Privacy Policy

Last updated: June 14, 2026

1. Introduction

FrameFlow ("we", "our", or "us") operates frameflow.app (the "Service"). FrameFlow is a client delivery platform for professional photographers, enabling secure photo sharing and gallery management.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

FrameFlow
[Your Address]
[Your Email]
KvK: [Your Chamber of Commerce Number]

3. Your Role and Ours

When you use FrameFlow to deliver photos to your clients, you (the photographer) are the data controller for your clients' personal data, and we (FrameFlow) act as a data processor on your behalf.

This means you are responsible for ensuring you have the appropriate legal basis (such as consent or contract) to upload photos and share client contact information with us. We process this data only according to your instructions and the terms of our Data Processing Agreement.

4. Information We Collect

4.1 Information You Provide

  • Account information: Name, email address, password (encrypted)
  • Profile information: Business name, logo, branding preferences
  • Photos and media: Images you upload for client delivery, including embedded metadata
  • Client information: Names and email addresses of clients you invite to view galleries
  • Payment information: Billing address and payment details (processed by our payment provider)

4.2 Photo Metadata

Photos you upload may contain embedded metadata (EXIF data), including:

  • Camera and lens information
  • Date and time of capture
  • GPS coordinates (if enabled on your camera)
  • Copyright and creator information

We store this metadata as part of the image file. You are responsible for stripping location data before upload if your clients have not consented to its storage.

4.3 Information Collected Automatically

  • Usage data: Pages visited, features used, time spent on the Service
  • Device information: IP address, browser type, operating system
  • Gallery access logs: When galleries are viewed (for the photographer's benefit)

4.4 Information About Gallery Recipients

When photographers share galleries, we collect minimal information about recipients: email address (to send gallery invitations) and access logs (when galleries are viewed). Gallery recipients can request deletion of their data by contacting the photographer directly or by emailing us.

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract: To provide the Service you've signed up for
  • Consent: For marketing communications (you can withdraw at any time)
  • Legitimate interests: To improve our Service, prevent fraud, and ensure security

6. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Process your photo uploads and gallery sharing
  • Send gallery invitations to your clients on your behalf
  • Process payments and manage subscriptions
  • Send you technical notices and support messages
  • Send marketing communications (with your consent)
  • Monitor and analyze usage patterns to improve user experience
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

7. Data Storage and Security

7.1 Location

Your data is stored on servers located in the European Union, using Hetzner data centers in Germany. All data processing occurs within the EU.

7.2 Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of sensitive data at rest
  • Secure password hashing
  • Regular security updates and vulnerability scanning
  • Access controls and authentication
  • Regular encrypted backups

However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

7.3 Retention

  • Active accounts: Data retained while your subscription is active
  • Photos: Deleted within 30 days of you removing them, or within 30 days of account closure
  • Backups: May persist in encrypted backups for up to 90 days
  • Invoices and transaction records: Retained for 7 years (Dutch fiscal requirements)

8. Third-Party Services

We use the following third-party services that may process your data:

All third-party processors are GDPR-compliant and have signed Data Processing Agreements with us. A current list of sub-processors is available upon request.

9. Data Sharing

We do not sell your personal data. We may share your information only in these circumstances:

  • With your consent: When you explicitly agree
  • Service providers: Third parties who help us operate the Service (under strict confidentiality)
  • Legal requirements: To comply with legal obligations or respond to lawful requests
  • Business transfers: In connection with a merger, sale, or acquisition (you will be notified)

10. International Data Transfers

Your data is processed within the European Union. If we transfer data outside the EU, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses or adequacy decisions).

11. Your Rights (GDPR)

You have the following rights regarding your personal data:

  • Right to access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your data ("right to be forgotten")
  • Right to restrict processing: Limit how we use your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent for marketing or other consent-based processing

To exercise these rights, contact us at [YOUR EMAIL]. We will respond within 30 days.

11.1 Data Portability

You can export your account information (JSON format), your uploaded photos in original format, and gallery and client data (CSV format). Export is available through your account settings or by request.

11.2 Account Deletion

You can delete your account at any time through your account settings or by contacting us. Upon deletion:

  • Your account data will be permanently deleted within 30 days
  • Your uploaded photos will be permanently deleted within 30 days
  • Some data may be retained for legal compliance or fraud prevention
  • Invoices and transaction records will be retained for 7 years per Dutch law

12. Cookies

We use cookies and similar tracking technologies to improve your experience.

12.1 Essential Cookies

Required for the Service to function (login sessions, security tokens). These do not require consent under GDPR as they are strictly necessary.

12.2 Analytics Cookies

[Specify: "We use [analytics service]" or "We do not use analytics cookies"]

12.3 Cookie Control

You can control non-essential cookies through our cookie banner or your browser settings. Disabling essential cookies may affect Service functionality.

13. Children's Privacy

The Service is intended for professional photographers (B2B). We do not knowingly allow minors under 16 to create accounts.

Photographers may upload photos that include minors (e.g., family photography, events). Photographers are responsible for obtaining appropriate consent for photos of minors from parents or guardians.

Parents or guardians can request deletion of their child's images by contacting the photographer directly or by emailing us.

14. Marketing Communications

With your consent, we may send you:

  • Product updates and new features
  • Tips and best practices for photographers
  • Special offers and promotions

You can unsubscribe at any time by clicking the "unsubscribe" link in any email or adjusting your account settings.

15. Data Breach Notification

In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33, where the breach is likely to result in a risk to your rights and freedoms.

16. Data Processing Agreement

Business customers may require a Data Processing Agreement (DPA) to comply with GDPR Article 28. Contact us at [YOUR EMAIL] to request our standard DPA.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will notify you via email or a prominent notice on the Service at least 14 days before the changes take effect.

18. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Email: [YOUR EMAIL]
Address: [YOUR ADDRESS]

19. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. In the Netherlands, this is:

Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag
https://autoriteitpersoonsgegevens.nl