Privacy Policy

1. Data controller

The data controller is LUMY.MEDIA SAS, Quai de la Douane, Bâtiment Le Grand Large, 29200 Brest, France (RCS Brest B 889 608 790).

General contact: [email protected]. Dedicated data-protection contact: [email protected]. No Data Protection Officer (DPO) is currently appointed; a dedicated contact point is provided at the address above.

2. Data collected

We collect strictly necessary data:

• Account: email, name, password (encrypted), role (client or photographer).
• Photographer profile: name, city, biography, specialties, portfolio, services, links (website, Instagram), location.
• Matching: content of contact messages sent to photographers, saved favorites.
• Reviews: reviews published or imported from third-party sources (e.g. Google).
• Billing data (Premium photographers): information needed for the subscription, processed via Stripe.
• Technical data: IP address, connection logs, browser type, for security purposes.

3. Purposes and legal bases

• Provide the matching service and manage accounts (performance of the contract).
• Process Premium subscriptions and billing (performance of the contract, legal obligation for invoices).
• Ensure security and prevent fraud (legitimate interest, legal obligation for logs).
• Improve the service through aggregated statistics (legitimate interest).
• Send service-related communications (performance of the contract) or, where applicable, marketing communications (consent).

4. Recipients and processors

Your data is accessible to authorized Photographes.io staff and to processors bound by GDPR-compliant contracts (Article 28):

• Scaleway SAS (France) — hosting of the application, database and storage of media (photographs).
• Stripe — processing of Premium subscription payments.
• Resend — sending of transactional emails.
• Google (Places API) — import and display of reviews and business listing information.
• Mapbox — display of search maps.

5. Transfers outside the EU

We favor hosting providers and processors located in the European Union. Where a provider may process data outside the EU, such transfers are governed by appropriate safeguards (European Commission standard contractual clauses).

6. Retention periods

• Account data: for the duration of use, then deletion or anonymization (after a reasonable period following termination).
• Invoices: 10 years (legal accounting obligation).
• Connection logs: 1 year (legal obligation).
• Anonymized statistics: no limit, as they are non-identifying.

7. Security

We implement appropriate technical and organizational measures: encryption of communications (TLS), hashed passwords, access control, hosting in certified datacenters. In case of a data breach posing a risk, the notification obligations of Articles 33 and 34 GDPR are met.

8. Your rights

You have the rights of access, rectification, erasure, restriction, objection and portability over your data. You can exercise them at [email protected]. A response is provided within a maximum of one month. Some data may be retained under legal obligations (e.g. invoices).

9. Cookies

The site uses cookies strictly necessary for its operation (authentication, security, preferences), exempt from consent. Any audience-measurement tools are configured to respect your privacy. You can manage cookies via your browser settings.

10. Minors

The service is not intended for minors under 15. Photographers undertake to obtain the necessary authorizations (image rights) before publishing any photographs depicting minors.

11. Changes

This policy may be updated. The applicable version is the one published on the site, with its update date.

12. Complaints

You may lodge a complaint with the CNIL (French data protection authority), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, or at cnil.fr.