Privacy Policy

Last updated: March 19, 2026

1. Information We Collect

When you use Photo Portugal, we may collect the following information:

  • Account information: name, email address, profile photo (from Google OAuth or uploaded), phone number (if provided)
  • Photographer profiles: bio, languages, locations, portfolio photos, pricing, availability
  • Booking data: dates, times, locations, session type, number of participants, and any special requests
  • Messages: communications between clients and photographers through our platform
  • Payment information: billing details processed securely by Stripe (we do not store your full card number)
  • Usage data: pages visited, device type, browser, IP address, referring URL, and interaction patterns
  • Cookies and similar technologies: session tokens, authentication state, and analytics identifiers (see Section 8)

2. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

  • Contract performance (Article 6(1)(b)): processing necessary to fulfil bookings between clients and photographers, manage your account, facilitate payments, and deliver the services you request through our platform.
  • Consent (Article 6(1)(a)): for non-essential cookies, marketing emails, and promotional communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legitimate interest (Article 6(1)(f)): for platform security and fraud prevention, anonymous analytics to improve our service, enforcing our Terms of Service, and communicating essential service updates.
  • Legal obligation (Article 6(1)(c)): to comply with tax, accounting, and other legal requirements applicable under Portuguese and EU law.

3. How We Use Your Information

  • To provide, operate, and improve our photography marketplace services
  • To facilitate bookings and communication between clients and photographers
  • To display photographer profiles and portfolios publicly on the platform
  • To process payments and issue invoices
  • To send booking confirmations, reminders, and service-related notifications
  • To send marketing communications (only with your consent, and you can opt out at any time)
  • To prevent fraud, detect abuse, and ensure platform security
  • To analyse usage patterns and improve user experience
  • To comply with legal obligations, including tax and accounting requirements

4. Information Sharing & Third-Party Services

We do not sell your personal information. We share data only in these cases:

  • Between booking parties: clients see photographer profiles and public portfolios; photographers see client name, contact details, and booking information necessary to deliver the service.
  • Service providers (data processors): we use the following third-party services to operate our platform:
  • Stripe — payment processing. Stripe receives your billing details to process transactions securely. Stripe Privacy Policy
  • Google — OAuth authentication and sign-in. Google receives your authentication token when you sign in with Google. Google Privacy Policy
  • DigitalOcean — cloud hosting and infrastructure. Your data is stored on DigitalOcean servers. DigitalOcean Privacy Policy
  • Twilio — SMS notifications for booking updates and verification. Your phone number is shared with Twilio when SMS notifications are enabled. Twilio Privacy Policy
  • Legal requirements: if required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Photo Portugal, our users, or the public.

5. Data Processing Agreements

We have entered into Data Processing Agreements (DPAs) with all third-party processors listed above, as required by Article 28 of the GDPR. These agreements ensure that our processors handle your personal data in compliance with European data protection law, implement appropriate technical and organisational security measures, and only process data on our documented instructions.

6. International Data Transfers

Photo Portugal is based in Portugal and primarily stores data within the European Union. However, some of our third-party processors may process personal data outside the EU/EEA:

  • Stripe processes payment data in the United States and other jurisdictions where Stripe operates.
  • Google may process authentication data in the United States and other global data centres.

Where data is transferred outside the EU/EEA, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary measures where necessary, and adequacy decisions where applicable. You may request a copy of the relevant safeguards by contacting us at info@photoportugal.com.

7. Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy:

  • Account data: retained while your account is active, plus 2 years after account deletion to handle any post-deletion enquiries, disputes, or legal claims.
  • Booking and transaction data: retained for 7 years after the booking date to comply with Portuguese tax and accounting obligations.
  • Messages: retained for 1 year after the associated booking is completed, then permanently deleted.
  • Analytics data: retained for 26 months, then automatically aggregated or deleted.
  • Marketing consent records: retained for as long as we send marketing communications, plus 3 years after consent withdrawal for accountability purposes.

When data is no longer needed, it is securely deleted or irreversibly anonymised.

8. Cookies

We use the following types of cookies:

  • Essential cookies: required for authentication, session management, and core platform functionality. These cannot be disabled.
  • Analytics cookies: used to understand how visitors interact with our site and to improve our service. These are only set with your consent.

We do not use third-party advertising or tracking cookies. You can manage your cookie preferences at any time through your browser settings or our cookie consent banner.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • HTTPS/TLS encryption for all data in transit
  • Secure password hashing (bcrypt) for locally-created accounts
  • Role-based access controls on our database and admin systems
  • Regular security reviews and dependency updates
  • Encrypted backups with restricted access

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

10. Your Rights Under the GDPR

As a data subject, you have the following rights under the GDPR:

  • Right of access (Article 15): request a copy of all personal data we hold about you.
  • Right to rectification (Article 16): request correction of inaccurate or incomplete personal data.
  • Right to erasure (Article 17): request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing (Article 18): request that we limit how we use your data in certain circumstances.
  • Right to data portability (Article 20): receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV), and transmit that data to another controller without hindrance.
  • Right to object (Article 21): object to processing based on legitimate interest, including profiling.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at info@photoportugal.com. We will respond to your request within 30 days.

11. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Portugal, the competent authority is:

Comissão Nacional de Proteção de Dados (CNPD)

Av. D. Carlos I, 134 — 1.º

1200-651 Lisboa, Portugal

Website: www.cnpd.pt

You may also lodge a complaint with the supervisory authority in your EU/EEA member state of residence, place of work, or the place of the alleged infringement.

12. Children's Privacy

Photo Portugal is not intended for use by children under the age of 18. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@photoportugal.com, and we will take steps to delete that information promptly.

13. Business Transfers

If Photo Portugal is involved in a merger, acquisition, asset sale, or bankruptcy, your personal data may be transferred as part of that transaction. In such an event, we will notify all affected users at least 30 days before the transfer of personal data and before any new privacy policy takes effect. You will have the option to delete your account and data before the transfer is completed.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or by posting a prominent notice on our platform at least 14 days before the changes take effect. Your continued use of Photo Portugal after the effective date constitutes acceptance of the updated policy.

15. Contact

For any privacy-related questions, data subject requests, or concerns about this policy, contact us at:

Photo Portugal

Email: info@photoportugal.com

Website: photoportugal.com

Take Photo Portugal with you

Browse photographers, book sessions, and manage everything from your phone.

Download on the App Store
Get it on Google PlaySoon