John Young Photography GDPR Guidance

John Young Photography has employed Squarespace to manage my website and follow the guidance on GDPR.

Data Protection at Squarespace

PhotoDeck’s business approach has always been to put product quality front and centre and to build on strong ethical foundations. A deep respect for and attention to personal data are part of our DNA.

We collect only what is necessary to 1) provide the service our members contract, 2) allow our company’s legitimate operations, and 3) comply with the laws we’re subject to. We store as little personal data as needed, for a limited duration, and it would naturally be out of the question to share our users’ data with third parties outside of the scope described above.

PhotoDeck is based in the European Union and is subject to the General Data Protection Regulation (GDPR). The platform’s design choices, as well as the tools we provide, also help our members comply with the GDPR.

We distinguish our members’ websites’ and customers’ data from data controlled by Squarespace.

Data related to Squarespace members and visitors

PhotoDeck is Data Controller for data concerning our members (subscribers) and visitors.

WEBSITE TRAFFIC ANALYSIS AND SQUARESPACE VISITOR’S DATA

We use the Matomo software to analyse the traffic and performance of our website. The software is configured in a restrictive manner, in order to avoid the use of persistent cookies and the recording of personally identifiable data. For example, visitors’ IP addresses are anonymized.

PHOTODECK SUBSCRIBER’S PERSONAL DATA

We further distinguish data that we must legally keep for at least 10 years: account creation and expiry dates, contract acceptance date, first and last names, e-mail addresses, language, security information linked to logins (date and IP address, login failures), orders (including IP address), subscriptions, invoices and financial transactions. We also keep e-mail correspondence with our members and other contacts.

Other data is automatically deleted from the operational database when the grace period (up to 2 months) following the last subscription expires (contract termination): password (encrypted and salted), address book, payment details and preferences, carts, referral URLs and campaigns, affiliate links…

These pieces of data are stored on servers located in OVH datacentres, and are partially accessible by the contractor(s) we employ to provide technical support to our members.

NEWSLETTER

We also occasionally send an email newsletter to our current and former members, as well as to other visitors who have subscribed to the newsletter. For that, we require and record explicit consent, which is kept without time limit but is revocable (unsubscription) at any time.

UNIDENTIFIABLE AGGREGATE DATA

Aggregate data about the service (e.g. number of subscribers, the usage rate of certain features) are produced and kept without duration limitation but are neither linked nor linkable to identifiable individuals.

Members’ websites’ and clients’ data

A Squarespace member is responsible (Data Controller) for his own (Squarespace-powered) website’s data and for that website’s clients’ data.

Squarespace is then a subcontractor (Data Processor) in the GDPR sense: we process data on behalf of and under the instruction of the member, and we don’t use that data outside of the scope of the service contracted by that member.

In other words, the data of a member’s website and customers belong exclusively to that member, who controls them fully.

This data includes, besides the member’s images/video clips, website customization and configuration settings, any other personal data stored via the tools provided by Squarespace: for example, the customer’s login credentials, carts, selections (lightboxes), orders, comments left on the website, IP address, physical addresses, etc…

This data is mainly stored on servers located in OVH data centres. The files imported by our members, as well as websites’ static code parts, are stored on the Amazon cloud. The data is partly accessible by the contractor(s) we use to provide technical support to our members.

The data are transmitted to third parties, other than the subcontractors we use (and within the GDPR requirements), only upon instruction from the member (for example, order details transmitted to a lab for fulfilment).

The data is automatically deleted from our operational database at the end of the grace period (up to 2 months) following the last subscription (contract termination). The uploaded images, video clips and documents may be kept for an additional 2 months.

We don’t use creepy tracking cookies. We work eco-responsibly.