Privacy Policy
Effective Date: January 3, 2026
Last Updated: January 3, 2026
Version: v1.0-2026-01-03
1. Introduction
Vela Photo ("we," "our," "us") operates the Vela Photo wedding photography timeline management platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service, in compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.
2. Data Controller Information
For purposes of the GDPR and other data protection laws, Vela Photo is the data controller for personal information collected through our Service.
Company: Rocket Creative LLC d/b/a UXUI Design Corp
Privacy Contact: privacy@velaphoto.com
Address: [Business Address]
For GDPR-specific inquiries or to exercise your rights under EU law, please contact us at the email above.
3. Information We Collect
3.1 Information You Provide
Photographer Account Data:
- Name, email address, phone number
- Business name, website, address
- Password (stored as a secure hash, never in plain text)
- Billing information (processed securely through Stripe; we only store the last 4 digits of cards)
Couple/Client Data (provided by photographers or directly by couples via intake forms):
- Names, email addresses, phone numbers, pronouns
- Wedding date, ceremony and reception locations
- Family member names and relationships
- Cultural, religious, or faith-based ceremony preferences
- Wedding party member details
3.2 Automatically Collected Information
- IP address and approximate location
- Device type, operating system, and browser information
- Pages visited, features used, and timestamps
- Referring website and exit pages
3.3 Information from Third Parties
- Stripe: Transaction confirmation, payment status (we do not receive or store full credit card numbers)
- Google Maps: Location and travel time calculations (anonymized)
4. How We Use Your Information
- Service Delivery: Create wedding timelines, generate shot lists, send notifications
- Account Management: Authenticate users, manage subscriptions, process payments
- Communication: Send service updates and renewal reminders, respond to support inquiries
- Security: Prevent fraud, detect abuse, protect against unauthorized access
- Analytics: Understand usage patterns, improve features (using aggregated/anonymized data)
- Legal Compliance: Comply with laws, respond to legal requests, enforce our terms
5. Legal Basis for Processing (GDPR)
Under the GDPR, we process personal data based on the following legal grounds:
- Contract Performance (Article 6(1)(b)): Processing necessary to deliver the services you signed up for—creating timelines, managing your account, processing payments.
- Legal Obligation (Article 6(1)(c)): Processing required by law—tax records (7 years), fraud prevention, responding to valid legal requests.
- Legitimate Interest (Article 6(1)(f)): Security monitoring, service improvement, analytics (balanced against your rights). You may object to processing based on legitimate interest.
- Consent (Article 6(1)(a)): Marketing communications, optional analytics cookies. You may withdraw consent at any time.
6. Data Sharing and Disclosure
We NEVER sell your personal data.
We share data only with the following categories of recipients:
6.1 Service Providers (Subprocessors)
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting | All application data | USA (AWS) |
| Stripe | Payment processing | Billing info, email | USA |
| Vercel | Website hosting | IP addresses, logs | Global CDN |
| Resend | Email delivery | Email addresses, names | USA |
| Sentry | Error monitoring | Error logs (no PII) | USA |
| Google Maps | Location/travel time | Addresses only | USA |
6.2 Other Disclosures
- Legal Requirements: Law enforcement requests, court orders, legal proceedings
- Business Transfers: In case of merger, acquisition, or asset sale (with prior notice to you)
- Protection: To protect our rights, safety, or property, or that of our users
7. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Account lifetime + 7 years | Tax compliance |
| Wedding data | Until deleted or 2 years post-wedding | Service delivery |
| Payment records | 7 years | Tax law requirement |
| Security logs | 90 days | Security monitoring |
| Analytics data | 2 years (aggregated) | Service improvement |
| Support communications | 3 years | Customer service |
8. Your Rights Under GDPR (EU/EEA Residents)
If you are located in the European Union or European Economic Area, you have the following rights:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format (JSON, CSV).
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances.
- Right to Withdraw Consent (Art. 7): Withdraw consent for processing based on consent (e.g., marketing emails) at any time.
- Right to Lodge a Complaint: File a complaint with your local Data Protection Authority.
To exercise your rights: Email privacy@velaphoto.com with your request. We will respond within 30 days (extendable by 60 days for complex requests).
9. Your Rights Under CCPA (California Residents)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of what personal information we collect, use, disclose, and sell.
- Right to Delete: Request deletion of your personal information (subject to legal exceptions).
- Right to Opt-Out of Sale: We do NOT sell personal information, so this right does not apply.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information: We collect minimal sensitive information and use it only for providing the Service.
To exercise your rights: Email privacy@velaphoto.com or call [Phone Number]. We will verify your identity and respond within 45 days.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:
- EU Residents (GDPR): We will notify the relevant supervisory authority within 72 hours, and affected individuals without undue delay if the breach poses high risk.
- California Residents (CCPA): We will notify affected individuals and the California Attorney General within required timeframes.
- All Users: We will provide details of the breach, data affected, and recommended protective steps via email and website notice.
11. International Data Transfers
Your data is primarily processed in the United States. For transfers from the EU/EEA to the US, we rely on:
- Standard Contractual Clauses (SCCs): We have executed SCCs with our subprocessors (Supabase, Stripe, etc.) as approved by the European Commission.
- Adequacy Decisions: Where applicable, we transfer data to countries with adequacy decisions.
- Your Consent: By using our Service, you consent to the transfer of your data to the US for processing.
12. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit: All data transmitted using TLS 1.3
- Encryption at Rest: Database encryption via Supabase
- Secure Authentication: Passwords hashed using bcrypt with salt
- Access Controls: Role-based access, least-privilege principles
- Security Headers: HSTS, CSP, X-Frame-Options, and other protections
- Regular Audits: Periodic security assessments and monitoring
However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
13. Cookies and Tracking Technologies
We use cookies and similar technologies for:
- Essential Cookies: Authentication, security, session management (required for Service)
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Understand usage patterns (opt-in, can be disabled)
You can manage cookie preferences through our cookie banner or your browser settings. See our Cookie Policy for details.
14. Children's Privacy
Vela Photo is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we discover that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@velaphoto.com.
15. Do Not Track Signals
Our Service does not currently respond to "Do Not Track" (DNT) browser signals because there is no consistent industry standard for compliance. However, you can manage tracking through our cookie preferences and browser settings.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Email notification to your registered account
- Prominent notice on our website
- Requiring re-acceptance for material changes affecting your rights
The "Last Updated" date at the top of this policy indicates when it was last revised.
17. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
Privacy Inquiries: privacy@velaphoto.com
General Support: support@velaphoto.com
Mailing Address: [Business Address]
We aim to respond to all privacy-related inquiries within 30 days.