ShotsDesk

Privacy Policy

How ShotsDesk handles personal data — for studio owners and the clients they serve.

Last updated · 14 May 2026

ShotsDesk ("we", "us") provides studio management software to photographers ("Studios"). This Privacy Policy explains what data we process, why, and the rights you have under the EU General Data Protection Regulation (GDPR) and comparable laws.

1. Who is the controller?

For your studio account and the data you enter (clients, projects, invoices, galleries) the Studio is the data controller. ShotsDesk acts as a data processor on your behalf — see our Data Processing Agreement.

For account-level data (your login email, billing, support correspondence) ShotsDesk is the controller. Contact: privacy@shotsdesk.com.

2. What data we process

  • Account data — email, password hash, locale, time zone.
  • Studio content — clients, leads, projects, bookings, invoices, photos and metadata you upload.
  • Billing data — Stripe customer ID, subscription status (payment details are stored by Stripe, not by us).
  • Usage data — IP, user agent, request timestamps, error logs (kept for security and debugging).
  • Cookies — strictly necessary cookies for auth and language. Optional analytics only with consent.

3. Legal bases

  • Contract — running the service you signed up for.
  • Legitimate interest — security, fraud prevention, product improvement.
  • Consent — optional analytics cookies, marketing emails.
  • Legal obligation — invoice retention, tax records.

4. Sub-processors

We rely on the following sub-processors. All are bound by data processing terms:

  • Lovable Cloud / Supabase — application hosting, database, file storage (EU region).
  • Stripe — payments and subscription billing.
  • Resend / Lovable Emails — transactional email delivery.
  • Cloudflare — edge runtime and DDoS protection.

5. Retention

Studio content is retained until you delete it or close your account. Invoices are retained for 7 years where required by law. Backups are kept for 30 days and then permanently purged.

6. Your rights (GDPR)

  • Access — download a JSON export of all your data from Settings → Privacy & data.
  • Erasure — delete your account from the same screen.
  • Rectification — edit any record directly in the app.
  • Portability — the export is machine-readable JSON.
  • Object / restrict — email privacy@shotsdesk.com.
  • Complaint — you may file a complaint with your local supervisory authority (e.g. the Dutch Autoriteit Persoonsgegevens).

7. International transfers

Data is stored in the EU by default. Where sub-processors operate outside the EU (e.g. Stripe, Cloudflare), transfers rely on Standard Contractual Clauses.

8. Security

Encryption in transit (TLS 1.2+), encryption at rest, row-level security on every database table, and least-privilege service credentials. Incidents are notified within 72 hours where required.

9. Changes

We will notify Studios by email of material changes at least 30 days before they take effect.

10. Contact

ShotsDesk · privacy@shotsdesk.com