We take your privacy seriously. This policy explains how we collect, use, and protect your personal information.
1. Information We Collect
1.1 Photographer Information
When you create a photographer account, we collect:
- Account Information: Name, email address, phone number, password
- Business Information: Business name, photography specialization
- Payment Information: Square account connection (OAuth tokens)
- Subscription Data: Plan type, billing history, subscription status
1.2 Client Booking Information
When clients book sessions through MiniShoots, we collect:
- Contact Information: Name, email address, phone number
- Booking Details: Session date, time, location preferences
- Payment Information: Processed and stored by Square (we do not store credit card numbers)
- Communication Preferences: SMS consent, email preferences
1.3 Automatically Collected Information
- Device Information: Device type, operating system, app version
- Usage Data: Features used, booking activity, session duration
- Error Logs: Crash reports and error tracking via Sentry
- IP Address: For security and fraud prevention
2. How We Use Your Information
2.1 To Provide the Service
- Create and manage photographer accounts
- Process bookings and payments
- Send booking confirmations and reminders
- Enable communication between photographers and clients
- Manage subscriptions and billing
2.2 To Improve the Service
- Analyze usage patterns to improve features
- Monitor and fix technical issues
- Develop new features based on user needs
- Conduct research and analytics
2.3 To Communicate With You
- Send service-related notifications
- Respond to support requests
- Send important updates about the service
- Provide marketing communications (with your consent)
2.4 For Legal and Security Purposes
- Prevent fraud and abuse
- Comply with legal obligations
- Enforce our Terms of Service
- Protect user safety and security
3. Information Sharing
3.1 With Service Providers
We share data with trusted third-party providers who help us operate the service:
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Square | Payment processing | Payment details, booking information |
| Twilio | SMS notifications | Phone numbers, message content |
| Resend | Email delivery | Email addresses, message content |
| Sentry | Error tracking | Error logs, device information |
| Neon (PostgreSQL) | Database hosting | All application data |
| Apple / Paddle | Subscription billing | Subscription status, purchase receipts |
| Replit Object Storage | Image hosting | Uploaded images, session photos |
3.2 With Photographers
Client booking information is shared with the photographer who is providing the service. This includes name, contact information, and booking details.
3.3 Legal Requirements
We may disclose information if required by law, subpoena, or to protect our rights and safety.
3.4 Business Transfers
If MiniShoots is acquired or merged, your information may be transferred to the new owner.
4. Data Security
We implement industry-standard security measures:
- Encryption: Data in transit uses TLS/SSL encryption
- Authentication: Secure password hashing with bcrypt
- Access Controls: Limited employee access to personal data
- Regular Monitoring: Security audits and vulnerability scanning
- Database Security: PostgreSQL with encrypted connections
5. Data Retention
We retain different types of data for different periods based on legal requirements and operational needs:
5.1 Client Booking Data
Client booking information, including contact details, session history, and related records, is retained for 7 years after the last booking. This retention period is required for tax compliance, legal documentation, and potential dispute resolution.
5.2 Photographer Account Data
When a photographer requests account deletion, all associated personal data will be deleted within 30 days of the deletion request, except for data that must be retained for legal or regulatory purposes.
5.3 Payment Records
Payment transaction records, including invoices, receipts, and payment history, are retained for 7 years in accordance with financial regulations and tax requirements.
5.4 Other Data
- Active Accounts: Data retained while account is active
- Backups: Backup data retained for up to 30 days
- Error Logs: Technical logs retained for up to 90 days
6. Your Rights
6.1 Access and Control
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update inaccurate information
- Deletion: Request deletion of your data
- Portability: Export your data in a portable format
- Opt-Out: Unsubscribe from marketing communications
6.2 SMS Opt-Out
Clients can opt out of SMS notifications at any time by replying "STOP" to any SMS from MiniShoots. This will not affect email notifications or the ability to book sessions.
6.3 Do Not Track
Our service does not currently respond to Do Not Track browser signals.
7. Children's Privacy
MiniShoots is not intended for users under 13 years old. We do not knowingly collect information from children. If we discover we have collected data from a child, we will delete it immediately.
8. International Users
MiniShoots is based in the United States. By using the service, you consent to the transfer and processing of your data in the United States.
9. California Privacy Rights (CCPA)
California residents have additional rights:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt-out of sale of personal information (we do not sell data)
- Right to deletion of personal information
- Right to non-discrimination for exercising privacy rights
10. GDPR Rights (European Users)
If you are in the European Economic Area, you have rights under GDPR:
- Right to access personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
11. Cookies and Tracking
We use minimal cookies and tracking:
- Essential Cookies: Required for authentication and security
- Analytics: Sentry for error tracking and performance monitoring
- No Advertising Cookies: We do not use advertising or marketing cookies
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or in-app notification. Continued use after changes constitutes acceptance.
13. Data Breach Notification
We take data security seriously and have implemented measures to protect your information. In the unlikely event of a data breach:
13.1 Notification Timeline
We commit to notifying affected users within 72 hours of confirming a data breach that may have compromised personal information.
13.2 Breach Notification Contents
In the event of a breach, we will provide:
- A description of the nature of the breach and the types of data affected
- The approximate date and time of the breach
- Steps we are taking to address and remediate the breach
- Recommendations for actions you can take to protect yourself
- Contact information for our security team for further questions
13.3 Preventive Security Measures
We implement comprehensive security measures to prevent data breaches, including:
- End-to-end encryption for data in transit and at rest
- Regular security audits and penetration testing
- Multi-factor authentication for administrative access
- Continuous monitoring and anomaly detection systems
- Employee security training and access controls
- Incident response procedures and disaster recovery plans
14. Data Deletion Requests
You have the right to request deletion of your personal data. Here's how the process works:
14.1 How to Submit a Request
To request deletion of your data, send an email to support@minishoots.com with the subject line "Data Deletion Request." Please include your account email address and specify whether you want a complete account deletion or deletion of specific data.
14.2 Processing Timeline
We will process your data deletion request within 30 days of receiving it. You will receive an acknowledgment email within 5 business days confirming we have received your request.
14.3 Data That Cannot Be Deleted
Certain data must be retained even after a deletion request due to legal and regulatory requirements:
- Payment and Transaction Records: Retained for 7 years per financial regulations
- Tax Documentation: Retained as required by tax authorities
- Legal Hold Data: Data subject to ongoing legal proceedings or investigations
- Anonymized/Aggregated Data: Statistical data that cannot identify individuals
14.4 Confirmation of Deletion
Upon completion of your data deletion request, you will receive a confirmation email detailing:
- The date your data was deleted
- Categories of data that were deleted
- Any data retained for legal purposes and the reason for retention
- Information about backup deletion timelines (up to 30 additional days)
15. Contact Us
For privacy-related questions or to exercise your rights, contact us at:
Questions about your privacy? We're here to help. Contact us anytime at support@minishoots.com