on StudioStack as your only copy of data or use it for business-critical operations.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, legal requirements, or our business practices.

Material Changes:

  • We will email you at least 30 days before material changes take effect
  • We may display a prominent notice in the Service
  • We will update the "Last updated" date at the top

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy. If you don't agree to changes, you must stop using the Service and close your account.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Email: hello@studiostack.co.uk

Response Time: We aim to respond to all privacy inquiries within 5 business days during alpha testing, and within 30 days for formal data subject rights requests.

15. Summary of Key Points

For quick reference:

  • What we collect: Account details, client data you upload, photographs, usage data
  • How we use it: Provide the Service, improve features, communicate, ensure security
  • Your role: You're the Data Controller for your client data; we're the Data Processor
  • Data security: Encryption, access controls, backups, monitoring
  • Data sharing: Only with trusted sub-processors, never sold
  • Your rights: Access, rectification, erasure, restriction, portability, objection
  • Data retention: Deleted within 90 days after account closure (except financial records: 7 years)
  • Alpha risks: Maintain your own backups; data loss possible; not for production use
  • Contact: hello@studiostack.co.uk for all privacy inquiries

By using StudioStack, you acknowledge that you have read, understood, and agree to this Privacy Policy.